<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1822615684631785&amp;ev=PageView&amp;noscript=1"/>

Update on Spam and Phishing Issue

GMass User Update - spam and phishing

[See below in the “What we did” section for the latest updates.]

Over the last week, starting on July 28, 2021, we noticed an increase in the number of users reporting that their emails were going to the Spam folder. Many were users that were sending organic non-commercial email that was used to landing in the Inbox. On August 3, 2021, we discovered that our default system tracking domain, which is based on a domain from Amazon Web Services, had been compromised and its reputation lowered, which was causing the Spam issue.

On August 3, we sent this notice to all affected users, and we replaced the default system tracking domain with a different one.

However, we discovered on August 4, that the new system tracking domain we started using on August 3, had now been flagged by Google as a phishing domain.

As a result, if you sent with GMass, starting around 10 PM GMT on August 4, and you had either open tracking, click tracking, or an unsubscribe link present, you would might have gotten bouncebacks indicating a block that looked like this:

Your sending limits might be lower than normal

You might also notice that your sending limits have been throttled. If you’re used to sending more emails without an issue, and now you’re getting “You have reached a limit” bouncebacks. that is also a consequence of this issue. Google keeps track of messages sent on a rolling 24-hour basis, so the limit issue should go away in about 24 hours.

What we did

Once we noticed this, we again swapped out our system tracking domain for a different one and this went further and segregated the assignment of our system domains based on user profiles. Meaning free accounts are on one tracking domain while paid accounts are on another. There’s further segmentation between these two groups as well. That has fixed the issue for now.

Update on 8/5/21 17:15 GMT:

We are now checking all user URLs in campaigns against the Google Safe Browsing list via their API and disabling redirects for any matching URLs. We’ve always checked against the Spamhaus DBL and SUBRL lists but now we’re adding the Safe Browsing list as well.

Update on 8/11/21 05:36 GMT:

We’ve combed through gigabytes of data and found several malicious actors using GMass to send Google-login phishing emails. Those accounts have been terminated, the click-tracked redirects have been disabled, and we’ve notified Google through the Google Search Console. As of now, all of our shared tracking domains are clean and not causing any deliverability issues. It’s still a best practice to set up your own tracking domain though, just in case this happens in the future.

Update on 8/11/21 06:08 GMT:

Hitting Limits: If you’re still hitting Gmail’s limits earlier than you’re used to, you may need to wait about 24 hours since the last 69585 bounce before that issues goes away.

Non-commercial users: If you’re not sending commercial email, meaning you’re sending out things like event announcements, notifications to a membership group, or similar non-commercial content, we can put you on a separate tracking domain dedicated for users just like you. Ask our support team to do this for you.

For a frank explanation of what happened and why, see my tweet on the matter.

What you can do

Here is how you can take control of the matter and avoid this issue going forward.

  1. The simplest long term solution is to set up your own tracking domain. This will isolate you from our nearly 1-million other users. That means that if 1 of our 1 million users does something bad, it won’t affect you.
  2. If you don’t know HOW to set up your own tracking domain, but you have a domain and know how to access its settings, we can do the setup for you. Just fill out this form.
  3. Another solution, which will avoid this problem entirely, is to turn OFF open and click tracking, and don’t include an unsubscribe link. Each of these 3 features (open tracking, click tracking, unsubscribe link) forces the tracking domain to appear in your email, which is what can cause the above issues. If you don’t use any of these 3 features, then you’ll never have this kind of issue because the tracking domain won’t appear in your emails.

Frequently Asked Questions

Q: Ugh, why is this happening?

A: It’s an unfortunate consequence of being a popular email platform. We used a default domain to include in our users’ emails so that open tracking, click tracking, and the unsubscribe link work “out of the box” without any user setup required. The downside of that is that 1 bad actor can ruin it for everyone else. That’s likely what’s happening here.

Q: So why don’t you catch the bad actor?

A: We’re trying, but with the amount of email flow that goes through our system, it’s a difficult task. This has happened before though and we’ve always managed to nail down the cause, so I’m confident we will this time as well.

Q: I tested sending an email just with the regular Gmail Send button, and not using GMass, and I didn’t have this problem. So GMass is the problem?

A: Sort of. When you send with GMass, and you use any of the open tracking, click tracking, or unsubscribe features, we have to insert a domain into your emails to make those features work. It’s that domain that is getting flagged and causing these spam and blocking issues.

Q: I tested sending the same email with a different platform, a competitor of GMass’s, and the email went through fine. Why aren’t they having the same problem?

A: Out of all the tools that allow people to send campaigns directly through their Gmail/Google Workspace accounts, GMass is one of the top 3 highest volume tools. The higher volume email a tool sends, and the more people that use the tool, the more likely it is to run into a problem like this. Most Gmail-based sending tools don’t push nearly the volume of email we do. It’s a catch-22. Become a popular email platform and suffer this problem, or don’t become popular and never have this problem.

Q: So what can I do right now if I’m having this spam/blocking problem?

A: You can either a) turn off open/click tracking and don’t include an unsubscribe link, or b) set up your own tracking domain.

Q: I already filled out the form to have you set up my tracking domain for me but haven’t heard back. What’s the deal?

A: We’re working our way through all the setups. It takes about 15 minutes to set up each one, and when we offered to do this for our users a few days ago, we had hundreds of submissions. We’ll get to you soon!

Resources and more reading

How to set up your own tracking domain

Fill out the form to have us assist with tracking domain setup

A more detailed explanation of why tracking domains cause issues

How to turn off tracking and eliminate this issue

7 Comments
  1. I am just trying to send a regular email without hitting the Gmass button and am now blocked after trying to send a Gmass email Aug4. What do I do?

  2. I cant send any email either.

    Leif has exceeded the Gmail sending limit by sending too many messages that were rejected as spam.
    User must wait up to 23 hours to resume activity.”

    I was sending an email to 17 people that I have already send emails to – no spam whatsoever

    What in the hell – I have a business to run

    1. Hi Leif,

      The notification you received is not related to the Spam and Phishing issue in the above article. The sending limit is something that is enforced by Gmail, not by GMass. According to Google, regular G Suite accounts are limited to 2,000. But other factors like the age of the account, content of the Campaign, or reputation of the domain can affect your sending limit.

  3. How long will it take to get the tracking Domain set up? Trying to figure out if you need any more information from us to get it done. Please let us know. Pretty much have paused the sales side of the business until we can get this done.

  4. Guys, you never answer my emails. You never answer here. You are stealing my money!

    You demoted my account to a Free one, whereas I have restarted the paid membership on 29 July. I have a PayPal transaction.

    I’m losing money again because of all the troubles you don’t care to help me with

Leave a Reply to sylvia Cancel reply

Your email address will not be published. Required fields are marked *

Try GMass today

It only takes 30 seconds to install it!

Install Now GMass requires Chrome

GMass

Share This