When unicorns go bad: Salesforce and pump-n-dump scams

About six months ago, I noticed a significant uptick in spam email. But not just any spam, oh no. I found myself flooded with stock pump-n-dump spam, in incredible quantities.

What is pump-n-dump?

A pump-n-dump scam is where a scammer buys a large quantity of a cheap stock, then floods the world with hype to drive up the price of the stock. When it starts to rise, the scammer sells all his shares, the stock collapses, and the scam victims lose their investments.

Occasionally, the companies parasitized in this way can go out of business (small companies will sometimes use their own stock as collateral for loans, with the agreement that if the price of the stock drops below a certain point, the loans come due immediately).

And as I collected examples of this spam, I noticed something interesting: all the pump and dump scam spam originated from Salesforce, the $300 billion American tech giant.

American company Salesforce supports stock pump and dump scammers

So what does Salesforce have to do with penny stock scams, and why on earth would Salesforce be supporting pump-n-dump stock scammers? Hang on, let’s go down the rabbit hole.

When I say I’ve been getting stock scam spam in incredible quantities, I mean it. I’ve received 1,794 examples of stock pump-n-dump scam emails between March 17, when I first started collecting them, and October 30. That’s 1,794 scam emails in 227 days, or an average of about eight a day.

Salesforce stock pump and dump spam emails

There are a lot of them. They come from multiple From addresses and claim to be from various “investment” companies, but they all have some characteristics in common:

  • They all originate from IP addresses owned by Salesforce subsidiary Exact Target
  • They all advertise URLs hosted by Salesforce subsidiary Exact Target
  • While they come from different email addresses, they use similar graphics, language, and promote the same sets of stocks

How many different companies do they claim to come from? Lots. Every time I see an example of one of these spam emails, I build a rule in my mail reader app to route future examples to the Salesforce scam spam folder. Between March and October, here’s a list of the From addresses used in these scam emails:

Salesforce stock pump and dump email rules

Each From address will be used to send anywhere from three to twenty or so scam emails before it’s abandoned and the scammers move on to the next.

What does Salesforce make of all this?

On paper, Salesforce/ExactTarget’s spam policies seem good enough. In practice…

In practice, Spamcop has disabled reporting to Salesforce, because Salesforce (a) doesn’t pay any attention to abuse reports and (b) doesn’t follow spam best practices, specifically by not requiring double-opt-in and not honoring remove requests.

Spamcop disables abuse reports to Salesforce for email spam

This isn’t a new problem, either. Spamcop stopped sending abuse reports to Salesforce/ExactTarget at least as far back as 2011, and maybe earlier.

Unsurprisingly, manual emails to Salesforce and ExactTarget abuse addresses do nothing.

So what’s all this about? What does Salesforce gain by assisting stock pump and dump scammers?


Pump and dump scams require broad reach. They are also extremely profitable when they work. So it’s worth spending money to make sure you can reach as many marks as possible; profit varies directly with the number of gullible dupes you can con into buying the hyped stock.

And Salesforce/ExactTarget isn’t cheap:

Salesforce/ExactTarget pricing for spam

Note those prices are (a) billed annually up front and (b) are per organization. So even the cheapest plan is $4,800 out of pocket at the start, and the spammers are using multiple phony organizations in their spam.

This is, I’ll warrant, a nontrivial source of Salesforce revenue.

So Salesforce has a positive financial incentive to aid and abet these scammers, and thousands of folding, spendable reasons to disregard abuse reports.

2 thoughts on “When unicorns go bad: Salesforce and pump-n-dump scams

  1. Nothing has changed in 2023. Political and pseudo investment email is coming from Sales force and 13.108.00/14 in droves.

    We operate a hygeine service for a few thousand mailboxes. We’d like to block these IP blocks but they are also used for things like newsletters and password resets for legitimate companies like Cisco, UPS and Home Depot.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.