M3AAWG published a letter to the FCC addressing the implementation of CSRIC III Cybersecurity Best Practices (pdf link)
The takeaway is that of the ISPs that contribute data to M3AAWG (37M+ users), over 99% of infected users receive notification that they are infected.
I hear from senders occasionally that they are not the problem, bots are the problem and why isn’t anyone addressing bots. The answer is that people are addressing the bot problem.
I’m seeing scattered reports of the SBCGlobal.net MTAs refusing connections. No current information about fixes.
Senders: You’re blocking our mail, why?
Receivers: Because you’re spamming, stop spamming and we won’t block you.
Senders: But we’re not spamming. What do you mean we’re spamming! How could we be spamming, we’re not sending spam!
Receivers: You’re doing all these things (generating complaints, sending to dead accounts, hitting spam traps, not bounce handling, etc) that makes your mail indistinguishable from spam.
Senders: But we can’t tell what we’re doing wrong unless you give us more data!
Receivers: OK, fine. Here are FBLs, postmaster pages, sender access to support people. Now, stop spamming.
time passes
Receivers: It’s costing us how much to provide support to senders?!?! And after years of giving them lots of data it’s still the same problems over and over again? We’re not a charity, we’re going to control our costs and stop providing so much personal support.
And that, readers, is why receivers are pulling back from providing the data they used to.
Most delivery experts will tell you that ISPs measure recipient engagement as a part of their delivery. That’s absolutely true, but I think there’s a language difference that makes it hard for senders to understand what we mean by engagement.
ISPs, and other filtering companies, profile their user base. They know, for instance, who logs in and checks mail every day. They know who checks mail every 20 seconds. They know who gets a lot of spam. They know who hasn’t logged in for months. They know who accurately marks mail as spam and who is sloppy with the this-is-spam button. They know if certain recipients get the same mail, it’s likely to be spam.
Engagement at the ISPs is more about the recipient engaging with their email address and the mail in their mailbox then it is about the recipient engaging with specific emails.