Complaints, contacts and consequences

Yesterday the CRM provider Zoho suffered an unexpected outage when their registrar, TierraNet, suspended their domain. According to TechCrunch, Zoho’s CEO says there was no notification to the company and that the company had only 3 complaints about phishing.

Based on the article, even as a Zoho customer, I am fully on the registrar’s side here. Every company, absolutely every company that provides service online has a responsibility, even an obligation, to minimise the harm through their service. I have zero doubt that this was an ongoing issue and that TierraNet attempted to contact Zoho multiple times. I also believe that Zoho never got the message.

Why? Too many companies run their abuse and security mailboxes through the same filter that they use for employee email. These filters often block, or route to the spam folder, reports that contain spam or phishing content. I’ve absolutely had issues where I talk to someone inside a company and then forward them an example of a problem email, only to have their filters eat the email.
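As an added illustration (not code from the post or from either company), a pre-filter routing decision in Python: mail addressed to RFC 2142 role mailboxes at our own domain is delivered without content filtering and the forwarded sample is pulled out of the message/rfc822 attachment for the desk, while the same message sent to an employee still goes through the filter. The domain, ticket number and the report itself are constructed.

```python
# Pre-filter hook: reports to role mailboxes bypass the employee spam filter.
import email
from email import policy
from email.utils import getaddresses

ROLE_LOCALPARTS = {"abuse", "security", "postmaster"}  # RFC 2142 roles
OUR_DOMAINS = {"example.com"}  # assumed stand-in for our own mail domains

def recipients(msg):
    # All To/Cc addresses, lower-cased
    headers = msg.get_all("to", []) + msg.get_all("cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]

def is_role_mailbox(addr):
    local, _, domain = addr.rpartition("@")
    return domain in OUR_DOMAINS and local in ROLE_LOCALPARTS

def attached_samples(msg):
    # Embedded message/rfc822 parts: the forwarded spam or phishing sample
    return [part.get_payload(0) for part in msg.iter_attachments()
            if part.get_content_type() == "message/rfc822"]

def triage(raw):
    # Returns the routing decision and, for reports, the sample subjects
    msg = email.message_from_bytes(raw, policy=policy.default)
    rcpts = recipients(msg)
    role = sorted(r for r in rcpts if is_role_mailbox(r))
    if not role:  # ordinary employee mail: the content filter runs as usual
        return {"route": "content-filter", "to": rcpts, "samples": []}
    subjects = [str(s.get("subject", "")) for s in attached_samples(msg)]
    return {"route": "deliver-unfiltered", "to": role, "samples": subjects}
# Constructed sample: a registrar forwarding a phishing message to abuse@
REPORT = b"""From: compliance@registrar.example
To: Abuse Desk <abuse@example.com>
Subject: Phishing report, ticket 1234
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

From: billing@bank.example
To: victim@example.net
Subject: Verify your account

Your account requires verification.
--b1--
"""
# The same report sent to an employee instead must still be filtered
EMPLOYEE_COPY = REPORT.replace(b"abuse@example.com", b"alice@example.com")
```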

But then we did some research. It seems Zoho does have a problem with customers phishing. BUT! They also have a functioning abuse address that acts on complaints.

Over the last 3 years, we’ve sent complaints to Zoho reporting phishing from a number of different customers. Since 2016, they consistently respond and disconnect the phishing site. Sure, the response is boilerplate, but the sites are disconnected.

So the comment to TechCrunch from the CEO about only 3 complaints is confusing. We’ve sent more than that, and the abuse desk has acted on the complaints. Maybe the registrar doesn’t have up-to-date contact information; maybe Zoho thought they were too big to disconnect. In any case, Zoho does have customers using their site to send phishing mail, but they also appear to have a functional abuse desk that’s handling the complaints.

Alternatively, it’s possible that TierraNet is the one with the non-functional abuse desk. They wouldn’t be the first registrar to have horrible processes resulting in customers losing connectivity when they didn’t deserve it.

All of this is a good example of how challenging compliance is, and how complex managing networks can be.

Compliance is hard

The underlying moral here is that compliance is a vital part of offering any service online. Compliance is also hard and requires smart, engaged, empowered people with the right tools.

Nearly 20 years ago I wrote my first compliance desk process document. I was managing a team working at a very large provider. Some of our customers were companies you may have heard of: eBay, Hotmail, Geocities, Napster. Some of our customers were actually large providers themselves and had customers of their own.

As the compliance team, our job was to minimize the abuse going through our network. But it wasn’t as simple as shutting down anyone we got complaints about. We had to investigate whether the complaints were legitimate: did we have evidence that there was a violation? If there was, we needed to take appropriate action. That action was rarely “shut the customer down.” Why? There were contracts and SLAs and millions of dollars of monthly revenue at stake.

I remember having a rather heated discussion with folks on the team. They thought we, as a contracted abuse desk, should have the power to shut down any customer at any time. There is no way you want an outside contractor with that type of power and lack of oversight. It simply was a bad business decision to allow us to shut down all of eBay because one of their users sent spam linking to an auction. It was a bad business decision to shut down a company as large as eBay without warning, period. We needed processes to make sure that we gave customers with their own customers the tools and information they needed to manage their abuse. Sure, we had the ability to force them to take action, as we could shut them down. But not every compliance relationship needs to be combative.

Communication is vital

Setting up good processes is vital. I’m working with multiple clients right now to help them work through how to set up their own compliance desks. These customers also have to make sure they stay in communication with their upstream compliance desk. Everyone has to have good contact information for each other. Maybe the Zoho / TierraNet problem was simply that a Zoho employee moved on and everyone forgot to update their point of contact with the registrar. When the registrar sent the notifications, they may have gone to an empty mailbox (or a spamtrap!) or to an employee who had no idea what to do with them.

Still, simply disconnecting a company as big as Zoho, with so many vital services running off it, was something that shouldn’t have been done lightly. And maybe it wasn’t. In any case, this ended up being bad publicity for TierraNet, a bad experience for Zoho and it didn’t really protect anyone. The consequence for poor compliance handling and poor communication is Zoho and all their customers are off the air. TierraNet looks bad and is likely to lose some customers. The travesty is that end users are no safer than they were before this whole thing happened.

What next?

I’m a big believer that every online service needs some sort of compliance desk. Yes, even if you are a CRM provider. Even if you are a small social networking site designed for certain types of clubs. If you provide services to third parties, you need to have some sort of way to make sure your customers don’t create problems online.

Providers that offer services to other providers need to make sure their compliance desk has a clear path of escalation. They can’t, and shouldn’t, take all compliance away from customers by default. But they should also have processes for disconnecting even the big customers.

Compliance is complicated. It’d be lovely if it could be automated, but there is no AI that can make the complex decisions required for an effective compliance desk. Sure, a lot of the work can be automated, a lot of the decisions can be automated even. But there will always be cases that need trained, experienced, smart people to navigate effectively.
