Company responsibility and compliance

I blogged a few times recently about Zoho and their issues with malicious actors abusing their platform. They asked me to post the following statement from their CEO Sridhar Vembu.

Unfortunately phishing has become one of the bad side-effects of Zoho’s rapid growth over the last couple of years, especially the growth of our mail service. Since Zoho Mail offers the most generous free accounts as part of our freemium strategy, this gets exacerbated as more malicious actors take advantage of this massive customer value. But we are clamping down on this heavily and I quickly wanted to share what we have done and will be doing.

The first step is to examine all accounts, especially free ones since this is where most of the abuse appears to be happening. We are now mandating verification using mobile numbers for all accounts, including free ones (which also helps in two-factor authentication for accounts). We are actively looking at suspicious login patterns, and blocking such users, particularly for outgoing SMTP.

The second step is around improving and tightening our policies for all users. We have recently revised and changed our policy around SPF (sender policy framework) and implemented DKIM (domain key identified mail) for our domain. This will result in a solid DMARC policy that we will also publish.

There are other heuristic methods and algorithms we are exploring and testing before we deploy at scale that we will not discuss in any detail, for all the right reasons.

I commend Zoho for the steps they’re taking. I think they are a step in the right direction.

I also want to emphasize that this is not a problem limited to very large companies. Any company, and I do mean any company, providing email services is a target for malicious entities. It doesn’t really matter how big you are or how small your customer base is. It is crucial for anyone providing online services to have plans for what to do in case of abuse.

Does this mean every company needs a full fledged compliance desk? Possibly not. If your customer base is very small, like a few hundred customers and you only advertise to a niche group then you may get away with hiding from the bad guys. But security by obscurity has never been a long term solution to most security problems.

In my experience, if you’re big enough to have a dedicated customer support desk, then you’re big enough to monitor deliverability and abuse. This isn’t as hard as it sounds if you’re using a 3rd party to send mail. Companies like Sendgrid, Sparkpost, Mandrill and many of the SMTP providers, are doing most of the heavy lifting for you. They’re signed up for and collecting feedback loop emails, they’re analyzing bounce data and providing all this information for you in an easy to digest way.

The simplest thing to do is task one of your support people with monitoring deliverability metrics from your upstream and reading the abuse@ mailbox. As your company grows, they become the lead for your compliance team. Whatever you decide, it’s critical that someone have ownership of compliance. Compliance needs to be built into processes from an early stage.

It is, of course, possible to add compliance onto an existing company, that’s how most existing companies have done it. But they’ve mostly done it due to business interrupting events because they ignored abuse and compliance issues for too long. Zoho wasn’t specifically ignoring compliance, our experience was they did cut off phishers, but someone missed the bigger picture that there was other abuse going on.

Whatever your company size, if you’re providing email services you must address abuse issues. The bad guys will find you and abuse you. It’s not a question of if, it’s a question of when. The longer you wait the more likely it is that you’re going to have a business interrupting event like a Spamhaus listing, disconnection by your ESP or even disconnection by your registrar. Planning ahead doesn’t mean you’ll never be abused, it just means you’ll be equipped to deal with it.

Related Posts

People are the weakest link

All of the technical security in the world won’t fix the biggest security problem: people. Let’s face it, we are the weakest link. Adding more security doesn’t work, it only causes people to figure out ways to get around the security.

Read More

Check your abuse addresses

Even if you have excellent policies and an effective, empowered enforcement team you can still have technical problems that can cause you to drop abuse mail, and so lose the opportunity to get a bad actor off your network before they damage your reputation further.

Read More

September 2016: The month in email

Happy October, everyone. As we prepare to head to London for the Email Innovations Summit, we’re taking a look back at our busy September. As always, we welcome your feedback, questions, and amusing anecdotes. Seriously, we could use some amusing anecdotes. Or cat pictures.
 
San Francisco and Coit tower
We continued to discuss the ongoing abuse and the larger issues raised by attacks across the larger internet infrastructure. It’s important to note that even when these attacks aren’t specifically targeting email senders, security issues affect all of us. It’s important for email marketers to understand that increased attacks do affect how customers view the email channel, and senders must take extra care to avoid the appearance of spam, phishing, or other fraudulent activity. I summarized some of the subscription form abuse issues that we’re seeing across the web, and noted responses from Spamhaus and others involved in fighting this abuse. We’re working closely with ESPs and policy groups to continue to document, analyze and strategize best practices to provide industry-wide responses to these attacks.
I was pleased to note that Google is stepping up with a new program, Project Shield, to help journalists and others who are being targeted by these attacks by providing hosting and DDoS protections.
I’m also delighted to see some significant improvements in email client interactions and user experiences. I wrote a bit about some of those here, and I added my thoughts to Al’s discussion of a new user interaction around unsubscribing in the iOS 10 mail client, and I’ll be curious to see how this plays out across other mail clients.
For our best practices coverage, Steve wrote about global suppression lists, and the ways these are used properly and improperly to prevent mail to certain addresses. I wrote about using the proper pathways and workflows to report abuse and get help with problems. I also wrote about the ways in which incentivizing address collection leads to fraud. This is something we really need to take seriously — the problem is more significant than some bad addresses cluttering up your lists. It contributes to the larger landscape of fraud and abuse online, and we need to figure out better ways to build sustainable email programs.
Is there such a thing as a perfect email? I revisited a post from 2011 and noted, as always, that a perfect email is less about technology and more about making sure that the communication is wanted and expected by the recipient. I know I sound like a broken record on this point (or whatever the 21st century equivalent metaphor of a broken record is….) but it’s something that bears repeating as marketers continue to evolve email programs.
We had a bit of a discussion about how senders try to negotiate anti-spam policies with their ESPs. Is this something you’ve experienced, either as a sender or an ESP?
In Ask Laura, I covered shared IP addresses and tagged email addresses, questions I get fairly frequently from marketers as they enhance their lists and manage their email infrastructures. As always, we welcome your questions on all things email delivery related.

Read More