Evolution of policy

Last week, I talked about policy, using some different blocklist policies as examples. In that post I talked about how important it is that policy evolve. One example of that is how we’ve been evolving policy related to companies that get listed on Purchased Lists and ESPs. Who is listed has evolved over time, and we’re actually looking at some policy changes right now.

Listing policy 1

The first iteration of the list was crowdsourced by deliverability people. One person mentioned they had a list they used when customers would argue “X company lets me send to purchased lists.” That list got shared and lots of folks contributed their company names. I offered to publish the list and thus the initial blog post.

  • Your company was added to the list by being nominated from a small group of people.

Listing policy 2

Once the blog post went up a surprising number of companies asked to be added to the list. I was happy to add the companies but needed some criteria other than nominated by this group of people. Our policy had to evolve to cover self-nominations. Whatever the policy was it needed to be something I could easily check and verify and couldn’t take up a significant amount of time.

  • Your company was added to the list by being nominated from a small group of people; or
  • Your company was self nominated and your terms and conditions / acceptable use policy states you do not allow purchased lists.

At the time I created policy 2 there were some specific goals driving it. We were getting regular requests to be added to the list. I didn’t have a lot of time or energy to vet every listing. There was also some pushback from anti-spam groups on the initial post that the list wasn’t accurate. Thus, the requirement that there be a public statement on the company’s website stating purchased lists weren’t allowed.

Listing policy 3

There’s one company on the list we’ve been having ongoing, frustrating interactions with. They don’t seem to enforce their abuse policy at all. We’ve reported multiple customers who are spamming purchased (and “purchased”) lists and the company refuses to take any action. The same customers keep spamming us over and over again. They meet the criteria for listing – they have a public policy that says they don’t allow purchased lists. But we’re seeing ongoing mail to addresses that are either purchased or stolen.

We decided to strike that company from the list. That’s fine, we’re allowed to make exceptions to the policy. I also always knew that “having a public statement against purchased lists” was a bit of a weak policy. Many companies have those public statements but don’t actually stop customers from sending to purchased lists. I was sure I’d have to wrestle with this issue sooner or later.

What are the goals?

The initial goal was to post timely information based on conversations happening in the industry. There were folks who wanted the lists to be more public, so they could point their own customers at it. We met that goal.

The second goal was to allow companies to add themselves to the list with some confidence they belonged on the list.

My newest goal is to sensibly and fairly add (and remove) companies who are not enforcing their policy. But what does not enforcing their policy look like? In the case of the company we removed from the list, we have sufficient evidence that they’re not stopping spam off their network. I’m pretty convinced there are other companies on the list that poorly manage their customers, too. But we don’t have as much direct evidence against those other companies.

The questions I’m asking as I think about what a sane policy would look like include:

  • what is the goal of the list now? is it to give props to companies that enforce their policies? is it simply to give companies a place to point to regarding ESPs that prohibit purchased lists?
  • if the goal is to highlight companies that are actually enforcing their policies, what does ‘enforcing their policies’ look like?
  • do I want to do all the vetting myself or should other people be involved in vetting?
  • how accurate do I want the list to be?
  • does it matter if companies get onto the list when they don’t qualify?
  • what is my time availability and how does that interact with the policy requirements?
  • does any of this matter?

I don’t have answers to all of the questions. I would prefer that the list be accurate and reflect only those companies that actively prevent their customers from sending to purchased lists. But how to ensure accuracy? And what counts? Does blocking mail to people who complain count? Making customers reconfirm lists?

This is one of the challenging bits of policy development. I don’t have answers, yet. At best the current policy is

  • Your company was added to the list by being nominated from a small group of people; or
  • Your company was self nominated and your terms and conditions / acceptable use policy states you do not allow purchased lists.
  • I don’t have any direct or overwhelming evidence customers are allowed to send spam to purchased lists.

For today, that’s good enough. But I know that it’s a stop gap policy, not a long term one.
