ESPs are failing recipients

Over the last few years I’ve reduced the complaints I send to ESPs about their customers to almost nothing. The only companies I send complaints to are ones where I actually know folks inside the compliance desk, and I almost never expect action, I just send them as professional courtesy.

Two icon figures sitting at a table talking to each other

The sad fact is, many ESPs are really horrible about dealing with spam coming from their networks. The older, larger companies are often a jumble of poorly integrated technologies resulting from a decade of acquisition. More than a decade ago I sat at a MAAWG conference with the director of deliverability at one of the oldest ESPs. We were talking about their recent Spamhaus listings that I’d been hired to help address and their overall complaint processes. One of the issues was, due to multiple mergers and acquisitions, half of their abuse mail went to the wrong place and some of it was being thrown away.

This is an old story, but only as an example of how long this problem has been going on. Even now, companies retire domain names from receiving mail, but still have them littered throughout their email headers. They miss complaints, they miss notices and then they discover they and most of their customers have extensive delivery problems.

The newer companies are lean and agile and don’t think about investing in actual compliance work until they run face first into an escalated Spamhaus listing. Their solution to the problem is to throw machine learning at it, and try and come up with a way to programatically identify bad customers. The problem is this is a moving target and there’s nothing set and forget about it. Algorithms like this need to be constantly maintained and trained. May as well invest in the human element.

Of course, this is all about the customers sending mail through ESPs. But that’s not the only problem. There are any number of ESPs whose own marketing teams use spam. I cannot tell you the number of companies in the space who’ve decided to add me to their marketing list without bothering to ask me if I want to hear from them.

Just last month I started receiving mail from an ESP. “We’ve made an acquisition! We’re growing!” was the first message I received from them. I wasn’t sure what was going on so I contacted their abuse desk asking what opt-in data they have for me. The person I contacted was apologetic and said she’d chase it down. She also informed me I’d be removed from future emails.

A few days later I received an email telling me that they weren’t really sure where I opted-in, but that it was probably a page on their website that they no longer had up. This doesn’t sound right as the address was one I don’t enter into forms. If a form doesn’t take a tagged address, I use a gmail account. But, I want to give the company the benefit of the doubt so I treat it as solved and move on.

Three weeks later I get another email from the same ESP advertising an upcoming webinar. Again, I send mail pointing out that I was assured I’d been unsubscribed. This time my colleague responds and tells me that I signed up for their mailing list because I attended a conference with them in 2016.

I don’t even have words for how grossly inadequate this response is. If it’s true, which I don’t even know any more, it’s horrible marketing to wait 3 years to start mailing someone after acquiring their email address. But the incompetence doesn’t stop there. This was a conference I attended to speak on two different panels, both regarding deliverability and how not to send spam. As a speaker I don’t always visit the trade floor and if I do, I don’t hand out cards or ask for more information. In any case, I can say with quite a bit of certainty this company wasn’t at the trade show, as they announced this version of their name about 6 months after the conference.

Of course, this isn’t as unusual as it should be, one reason I’m not naming names. ESPs hire aggressive marketers who often send spam… er… “cold emails.” It still amounts to the same thing – an unending bombardment of unsolicited emails from companies who then turn around and ask to be added to my list of “good ESPs” that don’t allow purchased lists.

ESPs need to step up and stop allowing spam on their networks. This goes for customer mail and for their own mail. It’s long past time for them to invest in actual compliance desks and start actually requiring customers to send better mail.

Related Posts

Permission trumps good metrics

Most companies and senders will tell you they follow all the best practices. My experience says they follow the easy best practices. They’ll comply with technical best practices, they’ll tick all the boxes for content and formatting, they’ll make a nod to permission. Then they’re surprised that their mail delivery isn’t great.

Read More

The Blighty Flag

Back in the dark ages (the late ’90s) most people used dialup to connect to the internet. Those people who had broadband could run all sorts of services off them, including websites and mail servers and such. We had a cable modem for a while handling mail for blighty.com.
At that time blighty.com had an actual website. This site hosted some of the very first online tools for fighting abuse and tracking spam. At the same time, both of us were fairly active on USENET and in other anti-spam fora. This meant there were more than a few spammers who went out of their way to make our lives difficult. Sometimes by filing false complaints, other times by actually causing problems through the website.
At one point, they managed to get a complaint to our cable provider and we were shut off. Steve contacted their postmaster, someone we knew and who knew us, who realized the complaint was bogus and got us turned back on. Postmaster also said he was flagging our account with “the blighty flag” that meant he had to review the account before it would be turned off in the future.
I keep imagining the blighty flag looking like this in somebody’s database.

That is to say, sometimes folks disable accounts they really shouldn’t be disabling. Say, for instance:

This was an accident by a twitter employee, according to a post by @TwitterGov

Read More

Marketing automation plugins facilitate spam

There’s been an explosion of “Google plugins” that facilitate spam through Gmail and G Suite. They have a similar set of features. Most of these features act to protect the spammer from spam filtering and the poor reputation that comes from purchasing lists and incessantly spamming targets. Some of these plugins have all the features of a full fledged ESP, except a SMTP server and a compliance / deliverability team.
I’ll give the folks creating these programs credit. They identified that the marketers want a way to send mail to purchased lists. But ESPs with good deliverability and reputations don’t allow purchased lists. ESPs that do allow purchased lists often have horrible delivery problems. Enter the spam enabling programs.
From the outside, the folks creating these programs have a design goal to permit spam without the negatives. What do I mean? I mean that the program feature set creates an environment where users can send spam without affect the rest of their mail.
The primary way the software prevents spam blocking is using  Google, Amazon or Office 365 as their outbound mail server. Let’s be frank, these systems carry enough real mail, they’re unlikely to be widely blocked. These ISPs are also not geared up to deal with compliance the same way ESPs or consumer providers are.
There seem to be more and more of these companies around. I first learned of them when I started getting a lot of spam from vaguely legitimate companies through google mail servers. Some of them were even kind enough to inform me they were using Gmail as their marketing strategy.

I didn’t realize quite how big this space was, though. And it does seem to be getting even bigger.
Then a vendor in the space reached out looking for delivery help for them and their customers. Seems they were having some challenges getting mail into some ISPs. I told them I couldn’t help. They did mention 3 or 4 names of their competitors, to help me understand their business model.
Last week, one of the companies selling this sort of software asked me if I’d provide quotes for a blog article they were writing. This blog article was about various blocklists and how their software makes it such that their customers don’t really have to worry about blocking. According to the article, even domain based blocking isn’t an issue because they recommend using a domain completely separate from their actual domain. I declined to participate. I did spend a little time on their website just to see what they were doing.
This morning a vendor in the space joined one of the email slack channels I participate in asking for feedback on their software. Again, they provide software so companies can send spam through google outbound IPs. Discussions with the vendor made it clear that they take zero responsibility for how their software is used.
I don’t actually expect that even naming and shaming these companies facilitating spam will do anything to change their minds. They don’t care about the email ecosystem or how annoying their customers are. About the best they could do is accept opt-out requests from those of us who really don’t want to be bothered by their customers. Even that won’t really help, even domain based opt-outs are ineffective.
What needs to happen is companies like Google, Amazon and Microsoft need to step up and enforce their anti-spam policies.

Read More