ESPs need to step up their compliance game

I don’t send a lot of spam complaints generally. Mostly I block and move on. There are some companies, though, that I offer the professional courtesy of sending a complaint or a report to their abuse@ address. Former clients, friends and colleagues generally get that courtesy.

The number of ESPs that completely fail to take any action is disappointing. Too many of them can’t even manage the simple courtesy of removing addresses. A few don’t even process bounces correctly and continue to send mail even when getting a spam block or 550 user unknown.

Sometimes I’ll reach out to folks who I know work at particular ESPs, although that’s less common these days as everyone seems to be moving companies and I can’t keep track. Often I get an invite to “always send me complaints directly.” That … is not a solution, people. Expecting people who are reporting spam to go out of their way to send mail to individuals rather than a standard mailbox just puts more on the recipient. For me, at least, it involves a trip to LinkedIn to figure out who I know at a particular place and sometimes I’m just too busy.

There’s also the problem where at least one ESP throws away direct reports to their staff, probably because ‘they contain spam.’ I reached out to a colleague who asked me to forward the reports to them. They never received the reports and we resorted to me cutting and pasting headers into a slack conversation.

Look, I get it. Compliance is a challenge. I’ve set up enough compliance desks over the years to understand things will fall through the cracks. But I’ve also worked with desks that have automation that extract the address from every complaint at receipt time and make sure that address is suppressed from the problem customer’s list. That happens before the report is ever seen by a human, ensuring that people who are complaining don’t have to complain more than once.

I also understand that mergers and acquisitions and company expansions mean that sometime there’s not a clear pathway to the abuse box. There was one ESP that had abuse@esp in their headers as the right place to complain. The problem was those emails were handled by legal at the parent company and were never sent to the actual division sending the mail. There’s also been a massive relaxation in what’s acceptable, with many ESPs looking the other way when lists or addresses are acquired without permission. And, yes, some of those are on my list and I have heard directly from their abuse desks that action won’t be taken against the sender even though there’s incontrovertible evidence the address was acquired through a third party.

Many ESPs are failing to effectively stop abuse through their networks. Some of this is because how we monitor abuse hasn’t kept up with the changes in the email ecosystem. Other problems include unsupportive management, understaffed compliance desks, and abandoned or unmonitored abuse@ addresses. Then there is the entire ecosystem of spam that is built around Google, Office365 and data sellers.

In a week, many of us will be getting together in London to talk about ways to reduce messaging abuse. These events tend to be busy and there’s so much to talk about we don’t always get to have the conversations we need to. Maybe we need to make some time to have this conversation, though. How can we, as ESPs, stop more abuse than we’re currently managing to stop? What can we do to make the Internet a better, safer place? Are there some easy changes we can make to improve things?

Related Posts

Where do you accept reports?

One of the things that is most frustrating to me about sending in spam reports is that many ESPs and senders don’t actively monitor their abuse address. A few months ago I talked about getting spam from Dell to multiple email addresses of mine.
What I didn’t talk about was how badly broken the ESP was in handling my complaint. The ESP was, like many ESPs, an organization that grew organically and also purchased several smaller ESPs over the course of a few years. This means they have at least 5 or 6 different domains.
The problem is, they don’t effectively monitor abuse@ for those different domains. In fact, it took me blogging about it to get any response from the ESP. Unfortunately, that initial response was “why didn’t you tell us about it?”
I pointed out I’d tried abuse@domain1, abuse@domain2, abuse@domain3, and abuse@domain4. Some of the addresses were in the mail headers, others were in the ESP record at abuse.net. Three of those addresses bounced with “no such user.” In other words, I’d tried to tell them, but they weren’t accepting reports in a way I could access.
Every ESP should have active abuse addresses at domains that show up in their mail. This means the bounce address domain should have an abuse address. The reverse DNS domain should have an abuse address. The d= domain should have an abuse address.
And those addresses should be monitored. In the Dell case, the ESP did have an active abuse@ address but it was handled by corporate. Corporate dropped the ball and never forwarded the complaint to the ESP reps who could act on the spam issue.
ESPs and all senders should have abuse@ addresses that are monitored. They should also be tested on a regular basis. In the above case, addresses that used to work were disabled during some upgrade or another. No one thought to test to see if they were working after the change.
You should also test your process. If you send in a complaint, how does it get handled? What happens? Do you even have a complaint handling process outside of “count and forward”?
All large scale senders should have appropriate abuse@ addresses that are monitored. If you don’t, well, you look like a spammer.

Read More

Raising the standard

Last week news broke that Mailchimp had disconnected a number of anti-vaccination activists from their platform and banned anti-vax content. I applaud their decision and hope other companies will follow their lead in banning harmful content from their network.

Read More

May 2015: The Month in Email

Greetings from Dublin, where we’re gearing up for M3AAWG adventures.
In the blog this month, we did a post on purchased lists that got a lot of attention. If you’ve been reading the blog for any length of time, you know how I feel about purchased lists — they perform poorly and cause delivery problems, and we always advise clients to steer clear. With your help, we’ve now compiled a list of the ESPs that have a clearly stated policy that they will not tolerate purchased lists. This should be valuable ammunition both for ESPs and for email program managers when they asked to use purchased lists. Let us know if we’re missing any ESPs by commenting directly on that post. We also shared an example of what we saw when we worked with a client using a list that had been collected by a third party.
In other best practices around addresses, we discussed all the problems that arise when people use what they think are fake addresses to fill out web forms, and gave a nod to a marketer trying an alternate contact method to let customers know their email is bouncing.
We also shared some of the things we advise our clients to do when they are setting up a mailing or optimizing an existing program. You might consider trying them before your own next send. In the “what not to do” category, we highlighted four things that spammers do that set them apart from legitimate senders.
In industry news, we talked about mergers, acquisitions and the resulting business changes: Verizon is buying AOL, Aurea is buying Lyris, Microsoft will converge Office365/EOP and Outlook.com/Hotmail, and Sprint will no longer support clear.net and clearwire.net addresses.
Josh posted about Yahoo’s updated deliverability FAQ, which is interesting reading if you’re keeping up on deliverability and ESP best practices. He also wrote about a new development in the land of DMARC: BestGuessPass. Josh also wrote a really useful post about the differences between the Mail From and the Display From addresses, which is a handy reference if you ever need to explain it to someone.
And finally, I contributed a few “meta” posts this month that you might enjoy:

Read More