Confidential to ESPs

Dear Colleagues at ESPs,

We have a problem. More specifically, YOU have a problem. You have a spam problem. One that you’re not taking care of in any way, shape or form.

There was a point where ESPs started caring about spam coming out of their networks. They got blocked enough that they had to take action. Because they took action, a lot of the big blocklists started being nice. Spamhaus, for instance, would do ‘informational’ listings so that ESPs could fix things rather than going straight to a block.

This led management at ESPs to start to think they had this spam thing under control. They stopped worrying too much about spam and compliance. I mean, to management the whole point of having a compliance desk is to stop the blocks. No blocks mean no problems with spam out of the network, right?

As someone who gets a lot of B2B spam, let me make it clear: you have not stopped spam coming off your networks. What’s even worse is that your current processes don’t act on complaints.

  • One major ESP has their abuse desk behind spam filters, so spam complaints get thrown away (the abuse mailbox is the one mailbox that must never be spam-filtered, since the mail it exists to receive looks like spam). I’ve talked with folks inside this company, who have confirmed to me that they don’t see complaints from me in the abuse box, even though I can produce logs showing their MTA accepted the mail. Those same people have asked me to send them copies of the complaints, which also never make it to their mailboxes. In one case we resorted to copying and pasting headers into Slack.
  • This same ESP has been allowing multiple customers to send their “We have your data and are going to sell it to people” pitch through the ESP. It’s been reported over and over again, but the spam still keeps coming. These “multiple” customers have suspiciously similar websites and email content and structure. Oh, and they’re not even complying with CAN-SPAM.
  • Another major ESP ignored complaints about a B2B spammer for months. When I finally reached out to a friend who worked there, I was told “oh, we only got your complaint and no FBLs, so we never investigated further.” Newsflash: you will never get FBLs for B2B mail. They don’t exist, because the corporate mail systems on the receiving end don’t run feedback loops. If you’re relying on FBL counts to trigger action at your compliance desk, you may as well just hang out a “SPAMMERS WELCOME HERE!” sign.
  • Yet another major ESP is currently allowing a customer to spam. I’ve even gotten a response from their abuse desk telling me ‘they’re looking into it.’ This particular ESP was one of the first signatories on my “ESPs that prohibit purchased lists” blog post. They clearly do allow purchased lists, as the only way this email address could have got onto a list is if it was purchased. That fact was in my initial spam report, the one the ESP responded to.

Here’s the deal, many ESPs need to get their poop in a group and stop allowing so much spam off their networks. They need to stop thinking what they’re doing is adequate and enough. It’s not.

I’m not the only one that is frustrated here. Talking with some of the Spamhaus folks last month in London made it very clear that they’re done with cutting ESPs slack. There was an incident back in the spring where a large number of informational listings targeted ESP IP addresses. These were removed pretty quickly, but not because they were in error. It was because the sheer volume of listings meant the delistings couldn’t be processed in a timely manner.

Those listings will be coming back if the spam doesn’t stop. They are all legit listings and they’ll be pushed out in a way that makes the volume easier to handle.

Just recently I said that Spamhaus’ listing of a shared IP at a major ESP was likely due to Spamhaus running out of patience with the lack of action by that ESP. Y’know what really concerned me? In the same discussion was someone who handles blocking for a major B2B filter. This person is usually pretty quiet; mostly they assist with blocks. They followed up to my comment with “Spamhaus isn’t the only one.”

ESPs, you have a spam problem. Folks responsible for blocking spam are losing patience with your failures to address active spam coming from your network. Some of the biggest ESPs in the business are sending more spam than they should be. They need to get their house in order. Those of you who have chatted with me in various other places know I’ve been beating this drum for a while now.

One of the things that always happens when I bring this up is colleagues reach out to me and tell me that I can always send them complaints directly. First, no, I can’t, as some of you have spam filters that throw the complaints away. Second, no, I shouldn’t have to. I shouldn’t have to keep a list of who works where in order to submit complaints to the right place in order to tell ESPs they have a spammer. Third, no, I should not be getting special treatment here. Your systems should be able to take a complaint from anyone and make it so that person doesn’t get spammed again.

Escalation channels are good, but should never be needed for “hey, your customer bought a list / is mailing an address stolen from X / got chased off 3 other ESPs” style complaints. Escalations are for non-standard situations. A spam complaint is not a weird situation.
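To make concrete what “take a complaint from anyone and make it so that person doesn’t get spammed again” looks like at the intake end, here is a small abuse-desk handler. It is an added example, not code from the original post or from any ESP, and it assumes two things: that the ESP stamps every outbound message with an `X-ESP-Customer` header (a hypothetical header name) so a forwarded complaint can be attributed to a customer account, and that complaints arrive at abuse@ as the original message with its headers intact. The complaint message and addresses below are constructed for the example. The point it demonstrates is the one the FBL bullet above makes: the handler suppresses the complainant globally and opens a ticket on the very first human complaint, and never uses an FBL count as the gate.

```python
"""Abuse-desk intake that acts on a single forwarded complaint (example only)."""
import email
from email import policy
from email.utils import parseaddr
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical header the ESP stamps on every outbound message (an assumption).
CUSTOMER_HEADER = "X-ESP-Customer"

# Constructed sample: the spam forwarded to abuse@ with its headers intact.
SAMPLE_COMPLAINT = """\
Received: from mta1.esp.example (mta1.esp.example [192.0.2.10])
        by mx.recipient.example with ESMTPS; Tue, 1 Oct 2019 10:00:00 +0000
Delivered-To: laura@recipient.example
X-ESP-Customer: cust-4711
List-Unsubscribe: <mailto:unsub-cust-4711@esp.example>
From: "Sales Team" <sales@vendor.example>
To: laura@recipient.example
Subject: We have your data

We hold your contact details and will sell them on unless you reply.
"""


@dataclass
class Complaint:
    recipient: str
    customer: Optional[str]
    sender: str
    has_optout: bool


def parse_complaint(raw: str) -> Complaint:
    """Pull the facts the desk needs out of a forwarded complaint."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Delivered-To is the address the MTA actually delivered to; To: may be a
    # display name, a list address, or missing entirely.
    recipient = parseaddr(msg.get("Delivered-To") or msg.get("To") or "")[1].lower()
    customer = msg.get(CUSTOMER_HEADER)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return Complaint(recipient, customer, sender, msg.get("List-Unsubscribe") is not None)


@dataclass
class SuppressionStore:
    """In-memory stand-in for the ESP's global suppression list and ticket queue."""
    suppressed: set = field(default_factory=set)     # addresses no customer may mail
    complaints: dict = field(default_factory=dict)   # customer -> complaint count
    tickets: list = field(default_factory=list)


def handle_complaint(raw: str, store: SuppressionStore, fbl_reports: int = 0) -> dict:
    """Act on one complaint. fbl_reports is recorded on the ticket but never used
    as a gate: B2B mail produces no FBL traffic, so one human complaint is enough."""
    c = parse_complaint(raw)
    if not c.recipient:
        return {"action": "reject", "reason": "no recipient address in complaint"}
    # 1. Global suppression: the complainant stops getting mail from *any* customer,
    #    so the same spammer reappearing under a new account cannot reach them.
    store.suppressed.add(c.recipient)
    # 2. Attribute the complaint and open a ticket unconditionally.
    key = c.customer or f"unknown-sender:{c.sender}"
    store.complaints[key] = store.complaints.get(key, 0) + 1
    findings = []
    if c.customer is None:
        findings.append("no customer header: check MTA logs for the sending account")
    if not c.has_optout:
        findings.append("no List-Unsubscribe header: review opt-out compliance")
    ticket = {"customer": key, "recipient": c.recipient, "sender": c.sender,
              "complaints": store.complaints[key], "fbl_reports": fbl_reports,
              "findings": findings}
    store.tickets.append(ticket)
    return {"action": "suppressed_and_ticketed", **ticket}


def may_send(store: SuppressionStore, address: str) -> bool:
    """Send-time check that every customer's sends go through."""
    return address.lower() not in store.suppressed


if __name__ == "__main__":
    s = SuppressionStore()
    print(handle_complaint(SAMPLE_COMPLAINT, s))
    print("may send to complainant:", may_send(s, "laura@recipient.example"))
```

The suppression is keyed on the recipient address alone rather than on the customer, because the pattern described in this post is the same sender turning up again on another account or another ESP; a per-customer suppression would let the next account mail the complainant all over again.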

I will point out, too, that this is not an intractable or impossible problem. Two of the biggest ESPs almost never show up in my mailbox. When they do show up, it only takes a single complaint and the spam stops. Now, maybe they’re just removing my address from their customer’s list, I don’t know. But, y’know what? That’s more than many ESPs do. I do regularly see the same sender turn up again from a different ESP, which tells me the first one actually dealt with them.

Many of the ESPs I’m seeing problems from used to be part of the solution. They used to have competent and functional compliance desks. For whatever reason (staff attrition, buyouts and management changes, complacency, lack of consequences) they’re becoming part of the problem. It’s time to step up or face the listings.

Related Posts

ESPs are failing recipients

Over the last few years I’ve reduced the complaints I send to ESPs about their customers to almost nothing. The only companies I send complaints to are ones where I actually know folks inside the compliance desk, and I almost never expect action, I just send them as professional courtesy.


The Blighty Flag

Back in the dark ages (the late ’90s) most people used dialup to connect to the internet. Those people who had broadband could run all sorts of services off it, including websites and mail servers and such. We had a cable modem for a while handling mail for blighty.com.

At that time blighty.com had an actual website. This site hosted some of the very first online tools for fighting abuse and tracking spam. At the same time, both of us were fairly active on USENET and in other anti-spam fora. This meant there were more than a few spammers who went out of their way to make our lives difficult, sometimes by filing false complaints, other times by actually causing problems through the website.

At one point, they managed to get a complaint to our cable provider and we were shut off. Steve contacted their postmaster, someone we knew and who knew us, who realized the complaint was bogus and got us turned back on. The postmaster also said he was flagging our account with “the blighty flag”, meaning he had to review the account before it could be turned off in the future.

I keep imagining the blighty flag looking like this in somebody’s database.

That is to say, sometimes folks disable accounts they really shouldn’t be disabling. Say, for instance:

This was an accident by a twitter employee, according to a post by @TwitterGov


Who pays for spam?

A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customers wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.

While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in kindergarten (say your name, stop poking when asked, don’t lie) and there’s little chance you’ll be legally liable for your actions.

Legal liability is not really the concern for most ESPs. The bigger issues for ESPs include overall sending reputation and the cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without any financial consequences for the behavior. By sharing in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.

Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as it disconnects the sender.

ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.
