Services, abuse and bears

A couple weeks ago I wrote a post about handling abuse complaints. As a bit of a throwaway I mentioned that new companies don’t always think about how their service can be abused before releasing it on the unsuspecting internet.
Today’s blog post by Margot Romary at the Return Path In the Know blog reminds me that it’s not always new companies that don’t think about abuse potential before launching services.

I don’t have enough fingers to count the instances over the years when — in running one of the largest email systems in the world at my previous employer — I had to shut down a new product launch because the peer initiated email feature of this new product was insecure.

Margo also points out that networks that allow peer-initiated messages have an average of over 20 spamtraps per IP address. The only surprise about this statistic is how low it is. Margot mentions spammer abuse as one of the primary reasons, but I don’t think every form used by Return Path clients is actually open to spammer abuse. Yes, thinking about how to spammer proof peer-submission is important. But it’s as important to think about how to stop submitters from inadvertently hurting your reputation.
It’s not just forms that have problems, social networking sites also see problems with users and spammers abusing their services.
No security is going to be perfect. After years and years of this, all the people who fight abuse can do is acknowledge that we’re never going to actually stop spammers, scammers and criminals from attacking and compromising services. We are never going to outrun the bear. But that doesn’t mean we shouldn’t think about erecting as many fences and obstacles as possible.

Related Posts

Spamhaus and Gmail

Today’s been chock full of phone calls and dealing with clients, but I did happen to notice a bunch of people having small herds of cows because Spamhaus listed www.gmail.com on the SBL.
“SPAMHAUS BLOCKS GOOGLE!!!” the headlines scream.
My own opinion is that Google doesn’t do enough to police their network and their users, and that a SBL listing isn’t exactly a false positive or Spamhaus overreaching. In this case, though, the headlines and the original article didn’t actually get the story right.
Spamhaus blocked a range of IP addresses that are owned by Google that included the IP for www.gmail.com. This range of IP addresses did not include the gmail outgoing mailservers.
Spamhaus says

Read More

Should you respond to complaints

David Spinks asks on twitter:

Should you ever contact someone who made an abuse complaint about your newsletter to find out why

Read More

Email marketing is hard

I’ve watched a couple discussions around the email and anti-spam community recently with a bit of awe. It seems many email marketers are admitting they are powerless to actually implement all the good advice they give to others.
They are admitting they can’t persuade, cajole, influence or pressure their companies to actually follow best practices. Some of the comments public and private comments I’ve heard from various industry leaders:

Read More