BLOG
Questions about Spamhaus
I have gotten a lot of questions about Spamhaus since I’ve been talking about them on the blog and on various mailing lists. Those questions can be condensed and summed up into a single thought.
What engagement metrics should I monitor to avoid a Spamhaus listing?
First off Spamhaus doesn’t care about about engagement.
Spamhaus wants you to stop mailing people who never asked to receive mail from you. That’s all.
Stop sending unsolicited bulk email. Period.
Engagement is mostly used by the large ISPs who are trying to work out which of you are sending mail people asked for and which of you are just harvesting addresses and spamming wildly. They’re using engagement as part of their metrics to separate out the good from the bad.
The only time engagement comes into play with Spamhaus is when you hire people like me to help you get out of the hole you’ve dug yourself. Those people like me? We tell you, “Well, Spamhaus wants you to go COI, but I think we can fix this problem without having to go so aggressive. I think if we fix your collection processes going forward and remove unengaged people, then you’ll only be mailing people who want to receive mail from you.” And then we go to bat for you with Spamhaus.
And I’ve made it work before so so they’ll give you a chance to have me help you stop being spammers. Not only do my methods work to stop future listings, some of my clients have reported a doubling of revenue from emails.
If marketers would stop sending mail to people who never asked to receive it, they would never have to deal with a Spamhaus block ever again. Spamhaus doesn’t go out of their way to look for senders, they just passively monitor addresses that have never asked for mail. Stop hitting those addresses and magically all your Spamhaus problems will go away.
Well said, Laura.
Methods to reduce incorrect subscriptions inevitably introduce friction to the subscription process — a generally undesirable thing for users and marketers.
The key question then is how much friction is appropriate for what level of error reduction.
Unfortunately it seems that while most everyone agrees on the principle of optin, marketers & Spamhaus get into shouting matches about the details of what error rate is acceptable, how much due diligence is necessary etc. and the whole conversation just ends up producing more heat than light.
I don’t think Spamhaus has said much in regards to what error rate is acceptable, merely that persistent bad behavior drives listings. And the two obvious points that are central to this discussion are the two simple ideas.
First, it’s much harder and more painful to clean up a dirty list than it is to just build a clean one in the first place. Instead of bending over backwards trying to reverse-engineer permission, why not have a process to ensure that you have permission to begin with?
Second, if a marketer can’t successfully motivate a consumer to click on an email confirmation link, how can they possibly hope to sell that consumer something that costs them more than the time spent clicking on an email?
That ‘how much friction’ on the front-end, regardless of how much it is, will be much less painful than cleanup after the Spamhaus listing from doing it horribly wrong.
Hang on – if you go fully COI/DOI and then don’t mail for a year – perhaps your business mailing needs are annual. Say on the first anniversay you bounce, year 2 you get listed because Spamhaus has bought up the domain for trapping. You have permission to mail that address – the fact someone has come along to cybersquat it as a honeypot does not remove that consent – that *is* all about engagement Laura.
Also you said yesterday that a single mail would not get you listed with Spamhaus. That is not correct. If you happen to have a misconfigured mailer – and fire into specific domains that the CBL list is monitoring (cough – messagelabs etc) with a bad helo (eg ‘localhost’), you’ll find yourself listed very fast for a single instance. Granted CBL != Spamhaus, but none the less it will cause you to be blocked by Spamhaus (zen).
Show me where that has happened, somebody is truly COI and a delay in mailing caused an SBL entry. I suppose it COULD happen, but it’s so edge case as to be too far out there to worry about. So I think Laura’s still correct.
What is important is it *could* happen. Don’t you yourself – in your role with a large ESP – have an on off issue with UCEProtect doing just this? Cybersquatting old domains and then blocking your shared IP’s when they are mailed by your customers, despite your customers having full consent to mail?
For example – does 207.xx.xx.28 ring any bells lately? AFAIR you have a stock answer for this as and when it crops up: “‘What kind of blocklist charges for removal” ?? I think I’ve heard you say it about Sorbs & UCEProtect over the years that I’ve been reading your various posts.
The result is simple enough – legitimate senders with genuine opt-in contacts can get blocklisted. Car dealers – for one thing – are quite prone to this problem. They are perfectly legitimate businesses but have infrequent mailing needs. It’s probably not common – but it happens. Whist it’s not Spamhauscentric – these false postives do occur and I know that you know that Mr Iverson.
By and large blocklists do a great job (except a couple of them which clearly could be run a great deal better than they are) – but they are not perfect and I’m sure they are more than aware of their own issues. Spamhaus & Barracuda are clearly the better ones.
Spamhaus and UCEProtect aren’t really in the same discussion. Spamhaus is a broad-reaching business run by professionals, with a pronounced impact on deliverability. UCEProtect was (is?) a tiny farce run by an idiot, with a very small reach. In general, if you think UCEProtect is your problem, then you are looking for your keys under the lamppost “because the light is better here”. You should really be looking somewhere else.
Sure, UCEProtect is run by a nutjob – I don’t think anyone could disagree with that. I’m not sure I agree with your remarks about Spamhaus being professional, having read some of the public musings and rantings of Mr Linford – but I don’t want to get into that, it’s not a discussion that belongs on Laura’s blog.
My point is that there are circumstances where mailing opt-in recipients quite legitimately, but very infrequently, could result in getting listed where an organisation buys up old domains to use for traps and this can probably be avoided by better engagement with more frequent mails.
A techincal solution for it could be to employ an opt-in system for infrequent mailers that performs a whois lookup on the domain being used to subscribe, and sets a review date based on it’s expiry. But, engagement could really help it. Seems bizarre to be punished for infrequent legitimate mailing – but there you have it. 50 shades of engagement 🙂
Here’s the thing, though. I’m not seeing people getting blacklisted after using COI. Is it out there somewhere? Maybe, but I’m doubting it until I observe it with my own two eyes.