About the Hillary Clinton email server thing…

I was going to say something about the issue with Hillary Clinton using an email server provided by her own staff for some of her email traffic, rather than one provided by her employer, but @LaneWinree already wrote pretty much what I’d have written, just better than I would have done.

So, I guarantee this is exactly how the email server thing went down.
Whatever internal system the government has set up for email communication is, I guarantee, a total and utter shitshow.
Shitshow as in horrid UI, horrid performance, and just in general unusable. Most business email environments are. Government worse.
Clinton probably complains about this, someone on staff looks into fixing it, someone somewhere thinks “Hey, we could just build a server”
Given that it’s absurdly easy to build an environment to host an email server, a request gets made and some IT guy somewhere says it’s fine
So a server gets built, Clinton uses it, and the whole thing gets overlooked because someone way down the chain doesn’t vette it out
And given the sheer scale of systems the federal government uses, no one audits what systems are running and where
And if you’re Clinton or her staff, you’re thinking if IT signed off on it, it complies with all needed regulations
So where it -should- have been nixed was that federal IT level, where a network specialist sees the request and says “Nope, can’t do it.”
But because it didn’t get nixed there, no one any further up the chain should have any reason to think it’s insecure and against the rules
Here’s the dirty IT secret: This crap happens all the time. Someone at the IT level should know better and deny the request, and that’s it.
And the reason this happened is likely because building a separate environment probably saved a few days work optimizing the existing one
So when Comey says there was no intent to break the law, I totally buy it. Compliance often breaks due to badly optimized systems/processes
Coming from the IT side, I don’t expect mid/upper management to get ANY of these nuances, nor would I find value in explaining it all
So it’s totally reasonable for a manager to assume that if I sign off and build it, I believe it complies with compliance regulations.
Because, well, compliance adherence over IT systems is something -I- should be responsible for. Not a manager. Or Secretary of State.
So the tl;dnr version is a complaint happened, someone put in a request to address the complaint, and IT dropped the ball on compliance.
Yes in IT you want to be helpful and provide solutions, but you MUST know how to comply with IT regulations. That’s on you, not up the chain
I’ve posited this to some friends who also work in IT, and each one of them agrees that this is likely what happened.
Badly optimized legacy systems require a ton of work to fix, IT monkey looks for a shortcut, breaks compliance rules in the process.
@LaneWinree

Related Posts

Who pays for spam?

A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customer wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.
While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in Kindergarten (say your name, stop poking when asked, don’t lie) and there’s no chance you’ll be legally liable for your actions.
Legal liability is not really the concern for most ESPs. The bigger issues for ESPs including overall sending reputation and cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without having any financial consequences for the behavior. By sharing  in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.
Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as they disconnect the sender.
ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.

Read More

Technology does not trump policy when it comes to delivery

Recently Ken Magill wrote an article looking at how an ESP was attempting to sell him services based on the ESPs ‘high deliverability rates.’ I commented that Ken was right, and I still think he is.
Ken has a followup article today. In the first part he thanks Matt Blumberg from Return Path for posting a thoughtful blog post on the piece. Matt did have a very thoughtful article, pointing out that the vast majority of things affecting delivery are under the control of the list owner, not under the control of the ESP. As they are both right, I clearly agree with them. I’ve also posted about reputation and delivery regularly.

Read More

Do you have an abuse@ address?

I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.

Read More