Responding to complaints

I sent in a complaint to an ESP earlier today. This was mail from a major UK retailer to an address that is not used to sign up for mail. It’s part of an ongoing stream of spam related to UK services and products. I believe most of this is because one of the data selling companies has that address associated with someone who is not me.

I did explain I believed this was a purchased address but I’m wondering if I will get a response. The address isn’t one of those I regularly use so there isn’t a connection between “Laura, deliverability person” and “Laura, spam victim.” There are some industry folks who go out of their way to respond to my complaints. That’s always rewarding.
On a more theoretical level, I can make good arguments for responding and good arguments for not responding.

Why not respond?

  • It takes too much time. Back when I was managing the abuse desk for a large network provider, I had 3 people working under me. Between the 4 of us, we could handle a little over 2000 complaints per month. We tried to respond to all complaints, but it did slow down the amount of time it took to process issues. We were also stuck reading and responding to complaints that came in after we’d fixed the problem. This led to an important design point for Abacus: it should be easy to respond to all complaints about an issue and there should be an automatic response to people reporting closed issues.
  • Blowback. Not every from address is valid and the abuse desk may end up spamming. This happens when people don’t trust the abuse desk to correctly handle the complaint. Or when they think the address might be simply list washed. An abuse desk should not send mail automatically to forged email addresses.
  • Complainants want to argue. This particularly happens when a complainant wants one action to happen, but the abuse desk doesn’t do that. There is also a segment of the population who will argue word choices – like using double opt-in vs. single opt-in. The reporter is angry and wants to take it out on someone and, hey, the abuse desk answered so that is who they are going to argue with.
  • Publicity. Bad PR is never fun and “poor” responses can go public. Back when I was abuse, I remember one situation where someone I knew and thought was trustworthy sent in a complaint. I handled the complaint and actually sent him back a response explaining what we did and what we were unable to do. Next thing I know, the email I wrote is published to USENET and my boss is calling me on the carpet. What I failed to notice is that buried in the 5th paragraph of the email, after the 4 pages of whois and trace route data, the complainant said they might make any response public. I didn’t read that far, because I saw the headers, knew the issue, handled it and didn’t need all the details. That was one of the last times I responded to anyone, even if I “knew” them.

Why respond?

  • Politeness. This is really specific to manual complaints. The complainant has taken the time to compose an email alerting you to a problem. It’s just polite to respond.
  • Publicity. Handling abuse issues can be good publicity for a company. There are still some old timers who fondly remember the emails from Afterburner and his crew of minions. Those emails were great publicity and gave the ISP a good reputation in the anti-abuse community.
  • Transparency. Transparency in abuse handling lets the wider community know that issues are taken seriously. Without responses, the reporters are left wondering if their report was received or read.

Often the only response people get from a complaint is that the mail stops. That’s not bad, I mean, that’s usually what they wanted. But there are a small number of people who are not reporting spam to make their own mail stop, but instead are reporting spam to help the overall email ecosystem. I don’t know how to separate A from B but it would be nice if there were a way to do so.

Related Posts

Who pays for spam?

A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customers wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.
While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in Kindergarten (say your name, stop poking when asked, don’t lie) and there’s no chance you’ll be legally liable for your actions.
Legal liability is not really the concern for most ESPs. The bigger issues for ESPs include overall sending reputation and cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without having any financial consequences for the behavior. By sharing in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.
Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as they disconnect the sender.
ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.

Mary Litynski Award winner Jayne Hitchcock

This morning the Messaging, Mobile and Malware Anti-Abuse Working Group announced the winner of the Mary Litynski Award.
Congratulations to Jayne Hitchcock of WHO@ for her work over the last 2 decades fighting online abuse and cyberstalking.
I’ve never actually met Jayne, but I do remember following her story in the late 90s. She started off trying to protect people from being scammed by Woodside Literary Agency. In return for her work to inform and protect people the principals of Woodside set out on a multi-year harassment campaign against her.
This was in the late 90s and the Internet was very new. There weren’t any laws. There weren’t really abuse desks. We had to protect each other. Law enforcement didn’t know what to do with problems. There weren’t any laws against harassment online. The word “cyberstalking” was created by a reporter when describing what was happening to Jayne.
Jayne has been a force for good online and she and her volunteers help people who are victims of abuse online and cyberstalking. She’s been instrumental in getting anti-cyberstalking laws passed and helping law enforcement understand why online abuse is an issue and that it should be addressed.

Where do you accept reports?

One of the things that is most frustrating to me about sending in spam reports is that many ESPs and senders don’t actively monitor their abuse address. A few months ago I talked about getting spam from Dell to multiple email addresses of mine.
What I didn’t talk about was how badly broken the ESP was in handling my complaint. The ESP was, like many ESPs, an organization that grew organically and also purchased several smaller ESPs over the course of a few years. This means they have at least 5 or 6 different domains.
The problem is, they don’t effectively monitor abuse@ for those different domains. In fact, it took me blogging about it to get any response from the ESP. Unfortunately, that initial response was “why didn’t you tell us about it?”
I pointed out I’d tried abuse@domain1, abuse@domain2, abuse@domain3, and abuse@domain4. Some of the addresses were in the mail headers, others were in the ESP record at abuse.net. Three of those addresses bounced with “no such user.” In other words, I’d tried to tell them, but they weren’t accepting reports in a way I could access.
Every ESP should have active abuse addresses at domains that show up in their mail. This means the bounce address domain should have an abuse address. The reverse DNS domain should have an abuse address. The d= domain should have an abuse address.
And those addresses should be monitored. In the Dell case, the ESP did have an active abuse@ address but it was handled by corporate. Corporate dropped the ball and never forwarded the complaint to the ESP reps who could act on the spam issue.
ESPs and all senders should have abuse@ addresses that are monitored. They should also be tested on a regular basis. In the above case, addresses that used to work were disabled during some upgrade or another. No one thought to test to see if they were working after the change.
You should also test your process. If you send in a complaint, how does it get handled? What happens? Do you even have a complaint handling process outside of “count and forward”?
All large scale senders should have appropriate abuse@ addresses that are monitored. If you don’t, well, you look like a spammer.
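
One way a sender could audit this on their own mail, as an added example that is not part of the original post: pull the bounce domain, the reverse DNS domain and every DKIM d= domain out of a delivered message and list the abuse@ addresses that are not known to accept mail. The sample message, the `WORKING` inventory and the function names are constructed for illustration; the Received parsing assumes the common `from helo (rdns-name [ip])` layout, and dropping the leftmost label of the rDNS hostname is a simplification (a production check would use the Public Suffix List).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message; every domain is a placeholder under .example
SAMPLE = """\
Return-Path: <bounce-123@bounces.esp-one.example>
Received: from mta7.mail.esp-two.example (mta7.mail.esp-two.example [192.0.2.25])
\tby mx.recipient.example with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=retailer.example;
\ts=sel1; h=from:to:subject; bh=placeholder; b=placeholder
DKIM-Signature: v=1; a=rsa-sha256; d=esp-one.example; s=k1;
\th=from:to:subject; bh=placeholder; b=placeholder
From: Retailer <news@retailer.example>
To: someone@recipient.example
Subject: Offers

body
"""

def report_domains(raw):
    """Map each sender-controlled domain in the headers to the role it plays."""
    msg = email.message_from_string(raw)
    found = {}
    # Bounce (envelope sender) domain, recorded by the receiver in Return-Path.
    bounce = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    if bounce:
        found[bounce.lower()] = "bounce"
    # rDNS name of the connecting host, taken from the topmost Received header.
    m = re.search(r"\(([A-Za-z0-9.-]+) \[", msg.get("Received", ""))
    if m and "." in m.group(1):
        found.setdefault(m.group(1).lower().split(".", 1)[1], "rdns")
    # A message can carry several signatures; each d= is a reportable domain.
    for sig in msg.get_all("DKIM-Signature", []):
        d = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if d:
            found.setdefault(d.group(1).lower(), "dkim d=")
    return found

def unmonitored(raw, working):
    """abuse@ addresses implied by the headers that are not in the working set."""
    return sorted(f"abuse@{d}" for d in report_domains(raw)
                  if f"abuse@{d}" not in working)

# Constructed inventory: addresses the sender has confirmed accept mail.
WORKING = {"abuse@esp-one.example"}

if __name__ == "__main__":
    for dom, role in report_domains(SAMPLE).items():
        print(f"{role:8} abuse@{dom}")
    print("not accepting reports:", unmonitored(SAMPLE, WORKING))
```

Re-running the check against a fresh seed message after any mail infrastructure change catches abuse@ addresses that were silently disabled.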
