There’s been an explosion of “Google plugins” that facilitate spam through Gmail and G Suite. They have a similar set of features. Most of these features act to protect the spammer from spam filtering and the poor reputation that comes from purchasing lists and incessantly spamming targets. Some of these plugins have all the features of a full fledged ESP, except a SMTP server and a compliance / deliverability team.
I’ll give the folks creating these programs credit. They identified that the marketers want a way to send mail to purchased lists. But ESPs with good deliverability and reputations don’t allow purchased lists. ESPs that do allow purchased lists often have horrible delivery problems. Enter the spam enabling programs.
From the outside, the folks creating these programs have a design goal to permit spam without the negatives. What do I mean? I mean that the program feature set creates an environment where users can send spam without affect the rest of their mail.
The primary way the software prevents spam blocking is using Google, Amazon or Office 365 as their outbound mail server. Let’s be frank, these systems carry enough real mail, they’re unlikely to be widely blocked. These ISPs are also not geared up to deal with compliance the same way ESPs or consumer providers are.
There seem to be more and more of these companies around. I first learned of them when I started getting a lot of spam from vaguely legitimate companies through google mail servers. Some of them were even kind enough to inform me they were using Gmail as their marketing strategy.
I didn’t realize quite how big this space was, though. And it does seem to be getting even bigger.
Then a vendor in the space reached out looking for delivery help for them and their customers. Seems they were having some challenges getting mail into some ISPs. I told them I couldn’t help. They did mention 3 or 4 names of their competitors, to help me understand their business model.
Last week, one of the companies selling this sort of software asked me if I’d provide quotes for a blog article they were writing. This blog article was about various blocklists and how their software makes it such that their customers don’t really have to worry about blocking. According to the article, even domain based blocking isn’t an issue because they recommend using a domain completely separate from their actual domain. I declined to participate. I did spend a little time on their website just to see what they were doing.
This morning a vendor in the space joined one of the email slack channels I participate in asking for feedback on their software. Again, they provide software so companies can send spam through google outbound IPs. Discussions with the vendor made it clear that they take zero responsibility for how their software is used.
I don’t actually expect that even naming and shaming these companies facilitating spam will do anything to change their minds. They don’t care about the email ecosystem or how annoying their customers are. About the best they could do is accept opt-out requests from those of us who really don’t want to be bothered by their customers. Even that won’t really help, even domain based opt-outs are ineffective.
What needs to happen is companies like Google, Amazon and Microsoft need to step up and enforce their anti-spam policies.
Ideally, the folks providing these services will have all the tools regular ESPs do. I’m sure many of them do have a subset of those tools. But whether or not these issues are big enough to notice or deal with – as opposed to the other outbound issues they have to deal with – remains to be seen.
Of course, if the issues are big enough, the ISPs will take action and quickly. For instance, last week a poster on mailop pointed out Microsoft was the #1 spam ISP on Spamhaus’ list. A MS rep on the list responded and said they were notifying the appropriate people. This morning when I looked in preparation for this post, Microsoft was #1. When I just went to go get a screenshot, Microsoft wasn’t on the list any longer.
I know many people in the anti-abuse space are working on messaging abuse of the future. Calendar invites are one of the emerging issues. I just hope they don’t forget to address this B2B spam that goes out of its way to hide from current anti-spam services and technology.
RSS - Posts
It’s most problematic with services that hide where the email comes from so you – and your spamfilters – can’t tell that this bit of email from gmail originated on an anonymous ec2 instance rather than coming from anything more legitimate looking.
Good article, good to read such thoughts on this!
I have been saying this for a while, all the ISPs go quiet on this. I believe they don’t care as it’s money. All they really care about is inbound spam as that hurts the revenue they make from having x number of users and ads.
Well, they do care about outbound abuse and do take action. Like I said in the article MS took action very quickly once it was brought to their attention. Google notices but says the volume is low – and last year when we mentioned it to them it might have been.
It’s also not the only outbound issue that mailbox providers have to deal with. They do deal with a lot of the problem quite well. For instance, it’s rare I’ll see viruses or malware coming from a major mailbox provider. All of the mailbox providers have processes for stopping outbound spam and abuse. In this particular case it’s an emerging problem with limited volume at the moment. I just don’t think they can ignore it forever.
My opinion is they don’t care enough vs inbound spam they receive from other mail servers that are not their own. My point stands it’s a business and they will prioritise. I totally understand it isn’t the only issue, nonetheless, it’s an issue that currently affects everyday users who have no clue about security or how to protect themselves.