Complaints, contacts and consequences

Yesterday the CRM system Zoho suffered an unexpected outage when their registrar, TierraNet, suspended their domain. According to TechCrunch, Zoho’s CEO says there was no notification to the company and that the company had only 3 complaints about phishing.

Based on the article, even as a Zoho customer, I am fully on the registrar’s side here. Every company, absolutely every company that provides service online has a responsibility, even an obligation, to minimise the harm through their service. I have zero doubt that this was an ongoing issue and that TierraNet attempted to contact Zoho multiple times. I also believe that Zoho never got the message.

Why? Too many companies run their abuse and security emails through the same filter that they use for employee emails. These filters often block, or drop into the spam folder, reports that contain spam or phishing content. I’ve absolutely had issues where I talk to someone inside a company and then forward them an example of a problem email, only to have their filters eat the email.
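One way to keep an abuse desk from eating its own reports is to route mail for the RFC 2142 role mailboxes (abuse@, security@, postmaster@) and ARF feedback reports around the content filter and into a dedicated queue, while ordinary employee mail keeps the usual spam verdict. The following is an added illustration of that routing decision, not code from Zoho, TierraNet or this blog; the sample messages, the `example.com` addresses and the quarantine threshold are constructed for the example.

```python
"""Route inbound mail so that reports to the abuse desk are never swallowed
by the employee-mailbox spam filter.

Added illustration; not the code of any company named in the post. The
messages, addresses and threshold below are constructed for the example.
"""
from email import message_from_string, policy
from email.utils import getaddresses

# RFC 2142 role mailboxes that exist precisely to receive unwanted mail.
ROLE_LOCALPARTS = {"abuse", "security", "postmaster"}

# Constructed threshold: ordinary mail scoring at or above this is quarantined.
QUARANTINE_THRESHOLD = 5.0


def recipient_localparts(msg):
    """Return the lowercased local-parts of every To/Cc recipient."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        addr.rsplit("@", 1)[0].lower()
        for _, addr in getaddresses([str(h) for h in headers])
        if "@" in addr
    }


def is_abuse_report(msg):
    """True if the message is addressed to a role mailbox, or is an ARF
    (RFC 5965) feedback report, which wraps the offending mail inside it."""
    if recipient_localparts(msg) & ROLE_LOCALPARTS:
        return True
    return (
        msg.get_content_type() == "multipart/report"
        and str(msg.get_param("report-type") or "").lower() == "feedback-report"
    )


def route(raw_message, spam_score):
    """Decide where a message goes.

    spam_score is whatever the content filter produced (supplied by the caller
    here). Reports to the abuse desk bypass that verdict and land in their own
    queue; everything else is filtered as usual.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    if is_abuse_report(msg):
        return "abuse-queue"
    return "quarantine" if spam_score >= QUARANTINE_THRESHOLD else "inbox"


# Constructed sample: a forwarded phishing sample sent to the abuse desk.
FORWARDED_TO_ABUSE = """\
From: reporter@mailbox.example
To: abuse@example.com
Subject: Fwd: Your account is suspended
Content-Type: text/plain

Forwarded phishing sample: "Verify your password at the link below."
"""

# Constructed sample: the same content sent to an ordinary employee.
FORWARDED_TO_EMPLOYEE = FORWARDED_TO_ABUSE.replace(
    "To: abuse@example.com", "To: jane.doe@example.com"
)

# Constructed sample: an ARF report sent to a non-role address.
ARF_REPORT = """\
From: feedback@isp.example
To: reports@example.com
Subject: Abuse report
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an email abuse report.
--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: Constructed/1.0
Version: 1
--b1--
"""


def demo():
    """Route the three samples, each given a high constructed spam score."""
    return {
        "forwarded_to_abuse": route(FORWARDED_TO_ABUSE, 9.2),
        "forwarded_to_employee": route(FORWARDED_TO_EMPLOYEE, 9.2),
        "arf_report": route(ARF_REPORT, 9.2),
    }


if __name__ == "__main__":
    for name, destination in demo().items():
        print(f"{name}: {destination}")
```

The point of the split is that the same phishing sample which rightly gets quarantined for an employee is exactly the evidence the abuse desk needs to see, so the role mailboxes are exempted from the content verdict rather than scored alongside everything else.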

But then we did some research. It seems Zoho does have a problem with customers phishing. BUT! They also have a functioning abuse address that acts on complaints.

Over the last 3 years, we’ve sent complaints to Zoho reporting phishing from a number of different customers. Since 2016, they consistently respond and disconnect the phishing site. Sure, the response is boilerplate, but the sites are disconnected.

So the comment to TechCrunch from the CEO about only 3 complaints is confusing. We’ve sent more than that, and the abuse desk has acted on the complaints. Maybe the registrar doesn’t have up-to-date contact information, maybe Zoho thought they were too big to disconnect. In any case, Zoho does have customers using their site to send phishing mail, but they also appear to have a functional abuse desk that’s handling the complaints.

Alternatively, it’s possible that it’s TierraNet that has the non-functional abuse desk. They wouldn’t be the first registrar to have horrible processes resulting in customers losing connectivity when they didn’t deserve it.

All of this is a good example of how challenging compliance is, and how complex managing networks can be.

Compliance is hard

The underlying moral here is that compliance is a vital part of offering any service online. Compliance is also hard and requires smart, engaged, empowered people with the right tools.

Nearly 20 years ago I wrote my first compliance desk process document. I was managing a team working at a very large provider. Some of our customers were companies you may have heard of: eBay, Hotmail, Geocities, Napster. Some of our customers were actually large providers themselves and had customers of their own.

As the compliance team our job was to minimize the abuse going through our network. But it wasn’t as simple as shutting down anyone we got complaints about. We had to investigate to see whether the complaints were legitimate: did we have evidence that there was a violation here? If there was, we needed to take appropriate action. That action was rarely “shut the customer down.” Why? There were contracts and SLAs and millions of dollars of monthly revenue at stake.

I remember having a rather heated discussion with folks on the team. They thought we, as a contracted abuse desk, should have the power to shut down any customer at any time. There is no way you want an outside contractor with that type of power and lack of oversight. It simply was a bad business decision to allow us to shut down all of eBay because one of their users sent spam linking to an auction. It was a bad business decision to shut down a company as large as eBay without warning, period. We needed processes to make sure that we gave customers with their own customers the tools and information they needed to manage their abuse. Sure, we had the ability to force them to take action, as we could shut them down. But not every compliance relationship needs to be combative.

Communication is vital

Setting up good processes is vital. I’m working with multiple clients right now to help them work through how to set up their own compliance desks. These customers also have to make sure they stay in communication with their upstream compliance desk. Everyone has to have good contact information for each other. Maybe the Zoho / TierraNet problem was simply that a Zoho employee moved on and everyone forgot to update their point of contact with the registrar. When the registrar sent the notifications, they may have gone to an empty mailbox (or a spamtrap!) or to an employee who had no idea what to do with it.

Still, simply disconnecting a company as big as Zoho, with so many vital services running off it, was something that shouldn’t have been done lightly. And maybe it wasn’t. In any case, this ended up being bad publicity for TierraNet, a bad experience for Zoho and it didn’t really protect anyone. The consequence for poor compliance handling and poor communication is Zoho and all their customers are off the air. TierraNet looks bad and is likely to lose some customers. The travesty is that end users are no safer than they were before this whole thing happened.

What next?

I’m a big believer that every online service needs some sort of compliance desk. Yes, even if you are a CRM provider. Even if you are a small social networking site designed for certain types of clubs. If you provide services to third parties, you need to have some sort of way to make sure your customers don’t create problems online.

Providers that offer services to other providers need to make sure their compliance desk has a clear path of escalation. They can’t, and shouldn’t, take all compliance away from customers by default. But they should also have processes for disconnecting even the big customers.

Compliance is complicated. It’d be lovely if it could be automated, but there is no AI that can make the complex decisions required for an effective compliance desk. Sure, a lot of the work can be automated, a lot of the decisions can be automated even. But there will always be cases that need trained, experienced, smart people to navigate effectively.
