I don’t send a lot of spam complaints generally. Mostly I block and move on. There are some companies, though, that I offer the professional courtesy of sending a complaint or a report to their abuse@ address. Former clients, friends and colleagues generally get that courtesy.
The number of ESPs that completely fail to take any action is disappointing. Too many of them can’t even manage the simple courtesy of removing addresses. A few don’t even process bounces correctly and continue to send mail even when getting a spam block or 550 user unknown.
Sometimes I’ll reach out to folks who I know work at particular ESPs, although that’s less common these days as everyone seems to be moving companies and I can’t keep track. Often I get an invite to “always send me complaints directly.” That … is not a solution, people. Expecting people who are reporting spam to go out of their way to send mail to individuals rather than a standard mailbox just puts more on the recipient. For me, at least, it involves a trip to LinkedIn to figure out who I know at a particular place and sometimes I’m just too busy.
There’s also the problem where at least one ESP throws away direct reports to their staff, probably because ‘they contain spam.’ I reached out to a colleague who asked me to forward the reports to them. They never received the reports and we resorted to me cutting and pasting headers into a Slack conversation.
Look, I get it. Compliance is a challenge. I’ve set up enough compliance desks over the years to understand things will fall through the cracks. But I’ve also worked with desks that have automation that extracts the address from every complaint at receipt time and makes sure that address is suppressed from the problem customer’s list. That happens before the report is ever seen by a human, ensuring that people who are complaining don’t have to complain more than once.
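A sketch of that receipt-time suppression, added here as an illustration and not taken from the post or from any ESP's system. It assumes complaints arrive either as ARF reports (RFC 5965) or as forwards with the spam attached as `message/rfc822`, and that outbound mail carries a hypothetical `X-Customer-ID` header; the function names and the sample report are constructed.

```python
from email import message_from_string, policy
from email.utils import parseaddr

CUSTOMER_HEADER = "X-Customer-ID"  # hypothetical header the ESP stamps on outbound mail

def extract_complaint(raw):
    """Return (complainant address, customer id), or None where not found."""
    arf_rcpt = original = None
    for part in message_from_string(raw, policy=policy.default).walk():
        # Only message/* containers (parsed as nested messages) carry what we need.
        ctype = part.get_content_type() if part.is_multipart() else ""
        if ctype == "message/feedback-report" and arf_rcpt is None:
            arf_rcpt = part.get_payload(0).get("Original-Rcpt-To")
        elif ctype == "message/rfc822" and original is None:
            original = part.get_payload(0)  # the reported message itself
    if original is None:
        return None, None
    rcpt = arf_rcpt or original.get("To")  # ARF field first, else the To header
    address = parseaddr(str(rcpt))[1].lower() if rcpt else None  # lowercasing: simplification
    customer = original.get(CUSTOMER_HEADER)
    return address or None, str(customer).strip() if customer else None

def suppress_on_receipt(raw, suppressions):
    """Suppress before any human sees the report; False means manual triage."""
    address, customer = extract_complaint(raw)
    if not (address and customer):
        return False
    suppressions.setdefault(customer, set()).add(address)
    return True

# Constructed, trimmed sample report (not a real complaint).
ARF_REPORT = """To: abuse@esp.example
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
Original-Rcpt-To: <Reader@Example.org>

--b1
Content-Type: message/rfc822

To: someone-else@example.org
X-Customer-ID: cust-42

Buy now.
--b1--
"""
```

Reports that yield no address or no customer return `False` and stay in the queue for a person to handle, so automation never silently drops a complaint.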
I also understand that mergers and acquisitions and company expansions mean that sometimes there’s not a clear pathway to the abuse box. There was one ESP that had abuse@esp in their headers as the right place to complain. The problem was those emails were handled by legal at the parent company and were never sent to the actual division sending the mail. There’s also been a massive relaxation in what’s acceptable, with many ESPs looking the other way when lists or addresses are acquired without permission. And, yes, some of those are on my list and I have heard directly from their abuse desks that action won’t be taken against the sender even though there’s incontrovertible evidence the address was acquired through a third party.
Many ESPs are failing to effectively stop abuse through their networks. Some of this is because how we monitor abuse hasn’t kept up with the changes in the email ecosystem. Other problems include unsupportive management, understaffed compliance desks, and abandoned or unmonitored abuse@ addresses. Then there is the entire ecosystem of spam that is built around Google, Office365 and data sellers.
In a week, many of us will be getting together in London to talk about ways to reduce messaging abuse. These events tend to be busy and there’s so much to talk about we don’t always get to have the conversations we need to. Maybe we need to make some time to have this conversation, though. How can we, as ESPs, stop more abuse than we’re currently managing to stop? What can we do to make the Internet a better, safer place? Are there some easy changes we can make to improve things?
I totally agree with you Laura, over the years the situation has gotten worse.
My take is that this falls under the “too big to block” (aka “I don’t care anymore”) category and I am looking forward to discussing it next week.
I am not saying good folks in the abuse desks don’t feel bad about it, on the contrary, but – in my opinion – the organization of those “big companies” reflects an understating/resizing of abuse desk’s powers, and that’s why good guys keep moving.