ESPs need to step up their compliance game

I don’t send a lot of spam complaints generally. Mostly I block and move on. There are some companies, though, that I offer the professional courtesy of sending a complaint or a report to their abuse@ address. Former clients, friends and colleagues generally get that courtesy.

The number of ESPs that completely fail to take any action is disappointing. Too many of them can’t even manage the simple courtesy of removing addresses. A few don’t even process bounces correctly and continue to send mail even when getting a spam block or 550 user unknown.

Sometimes I’ll reach out to folks who I know work at particular ESPs, although that’s less common these days as everyone seems to be moving companies and I can’t keep track. Often I get an invite to “always send me complaints directly.” That … is not a solution, people. Expecting people who are reporting spam to go out of their way to send mail to individuals rather than a standard mailbox just puts more on the recipient. For me, at least, it involves a trip to LinkedIn to figure out who I know at a particular place and sometimes I’m just too busy.

There’s also the problem where at least one ESP throws away direct reports to their staff, probably because ‘they contain spam.’ I reached out to a colleague who asked me to forward the reports to them. They never received the reports and we resorted to me cutting and pasting headers into a slack conversation.

Look, I get it. Compliance is a challenge. I’ve set up enough compliance desks over the years to understand things will fall through the cracks. But I’ve also worked with desks that have automation that extract the address from every complaint at receipt time and make sure that address is suppressed from the problem customer’s list. That happens before the report is ever seen by a human, ensuring that people who are complaining don’t have to complain more than once.

I also understand that mergers and acquisitions and company expansions mean that sometime there’s not a clear pathway to the abuse box. There was one ESP that had abuse@esp in their headers as the right place to complain. The problem was those emails were handled by legal at the parent company and were never sent to the actual division sending the mail. There’s also been a massive relaxation in what’s acceptable, with many ESPs looking the other way when lists or addresses are acquired without permission. And, yes, some of those are on my list and I have heard directly from their abuse desks that action won’t be taken against the sender even though there’s incontrovertible evidence the address was acquired through a third party.

Many ESPs are failing to effectively stop abuse through their networks. Some of this is because how we monitor abuse hasn’t kept up with the changes in the email ecosystem. Other problems include unsupportive management, understaffed compliance desks, and abandoned or unmonitored abuse@ addresses. Then there is the entire ecosystem of spam that is built around Google, Office365 and data sellers.

In a week, many of us will be getting together in London to talk about ways to reduce messaging abuse. These events tend to be busy and there’s so much to talk about we don’t always get to have the conversations we need to. Maybe we need to make some time to have this conversation, though. How can we, as ESPs, stop more abuse than we’re currently managing to stop? What can we do to make the Internet a better, safer place? Are there some easy changes we can make to improve things?

Related Posts

ESPs and deliverability

There’s an ongoing discussion, one I normally avoid, regarding how much impact an ESP has on deliverability. Overall, my opinion is that as long as you have a half way decent ESP they have no impact on deliverability. Then I started writing an email and realised that my thoughts are more complex than that.

Read More

Amendment is futile, part 2

When Yahoo filed for dismissal of the Holomaxx complaint, they ended the motion with “Amendment would be futile in this case.” The judge granted Yahoo’s motion but did grant Holomaxx leave to amend. Holomaxx filed an amended complaint earlier this month.
The judge referenced a couple specific deficiencies of Holomaxx’s claims in his dismissal.

Read More

Who pays for spam?

A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customer wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.
While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in Kindergarten (say your name, stop poking when asked, don’t lie) and there’s no chance you’ll be legally liable for your actions.
Legal liability is not really the concern for most ESPs. The bigger issues for ESPs including overall sending reputation and cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without having any financial consequences for the behavior. By sharing  in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.
Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as they disconnect the sender.
ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.

Read More