Dear Colleagues at ESPs,
We have a problem. More specifically, YOU have a problem. You have a spam problem. One that you’re not taking care of in any way, shape or form.
There was a point where ESPs started caring about spam out of their networks. They got blocked enough they had to take action. Because they took action a lot of the big blocklists started being nice. Spamhaus, for instance, would do ‘informational’ listings so that ESPs could fix things rather than going to a direct block.
This led management at ESPs to start to think they had this spam thing under control. They stopped worrying too much about spam and compliance. I mean, to management the whole point of having a compliance desk is to stop the blocks. No blocks mean no problems with spam out of the network, right?
As someone who gets a lot of B2B spam let me make it clear: You have not stopped spam off your networks. What’s even worse is that your current processes don’t act on complaints.
- One major ESP has their abuse desk behind filters leading to spam complaints being thrown away. I’ve talked with folks inside this company, who have confirmed to me that they don’t see complaints from me in the abuse box, even though I can demonstrate logs that show the mail was accepted. Those same people have asked for me to send them copies of the complaints, which also never make it to their mailboxes. In one case we resorted to copying and pasting headers into Slack.
- This same ESP has been allowing multiple customers to spam their “We have your data and are going to sell it out to people” through the ESP. It’s been reported over and over again, but the spam still keeps coming. These “multiple” customers have suspiciously similar websites and email content / structure. Oh, and they’re not even complying with CAN SPAM.
- Another major ESP ignored complaints about a B2B spammer for months. When I finally reached out to a friend who worked there I was told “oh, we only got your complaint and no FBLs so we never investigated further.” Newsflash: you will never get FBLs for B2B mail, they don’t exist. If you’re relying on the numbers of FBLs to trigger action at your compliance desk, you may as well just hang out a “SPAMMERS WELCOME HERE!” sign.
- Yet another major ESP is currently allowing a customer to spam. I’ve even gotten a response from their abuse desk telling me ‘they’re looking into it.’ This particular ESP was one of the first signatories on my “ESPs that prohibit purchased list” blog post. They clearly do allow purchased lists as the only way this email address got on a list is if it was purchased – a fact that was in my initial report of spam, the one that got a response from the ESP.
Here’s the deal, many ESPs need to get their poop in a group and stop allowing so much spam off their networks. They need to stop thinking what they’re doing is adequate and enough. It’s not.
I’m not the only one that is frustrated here. Talking with some of the Spamhaus folks last month in London made it very clear that they’re done with cutting ESPs slack. There was an incident back in the spring where a large number of informational listings targeted ESP IP addresses. These were removed pretty quickly but not because they were in error. More because the delistings couldn’t happen in a timely manner.
Just recently I said that Spamhaus’ listing of a shared IP at a major ESP was likely due to Spamhaus running out of patience with the lack of action by that ESP. Y’know what really concerned me? In the same discussion was someone who handles blocking for a major B2B filter. This person is usually pretty quiet; mostly they assist with blocks. They followed up to my comment with “Spamhaus isn’t the only one.”
ESPs, you have a spam problem. Folks responsible for blocking spam are losing patience with your failures to address active spam coming from your network. Some of the biggest ESPs in the business are sending more spam than they should be. They need to get your house in order. Those of you who have chatted with me in various other places know I’ve been beating this drum for a while now.
One of the thing that always happens when I bring this up is colleagues reach out to me and tell me that I can always send them complaints directly. First, no, I can’t as some of you have spam filters that throw the complaints away. Second, no, I shouldn’t have to. I shouldn’t have to keep a list of who works where in order to submit complaints to the right place in order to tell ESPs they have a spammer. Third, no, I should not be getting special treatment here. Your systems should be able to take a complaint from anyone and make it so that person doesn’t get spammed again.
Escalation channels are good, but should never be used for a “hey, your customer bought a list / is mailing the address stolen from X / got chased off 3 other ESPs” style complaints. Escalations are for non-standard situations. A spam complaint is not a weird situation.
I will point out, too, that this is not an intractable or impossible problem. Two of the biggest ESPs almost never show up in my mailbox. When they do show up, it only takes a single complaint and the spam stops. Now, maybe they’re just removing my address from their customer’s list, I don’t know. But, y’know what? That’s more than many ESPs do. But I do regularly get spam from the same sender just on a different ESP.
Many of the ESPs I’m seeing problems from used to be part of the solution. They used to have competent and functional compliance desks. For whatever reason (staff attrition, buyouts and management changes, complacency, lack of consequences) they’re becoming part of the problem. It’s time to step up or face the listings.