ESPs need to step up their compliance game

I don’t send a lot of spam complaints generally. Mostly I block and move on. There are some companies, though, that I offer the professional courtesy of sending a complaint or a report to their abuse@ address. Former clients, friends and colleagues generally get that courtesy.

The number of ESPs that completely fail to take any action is disappointing. Too many of them can’t even manage the simple courtesy of removing addresses. A few don’t even process bounces correctly and continue to send mail even when getting a spam block or 550 user unknown.

Sometimes I’ll reach out to folks who I know work at particular ESPs, although that’s less common these days as everyone seems to be moving companies and I can’t keep track. Often I get an invite to “always send me complaints directly.” That … is not a solution, people. Expecting people who are reporting spam to go out of their way to send mail to individuals rather than a standard mailbox just puts more on the recipient. For me, at least, it involves a trip to LinkedIn to figure out who I know at a particular place and sometimes I’m just too busy.

There’s also the problem where at least one ESP throws away direct reports to their staff, probably because ‘they contain spam.’ I reached out to a colleague who asked me to forward the reports to them. They never received the reports and we resorted to me cutting and pasting headers into a Slack conversation.

Look, I get it. Compliance is a challenge. I’ve set up enough compliance desks over the years to understand things will fall through the cracks. But I’ve also worked with desks that have automation that extracts the address from every complaint at receipt time and makes sure that address is suppressed from the problem customer’s list. That happens before the report is ever seen by a human, ensuring that people who are complaining don’t have to complain more than once.
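The receipt-time suppression described above, sketched as an added example (not code from this post or from any ESP). It assumes complaints arrive as ARF reports (RFC 5965) and that the ESP stamps outgoing mail with a hypothetical `X-Customer-ID` header; the sample report is constructed.

```python
import email
from email.utils import parseaddr

# Constructed, trimmed sample ARF (RFC 5965) complaint; every name is made up.
SAMPLE_ARF = """\
From: fbl@mailbox-provider.example
To: abuse@esp.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
Version: 1
Original-Rcpt-To: <Recipient@Example.net>

--b1
Content-Type: message/rfc822

From: deals@customer.example
To: recipient@example.net
X-Customer-ID: cust-42

Buy now.
--b1--
"""

def _inner(part):
    """Message nested in a message/* part (a list once parsed), or header text."""
    payload = part.get_payload()
    return payload[0] if isinstance(payload, list) else email.message_from_string(payload)

def suppress_from_complaint(raw, suppression):
    """Suppress the complainant for the sending customer at receipt time.
    Returns (customer, address), or None when a human has to triage it."""
    rcpt = customer = None
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            rcpt = parseaddr(_inner(part).get("Original-Rcpt-To", ""))[1] or rcpt
        elif ctype in ("message/rfc822", "text/rfc822-headers"):
            orig = _inner(part)
            customer = orig.get("X-Customer-ID")  # hypothetical ESP header (assumption)
            rcpt = rcpt or parseaddr(orig.get("To", ""))[1]  # fallback if field is redacted
    if not rcpt or not customer:
        return None
    suppression.setdefault(customer, set()).add(rcpt.lower())  # match case-insensitively
    return customer, rcpt.lower()
```

Run against each message as it lands in the abuse@ mailbox, this suppresses the address before any ticket is opened, and anything that returns `None` still goes to a person.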

I also understand that mergers and acquisitions and company expansions mean that sometimes there’s not a clear pathway to the abuse box. There was one ESP that had abuse@esp in their headers as the right place to complain. The problem was those emails were handled by legal at the parent company and were never sent to the actual division sending the mail. There’s also been a massive relaxation in what’s acceptable, with many ESPs looking the other way when lists or addresses are acquired without permission. And, yes, some of those are on my list and I have heard directly from their abuse desks that action won’t be taken against the sender even though there’s incontrovertible evidence the address was acquired through a third party.

Many ESPs are failing to effectively stop abuse through their networks. Some of this is because how we monitor abuse hasn’t kept up with the changes in the email ecosystem. Other problems include unsupportive management, understaffed compliance desks, and abandoned or unmonitored abuse@ addresses. Then there is the entire ecosystem of spam that is built around Google, Office365 and data sellers.

In a week, many of us will be getting together in London to talk about ways to reduce messaging abuse. These events tend to be busy and there’s so much to talk about we don’t always get to have the conversations we need to. Maybe we need to make some time to have this conversation, though. How can we, as ESPs, stop more abuse than we’re currently managing to stop? What can we do to make the Internet a better, safer place? Are there some easy changes we can make to improve things?
