I'm going to preface this email by saying that I do, in fact, run an
abuse desk. I'm the director of the policy enforcement team for my
employer, an ESP that everyone knows. I'm not going to mention them by
name because anything that I say here is based upon my own thoughts,
opinions, and experiences and isn't intended to reflect the policies
or positions of my current employer.

On Fri, Aug 14, 2020 at 1:00 AM Hans-Martin Mosner via mailop
<mailop@mailop.org> wrote:
>
> Am 13.08.20 um 19:28 schrieb Al Iverson via mailop:
> > On Thu, Aug 13, 2020 at 11:34 AM Hans-Martin Mosner via mailop
> > <mailop@mailop.org> wrote:
> >> Mails to abuse@ should be handled quickly without being CC'd to a VP. It's 
> >> the abuse desk's job to stop abuse ASAP. If they are understaffed or don't
> >> have authority to stop spamming senders then there's an organizational 
> >> problem that can not be solved by handling abuse reports from the VP's 
> >> seat.
> > I'm not here to defend any given provider, but I will say, I wish you
> > could see the amount of absolute garbage that an abuse desk address
> > gets.
>
> I don't say it's trivial, abuse desk work for an ESP is certainly highly
> demanding work. It needs sufficient number and quality of staff and
> sophisticated and highly flexible automation to sift through abuse reports.
> If sending out bulk mail is your business you'd better pay for a high
> quality abuse desk, it's a core part of your business quality.

And yet ESPs, like many other businesses, can sometimes look at abuse
desk operations as a cost center, not as a core functionality. It's
way easier to justify paying for new salespeople who will bring in
several times their annual salary in new business per quarter than it
is a team of dedicated professionals who spend all day terminating
paying customers.

> If I were to run an abuse desk the first thing I'd do is install a mail-in
> sorter which separates the immediately actionable reports having full
> headers from random rants that might or might not be cause for action and
> the inevitable garbage (granted, you can't use a traditional spam filter
> because folks tend to cite spam when they report it.)

And, sometimes you have to work with the tools that the company feels like
paying for. Once upon a time, I ran an abuse desk that had operated
for years out of a shared Exchange folder because the company didn't
want to pay for a ticketing/queueing system. I don't know of anyone
who does that now, but I'm sure someone is out there. And talking
about what you'd do "if I were to run an abuse desk" is about as
useful as me suggesting that "if I were running a postmaster team" I
would just open more capacity.

> The immediately actionable reports could be further indexed by customer ID
> based on mail header information, so when multiple reports for one customer
> are received you can prioritize and react swiftly.

Even that's not always possible in a secure environment. My abuse
queues are held in a completely disconnected portion of our systems
that no one can access without my leave (and usually a signed email
from Legal or my management chain is also required). Why? Because we
take privacy rather seriously and don't think that our salespeople or
Tier 1 Support personnel should have access to your abuse report. I've
got 20 years in anti-abuse operations and I've seen lots of reasons to
do things this way, including having salespeople try to defend their
customer(s) by emailing complainants to ask why they sent a spam
complaint, why they didn't just hit delete, to verify that they
weren't a bot, or about 20 different other things which would mean
that maybe an abuse report wouldn't have come in and this guy could
keep his commission. But the upshot of that is my systems don't have
the ability to index the customer IDs in the CRM -- we have to add it
in by hand (which adds a small headache for us in exchange for
avoiding about 3 other much larger headaches). That's not because the
system isn't smart enough to do it, but because people have proven
themselves untrustworthy enough that I can't let those systems talk to
each other.

> But without knowing any details about how the current abuse desk work is
> organized it's impossible to make specific improvement suggestions. We
> already listed some technical and organizational changes that would likely
> reduce abuse in the first place, which would presumably cause a significant
> reduction in abuse reports and pressure on the abuse desk.

Running email as an infrastructure-only provider is hard -- especially
when someone can sign up for an account without sitting down with a
salesperson and a lawyer. I've got lots of respect for the job that
Will, Len, and their team are doing on this particular issue. It's a
hard one. And sometimes, believe it or not, even when you have a
salesperson and a lawyer, whack-a-mole is the only game in town. I had
one incident a ways back now where the spammer actually put himself
out there as a consultant to small(er) businesses and would then just
take over their accounts to send his spam. Our salespeople couldn't do
anything to stop it since he wasn't involved in the discussions, and
the poor customer was on the hook for our fees under the contract and
had actually paid the spammer to essentially take over their accounts.

My point: Determined bad guys are going to act in accord with their
determination. And it's not easy to weed that kind of person out, no
matter how well-intentioned and technologically competent you are.
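
Added example, not part of the original message and not any provider's actual tooling: a sketch of the mail-in sorter discussed in this thread, which separates reports carrying full headers from free-text complaints and empty mail, then counts actionable reports per customer. The `X-Customer-ID` header name, the bucket names and the sample reports are assumptions constructed for illustration; the customer ID is kept as an opaque string with no CRM lookup.

```python
import re
from collections import defaultdict
from email import message_from_string

CUSTOMER_HEADER = "X-Customer-ID"  # assumption: ID the ESP stamps on outbound mail

def reported_headers(report):
    """Headers of the complained-about message, or None if the report lacks them."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":       # forwarded as attachment
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":  # headers-only MIME part
            return message_from_string(part.get_payload())
    if report.is_multipart():
        return None
    body = re.sub(r"^>+ ?", "", report.get_payload(), flags=re.M)  # strip reply quoting
    m = re.search(r"^Received:", body, re.M)                       # headers pasted inline
    return message_from_string(body[m.start():]) if m else None

def triage(raw):
    """Return (bucket, customer_id); customer_id stays opaque, no CRM lookup."""
    report = message_from_string(raw)
    orig = reported_headers(report)
    if orig is not None and orig.get_all("Received") and orig["Message-ID"]:
        return "actionable", orig[CUSTOMER_HEADER]
    parts = [p for p in report.walk() if p.get_content_maintype() == "text"]
    return ("review" if "".join(p.get_payload() for p in parts).strip() else "garbage"), None

def build_queue(raw_reports):
    """Count actionable reports per customer (busiest first) and the other buckets."""
    by_customer, other = defaultdict(list), defaultdict(list)
    for raw in raw_reports:
        bucket, cust = triage(raw)
        (by_customer[cust] if bucket == "actionable" else other[bucket]).append(raw)
    ranked = sorted(by_customer.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(c, len(r)) for c, r in ranked], {k: len(v) for k, v in other.items()}

# Constructed sample reports (not real mail).
WRAP = "From: reporter@example.net\nTo: abuse@esp.example\nSubject: spam\n\n"
SPAM = ("Received: from mta1.esp.example by mx.example.net; Fri, 14 Aug 2020 01:00:00 +0000\n"
        "Message-ID: <{0}@esp.example>\nX-Customer-ID: {1}\nSubject: Buy now\n\nBuy now!\n")
SAMPLES = [
    WRAP + "Spam, headers below:\n\n" + SPAM.format("a1", "cust-1001"),
    WRAP + "".join("> " + ln + "\n" for ln in SPAM.format("a2", "cust-1001").splitlines()),
    WRAP + SPAM.format("b1", "cust-2002"),
    WRAP + "You people keep spamming me! Make it stop!\n",
    WRAP,
]

if __name__ == "__main__": print(build_queue(SAMPLES))
```

The sorter keys on the structure of the report (presence of `Received` and `Message-ID` from the reported message) rather than on content scoring, so a report that quotes spam is not itself discarded as spam.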
