On 08.04.23 at 06:17, Jarland Donnell via mailop wrote:
> To be clear they have an amazing abuse team, easily the first people I would hit up if I were hiring in that area. Just top notch admins.
If they are top notch but have their hands tied they are essentially worthless to me. They could just as well have a good time playing darts and drinking beer, it wouldn't make a difference.

> Blocking SMTP by default makes sense, but settling on the best way to handle opening it (automated? manual review?) is a discussion that is very easy to get stuck in. I don't know where they're at on that discussion by now, but when I left it was something I would have referred to as "on the table." That is to say most of the stakeholders would entertain the discussion.

As a first approach, it might be helpful to only consider opening SMTP for customers whose identity you know with sufficient certainty. Whether you then open it by default, make it an automated process, or have an additional manual review does not make much of a difference, and I'd say that opening port 25 for verified customers is sufficient. Spammers can easily create like 10000 fresh accounts with different e-mail contacts and fake addresses daily using automated tools, but as soon as they are required to provide verifiable data for a KYC process they will be gone. Of course, this hinges on the premise that a spamming account will be terminated quickly and the customer will be banned from ever having an account again with you.

AI-supported categorizing of new accounts into "likely genuine" and "likely fake" might also help. I have no practical experience with this, but it would be really interesting to know whether providers try or tried this and what the results are.


> There's likely an attached fear that appearing even remotely hostile to customers could quickly drive them to a competitor in a pretty competitive market. You have to think that as much as people like you and I would appreciate them doing it, their customers would likely only be speaking up about it to say the opposite. You might decrease abuse complaints but you might also decrease NPS scores, and the people sending abuse complaints are usually not your customers (so pleasing them doesn't = $). You might think that reducing IP blacklisting could reduce customer complaints and bad NPS scores. I don't think reality actually plays out that way because Gmail doesn't use external blacklists (that I'm aware of), and Microsoft will unblock individual IPs upon request (sometimes after some back and forth), and that accounts for almost all of what people want anyway. And even that would only matter to customers that run mail servers anyway.

And that's why I'm still in favor of blocking spammer-hosting providers swiftly and broadly. It needs to affect the non-spamming customers, too, to be a strong economic incentive for keeping spammers out. Of course I also punch holes when contacted by affected e-mail users, but at least I have a chance to tell them that they're with a bad provider and are supporting criminal activities by letting themselves be used as human shields.

Cheers,
Hans-Martin
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
