Industry Leaders Panel: The Blocklists

The inaugural edition of Inbox Expo 2020 offered a unique opportunity. For the first time, those in email marketing were able to ask the founders and leaders in the email space anything they wanted. Scheduled for 30 minutes, the session ran for over an hour.

It is no wonder. With leaders in the anti-spam and email blocklist space so receptive to our delegates’ questions and so willing to engage, we were privileged to host this industry-first event.

It was incredible to have so many leaders in one place for this panel. Bringing together commercial and non-commercial operators with experience spanning many decades, this was a truly unique learning opportunity.

Simon Forster, co-Founder & CEO Spamhaus

Simon oversees operations at what is perhaps the most (in)famous email blocklist. His role involves liaison with all the major IT security organisations and vendors, the largest free email providers, ISPs of all types and from all locations. He deals with large enterprises and has insight into email and security that is unparalleled.

Rob McEwen, Founder & CEO Invaluement

Founder and CEO of invaluement.com, a SaaS business with the goal of helping spam filtering technology companies, ISPs, email hosting companies, and anyone else who hosts their own mail server to achieve the following goals:

(1) block more spam that is undesired by the end users

(2) NOT block legit email (reduce false positives).

(3) Additionally, we’re attempting to revitalize the (almost lost!) art of managing your own mail server, making the complexity of that much easier – it turns out that it *is* possible to achieve BETTER spam filtering and deliverability than the large cloud providers AND have a profitable email hosting or spam filtering business – we help others achieve that goal.

(4) Finally, a newer service involves helping ESPs to not let as much spam go out through their systems, both via education and support provided directly to the ESPs, and by surgically blocking ESPs’ “bad apple” customers, yet without the massive collateral damage that happens when an ESP’s own IPs and domains are blocklisted.

Raymond Dijkxhoorn, Founding member of SURBL and owner of

You will likely have heard of SURBL, the blocklist of which Raymond was a founding member. You also likely know some of the customers that use the services of his business, e-Hawk, the company that ESPs like MailChimp, ConstantContact, CampaignMonitor and others use to secure their systems against signups from bad actors and serial spammers.

Atro Tossavainen, Anti-Spammer and founder of Koli-Lõks OÜ

Atro is a key member of the team behind Mainsleaze, a SpamBouncer project monitoring network that highlights issues at major email service providers and big-name brands falling foul of privacy, hygiene and other best practices.

Atro has been a professional system administrator since 1996 and a computer enthusiast since the mid-eighties. Linux, UNIX, cybersecurity, storage, backup, e-mail and anti-spam are the keywords associated with his professional work.

A small business owner, entrepreneur and contractor, he is your go-to guy if you have any contract-based projects that need a European anti-spam professional. He has operated for many years in the anti-spam and anti-malware information space, providing analysis, diagnostics, and the selection and provision of the necessary tools.

James Hoddinott, Director, Security Operations at Cloudmark

James is a long-standing member of the anti-spam community and has worked with ProofPoint in a variety of senior roles for well over a decade. Before that, he was responsible for many years for securing the network of one of the UK’s largest telecommunications companies from abuse.

ProofPoint is a commercial blocklist and email security vendor. It is an enterprise security company that provides software-as-a-service and on-premise solutions and products for inbound email security, as well as email encryption, electronic discovery, and email archiving.


Raymond Dijkxhoorn 1:01
Okay, let me start. I am Raymond Dijkxhoorn. I’m in the Netherlands, it’s a bit past eight right now. So it’s a nice start of the weekend, a session like this. We have a panel with the operators, basically, of, well, the most used, most feared blocklists. And we’re here basically to answer your questions also later. So we did get some outline at the start, which helps with we’re trying to basically answer any questions that you have. And let me just outline it, we’re here to help you. So most of us in this industry, at least for Spamhaus, for SURBL, we’ve been around for close to 20 years. So we’re not doing this since yesterday, we have quite a good view on what’s going on in the internet. If you talk about like, where the internet is going, we are always involved in directions. And with that, I would like to introduce Atro on my left.

Atro Tossavainen 2:16
Hello. Nice to meet you all. I’m in Finland, and it’s 9pm here. And maybe a word or two about Koli-Lõks. We started tracking spam as a commercial effort about five years ago. I’ve been involved in anti-spam ever since the late 90s, I think. And I was a university sysadmin. So it was a hobby for a long time. And recently, it’s become a commercial effort. We get about 30 million stamps also among to look at identify speakers and other known senders provide intelligence of the stuff that we see.

Raymond Dijkxhoorn 2:55
Awesome. Awesome. Thank you, James.

James Hoddinott 3:02
Yeah, I’m James Hoddinott. I’m in the UK, it is only 7pm for me. So really early in my evenings, I guess there’s just this session and in between some wine and pizza. So we’ll talk quickly. Yeah, so I’ve been doing anti-spam stuff for over 20 years now. Started off working for a UK ISP, heading that up, and did that for about 11 years before I then swapped over, joined Cloudmark, took my skills global, and kind of been here ever since running the security operations team. And yeah, generally just spending a lot of time trying to stop the bad guys. And surprisingly, you may like to learn that I do actually try and help the good guys get through occasionally.

Raymond Dijkxhoorn 3:56
Yeah, I think that’s a really good point. I mean, most of the senders always fear what is going on with the blocklist, but we’re not the bad guys. So that’s really good to understand.

Rob McEwen 4:11
So I’m Rob McEwen. And I’m from North Carolina, in the United States, and the CIO. So I’ve been managing mail servers since the mid 90s. But that really started off as a side project. I started off more as a web developer and computer programmer. And then as my users were having difficulty with, you know, with spam, that kind of drew me into the whole anti-spam world, maybe around 2003, 2004. I did some good work as a volunteer for SURBL during SURBL’s very first couple of years. And then I branched off and launched in document a few years later in 2007, which is invaluable. It’s an emphasis on blocklist that focuses on catching a lot of the sneaky spams that are sometimes missed by other blocklists. It isn’t necessarily a drop-in replacement for Spamhaus, for example, but it’s a great supplement to Spamhaus. And mainly, I think one of the things that helped with environment is it was built from the ground up to not overly focus on spam trap hits, and not overly focus on user stats bubbling up to the surface. A lot of spammers learn how to evade those tactics for catching spammers. And those sort of built from the ground up to catch them are sneaky, elusive spammers, many of which were following a lot of good rules. That’s still sending unsolicited messages.

Raymond Dijkxhoorn 5:34
Yeah, I mean, that’s a good point. And I think that if you are into spam filtering, which are many of the guys who are, we’re supposed to go also to, to the forum in the UK, which unfortunately now is remote. But they know that basically, there is no single source of truth. And what we guys do amongst each other is basically, we are supplementary. So, one time you see it on the Spamhaus list, sometimes you see it on the SURBL list, sometimes you see it on Rob’s list. If it’s a combination of all three, you might look into your customer. Simon?

Simon Forster 6:19
I’m Simon Forster. Yeah, Simon Forster from Spamhaus. I’d been doing this for what, sort of 15 years now, during them on the commercial side. So really about trying to get some money in to keep the project going. Yeah, I’m joined, doing sounds a bit like Rob, doing taping stuff with Spamhaus moved across to the commercial side of things. And now, I’m heading that up. I don’t think there’s much more to say about me, really.

Raymond Dijkxhoorn 6:56
Well, I think there is, but we’ll get to that. Okay. Before to start the session, we basically, we get some questions in and we are, hopefully be able to answer questions also. But you have the right audience, if you if you’re willing to know anything about how a blocklist is operating? What should you do to get better understanding how to escalate listings, I mean, you have them all here. I mean, we could have invited Alex from your IBO who is usually afraid to to talk in audience but that that that basically says the majority of the blocklisting are out here. If we cannot fix your problem, you will really have something which is broken. So one of the questions which I wish we got in is, what is the biggest obstacle to effective anti spam today, and the world is changing quickly. I mean, who would knew that we did this conference? Like, like we do it now with all the things happening around the world? But, um, so could you address that? Like, what is the biggest obstacle right now what what we, what do we see in anti spam world?

Atro Tossavainen 8:24
I feel totally unqualified to speak to this matter, but I’ll give it my best shot. The thing is, of course, that the receiving has concentrated so heavily on the three or four major players, that anti Spam is, essentially whatever they do for the majority of recipients. And I don’t think that I or you, or practically anybody here is doing anything with respect to what Google does, or Microsoft even I don’t think they’re using anybody else’s army services. So I guess it all depends on the perspective. And who are you? When you’re asking this question? What is effective anti strength to you? Yeah, for the people who run man and job mail servers, the answer is completely different to what Microsoft or Google would be.

Raymond Dijkxhoorn 9:19
Yeah. And unfortunately, some of us deliver our data to those guys also. So and that’s, that’s what I what I also said, No, it’s not new. We do this for years. But it’s it’s it’s, it’s a very good thing. Yeah. And circling back to my my previous statement. You cannot do do this alone. So we see something. Google sees a lot more likely. But the end result is that we see a lot more than what you would have seen alone. So I think that most of the things that we do are pretty effective. We see a lot of the spam gangs changing their behaviour. And that’s telling me basically that, well, if it would not affect their business, they would not change a thing. So so in a way we do we do, we do good work. It’s also a little bit sad that we do this over 20 years, and the problem is still not gone. But some, some people also say the problem is solved. But if we basically turn off what we are doing, it’s not resolved. So, one of the other questions that we got is, how relevant and that’s basically a follow up on that, how relevant are blocklists today? And moving forward? What do marketeers need to think about it? Simon, do you have any take on that?

Simon Forster 10:57
Yeah, I guess so. Um, so looking at the sort of commercial side, heroin to blocklist today, more so than or, or as much as ever, they’re really quite heavily used by others. And there’s an awful lot of, as we all know, an awful lot of spam out there an awful lot of rubbish. chucking that into a junk folder, and storing it forever doesn’t make sense for an awful lot of these receivers. No one’s ever gonna inbox.

There’s a junk folder associated with that with a few 1000 emails in, I never look at it, it’s just using up storage space on mine provider’s servers. So kick them off as quickly as possible. SMTP Connect drop in fantastic, not your problem then as a receiver. So there’s also another side where you’ve got large ISP, I guess, large receivers as well. Looking at this problem, from a different perspective, we all know that there’s big downward pressure on prices, particularly in this advice people for has been, rather than just providing dumb pipes offer a service as well offers security. And it’s something that bt in the UK, for example, are offering quite heavily now. And they’re looking to bring in as many services as possible, make security a really good selling proposition. But all the data that we get, you’ve hinted at it as well, Raymond, all the data we get it pops up in lots of different places as well. Response policy zone, so blocking, DNS firewall level, gaps, providing the data to some of these other very large receivers that are out there to combine with their own data and your data, everyone’s data on this talk. So all very, very relevant. And there is a subsidiary question. What do marketers need to think about? Yeah, okay. I think that’s really, really easy. I think it’s a really easy answer. It’s just what you guys should always be thinking about. It’s the brand. Forget about the email side of it, and I dropped. And it seems to be a recurring theme through this session, this, what do you call this thing? exhibition. I’m worried about the brand I worry about. And part of that is worrying about the domain associated with the brand. So make sure that you’re keeping the reputation of the brand pristine, worried about IP addresses associated with your, your brand. Look at all this sort of stuff. It also goes broader than this as well. We talk an awful lot nowadays about reputation. 
So and it’s one of the things that process frustrates people to get onto the main block list. And it’d be interesting to hear what you say, with respect to serve will actually Ramin but people get really frustrated because they end up on the main block list and then they want to know why. What was the reason that got us on? Yeah, I can’t really send you one reason. It’s reputation is you know, we’re looking at 80 plus metrics here. And you’ve just got a bad reputation. Well goes The bangs, cuts across though. We’re listening, presumably, we’ve got lots of SPS here listening to this, a lot of marketers get a good reputation in the industry that’ll serve you really, really well. And it can be a personal reputation. Do the right thing. If you have a problem, hold up your hands, we have a problem, fix it. And then people will start taking your word for it when you say, hey, look, I’ve fixed that problem. Okay, we’ll take your word for it. The list listing goes away. So across the board, reputation, so important.

Raymond Dijkxhoorn 15:39
Yeah, and I also want to address short term and long term benefits. Because some of the things that we list are really looking forward to short term profits. So just recently, this week, we had a casino site who was listed in our SURBL data list. And the guy had like 20, 25 different casino domains. And he did the delisting requests, which is quite normal, usually. But he was like, Yeah, my mail server got hacked, and some guy sent out spams with 25 of my domains advertising my site, I don’t know what happened. And it’s like, yeah, I mean, really, we’ve been doing this for quite some time. So we’re not even going to go into details with that. But yeah. And that’s why I say like, if you have a normal brands, they care about their brand recognition, the future of their brand. And usually, they want to do funny stuff with it. And if they do, they will definitely correct it. So there’s a big difference between those two kinds of markets in our fitting of what’s going on, actually. So, one of the questions like it’s a breakdown, but and I would like to address it to Rob. Basically, it is a follow up from the previous questions, how relevant are our legacy today? And has anything changed for them? So it did our broke change? Let’s say from five or 10 years ago?

Rob McEwen 17:27
Yes, it’s, there’s been actually quite a bit of changes. And I’m going to try to go fast and be brief, but it’s going to be difficult, because there’s a few critical things. So. So one thing that’s happened is that there’s been a huge increase and hijacked domains and hijacked. accounts on all servers are where the domain is compromised, where there’s malware hosted at somebody’s website, or where somebody’s username or password gets compromised. And, and that’s a challenge, because that’s always, that’s always been around, but it seems like over the past three or four years, that’s accelerated quite a bit. And that’s represents a challenge because then it’s more difficult for blocklists to balance out, you know, blocking the malicious spam but not having collateral damage. Or, you know, and it creates a need for blockless to be able to more quickly get those domains and IPS delisted when there’s a problem because many times they really shouldn’t be listed right away. But once the problem is fixed, they should be delisted quickly to prevent collateral damage. And I think we’ve all done a pretty good job with that. But, but there’s other things in the industry that have been been difficult one of which is, there’s So originally a lot of the the most prestigious email service providers, they had a very strong dedication, and like the end the 2000s and early 2000 10s, and with with, with trying to stay off of blocklist and trying to kick spammers off their networks, and unfortunately, there’s, there’s a, the, they tried to do a good job with that, because they needed to have good quality, reputation, understanding IPS. And, and that continues to be the truth, you know, today, but what’s happening now are some of the IPS, some of the, the large ISP s and large DSPs are starting to get a little bit of this word too big to blocklist mentality. And, and they’re not being as aggressive with filtering. 
And, and kicking off you know, that Apple, I mean, just the other day, one of the largest DSPs ran into my inbox a fish came in, when I when I went to take a look at the fish, the the espys hyperlink, which was using not yesterday’s domain name, so it wasn’t really something I could walk that easily came from the right place, using their domain name for the redirect, I clicked on it and went to our new domain name. And when I did it when I went to, it had like zero reputation, the homepage, it didn’t exist anywhere in history, you know, before. So that should have been trivial for an ESP, to be able to do you know, to be able to filter that or spot that before allowing it in. So that’s becoming a problem and and basically, I’m just going to Let you all know that I’m pretty sure almost all of us are making adjustments. And I don’t want to go into too much detail. But you know, like, for example, one of the good things that Spamhaus is doing is they’re doing more filtering based on the domain names that are within the, the, you know, the PTR record and things like that. And that’s going to help them that helps them to retarget those customers. That’s just one example. There’s other things that I’m working on, and then some other to help more specifically target the bad apple customers and DSPs and gsps. Because that’s getting to be a greater need. It’s it’s having to, it’s forcing us all to rethink our technologies and redo things massive in a massive, different way. And I think that’s coming soon, because it’s getting a little out of control. And it’s coming from a large ISP.

Raymond Dijkxhoorn 20:48
Yeah, I completely agree with you. And, and there, there are examples, especially over the last few weeks were very big DSPs have been compromised. They have redirect services. And And personally, from the service point of view, we are talking with a couple of the big guys. The names are known on all of the mailing lists. So it’s no secret. I saw some in the comments also. Thanks, Steve. But they are well aware. They’re also anxious to fix it. But if your company has been like bought four or five times over the last two years, things might be different. And that’s, that’s not talking. Good for them or making excuses for for them to allow it. But it’s just how it happens there. There are guys still working there. And they do a lot of good work with the redirector. Some stuff is new for now, I guess. So we had the same discussions with Twitter, Twitter, fix it. In fact, I don’t even think teed up to is around anymore. There are some other redirects where we had various talks also during our conferences. Some of them it’s their business model. And we just have to cope with that. So we make decisions, they make decisions, and people are free to use our data. And it’s it’s a little bit beyond that, because many of the network vendors are also using our data. So even if you think you’re you’re blocklisted, blocklisting is not impacting my deliverability, I think you should think again, because if if the majority of the large corporations use RPC, kind of datasets to basically filter out traffic, and you are in that list, you don’t have any outreach for commercial customers anymore, that that’s just changing. And anyone who says that it has no impact. I would like to argue with them, because I think it does change their world tremendously. So one of the other questions we had is, and I think that that’s a nice one for James James, your company has like, built a lot of tooling work. 
So what tools and services do you have available that enterprises market to yours and organisations can use to help them monitor nutrients and improve their health and, you know, channels. And I addressed this one to you, because I know that some of luckless operators do not want to act as a feedback loop. Just being independent, helps us. So James, is there something that you can add there? Yeah,

James Hoddinott 23:43
I mean, I guess, kind of, in terms of CSI blocklist, and it’s, it’s somewhat different to maybe some of the others as far as we’re not, like an officially public kind of lists. So you can’t just get a, you know, kind of query our data with DNS lookups. And that kind of stuff to, so you can’t like immediately check and see it, you know, RUN RUN scripts to check if you’re listening, things like that. The, I mean, in terms of tooling for that, I mean, the device I’ve always given out over the years for that is, is that is that people should be should be monitoring and checking and pausing their logs. That’s a much more effective and quicker way of actually determining when you’re, if you’ve got a listing, rather than going to the effort of creating a whole new set of scripts you have to maintain to check for things. It’s generally very clear when we’re blocking if we blocked one of your IPS. And you know, we’re pretty much every customer, except for a few odd ones. You have some very lame MBAs that are barely capable of handling email. Pretty much all of them will have a redirect to a to our portal. So you can remediate the IP pretty quickly. In terms of other kind of tooling and stuff, We’ve kind of touched one of the areas we’ve kind of concentrate more on is kind of helping other companies to provide that kind of tooling for others. So like anyone out there who, who uses the likes of return path be data source. I think even 250. Okay, I can’t don’t quote me on that one. But we’ve we’ve kind of opened up a lot more information to kind of those companies to be able to get access to a bit more in depth data around things, in terms of kind of campaigns and sending, so anyone who’s going to use those services, can potentially get more information from us via those those tools rather than coming from us kind of directly.

But yeah, I mean, that the big one that we kind of always have is the kind of questions right now, you know, can we you know, get access or get information in our heads up on block listings in nice light? Well, I mean, the early heads up is that the fight execs, message you get in your local that’s, that’s where you’re gonna see it. I mean, we thought we don’t really get any quicker than that. It’s updates every 60 seconds. So it’s pretty robust, really. But um, yeah. I think I also saw a question posted in the chat earlier about, what’s the kind of useful thing to kind of do in terms of listings.

One of the things, this is one of the things that really frustrates me whenever on any kind of boats, a mailing list, or any slack channels, and this will post things like basically wanting help and saying, Oh, my P’s listed above, and then post their IP, just post your IP, even if it’s in the faint hope that someone might be able to help. Because the number of times I kind of sit there and wonder, Well, can I be bothered to actually help? Because you didn’t quite likely I’ve actually got to go and ask you for the information to help you. So just generally, just, you know, always include your IP. Don’t try not to obfuscate things. I mean, unless unless there’s something in an error message you’d really think is PII, please just kind of copy it verbatim, and give us give us some of the information we will be wanting to kind of help you.

Raymond Dijkxhoorn 27:13
Yeah, that’s

Atro Tossavainen 27:15
one thing there. Make sure that the people that you’re writing to are actually the people who are listing you, you wouldn’t believe the amount of time that somebody comes to somebody else saying swords, least stuff. And we’re like, well, we own a sword. So take it elsewhere. Yeah, talk to the right people. Check the listing, if there’s any public documentation associated with the listing, like a TXT record, that contains a link to something that has more information, that TXT record that might contain something immediately useful, like a domain name, or an IP OR gate or something, look this up, keep repeating them to whoever you’re talking to.

Raymond Dijkxhoorn 28:01
There are cases. The other way around is also is also the case sometimes if people do the listing requests, and they’re they’re not the domain owner. Yeah, that’s just an innocent bystander. And we we we respond differently to that. So yeah, it’s

Atro Tossavainen 28:24
getting tough.

Raymond Dijkxhoorn 28:26
Yeah, it’s the game, I guess. So sometimes, you get like silly the listener requests. Sometimes it’s pretty serious. I mean, if you are a big ESP, and you got blocklisted because you have like a bad customer, then you might need to think about how do you onboard those customers? Is there any projecting done when I take this train or just I want business so I let them sign up. I and then you complain afterwards that one of your main IPS which you share with 5000 others is being blocklisted. And and that’s take care of basically what you’re doing there. If you if you are willing to to give your reputation a try with that. We see some of the USPS shifting big customers to separate IPS with, with obvious reasons. They don’t want to have that shared with a customer who just pays little money to do so. So there’s a lot of variation in that. And and yeah, that’s the stuff that we all track. I mean, that’s what we do daily. So I saw I saw one of the questions and I think we can move to answering some questions. I saw a question about how did GDPR impact what we are doing right now. Many of us I know Simon has been to many of the ICANN conferences, me myself. I’m also going there a lot and we see a lot of the The guys in the industry there? Yes, it did impact our lives. Did it change it completely? I don’t think so. There is many ways of tracking bad guys. Did it make it easier? No. If the if I if the information in the Whois records would be accurate, we could do a lot more. And that’s why that’s why we’re also in discussion with with ICANN that if there is going to be a listing level where you have like law enforcement and research that would help us tremendously to see like botnets spam gangs. And and I want to make a clear separation between ESP s who have a dirty customer, or a botnet that is just sending out malware, and we detect all of that. And sometimes, the description is when it used to be like, Hey, I have this bad customer. 
For me, that is a completely different discussion than the button that we are tracking down. And the action that they do is quite different also. So Simon, I know you, your guys have like a lot of thought that into all these things. Do you see any jumps and changes there? Like, for example, with the current situation in the world we see. I mean, we see a lot of domain names related to the Coronavirus, asking for money doing discharge in Bitcoin scams. What do you see currently?

Simon Forster 31:47
Technical difficulties a sense I hope you can hear me okay. And yeah, we’re seeing an awful lot of the same sort of stuff. Is there anything? Is there anything massively new? No, the same at the moment, the same constraints, the same concerns are coming in. And ransomware is very big, very much on people’s radar at the moment, and has been for quite some time. I think one of the things that frustrates us, we lose a little cough from Steve free guard in the chat session, mentioning someone. We said, we have a lot of frustration with some of the large hosting providers and some of the people that may perhaps provide DDoS prevention services and very privacy oriented, which one has got to applaud. But they’re being heavily used and abused by bad actors to hide command and control servers, typically. And there seems to be no traction, no desire there to look into this and to deal with this problem. And this is one of the things that I think we can. Again, we’ve been doing this for quite some time, it crops up time and time again, people say that this is not their problem. Because they’re not, they’re just providing. So they’re not responsible for the content. But eventually, they get caught out by this. And again, we’ve we’ve seen it with some very large virtual servers. And lots of these networks are getting into trouble now. Because they’ve just been perhaps struggling is the nice way of putting it struggling with the abuse of their systems. And they’re just not getting on top of it, which really impacts the services they can offer their customers ultimately. So there’s a lot of this sort of stuff going on. It’s and I guess one of the things then that I think this might be a point that he he worries about a fair amount. It’s industry consolidation, you end up with two or three really massive players who just think they’re too big to block and that causes issues, ultimately for them.

Raymond Dijkxhoorn 34:31
Yeah. I personally am a little bit surprised that I still can remember some of the abusive housing takedowns I think we all can remember hosting operations being shut down that were like purely bad that had like, virtually a handful of legit customers and the rest of us scam were still Still, I mean, I’m not really proud of it. But if I, if I step on my bike and I bike five minutes, they’re still one of the bigger ones out here. And I think law enforcement could do a lot more. We all, we all know where it’s happening. And it keeps us all busy. So that’s good. But to the intent of fixing shit. I think we could do some more there.

Simon Forster 35:27
But then you do end up with. So AWS, having to introduce, eventually got round to introducing port 25 blocking on services. I mean, this is something that we were talking about 15, 20 years ago now to ISPs. And now they’ve got to be applying that, it’s nothing new. It’s depressing, actually, in some ways.

Raymond Dijkxhoorn 35:57
Yeah, it is. It is. So I see a question from Christopher, about if there would be a verification process with a real ID before allowed to send. And that circles back a little bit about the statement that I made before. If you run a big ESP, and you take on customers, think about your onboarding process, because that’s where it starts. If you’re willing to take in anyone, most likely on a few of our listings here. There’s no doubt about it. But if you do care, and you basically investigate a little bit more your customers that you are taking in before they are sending out, that will change your game a lot. And there’s also other ways of doing that, like, put them in a profile where they can only send five emails, or something like that. But it’s only part of the problem. Some of your accounts do get compromised, we understand that. Yeah, what do you want to say?

Rob McEwen 37:15
Well, one of the things that’s very helpful is when you’re onboarding, and I’m just talking to ESPs now, mainly, but when you’re onboarding a new customer, try to find out, you know, ask them, what is your main domain name for your main website, if they have a website, most of the time, they will. Take that domain name, put it in quotes in Google and look at what comes up, look at the quantity of the listings in Google and then also look at the quality of the top 10 results. So for example, if they only have, you know, 200 hits in Google total, and not like 20,000, most everybody else is credible, or more. And then if the first top 10 results are just run of the mill domain analysis websites, this is probably not somebody that’s very credible. There are exceptions every once in a while, but most of the time, not. And then the other thing that you can ask the customer is when they bring you a distribution list, and if you see something and you’re suspicious of them, ask them to walk you through how a typical customer signed up for their service, and make sure that it’s credible. And starting from how do they find you. So some people will say, well, we don’t have much of a website. But we do have a Facebook page, and we do massive amounts of Facebook ads. And that’s fine. There’s nothing wrong with that. But then have them show you the ads and show you the process to make sure it looks legit. And a lot of times that will, like even that phishing email that I described that came from a large ISP. I mean, if they had just put that domain name in quotes, alarm bells would have easily gone off. And that would have only taken about a minute at the most of an ESP person’s time to figure that out, when they’re doing the vetting. One last thing I’ll mention is that because of this too-big-to-blocklist issue that’s getting to be more and more of an issue.
A lot of people in the marketing industry are getting very cavalier and starting to think that it’s okay to send unsolicited messages to people where you don’t have any business relationship, they never even downloaded a lead magnet from you, you know, they’ve never bought any product from you. And you’ve just gotten that list from a third party. And it used to be obvious to everybody that that was, you know, something you should never do. But what’s crazy is that within the marketing industry, you’ve got something called hot customers and cold, like hot prospects and cold prospects and warm prospects. They’ll use that terminology and sir, because cold what some people have gotten mixed up on what they think since it’s okay to send a cold advertisement through Facebook to an audience that doesn’t know you. Therefore, that must mean that cold emails are okay. So they’ve got this new phrase, this new terminology where they’ll say over just send me an email tell me that someone would go on to a marketing message board and they’ll say tell me about your cold email strategy. And they think that just because they use those words, suddenly that’s authentic and legit. Because it is legit and authentic to send advertisements to people that don’t know you, but it’s not legit and authentic to send emails to people that don’t know you or don’t have some kind of business relationship with you. So if you see talk about cold emails, just know that is a big red flag. And it’s basically unethical. Maybe it might be legal if they do it right. But it’s not ethical, and it’s the kind of thing that blocklists will go after.

Raymond Dijkxhoorn 40:30
Yeah, and to a certain, I mean, I agree with that. And to a certain extent, it’s a bit different. But I don’t know, I must not be the only one that received like a zillion COVID-19 customer emails from companies that you did not work with for decades. So I would also keep that in light of GDPR. Like, when you are sending out those COVID-19 emails, really cute. It shouldn’t be like all of the contacts you had ever or should GDPR already limit those, because I definitely got emails, like, from companies that I did not deal with over five years. So that’s also something to think about. So there was a question for Atro. How can we validate the opt in source we get from the user or customer?

Atro Tossavainen 41:30
Andrew can answer that already? And my answer is I don’t think there is one.

Raymond Dijkxhoorn 41:35
Yeah, I agree. It’s like it’s the same like buying lists like you cannot buy opt in lists that that’s

Atro Tossavainen 41:46
But what Arun Kumar means here, I think, is this, how can they verify the quality of at least that a customer reports no matter how we came to the customer? So basically, as an ESP, you’re trying to do the good thing? Know something about the customers list? But a single answer,

Raymond Dijkxhoorn 42:02

And that’s the business they’re in. Basically, they will find out after a few customer emails. And if you share that sending IP with your customer that has been with you for years, that’s going to hurt your reputation. And in some other forums, and in some other conferences, we also advertise that, like if you only have one sending domain, and you do not basically give your customers a specific sip domain, or any other metrics that we can identify the customer, that will really hurt. Because on blocklisting level, we have domain listings, it could be subdomain listings. But that’s basically as far as we go in the blocklisting industry. If you spread it out over IPs, and Simon can comment on that, and you have multiple IPs for multiple customers, don’t share them, then we also know who that customer is. But if you throw it just into a big bucket, it is really hard to find it out for us also. So then we end up with blocking more than what perhaps should have been added.

Rob McEwen 43:20
Let me throw an extra thing in there. When your customer does their first mail out, take a close look at their number of bounces in terms of like unknown user rejection. Second, if that’s higher than usual, that can be a quick telltale sign that something’s wrong. It could also be that your customer just isn’t doing a good job of maintenance in their data. But even if that’s the case, it’s still something good to get your customer to work on. But just that first initial send-out, you know, send that they do, look at bounces on unknown users, such a good telltale sign.

Raymond Dijkxhoorn 43:51
Yeah, but I mean, and not to defend ESPs, but I personally did some work at ESPs just to help them out and see where we could basically improve their procedures. And what happens a lot is that that customer sends out two, three nice email listings, nothing bounces, it’s a clean list, and then they start to do better. Wow. And most of the ESPs basically have a few tests spread I do monitor their clients quite closely. If it’s a new customer, and after a while you say well, this customer is trusted, right? It’s just like when from outside, if you see IPs doing good stuff and all of a sudden it turns bad. That’s a lot harder to make the right justification on that. And that’s what’s happening a lot also. So I really think that most of the ESPs really try to do it very well. But the guys who we are tracking, the guys who run the botnet sort of Bats off. They’re dead, just use them as a sending platform.

James Hoddinott 45:13
I think one of the things as well that I mean, again, kind of trying to highlight that we are also on besides senders and stuff, here’s the biggest thing I seem to run into. And I’m talking to ESPs. Because you look at some stuff that leaks through, either not necessarily from them or that use their platform in some sort of way. And you try to work out, well, how is it possible that you can have such a large problem, and it kind of always seems to track back to the fact that there’s free and/or kind of almost instant access to the entire product, and the ability to send vast amounts of messages or do something, you know, that you should, in theory, be paying for a lot. And I think the real struggle, I think, for a lot of places is that for people, especially people who wouldn’t be working on the deliverability side, is trying to get them to be able to get the military to factory shut down the marketing and product side to say, Hey, we should know if we forget having this easy access to make let people sign up within seconds. It shouldn’t be the full product and platform, it kind of should be a much more watered down version that allows us to kind of almost sandbox them, but give them all the experience and the tools and things I can see how good we are and what we could do for them without necessarily actually letting them do it straight away. And I think if more kind of companies can move towards that, I think it’s one of those things where you because you don’t necessarily see how the output of the badness from all that stuff, you only see the good because Be willing go, Hey, you’re the people who are good sign up and then pay money. It’s one of those quantities that never maybe gets kind of noted in any spreadsheet as to the impact of it.
But certainly I see it time and time again that the customers that are, sorry, the companies that do kind of somewhat shut down or even really massively reduce what their free and/or trial accounts can do, the spammers go away because they will go to the next easier target. So the more the industry can do that kind of thing, I think it makes it harder for them to utilise that, you know, the good reputation.

Raymond Dijkxhoorn 47:27
Agree, and before they start to send you have the onboarding process. And that’s really, especially for freemium accounts, if you have free signups. I mean, we have been in contact with a couple of the, and it was not an ESP role, but a different type of industry that moved from a paid version to a free version. And that’s where basically the botnets come in; the botnets try to create like thousands of accounts, and then you as the help desk customer, basically abuse desk of that ESP, you’re like, where should I start? Because this is not what I expected. And from there, it only goes downhill.

Simon Forster 48:13
Let me just say, I’d just like to sort of build a little bit on what James says, I think it’s absolutely right. Yes, it starts with the onboarding process. But then yet rate limiting your new accounts as they come on. Certainly, we’ve got a free model and rate limit them quite heavily. And now a number of ESPs also, they have different IPs. And depending on how trusted you are, you will find yourself on the Yeah, well, that may get through IP, but don’t bank on it through to the really stellar, clean IPs, where everything is just going to get through. So these are all things that you can be working on and work with your customers to move them across or the trusted customers across to the networks that are really going to get into this. You know, again, get delivered. Yeah,

Raymond Dijkxhoorn 49:14
Yeah. And that’s also like a premium service for ESPs, so they can charge more for good deliverability. And it circles back to what Rob told also, like, he saw those guys pointing to domain, but likely, they didn’t use domain during signup. So likely, they send it out a few emails and that’s, I mean, some of the ESPs I know, they have a process where they check the domain name when you onboard. But if you make the templates, the email templates, the landing pages, you can change the flight afterwards. So sometimes you sign up with like, very nice looking thing and you end up with Russian briars or whatever. I mean, it’s things that they do change during delivery phase, even after the emails have been sent. I mean, we have also notified ESPs where it looks quite legitimate. And in the morning, it was malware. And it was always intended like that. But during the sending phase, nothing was wrong. So again, I’m not here to defend it, but I do understand that they are being heavily challenged also.

Rob McEwen 50:25
And they might need to do something like basically put domains into some sort of good list that gets there deliberately. And then nobody can change their links to any link that uses a completely new domain name until it’s been approved. That may be a good thing. But the other thing I want to mention has to do with what you were talking about earlier, Raymond, about the bots signing up for things. And, of course, in addition to signing up for email service provider accounts, another thing that comes up is that basically, there’s been a huge uptick across the internet with bots filling out forms, signup forms on the internet, and triggering lots of spam, because sometimes those forms will trigger emails. And then often when they trigger those emails, there’ll be malicious content in the body of the message, because a spammer will sometimes throw their malicious hyperlink into the comments. And that can often get, you know, different different Windows Forms trigger feedback messages back to two email addresses that were forged in there by a bot, then that’s a quick way to get your IPs and your, you know, blocklisted, because it can cause a lot of malicious emails to be sent. So it’s just really not a good idea to have forms convert to other automatically the emails unless you really know what you’re doing, and you’re careful. But even before that, it’s just a really good idea that any kind of signup process or form have something like a CAPTCHA set up, or something that would prevent a bot from being able to go through with it. I know that there’s exotic ways that the CAPTCHAs can be beat. But really, that’s very few and far between. And a lot of people find that when they put a CAPTCHA in front of some things like that a lot of abuse this thought.

Raymond Dijkxhoorn 52:09
Yeah, I mean, I tend to disagree with CAPTCHA. But the rest I do, I mean, bots are usually a lot better in solving the CAPTCHA than I am. Sometimes I have to click again and like see how many bridges or cars? I mean, I didn’t like that.


Yeah. But there is one point that I’d like to address. I mean, we are heavily known in the sending industry for ages, that we are protecting their systems. And what a lot of people basically are not doing is if they have a signup form, or a feedback form, that they also use our data to check, like, used to spend times data to check if that form is coming from a botnet and just ignore that form. Because most of the majority of the forms that we see in traps are already identified, they are all like, IPs that been associated with that stuff, since forever. Because what we see is that the face of the botnet that is doing form submissions, is one of the last light lifecycles of that box. So it is already known. And it’s quite easy to move from the email side, to also move to other sides of your internal system where you basically start to monitor your onboarding process against the blocklist that Spamhaus provides or other parties provide and see where is that guy coming from? Instead of just seeing it when you start to send out the email? And same with domain names, if somebody signs up at your ESP, and the domain name is like, 12 hours old? Do you wonder that’s a customer? Or? I mean, that’s just that stuff waiting to happen? Yeah.

Simon Forster 54:10
Is there any case where you can think domain that young you should be doing anything worthwhile?

Raymond Dijkxhoorn 54:17
Oh, yeah.

I mean, we have seen issues or cases where basically random big company had a complete press kit, everything pressed domain name printed, they only forgot to register the domain name. So they did it like two hours before? Because no, you were supposed to do that. Or did you didn’t Oh, let’s do it. So yeah, I’ve seen, but it’s very rare. Yes, I know. Yeah. It can sometimes happen. It doesn’t happen a lot. Now. Usually, it’s usually a bad sign if you’re doing something with a domain name enlarge. That is basically less than a day old. I would highly question that.

Rob McEwen 55:14
I’ve seen entertainment companies come up with like a new movie or something like that, you know, or a new video game. And they’ll release the domain, or they’ll register it at the last minute. But if you’re an ESP dealing with that kind of customer, you know that you should be educating your customers to let them know about something like that ahead of time that it can be anything

Simon Forster 55:36
but a respected palapa lists. They’re going to have deliverability issues anyway. Yeah, trying to ramping up new domains, new IPs, no reputation behind them hitting a Microsoft or Gmail or whoever. At massive volume. Yeah, that’s not gonna work very well, isn’t

Raymond Dijkxhoorn 55:54
it? depending if they’re using ESP or if they do the sending yourself?

Simon Forster 56:01
Yeah. Okay.

Raymond Dijkxhoorn 56:03
So there’s a thing, if you look at it from the last few days. I mean, we have been monitoring the COVID-19, corona domains fairly closely. It’s really hard to determine which ones are good and which ones are bad. Because those are created like a few hours before and it’s a hospital that says we wish it registered a domain name, fight, roll up, and telling which is the good one and which is not is very hard. Yes.

Speaking of which,

we still have, like two minutes, we could do like, one last question, I think, if there is somebody who has a nice question left. And otherwise, I would like to Yeah, that’s nice. Collectively, are

in the same organisation, one big duck back. We just make it look like we’ve got multiple entities.

Rob McEwen 57:26
One more thing before we go. Also, with the Coronavirus, making lots more people work at home than usual. I found just anecdotally just people that I know, people around me, people in my family are suddenly using email a lot more than they used to. So this is only making email more relevant and more important than it ever was before. And of course, the last thing you want is your employee working from home to get a virus because they clicked on something in their email that they misunderstood and didn’t know they’re launching a virus. So that makes blocklist security all the more important to you.

Raymond Dijkxhoorn 58:02
Yes, it does. It does. Yeah. So do we work either competitive or collectively. Anyone on this panel knows each other for years, and we all work together. As I said in the start, there is no single list that basically covers everything. So sometimes we share information, if we think is really bad. We do work together a lot. I don’t really see the other list as competitors. But basically as friends who are helping the industry. As strange as that might sound. I saw one last question perhaps about the information sharing, like try to said if you have a share who have beds sign up, and how would that be helpful for us? Definitely.

So with any information, you don’t only need to contact us if you have a delisting request. And that’s a misunderstanding that a lot of ESPs have, like we only contact Spamhaus when we have a sending issue. But it’s a lot more proactive to basically also reach out like, Hey, we have this bad customer and we want to avoid seeing him elsewhere. Can we share the information with you? And as long as you are allowed to share it with the GDPR restrictions that your company has, we are happy to take in the data. So please, yeah.

Well, I think we are we are running on the time limit. I would like to thank you all for the questions. I hope we can do the next session. of this event in person. Um, let’s shake a little bit less hands down, or perhaps not. Let’s see. Thank you all. Yeah. Yeah. Thanks, guys. Thank you.

Rob McEwen 1:00:16
Thank you.

Simon Forster 1:00:18
Thank you, Raymond.
