Everyone wants to protect users and trap data.
As a result, people like to send redacted complaints to email service providers (ESPs). Generally, I’m pretty happy to work with redacted data. I need to be able to tell which client sent mail. I need to be able to tell when they sent the mail (the day is often good enough). And in many cases, I need the subject line. I don’t care much about internal routing, and while having the email address means that I can make certain it gets unsubscribed, I can work around not having that.
I just had cause to send a complaint to Qwest (CenturyLink) and got the following list of requirements back:
If you are reporting an email abuse issue such as UBE or spam, please include
the following information so that we can complete a full investigation of
1) Original subject line: When you forward email, please forward it with a
subject header the same as when you received it.
2) Complete message headers: Most email programs only display abbreviated
Please check your email program’s documentation for assistance in how to
display the full message headers. Full message headers will include
a “RECEIVED:” line with a set of four numbers divided by periods
(ex. 192.168.12.34). We cannot complete an investigation without this
3) Complete message body: Please include the complete body of the message as
you received it.
Now, compare that to these headers which I recently received (do note that I have changed the client’s IP and domain name for business reasons):
Received: from mta . example . com ([188.8.131.52]) [removed]
[removed] Jan 2014 [removed]
DKIM-Signature: [removed] d=example . com; [removed]
DomainKey-Signature: [removed] d=example . com; [removed]
Received: by mta.example . com [removed]; [removed] Jan 2014
From: [removed] <example@example . com>
Date: [removed], [removed] Jan 2014 [removed]
Content-Type: multipart/alternative; boundary=[removed]
Content-Type: text/plain; charset="[removed]"
Here’s the thing: those headers are virtually indistinguishable from headers which a very lazy person would just make up. And I’m expected to do something about this client (the demand was actually that I should terminate them) based upon less than this evidence. (The original email just pretty much demanded that I just terminate the client. I didn’t get even this level of detail until we had exchanged 3 emails.)
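The following added example, which is not from the original post or from any provider's tooling, checks a forwarded complaint for the items discussed above: the three things the post says an ESP needs (client, day, subject) and the three items on the quoted ISP list (subject, a Received line with an IP, body). The field labels, both sample messages and the 192.0.2.25 address are constructed for illustration; the check reports presence only and verifies nothing.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed address in Received:
DKIM_D = re.compile(r"\bd=([A-Za-z0-9.-]+)")          # signing-domain tag
ESP_NEEDS = ("client", "day", "subject")
ISP_NEEDS = ("subject", "received_ip", "body")

def evidence(raw):
    """Report which evidence items are present (presence only, nothing is verified)."""
    msg = message_from_string(raw)
    ips = [ip for r in msg.get_all("Received", []) for ip in IPV4.findall(r)]
    sigs = msg.get_all("DKIM-Signature", []) + msg.get_all("DomainKey-Signature", [])
    domains = [d for s in sigs for d in DKIM_D.findall(s)]
    try:
        day = parsedate_to_datetime(msg.get("Date", "")).date().isoformat()
    except (TypeError, ValueError):  # Date header missing or redacted
        day = None
    subject = (msg.get("Subject") or "").strip()
    return {
        "client": (ips + domains) or None,
        "received_ip": ips or None,
        "day": day,
        "subject": None if not subject or "[removed]" in subject else subject,
        "body": raw.partition("\n\n")[2].strip() or None,
    }

def missing(raw, needs):
    found = evidence(raw)
    return [item for item in needs if found[item] is None]

# Constructed sample modelled on the redacted headers in the post.
REDACTED = """\
Received: from mta.example.com ([192.0.2.25]) [removed]
DKIM-Signature: [removed] d=example.com; [removed]
Date: [removed], [removed] Jan 2014 [removed]
"""
# Constructed unredacted report for comparison.
COMPLETE = """\
Received: from mta.example.com ([192.0.2.25]); Tue, 14 Jan 2014 09:12:01 -0800
Date: Tue, 14 Jan 2014 09:11:58 -0800
Subject: January offers

Body text as received.
"""
if __name__ == "__main__":
    for name, raw in (("redacted", REDACTED), ("complete", COMPLETE)):
        print(name, "ESP gaps:", missing(raw, ESP_NEEDS), "ISP gaps:", missing(raw, ISP_NEEDS))
```

Run against the redacted sample, the check names a sender but finds no usable day, subject or body, which is the gap the post describes.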
So, if I ran the ESP abuse box the same way that ISPs run their abuse boxes, what should I do?
I want to be helpful and police my corner of the Internet. But I do have to provide actual evidence to justify shutting down clients. I think that sometimes people forget that in their rush to protect themselves, their users, or even their spamtrap networks. It’s not even that Legal requires it (although they do). It’s that it’s the right thing to do. Even the people who sent this to me would want evidence that meets Qwest/CenturyLink’s standards before their own provider shut them off, not the standards of the evidence that they provided with a demand that I take action.
Now, again, I don’t run an abuse box which requires the same level of unredacted proof as an ISP. But, when I voice frustration at getting labeled a spammer for requiring even the level of proof that I do, just remember who is easier to work with.