Finding spam a nuisance and being anti-spam is a default setting for all of us these days. Even as technology evolves and our mailboxes become smarter in reducing this background noise, we all have to endure the steady flow of unsolicited messages arriving in our inboxes each day. New data protection laws may well help to drain the swamp.
However, it seems to be worryingly easy for a legitimate organisation to find their domain on a blacklist and it occurs more often than you would think. It can happen for a number of reasons, but as I found out recently, there seems to be no room to defend yourself once you find yourself blacklisted.
SURBLs are described as lists of websites that have appeared in unsolicited messages and Surbl.org appears to be an open source not-for-profit whose database is used by many of the leading spam filter applications you would generally find installed on a network. While this organisation clearly assists the daily battle against spam, malware and phishing messages by listing sites that appear too many times in them, the question arises: what happens if your site is erroneously reported to them and you find yourself on their blacklist?
This person decided to attack both our site and our reputation and he made it very clear that he was very well connected in the anti-spam community and was going to ‘teach us what the results of spamming are’. When I realised he had indeed managed to get us blacklisted, I assumed that a straightforward conversation with SURBL.org would clear up the situation. Unfortunately, I was wrong.
Eventually, I received an email from them simply saying – ‘Dear Requestor, the site has expired from SURBL’. But this was not before they had already copied-in Mailchimp, letting them know that apparently the GMA had been sending “unsolicited, commercial emails through their system”.
Mailchimp has a job to do and it does it well. It has a zero-tolerance approach to spam email since it understandably needs to protect itself from being blacklisted, as well as do everything to ensure good deliverability for all of its customers. However, the GMA strongly feels that it was misrepresented to Mailchimp and engaged Robert Bond of Bristows LLP and chairman of Data Protection Network to contact Mailchimp’s legal counsel in the US. Robert Bond said, “It is a concern that Mailchimp acts as judge and jury and does not allow GMA to justify its lawful marketing activities.”
Does the process need changing?
Can it be right that one individual’s complaint can lead to a business being automatically, with no warning, blacklisted? I feel that in the GMA’s case, as a domain owner we were found guilty with no trial. It would appear an algorithm was not used to ascertain the credibility of the platform, as no spam or abuse complaints had ever been received in the past. By SURBL’s own methodology, they state: “A SURBL is a list of domains that appear in spam emails. When a user of some email client flags a message as spam, that message is sent off to a central service for analysis. The message’s originating server is noted, and the contents are analysed. If the same domain appears in enough spam emails, it is considered for addition to a SURBL blacklist.” Could this analysis have been undertaken in this case? Furthermore, there seems to be no ability to defend yourself before damaging action is taken.
We all know and appreciate that these organisations are helping to reduce spam, but what recourse does a legitimate online organisation have when these companies declare you guilty even though no crime has been committed? Another organisation, Charm City Networks, who also experienced issues with SURBL, wrote, “Surbl.org is incredibly powerful. They themselves will deny having any power, since they just make blacklists publicly available, these blacklists are used by spam filters all across the internet. Being listed by surbl.org can seriously damage a business that relies on email.”
The GMA has been in business for some 30 years, as the print magazine DMI and now as an online publication. We have many customers and members from around the world, yet our model was endangered by one rather overzealous anti-spammer. While I would agree with all anti-spammers’ ethics, in this case I disagree with the practices. Everyone has the right to prove themselves innocent before they are labelled guilty.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.