How do I auto-reply responsibly?

[BrandiochConner]

Our marketing/sales department has decided that anyone sending email to certain addresses should receive an auto-reply stating that we have received it.

I have tried to explain to them that this will, eventually, result in us getting blacklisted because the spammers will, eventually, use one or more of those addresses as fake "From:" addresses. But they don't see the problem.

So, I plan to reject inbound email that fails SPF verification (only where the claimed originating domain has correctly configured their SPF entry and the inbound IP address is not on that list). I know of the problems with SPF. But in this case I'll take annoyed individual users over a site wide blacklisting.

But does SpamCop use SPF records for their spamtraps? If not, does anyone have any recommendations for how to mitigate the damage? This is going to happen no matter what I say. As I said, they don't see the problems, just the possibility of making/losing sales. Any technical issues will, of course, be 100% my fault.

TIA!

[Wazoo]

Our marketing/sales department has decided that anyone sending email to certain addresses should receive an auto-reply stating that we have received it.

I have tried to explain to them that this will, eventually, result in us getting blacklisted because the spammers will, eventually, use one or more of those addresses as fake "From:" addresses. But they don't see the problem.

FAQs are provided here. Previous stories from other ISPs exist here. Numerous Topics/Discussions exist here already on this subject. Take your Advertising folks to the Corporate folks and educate them all together.

But does SpamCop use SPF records for their spamtraps? If not, does anyone have any recommendations for how to mitigate the damage? This is going to happen no matter what I say. As I said, they don't see the problems, just the possibility of making/losing sales. Any technical issues will, of course, be 100% my fault.

SpamCop.net spamtrap addresses do not 'send' any e-mail. They exist to be scraped and have crap sent to them. Not all are in/on the spamcop.net domain. Bottom line, this plan won't do what you want.

[BrandiochConner]

FAQs are provided here. Previous stories from other ISPs exist here. Numerous Topics/Discussions exist here already on this subject. Take your Advertising folks to the Corporate folks and educate them all together.

All the education in the world won't mean a thing if they can make a sale (or possibly make a sale or possibly not miss a sale).

I'm convinced that most marketing people are only one step above spammers. Annoying the faceless masses means nothing if you get a commission. So it is up to me to minimize the damage that they'll be causing.

SpamCop.net spamtrap addresses do not 'send' any e-mail. They exist to be scraped and have crap sent to them. Not all are in/on the spamcop.net domain. Bottom line, this plan won't do what you want.

I know they don't send any email. But they are used as forged "From:" addresses by spammers attempting to dilute the value of SpamCop. The spamtrap addresses reference legitimate domains with MX records. I'm going to be rejecting messages at SMTP time based upon SPF entries in an attempt to mitigate the damage our marketing department is going to cause.

If this won't work, what other options are there?

[Miss Betsy]

Workarounds are natural to the IT professional, but in this case, it might be better to try a different workaround.

I know you are frustrated with the marketing people and not in the mood to be tactful, but perhaps announcing that you have to hire another person to check all the auto responses and make sure that they are not responses to spam and are going to charge it to marketing might work. Or say that, in order to implement this change, you need extra hardware for a super spam filter.

Even aol decided that non-delivery responses were not a good thing so it is possible to convince non-techies that some things are not practical technically. Ask the advice of someone higher up than marketing on how the best way to accommodate marketing - being sure to explain clearly the problems of blocking and why auto responses are old fashioned and how much money should you put into the project (including your time in figuring out a workaround).

I was reading the Peter Prescription and he had some techniques to avoid having to do something that would make you 'incompetent' without actually lessening your real competence. One of them was answering questions with exaggerated jargon where all the words make sense but the sentence doesn't. If you send enough memos addressing what they have to do technically in total nonsense, you might never get to the implementation stage. You might get a copy from the library and see if one of the other techniques would work better.

Good Luck!!

Miss Betsy

[StevenUnderwood]

If this won't work, what other options are there?

The best solution is probably to heavily scan the incoming for signs of spam to these accounts but redirect any questionable ones to a holding area to be manually checked (so no messages read:commisions are lost). The auto reply can go out to the messages that come through cleanly while you have minimized (but can't eliminate) the chance of sending the auto-reply to a forged address. The messages that look like spam wil need to wait for their auto-reply. Setting this up on a seperate outgoing server, maybe one only the marketing group uses would also be good. As someone else suggested, make sure all of this is charged to their department.

P.S. I'm dealing with a marketing group insisting on sending out a monthly newsletter, including to anyone who has ever dropped their business card into the fishbowl at the trade shows or contacted them for any reason, above my departments objections. I think we have convinced them to use an outside service for this project to minimize our direct exposure.

[Miss Betsy]

<snip>

P.S. I'm dealing with a marketing group insisting on sending out a monthly newsletter, including to anyone who has ever dropped their business card into the fishbowl at the trade shows or contacted them for any reason, above my departments objections. I think we have convinced them to use an outside service for this project to minimize our direct exposure.

You couldn't even convince them to send a confirmation email? Since the spammers have spoiled it for legitimate business, the likelihood of even a confirmation email getting past filters might be low. However, people who do drop cards in fishbowls at trade shows may be willing to get info or unsubscribe if the newsletter gets past the filters.

Letting an outside service handle it is probably the best solution, though.

Miss Betsy

[rooster]

I was reading the Peter Prescription and he had some techniques to avoid having to do something that would make you 'incompetent' without actually lessening your real competence. One of them was answering questions with exaggerated jargon where all the words make sense but the sentence doesn't. If you send enough memos addressing what they have to do technically in total nonsense, you might never get to the implementation stage. You might get a copy from the library and see if one of the other techniques would work better.

Miss Betsy;

If you liked the PRx, and have a taste for 'miscreative' humour, ...and enjoy a more than middlin' tendency to mischief; you might get a kick our of a book I used to keep in my office for handy reference. I even got the author to sign my 1st edit. copy.

When in Doubt, Mumble: A Bureaucrat's Handbook (ISBN: 0442209266)

James H. Boren

[Miss Betsy]

<snip>you might get a kick our of a book I used to keep in my office for handy reference. <snip>

When in Doubt, Mumble: A Bureaucrat's Handbook (ISBN: 0442209266) James H. Boren

Thanks for the tip! I probably would.

Miss Betsy