The one where a marketing company would rather get their customer's domain blacklisted than learn to use SendGrid
Posted by onlyroad66@reddit | talesfromtechsupport | 78 comments
I feel like I'm losing my mind.
A client of the MSP I work at recently contracted an external ~~marketing~~ AI Driven personalized email sales generation firm. They send bulk template emails to a list of potential customers and try to convince them to buy something. But they're not marketing, and will correct you every time you so much as insinuate they are.
Whatever. Not the issue I have with them. Because rather than send mail from their own infrastructure or a dedicated bulk sending service, they apparently require a standard licensed user mailbox to ~~send spam~~ generate personalized sales leads.
We warn them that this won't fly, that account is going to get blocked within 24 hours, and that the client runs the risk of having their entire domain blacklisted. Marketing company says it's fine, they've done this with hundreds of clients, including on the Fortune 500. Client says do it, boss says the inevitable stupid tax will be a good source of revenue, us techs are just paid to push buttons so we create them their account.
Twenty four hours pass. Security alert hits the queue, marketing.bozos@clientdomain.com has been restricted from sending out of 365 due to suspect outbound messages. Checking into it...the account was sending out standard boilerplate spam. We have a moment of 'I told you so,' get affected parties together, reiterate that this won't fly and recommend that they do what we told them to in the first place.
No, says the marketing company. This happens all the time. 365 just needs some time to adjust to their sending patterns. They "mimic human behavior" after all. But, we should create them a second marketing account so they can split their sends between them. This will totally fix it, promise. Argument ensues, but at the end of it the second account is created.
Twenty four hours pass. Two security alerts hit the queue. marketing.bozos@clientdomain.com and marketing.bozos2@clientdomain.com have been restricted from sending out of 365 due to suspect outbound messages. Both accounts were sending out standard spam. The 'I told you so' is said with a sigh today. We again recommend they do what they're supposed to.
No, says the marketing company. This has been happening increasingly often. What we really need is a third marketing account so they can be super absolutely sure this doesn't happen again, super duper pinkie promise. The ensuing argument has more tension this time around. A third account is created at the client's insistence.
Twenty four hours pass. Three security alerts hit the queue. marketing.bozos@clientdomain.com, marketing.bozos2@clientdomain.com, and marketing.bozos3@clientdomain.com have been restricted from sending out of 365 due to suspect outbound messages. All three accounts are sending out standard spam. The 'I told you so' is said through gritted teeth. Boss finally puts his foot down, says that we are not going to be creating an infinite series of licensed marketing user accounts. You are going to need to find both a new IT provider and a new domain at the current rate. Argument ensues, further ~~spam~~ sales generation sends are paused until a resolution can be reached. A meeting is scheduled.
The meeting happens, between myself, one of our senior techs/technical executive, stakeholders at the client, and the non-technical account manager from the marketing company. Account manager insists on giving us the sales pitch for their company. "We send bulk template emails to a list of potential customers and try to convince them to buy something" says the account manager in her native tongue of corporate buzzword slop. Great. Amazing. Tell us what shitty bulk sending platform you use and the SPF record you want us to add and we can be done with this.
No no no, says the account manager. It's not our business process to use those. We prefer a personalized approach. You see, we mimic realistic human behavior. Our weird proprietary tool that we've grafted to this poor mailbox sends a message once exactly every 120 seconds - just like a human! We personalize our messages by using the same subject line every single time! These are not standard marketing messages, they're an AI driven, personalized sales generation platform. Transcendent. Enrapturing. You're sending spam. You're going to get the client blacklisted. I refuse to believe that we are the first people to have pointed this out to you.
Well, the account manager admits, we have been noticing these issues recently. Since last month, apparently. But we're totally 100% certain that if we just keep at it, 365 will give up eventually! We tell the client this is untenable, unsupportable, and poses a serious risk to their business operations. Marketing company refuses to budge. It is eventually 'agreed' to buy a clientdomainmarketing.com, use it to create a separate 365 environment, and let marketing company go wild without risk of contaminating the primary domain's reputation.
Am I crazy? Does this sound like anything remotely reasonable? I feel like I'm going insane.
kirby_422@reddit
Why even use a proper mail provider for this spam? A temp postfix server, that only has the DMARC, SPF, etc, set up so that messages aren't unverified sources, and no MX record for incoming, and if you need responses just set up a Reply-To header to a real email address.
Langager90@reddit
They think they behave like a human, so their argument is that 365 should behave in a human way as well and "cut them some slack".
What they get is an... "AI-driven, personalized refusal of service" because...
Oh shit, I gotta finish this message quickly so I can be in time for my next post in 120 seconds!!!
I am human.
Techn0ght@reddit
"Look, all the pretty wordplay aside, can we talk to your technical people on how they intend to bypass 365 security? You've noticed an increase in the problem but all you have is a wish at this point. The technical experience on our side says it isn't going to work."
jimicus@reddit
I think we all know there are absolutely no technical people involved in this conversation. That's what OP is for.
cheesenuggets2003@reddit
OP can do absolutely anything. OP is an expert.
https://www.youtube.com/watch?v=BKorP55Aqvg
Renbarre@reddit
Sing along: when I wish upon a spam...
Jonathan_the_Nerd@reddit
Oh, you mean the CEO's nephew? He's only in high school, but he's a genius! He said you can generate a literally infinite number of addresses to send mail from, so it doesn't matter if a few get blocked.
cheesenuggets2003@reddit
Why is the Federal Reserve cutting? There is clearly still too much cash seeking a return.
deadsoulinside@reddit
Really sounds like a company that has no idea what it's doing and got some sloppy AI solution they want to make a quick buck on now without properly researching shit.
Kind of like someone in an AI sub a while back that was posting some T-Shirt making/Printing website, but had no fucking idea what CMYK was and how they address this when taking an RGB generated photo and converting it to CMYK in order to properly print it to a T-Shirt. Like literally asked me what CMYK meant. So clearly they were not even bothering to know the ins and outs of basic commercial printing. But of course they have this amazing tool/site they wanted you to use and pay out the nose to generate/print crappy T-Shirts.
richie65@reddit
"These go to eleven..."
eviled666@reddit
this kind of thing happens more than you think...
kenrichardson@reddit
This is like how every 5 or 10 years some tech bro has a brilliant idea to revolutionize transit, but they just keep inventing "The bus, but somehow worse."
daverhowe@reddit
Sometimes it is "a tram, but somehow worse"
meitemark@reddit
I'm the one writing/making the newsletters / shit we want to get rid of / spam at my workplace. There is nothing human(e) about this. I suspect that if you look hard enough, you will find cries of "please help me, I'm being tortured" messages from the AI.
That said, we use an external sender and we have to authenticate any domains involved. Spam firms are spammers. And spammers are always the insane ones.
sethbr@reddit
Relatively. Microsoft doesn't want anybody else profiting from spam.
meitemark@reddit
Well, since we don't get the heroes we need, nor the heroes we want, I'll take the villains that cockblock the other villains.
SamuelVimesTrained@reddit
If you are insane - so am I.
That drivel doesn`t mean a thing - it`s words without meaning.
But - see if boss can charge them an additional A&I charge (also known as AH tax) which doubles with every 'account' they request..
Either you all will be rolling in dough shortly - or they will listen.
Frazzledragon@reddit
Those are some odd looking apostrophes there. What kinda keyboard setup are you using?
SadieWopen@reddit
It's a back tick, next to the 1 key
Saelyre@reddit
Ah you mean lowercase tilde.
SadieWopen@reddit
The terminal key?
SamuelVimesTrained@reddit
US international layout - used by someone typing in several languages sometimes (German, Dutch, English) so "results may vary".
Geminii27@reddit
This is not the boss's first rodeo.
megared17@reddit
Spammers gonna spam.
They don't want to use one of those services because they know they will probably get shut down there too.
SparkleKittyMeowMeow@reddit
They would absolutely get shut down by any reputable bulk email service. No one wants senders like this screwing up the reputation of their IPs.
DarraignTheSane@reddit
Maybe I'm missing something, but isn't this exactly what SMTP relay services like SendGrid, Postmark, etc. are intended for? Transactional and bulk / marketing emails?
I was under the impression that you paid for their services because they work to maintain the reputation of their sending IPs. Microsoft doesn't want to mess with any of that and will just shut you down.
KittensInc@reddit
Yes, which is why they have their own terms of service. You can totally use them for marketing email, but you can't use them for spam. For example, all recipients must have given an explicit opt-in, and the email itself must include an opt-out button.
The big email providers don't have a huge problem with marketing - especially if it is clearly labelled. They do care about spam. Using those relay services prevents your marketing email from being confused with spam.
VexingRaven@reddit
My personal favorite thing to do when I see spam come from one of these services is forward it to their abuse contact and explicitly say I don't know the company and I never opted in. The resulting "we've dealt with them" response is so delicious.
MrRiski@reddit
Stupid question. How can I tell if an email came from one of these services vs anything else? I don't generally pay attention to spam that makes it past the Gmail spam filters or the newsletters that I opted into, and actively opt myself out of when they get annoying. If they don't stop I report it as spam and move on.
VexingRaven@reddit
Email headers. Look at the Received: From field as well as the DMARC results. That will show you definitively where the email came from, regardless of what domain it shows. They may also have an abuse contact or unsubscribe URL directly in the headers.
SadieWopen@reddit
You can also check any urls in the email. Services like sendgrid change the urls to point at one of their domains.
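The header and link checks described in the two replies above, as an added example that is not part of the thread: it reads the `Received` and `Authentication-Results` lines stamped by the recipient's own mail server, the `List-Unsubscribe` header, and the hosts behind the body links. The message, every host name and the `my_mx` parameter are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every host, address and id is made up.
RAW = """\
Received: from o1.bulk-esp.example (o1.bulk-esp.example [192.0.2.25])
\tby mx.recipient.example with ESMTPS id abc123
\tfor <user@recipient.example>; Tue, 07 Jan 2025 10:00:05 +0000
Received: from app.internal (unknown [10.0.0.5])
\tby o1.bulk-esp.example with ESMTP id def456; Tue, 07 Jan 2025 10:00:03 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=bounces.bulk-esp.example;
\tdkim=pass header.d=shop.example;
\tdmarc=pass header.from=shop.example
From: "Shop Deals" <news@shop.example>
To: user@recipient.example
Subject: Winter sale
List-Unsubscribe: <mailto:unsub@bulk-esp.example>, <https://bulk-esp.example/u/abc>

See https://click.bulk-esp.example/ls/xyz for details.
"""

def _flat(value):
    """Undo header folding so one regex can read the whole field."""
    return " ".join(value.split())

def _under(host, domain):
    # Simplified alignment test (same domain or a subdomain of it).
    return host == domain or host.endswith("." + domain)

def analyze(raw, my_mx="mx.recipient.example"):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()

    # Only the Received line written by our own MX can be trusted;
    # anything below it was supplied by the sender and may be forged.
    handoff = None
    for rcvd in map(_flat, msg.get_all("Received", [])):
        m = re.match(r"from (\S+) .*?\[([^\]]+)\].*? by (\S+)", rcvd)
        if m and m.group(3).lower() == my_mx:
            handoff = {"helo": m.group(1), "ip": m.group(2)}
            break

    # Same rule for Authentication-Results: accept only our own authserv-id.
    auth = {}
    for ar in map(_flat, msg.get_all("Authentication-Results", [])):
        authserv, _, rest = ar.partition(";")
        if authserv.strip().lower() != my_mx:
            continue
        for part in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(?:\s+[\w.]+=(\S+))?", part)
            if m:
                auth[m.group(1)] = (m.group(2), (m.group(3) or "").lower())

    envelope = auth.get("spf", ("", ""))[1]
    unsub = re.findall(r"<([^>]+)>", _flat(msg.get("List-Unsubscribe", "")))
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s]+)", msg.get_payload())}
    return {
        "from_domain": from_domain,
        "handoff": handoff,
        "auth": auth,
        "envelope_domain": envelope,
        # Bounce domain outside the visible From domain: a third party sent it.
        "sent_via_third_party": bool(envelope) and not _under(envelope, from_domain),
        "unsubscribe": unsub,
        "offdomain_link_hosts": sorted(h for h in hosts if not _under(h, from_domain)),
    }
```

Set `my_mx` to the host name your own receiving server writes into these headers; when it does not match, the function returns no hand-off and no authentication results rather than trusting sender-supplied lines.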
SparkleKittyMeowMeow@reddit
I love dealing with those. Kicking spammers off the platform is therapeutic.
SparkleKittyMeowMeow@reddit
They do work to maintain the reputation of their IPs. That's why if someone comes along and is sending stuff that is going to actively damage that reputation, they will take action against it. Marketing and bulk emails are perfectly fine, and often are extremely successful, but there are rules. Anyone who falls under GDPR is required by law to get explicit consent for sending non-transactional mailings. The US is behind in this, as CAN-SPAM is not as strict, but it's still best practice to get people's permission before sending them emails.
Loading_M_@reddit
I wouldn't be surprised if many of them require an unsubscribe option in the email as part of the terms of service. They need to maintain their reputation, since that's why you would go with them - they can reliably send emails on your behalf.
SparkleKittyMeowMeow@reddit
Many of them do. Some will let you use your own unsubscribe method, but all of them (or all that I know of) have an unsubscribe option built in. Ones that are tailored toward non-technical customers will often make it a requirement that if you're using their editor, you have to use their unsubscribe link.
Im_in_timeout@reddit
Yep, Sendgrid is a spammer extraordinaire. We block all their junk.
pholan@reddit
Your system, your rules so that’s reasonable. That said they have a decent reputation in the anti spam community. They’re pretty quick to terminate customers given a suggestion of purchased lists, repurposed lists, failing to respect opt out, or other outright spam. They’re selling their ability to get marketing and transactional mail into end user mailboxes and have a strong vested interest in avoiding black lists.
StalkingTheLurkers@reddit
I believe they still have some rules (usually law-based) that you would be required to follow to use their services, or they will cut you off as well.
grauenwolf@reddit
Correct me if I'm wrong, but at the very least they need to have unsubscribe functionality built in. And I doubt that this company bothered to roll their own.
greet_the_sun@reddit
That is a very generous interpretation of that, it's also entirely possible the company is all marketing people and no one technical and they are just clueless about setting up sendgrid.
highlord_fox@reddit
Nah, it's more fun when some place does use Sendgrid... to impersonate an (at)gmail(dot)com address, because they started out small with a gmail account, and they don't want to "disturb customers" or whatever nonsense they stand for.
hitemlow@reddit
Sounds a lot like those marketing companies that come along, offer to switch the client over to new email marketing service, get the client's list of captured emails instead of currently subscribed emails and violates the shit out of the CAN-SPAM act, opening their client up to potentially millions of dollars in liability.
DegaussedMixtape@reddit
I had a fun adjacent one today.
User is trying to send email out to a regular external correspondent of his and auto complete doesn’t have this user in it. He emails this guy all of the time but never saved a contact because outlook autocomplete is his address book.
I do a little digging and find that auto complete only stores 1000 addresses and they are using his mailbox to do marketing email blasts and the email list filled up his autocomplete and pushed a bunch of contacts out of the cache.
He’s borderline irate, but still won’t consider send grid, constant contact or mail chimp.
Cool cool cool
emPtysp4ce@reddit
This is what happens when you let Silicon Valley Nerd Reich techbros make decisions. This is Elon Musk levels of dumb.
K1yco@reddit
I'm sure that if we keep stealing snacks from the liquor store, the store will eventually give up and we don't have to pay for chips and sodas anymore.
the123king-reddit@reddit
You're definitely not the insane one here.
Loko8765@reddit
There is however a high level of ambient insanity.
MidLifeEducation@reddit
That sounds so much better than the phrase "abject stupidity" that came to my mind.
Slackingatmyjob@reddit
"Abyssal imbecility" has a nice ring
MidLifeEducation@reddit
Keep going... I'm taking lots of notes
WackoMcGoose@reddit
"Insanity is like nuclear power. It lasts forever, can be used for both good and evil, and you really don't want to get it on you."
mercurygreen@reddit
Objection! While the SPAMMER is definitely insane, there is no evidence that OP has not been DRIVEN insane!
kagato87@reddit
No, you're not crazy.
MSOL has send rate limits for a reason. Services like SendGrid exist for a reason. (They're closely related, but not causal - they both originate from common issues with bulk sending.)
Heck, I have personalized e-mails I send out through SendGrid...
I like how the company claims they're not a marketing company while claiming to do exactly what you hire a marketing company for...
ManosVanBoom@reddit
Pedant comment: as someone who has been adjacent to both marketing and sales organizations, client is correct. They are not marketing. They are pure unadulterated sales.
LupercaniusAB@reddit
Came here to say this too. I’m neither marketing nor sales (actually a stagehand who has worked hundreds of marketing and sales conferences). I’ve picked this stuff up through osmosis. Marketing crafts the messaging, sales decides how to badger people with it.
ManosVanBoom@reddit
Great summary
ac8jo@reddit
My consultant-English dictionary translates this word salad as spam.
crimsonpowder@reddit
User mailboxes for sending does work, but you have to be very careful about content, pace, and volume.
They're probably not sending every 120 seconds. I've seen O365 restrict sending any time you go faster than every 5 seconds, without fail.
If they are actually going at that pace, then the content of their messages is really bad.
Either way super easy to fix, but they're not technical and likely have a weak product, so here you are.
Frazzledragon@reddit
Believe in the process. Maybe by account 15 or 16 they won't get restricted anymore. After all, their email sending pattern mimics human behaviour.
Dustquake@reddit
I know I send emails exactly 120 seconds apart. /S
androshalforc1@reddit
1 question how much money do they save by not doing it properly?
Mr_ToDo@reddit
Well I don't think you save anything but I'm guessing that in theory you might get around a few spam filters that block based off sending servers. Of course the downside is unfolding in front of you.
Honestly if they wanted to push this I'm thinking a small mail server you make yourself and deploy on the clients side would have a similar effect. Still not a great idea since I'm not big on having my business's IP being blacklisted, but it'd get around the rate limiting and if server based spam filter bypassing was the goal it would still help (maybe not as much as using 365's but I'm guessing more than the standard mail services, at least until it's on the blacklists). But it shouldn't go on the blacklist because their email is organic and human, right ;)
NBDad@reddit
Literally nothing. It's a fucking one line update to existing public dns records.
Maybe one extra record if they want to get really fancy and do DKIM signing too. 5 mins. Tops. And 4 1/2 of that is signing in to whatever the public dns platform is.
SirEDCaLot@reddit
This is of course incompatible with O365 or Hosted Exchange. You need to route this outbound message traffic through a named pipe connection and use a MQTT broker to ensure proper receiver reputation management. With that in place your emails will be heuristically analyzed and thus algorithmically whitelisted for proper delivery to recipient SPF records. That way none of the SNTP relays will flag your emails as spam.
Obviously, any professional email marketing firm will understand that. You're concerned that this company is not up to date with industry best practices...
anotheritguy@reddit
THIS is the reason I am so against non-technical people having ANYTHING to do with IT. They somehow think if they keep doing the same ridiculous thing over and over somehow they will win out even though the people they hired who are technical keep telling them otherwise.
Revolutionary_Tap897@reddit
Update us with how long it took once that new domain is blacklisted!
DWLooney@reddit
AND They're still risking their primary domain by association...
LaterGatorPlayer@reddit
Nah. Not even a remote possibility. Their marketing manager told me so. He was also nice enough to sell me a genuine treasure map leading to the lost city of Atlantis.
ZacQuicksilver@reddit
You're describing them wrong:
They're clearly Sales by Personalized AI Marketing.
Gnizzel@reddit
And the vikings sang: "Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing, Sales Personalized AI Marketing"
MidLifeEducation@reddit
So THAT'S what spam means
Candid_Ad5642@reddit
Or an acronym thereof...
atomicsnarl@reddit
Field's Triumvirate: Never argue with a fool, never wise up a sap, and never give a sucker an even break.
They are fools, their customer is a sap, so grab all you can from those suckers while you can, then run.
fluffy_in_california@reddit
No no no see GenAI is magic pixie dust! It turns bulk marketing spam into personalized customer outreach...
blegg*
Sorry. Stomach staged a revolt.
capn_kwick@reddit
Ah, yes, the classic definition of insanity "doing the same thing over and over and expecting different results".
glenmarshall@reddit
Anonymously report them to the FTC and other regulatory bodies. Let the trash take itself out.
nighthawke75@reddit
I'd have taken a hard line another 2nd alert and stopped the dumpster fire from affecting the company's operations.
TheLightningCount1@reddit
Someone somewhere staked their reputation on this spam and IT has to eat it and take the blame.