Autoresponders and Forwarders Cause Too Many Problems

We’re getting rid of autoresponders and forwarders configured through all our hosted accounts. Here’s why:

Autoresponders and forwarders are mechanisms that were, for a long time, useful for managing the flow of email: they generated automated responses and automatically re-routed messages, and they were popular with both users and administrators. However, the Internet is always evolving, and things that were safe and widely used in the past are often misused and abused later. The problems that arise from an online tool, tactic, or convention can soon become more of a liability than its value justifies. Many service providers now consider these two mechanisms, autoresponding and automated forwarding, too risky to allow.


Old familiar tools, autoresponders and forwarders, have become impractical because of abuse.

The internet is an ever-changing landscape with many dimensions. There was a time when nobody really understood the future impact of all the fresh new technological abilities we gained when the web became public in the mid-nineties. The potential of the things we now take for granted, like email, hadn’t been explored. Back when the web first went public in 1995, people didn’t even have a term for non-permission-based email; practically nobody called it spam yet. Spam had previously referred only to the canned pork shoulder product, a Monty Python skit about it, and a deluge of electronic messages sent by mistake because of a program error in 1993. Back before the web went public, hearing AOL sing “You’ve got mail” was a treat, not a chore. Can you imagine hearing a voice say that to you every time your Inbox receives some spam? Today that same voice would grow quite annoying for the many people plagued by spam in their mailbox.

Back then, in the nineties, nobody took email for granted because it was fresh, fun, and a treat to receive. It was like that because few people had figured out that mass non-permission-based emailing could be so amazingly profitable. There were some spammers, but they were few in number and hadn’t become even slightly annoying yet. Now there are so many spammers that they’re a serious drain on the resources of the Internet as a whole. If you have an email address and you haven’t done a good job of keeping it secret, chances are you’re in the crosshairs of some spammers and receiving their spam in your mailbox right now.

This ocean of spammers and spam has negatively impacted certain tactics that businesses used to employ, even businesses with no bad intent that need to use email legitimately. Autoresponders and forwarders are the two email-handling tactics, impacted by spammers’ abuse, that are becoming too risky to continue using in normal business. The reason is what happens when spammers send spam to mailboxes configured with these mechanisms.

What is an autoresponder?

When an autoresponder is configured for a mailbox, every message sent to that address is automatically answered with a second message sent back to the original sender. This is most commonly enabled when a recipient has an “Out of office message” configured on their email account. Maybe they’re going on vacation for a few days, or maybe an employee no longer works there and the message tells the sender that someone new is in the role. Autoresponders can also be as simple as an automated message sent when someone fills out a form or sends an initial email to a recipient. The message could simply be “Thanks for contacting us – someone will get back to you shortly.” These mechanisms seem like good ideas, just as setting up an “Out of office message” once was. The assumption has always been that using automated replies like these is a best practice in terms of professionalism and technology. It used to be. But now it’s not.

Why did autoresponders become bad to use?

Here’s why: a spammer will send email to everyone. They don’t care whether you’re in the office or not – you’re just another number to them. When they send to an address with an “Out of office message” configured, the mailbox automatically replies to them just as it would to anyone else. There really aren’t any autoresponder settings that say “don’t respond to spammers.” The reason there aren’t any is that no spammer puts their real email address anywhere on the spam they send. Doing that would hurt the spammer quickly, because the email would be traceable back to them as the sender. Being discovered would quickly cripple their ability to send more, and fewer of the emails they send would be received and opened. So when spammers spam, they do it camouflaged, always with a fake email address as the sender. Worse than a made-up address is when they use the real email address of someone who has nothing to do with it. The “sender” addresses are chosen randomly or, worse yet, they might use the recipient’s own email address as the sender! And they do it in all sorts of technically sneaky ways. Whatever spammers can do to maximize the eyeballs on their spam, they do.

An example of an autoresponder getting an innocent business flagged as a spammer.

If a spammer uses George’s email address to spam Sally, and Sally has an “Out of office” autoresponse set up to be polite, then George will get the response back from Sally’s mailbox: “Hey – This is Sally – I’m out of the office.” The problem is that George doesn’t know Sally and never gave Sally permission to send him email. Sally technically spammed George with her autoresponse. It’s no big deal if it happens one time. But what if the spammer sent to a million addresses and all the emails say they came from George? George is going to get at least 10,000 “Out of Office” auto-replies back. If 100 of those recipient addresses are from a common domain, like Roger’s mid-sized business where Sally works, George’s host will be inclined to interpret Roger’s business as a sender of spam. What if George has a mailbox hosted by Yahoo or AT&T, Comcast, or Office 365, really big hosts who submit lists of suspected spammers to blacklisting authorities every day? Of course Roger’s business wasn’t sending spam, but that’s not going to stop George from getting blamed for it, and it won’t help Roger to clean up the mess and incur the costs of remedying it.
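The scenario above, as an added simulation that is not part of the original article: a spam run forges George’s address as the return path, every mailbox with an “Out of office” autoresponder replies to George, and George’s host tallies those unsolicited replies by sending domain. The names, domains and mailbox layout are constructed, and the run is scaled down ten times from the article’s numbers (100,000 spam messages instead of a million, so 1,000 auto-replies with 10 from Roger’s domain). It also includes the RFC 3834 hygiene check that well-behaved autoresponders apply (skip mail that is itself automated), to show that such a check stops reply loops but does nothing against forged-sender spam, which is the article’s point.

```python
"""Autoresponder backscatter simulation (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GEORGE = "george@hisdomain.example"        # innocent address forged as the sender
ROGER_DOMAIN = "rogers-business.example"   # Sally's employer (constructed)


@dataclass
class Message:
    envelope_from: str                     # SMTP MAIL FROM (return path); "" for bounces
    to: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def is_automated(msg: Message) -> bool:
    """RFC 3834 convention: never auto-reply to mail that is itself automated.
    This prevents reply loops, but it cannot tell forged-sender spam from real mail."""
    if msg.envelope_from == "":
        return True
    if msg.headers.get("Auto-Submitted", "no").lower() != "no":
        return True
    return msg.headers.get("Precedence", "").lower() in ("bulk", "list", "junk")


def out_of_office_reply(msg: Message, mailbox: str) -> Optional[Message]:
    """The autoresponder: reply to whoever the return path claims sent the mail."""
    if is_automated(msg):
        return None
    return Message(envelope_from=mailbox, to=msg.envelope_from,
                   headers={"Auto-Submitted": "auto-replied"},
                   body=f"Hey - this is {mailbox} - I'm out of the office.")


def constructed_targets(n: int):
    """Yield (address, has_autoresponder) for n constructed recipients.
    Addresses come in blocks of 100; every hundredth block is Roger's domain,
    the others are small single-block domains; one mailbox per block has an
    autoresponder (1%, matching the article's 10,000 replies per million)."""
    for i in range(n):
        block = i // 100
        domain = ROGER_DOMAIN if block % 100 == 0 else f"smallbiz{block}.example"
        yield f"user{i}@{domain}", i % 100 == 0


def run_spam_campaign(n_targets: int = 100_000) -> List[Message]:
    """Spam n_targets with George's forged return path; collect the auto-replies."""
    backscatter = []
    for address, has_autoresponder in constructed_targets(n_targets):
        spam = Message(envelope_from=GEORGE, to=address, body="buy now")
        if has_autoresponder:
            reply = out_of_office_reply(spam, address)
            if reply is not None:            # the RFC 3834 check never fires here
                backscatter.append(reply)
    return backscatter


def replies_by_domain(backscatter: List[Message]) -> Counter:
    """What George's host sees: unsolicited auto-replies tallied per sending domain."""
    return Counter(m.envelope_from.split("@", 1)[1] for m in backscatter if m.to == GEORGE)


def suspected_spam_domains(tally: Counter, threshold: int = 5) -> List[str]:
    """A big host's crude heuristic: report any domain that sent George many unsolicited mails."""
    return sorted(d for d, n in tally.items() if n >= threshold)


if __name__ == "__main__":
    bs = run_spam_campaign()
    tally = replies_by_domain(bs)
    print(f"{len(bs)} auto-replies landed in George's mailbox")
    print("domains George's host would report:", suspected_spam_domains(tally))
```

Every small domain contributed exactly one reply, so only Roger’s domain crosses the threshold; the innocent business is the one that looks like a bulk sender, and the RFC 3834 check, while it correctly refuses to answer bounces and other auto-replies, never triggers on the spam itself because the spam carries no marker of being automated.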

What’s Roger’s company’s solution to avoid being made to send spam? Dissuade employees from using autoresponders, even when they’re on vacation. Educating all the employees about the risks of autoresponders is going to be more costly and less effective than simply making it policy not to use them. Refer to this article if you need to provide some explanation.

What’s the solution for George to keep his email address from being falsely used as a sender? There’s little that George himself can do to prevent a spammer from picking his email address and making it look like he sent the spam. George’s hosting provider or Roger’s business’s web host can institute certain configurations that make it less lucrative for spammers to choose George’s, Roger’s, and Sally’s email addresses. These configurations are considered standard best practices, but some hosts still neglect this protective measure and expose their email account holders to fraud.

What is a forwarder?

Forwarders are also a problem, for similar reasons. Forwarders are email addresses configured so that they’re not true mailboxes where mail can be sent and received, but rather aliases of other real email addresses. For example, I can set up a forwarder address for info@domain.com that automatically sends any mail it receives to George@hisdomain.com and Sally@yahoo.com. You could set up 10 forwarder addresses for a single domain and have them all forward to one mailbox, for example: custsvc@domain.com, sales@domain.com, returns@domain.com. Forwarders allow one or many virtual email addresses to have their incoming messages deposited in one real mailbox.

Why did forwarders become bad to use?

The problem with forwarders isn’t so much the creation of virtual addresses in the same domain. For example, making custsvc@domain.com, sales@domain.com, and returns@domain.com all forward to joey@domain.com, an actual mailbox, is still OK to do. The problem is when a forwarder is configured to send to another domain, particularly the domains where lots of people like to have their mailboxes: Google’s Gmail, AOL, Yahoo, AT&T and its local Bell brands. When a virtual address, a forwarder, is sent 800 spam messages a day, the forwarder’s server just passes them along and is therefore seen by the recipient’s server as the sender of 800 spam emails, every day. The accepting server doesn’t know the full history of the email; it can only tell who is handing it over.

Think about what it must be like to maintain email servers filled with 98% spam. Your email host has a tough job.

How could the provider where the actual mailbox resides and collects the messages not be upset when extra bandwidth is consumed by this volume of garbage traffic? How could they tolerate having to store all that junk, most of which will be ignored by their user base, or even annoy their user base and make their email experience aggravating? Would you want your customer service people spending time explaining spam to someone who just intends to be angry about it, with no intention of trying to understand whose fault it is? Major hosts have tolerated it for quite a while, probably longer than they should have in the first place. Now they’re so disgusted with the impact of forwarded email on their networks that they’ve reduced their tolerance towards spam yet again, and that tolerance keeps getting smaller. More and more ISPs and email hosts are reporting businesses for spam when all these innocent businesses are doing is simply forwarding email.

Changes to the email ecosystem never impacted our user base this much before.

Here at Massive Impressions we offer hosting plans on our own exclusive servers. No matter how exclusive, protected and secure anyone’s server is, if it automatically sends out ALL email that comes to an address, via a configured forwarder, there’s a giant risk of being labeled a spammer. We’ve gotten block notifications from major providers because of things we have had to correct over the years, and every time so far it’s only been an adjustment most users would never notice. These past adjustments involved configuring the server more securely, according to emerging security conventions intended to validate our identity and eliminate false identification. Each time it resolved the issues and kept the flow of email unimpeded.

A newer trend in the web hosting industry increased the use of forwarders.

This particular problem of spam created by forwarders has been reaching a crescendo lately. The reason may be attributable to a newer phenomenon: a way of offering web hosting that lets hosts focus exclusively on hosting websites without hosting email accounts. If you search for managed web hosting, a service that includes both hosting and “babysitting” your website, you’ll see a lot of providers who don’t offer email accounts as part of their hosting plans. These hosts have depended on forwarders to meet their clients’ expectations for handling email that comes to the hosted domain, and to keep costs low.

For a while we were moving towards having our web hosting clients not complicate their use of their domain and site. We relied on forwarding to make our clients’ receipt of email easier for them. The obligation of having to connect to an additional, separate email account was avoidable, because all email sent to a domain could simply be forwarded to wherever they wanted it instead. Lots of clients preferred to have their email messages in one place, their Gmail or Yahoo accounts for example.

Alternatively, many clients today use Google for Work or Office 365 and hand the role of the email server completely over to a 3rd party. While the latter is still recommended as a best practice, the former isn’t, because it involves forwarders and a flow of spam out of innocent servers to judgmental hosts.

So what does that mean for us, for Massive Impressions and for our Hosting Clients?

It means we’re going to have to configure at least one actual mailbox with each Server Account. The Server Account Owner will need to use either webmail or connect their email client to the server hosting their site, sending and retrieving through Outlook, for example. We will no longer automatically forward email messages out from any of our hosted domains to your favorite mailboxes on 3rd party sites. Sorry – we just can’t.

Changes to the Massive Impressions Email Hosting Policy:

We’re making a server-wide policy change for everything, even our own sites and apps.

  • No external-facing forwarders or autoresponders, exposed in the manner we previously depended on, can be configured moving forward.
  • All Virtual Email Addresses must be configured to forward to a real mailbox configured within the same Server Account. There will be no more automated sending to addresses outside each account’s domains.
  • All mail for Virtual Email Addresses, received for a specific domain that’s part of the Server Account’s primary or aliased domains, will be deposited in at least one mailbox configured under that Server Account†.
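The three rules above expressed as a checker, added here as an example; it is not Massive Impressions’ tooling, and the account layout, address names (domain.example, joey@domain.example and so on) and the rule format are constructed for illustration. An account description is audited for autoresponders, for forwarders that leave the account’s domains, and for forwarders whose targets are not real mailboxes in the account.

```python
"""Audit a hosting account against the no-autoresponder / same-account-forwarding policy."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ServerAccount:
    primary_domain: str
    alias_domains: Set[str] = field(default_factory=set)
    mailboxes: Set[str] = field(default_factory=set)                # real, client-accessible mailboxes
    forwarders: Dict[str, List[str]] = field(default_factory=dict)  # virtual address -> destinations
    autoresponders: Set[str] = field(default_factory=set)           # addresses with an auto-reply

    def domains(self) -> Set[str]:
        """Every domain the account owns: primary plus aliases."""
        return {self.primary_domain.lower()} | {d.lower() for d in self.alias_domains}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def audit(account: ServerAccount) -> List[str]:
    """Return one finding per policy violation; an empty list means the account is compliant."""
    findings: List[str] = []
    local = account.domains()
    real = {m.lower() for m in account.mailboxes}

    # Rule 1: no autoresponders at all.
    for addr in sorted(account.autoresponders):
        findings.append(f"{addr}: autoresponder configured (policy: none allowed)")

    # Rules 2 and 3: virtual addresses forward only to real mailboxes inside the account.
    for virtual, destinations in sorted(account.forwarders.items()):
        if domain_of(virtual) not in local:
            findings.append(f"{virtual}: forwarder defined for a domain this account does not own")
        if not destinations:
            findings.append(f"{virtual}: forwards nowhere, mail would be lost")
            continue
        for dest in destinations:
            if domain_of(dest) not in local:
                findings.append(f"{virtual}: forwards outside the account to {dest}")
            elif dest.lower() not in real:
                findings.append(f"{virtual}: forwards to {dest}, which is not a real mailbox")
    return findings


def is_compliant(account: ServerAccount) -> bool:
    return not audit(account)


# Constructed account mirroring the article's examples: a few same-domain aliases
# (fine), an info@ address fanning out to two external mailboxes (not fine),
# a forwarder chained to another virtual address, and one leftover autoresponder.
EXAMPLE = ServerAccount(
    primary_domain="domain.example",
    alias_domains={"domain-alias.example"},
    mailboxes={"joey@domain.example"},
    forwarders={
        "custsvc@domain.example": ["joey@domain.example"],
        "sales@domain.example": ["joey@domain.example"],
        "returns@domain-alias.example": ["joey@domain.example"],
        "info@domain.example": ["george@hisdomain.example", "sally@yahoo.example"],
        "help@domain.example": ["support@domain.example"],
    },
    autoresponders={"sally@domain.example"},
)

if __name__ == "__main__":
    for line in audit(EXAMPLE):
        print(line)
```

Running it on the constructed account lists four findings: the autoresponder, both external destinations of info@, and help@ pointing at an address that is not a mailbox; removing those leaves only the same-account aliases the article says are still fine.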

There’s a lot more we’re doing with the configuration of dynamic website features within the sites we host. We’re tightening security and adding measures to ensure our clients’ websites don’t expose liabilities like being made to send spam unintentionally. We’re following the kinds of best practices maintained by industries that depend on these same services.

How does this impact compliance?

Compliance with quality control and security protocols like HIPAA, ISO 9000, and Sarbanes-Oxley requires using the services we provide in a compliant manner. We can’t force compliant methods to be followed 100% of the time, but we can provide the infrastructure and coding that allows compliance requirements to be met. We can create separate, secure mailboxes, but we can’t keep you from sharing your login. Compliance is about using common sense and a deliberate approach to erring on the side of caution.

This change in policy is not foreseen at this time as making compliance or certification more or less difficult. Compliance sometimes means handling data more securely; other times it implies the opposite: more transparency. This new restriction in Massive Impressions policy has more potential to impact existing compliance protocols geared towards transparency than protocols geared towards data security.

Ultimately, if this new policy and restriction on the use of autoresponders and/or forwarders does conflict with documented, approved and certified compliance protocols in effect today or scheduled to go into effect at some future time, certified businesses may opt to continue to use these mechanisms in spite of the risks. If there were documented protocols previously approved that depended on autoresponder and forwarder mechanisms, let us know. We’ll make a case-based assessment to limit liabilities as a stopgap until your protocol’s revision can be formalized.

Reference:

Servint.com Nov 17, 2011 – Controlling Spam and Mistakenly Blacklisted IPs

† Mail can be retrieved by domain stakeholders via webmail and/or mail clients such as Outlook or smartphone mail apps.