Blocking emails to role accounts: Best practice?

Do you block email signup attempts from role accounts? If not, I think you should consider it.

What's a role account, you might ask? It's an email address whose username part (the part to the left of the @ sign) is commonly reserved for either a system function or an administrative role.

RFC 2142 is a great place to start to look for a list of common role accounts. It lists these common usernames: info, marketing, sales, support, abuse, noc, security, postmaster, hostmaster, usenet, news, webmaster, www, uucp, and ftp.

By "blocking email attempts from these role accounts" I mean any signup forms you maintain should not allow submissions of addresses like security@spamresource.com, security@xnnd.com, security@wombatmail.com (or security@ any domain). The theory is that these accounts are made for specific roles or departments, not people, and people should be opting in only themselves when it comes to an email list subscription.

If I know that a sender has "ftp@wombatmail.com" on their mailing list, I can pretty well guess that they made that address up to try to spam it, and it's not likely to have legitimately opted-in.

From an ESP's perspective, the ESP can catch a subset of bad actor clients by looking for how many instances of these "role" email addresses a client may have on their list. It's easy to create a list of these programmatically. A bad guy trying to prospect through sending spam could easily just try to send email to security@(every domain) for every single domain name he or she knows about.

And configuring signup forms to reject mail to these addresses is potentially in your best interest, if you're a web designer or email campaign manager. If somebody fills out a form with one of these addresses, there's a good chance it is either to "forge subscribe" an unrelated party, or to try to make mail go to a spam trap address. Either way it causes the email sender nothing but problems. (Maybe not at first, but it builds up like dirt, and eventually you end up with enough dirt to start causing big problems.)

Some ESPs and email platforms do block mail to, or signups from, these role accounts today. If you're not sure if this is the case with the one you use, ask them to confirm.

In the B2B realm (especially the small business end of the B2B realm), some folks might suggest that mail be allowed to "info, marketing, sales and support," as some small companies do indeed use addresses like sales@(domain) to sign up for various email lists or as the contact email address for their company during purchases of goods or services. My suggestion to you is that if you do manage a small business, don't use these addresses. You'll run into situations where some email vendors block them, and you'll probably get some level of B2B spam via spammers misusing email platforms that don't block them.
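As an added example (not code from this post or from any ESP), the Python below implements both checks discussed above: refusing role addresses at signup, and measuring how much of a client's list is role addresses. The function names, the plus-tag handling, the `allow_business` switch and the 5% threshold are assumptions made for illustration.

```python
# Added example: role-account checks built from the RFC 2142 names listed above.
BUSINESS = {"info", "marketing", "sales", "support"}
OPERATIONS = {"abuse", "noc", "security"}
SERVICES = {"postmaster", "hostmaster", "usenet", "news",
            "webmaster", "www", "uucp", "ftp"}
ROLE_LOCAL_PARTS = BUSINESS | OPERATIONS | SERVICES


def local_part(address):
    """Return the normalized username part, or None if there is no usable '@'."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # Assumption: treat "sales+news@..." like "sales@..." (plus-tag stripped).
    return local.lower().split("+", 1)[0]


def is_role_address(address, allow_business=False):
    """True if a signup form should refuse this address as a role account."""
    # allow_business=True models the B2B exception some senders argue for.
    blocked = (ROLE_LOCAL_PARTS - BUSINESS) if allow_business else ROLE_LOCAL_PARTS
    return local_part(address) in blocked


def role_share(addresses):
    """ESP-side audit: fraction of a client's list that is role addresses."""
    addresses = list(addresses)
    if not addresses:
        return 0.0
    return sum(1 for a in addresses if is_role_address(a)) / len(addresses)


def flag_lists(lists_by_client, threshold=0.05):
    """Return clients whose role-address share exceeds the assumed threshold."""
    return sorted(client for client, lst in lists_by_client.items()
                  if role_share(lst) > threshold)


if __name__ == "__main__":
    # Constructed sample lists; role addresses reuse the domains from the post.
    sample = {
        "client_a": ["alice@example.com", "bob@example.org", "carol@example.com"],
        "client_b": ["security@wombatmail.com", "ftp@wombatmail.com",
                     "Security@xnnd.com", "dave@example.org"],
    }
    print(flag_lists(sample))  # ['client_b']
```

A signup handler would call `is_role_address()` on the submitted address before sending any confirmation mail; the list audit is a signal for review, not proof of abuse on its own.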

[ H/T: Keith Kouzmanoff ]

2 comments:

  1. Yes! We used RFC 2142 to decide on the list of role accounts we wanted to suppress: https://help.activecampaign.com/hc/en-us/articles/115000637690-Why-are-contacts-bouncing-with-a-9-1-5-code-
