Skeptical About Amazon’s Bulk E-Mail Service (Beware the Cloud Neighbors)

Amazon has announced yet another web service, this time a Bulk E-Mailing Service.  I love the Amazon strategy of supplying a powerful PaaS (Platform as a Service) one service at a time.  In fact, doing a PaaS this way was one of my key recommendations in, “Sell the Condiments not the Sandwiches.”  I’m generally a huge proponent of Amazon Web Services, but this time I’m skeptical.

Here’s where I’m coming from:

At my last company, we were big users of AWS and we loved it.  Before we went down that route, I canvassed my network for gotchas.  The number one piece of advice we got was not to put our email on Amazon.  Why?  Because too many spammers had already used the service and gotten most of the IP space black balled.

See that part in my title, “Beware the Cloud Neighbors?”  I’ve been noodling on this issue ever since having heard those warnings about Amazon.  It’s really the fundamental concern most people have about the Cloud:  is there something my neighbors will do in the Cloud that will hurt me?  Usually the worry is that the neighbors will try to break in.  But in this case, we have a different problem.  Because the neighbors set up the equivalent of too many meth labs in the neighborhood (hate the spam!), the whole neighborhood got a bad reputation.  I was told at the time that Amazon was trying to work out ways to get un-blacklisted, but as you probably know, that’s really hard. 

This sort of thing was on my mind all during the Wikileaks stories too.  All these Cloud services were kicking Wikileaks out as fast as they could.  I kept wondering what impact a bad actor (perceived, I personally don’t have a problem with Wikileaks) could have on the overall Cloud.  Maybe that’s the reason they had to be kicked out so summarily and quickly.  I got a note from a blog reader that the service I use, WordPress.com, is completely blocked in China.  Here again, a Cloud was being punished for what were presumably the actions of a relatively few of its inhabitants.  Keep in mind the possibility for collateral damage from misbehaving Cloud Neighbors as you look at Clouds.  I expect they will ultimately have to think harder about their T’s and C’s, maybe winding up like some gated communities with all sorts of rules about how you have to behave to live in their Cloud.

Meanwhile, let’s get back to Amazon’s Bulk E-Mail Service.  As I read the announcement, I kept looking for signs of how the service would fix the blacklisting and prevent renewed bad behavior.  The good news is that there are some teeth there.  New users are on a probationary period while Amazon monitors your behavior:

Once your application is up and running, the next step is to request production access using the SES Production Access Request Form. We’ll review your request and generally contact you within 24 hours. Once granted production access, you will no longer have to verify the destination addresses and you’ll be able to send email to any address. SES will begin to increase your daily sending quota and your maximum send rate based on a number of factors including the amount of email that you send, the number of rejections and bounces that occur, and the number of complaints that it generates. This will occur gradually over time as your activities provide evidence that you are using SES in a responsible manner. The combination of sandbox access, production access, and the gradual increase in quotas will allow us to help ensure high deliverability for all customers of SES. This is exactly the same process that bulk senders of email, including Amazon.com, use to “season” their sending channels.

I think that’s great, so where does my skepticism come from?

Two sources, really.  First, is just a concern that whatever residual blacklisting is still out there making it tough even if you follow the rules.  Perhaps Amazon has an endless supply of all new clean IP addresses reserved for the new service.  If so, I’d love to hear that.  If not, why can’t someone fire up a mail server on each of how ever many EC2 instances they own and spam away?  That’s how the blacklisting came about in the first place.  I suspect they must have a clean room for the mail service, as Amazon’s own E-Commerce mail certainly gets through, so let’s stand by to hear something about that.  Maybe someone from Amazon will reply with a comment to this post.  Second source is just vague unease about whether they’ve taken it far enough.  I have had the dubious pleasure of seeing some of the seamy underbelly of the spam world as part of researching how to bootstrap startups and small businesses.  You don’t have to look far before you run into this rather large community of people and you say, “Aha, now I get who these spammers are!”  They have nothing of value to offer you by way of product, but they will say and do anything as often as they can to get you to part with money, a click so someone else gives them the money, or whatever they’re after.

As you look at some of the small business email marketing tools, they have varying degrees of spam resistance baked in.  They do this out of a sheer need for survival.  As Amazon points out, deliverability is the key.  Some of these services got into the hands of spammers early in their careers and watched deliverability for all customers plummet.  It’s interesting to read about what they had to do to recover.  Many of them have hard and fast requirements for things like “double opt-in”, where the prospect has to not only sign up for your newsletter, but also has to click an opt-in link that is solely controlled by the marketing software provider.  They’ve seen the case where the spammer rigged the signup form to be completely misleading and they want no doubt that the person really really does want to be on the mailing list.  You also see requirements to have an opt-out link in every piece of email that goes out, to the point where sometimes the marketing software provider puts one in and you have no control over it.

Amazon is not undertaking anything that direct.  Rather, they’re ramping up users slowly and waiting to see if there is feedback that the user is spamming.  In the long run, that works, and they surely know a lot more than me about it, but it doesn’t seem quite a s foolproof as what others have done.  I’m sure a lot of organizations will prefer not to have Draconian controls over their email, it’s just not clear to me that waiting until spamming occurs will work, at least unless you have an unlimited supply of IPs to burn.

ReadWriteWeb has a piece that leaves the impression Amazon’s prices are so far below competitors that the only thing left is support.  I don’t think that’s right because I think deliverability will be the issue.  Word gets around fast on whether you have it or not and whether it is reliable.  I took a look at the four competitors mentioned in the article with some thoughts:

CritSend:  CritSend has a deliverability engine that checks for likelihood a message would be flagged as spam before it is sent.  It automatically manages bounces and spam notifications.  It automatically analyzes and repackages each email optimizing it with legal and technical compliance additions.  They take care of CAN SPAM compliance for you and append your emails with specific CAN SPAM content footers, DomainKeys signatures and SPF/SenderID. They also handle all aspects of unsubscription management for you including automatically appending your unsubscription message to your emails and full unsubscription request processing. They store unsubscription addresses, bounces and spam report clicks. Their addresses are filtered from your deliveries, and you may edit them through the website dashboard or export them in real time through an API query.

Postmark:  Sounds simpler, but they still handle things like whitelisting, ISP throttling, reverse DNS, feedback loops, content scanning, and delivery monitoring to ensure your emails get to the inbox.

SendGrid also discusses their automated handling of unsubscribe and similar capabilities.

Are you beginning to see how sophisticated some of this stuff is in order to prevent spammers from clogging up a mail delivery service?  Do you need all this?  Hard to say.  Having seen a little bit of the spammers and knowing how much gets through despite such measures, you have to wonder though.  Amazon probably has all these bases covered, but it isn’t clear from their announcement that it is at the level of these other players.  I’d wait for confirmation via references from good-sized and reputable e-commerce players.  After all, it’s basically your reputation that’s at stake as well as your ability to communicate with your customers.