We’ve Changed the FBL Enrollment Process — Here’s Why
If you or your organization has recently applied for enrollment in IP-based feedback loops that we host (e.g., Comcast, Road Runner, etc.) you may have noticed that the confirmation email part of the enrollment process has changed. In this article we’ll explain what changed, and why it’s important.
There are new applications all the time, and up ’till now our ISP partners have had to manually process every application — often taking several hours each day. Our ISP partners have asked us to make the process easier for them by automating more things. In order to address this need, we had to change the way a confirmation email address is chosen.
Enrolling in a complaint feedback loop hosted by Return Path has always been a three step process:
1. You visit the FBL enrollment site and fill out an application with all your pertinent information.
2. When you click the submit button, a confirmation email is generated and sent to a mailbox read by someone who can confirm that you’re the party responsible for the IP address(es) in the application.
3. Once the confirmation email is read and the confirmation link is clicked, the application is then presented to the ISP for approval or denial, entirely at their discretion.
Before now, the confirmation email address was chosen by the applicant, based on a domain name also specified by the applicant. That is, Joe Smith of joesbaitandtackle.com could apply for a feedback loop for a set of IP addresses, and have the confirmation email sent to either abuse@ or firstname.lastname@example.org. Joe would then confirm the application, and it would end up in the ISP’s approval queue.
The new way still gives the applicant the choice of where the confirmation email goes, but the choices are all based on either the WHOIS information or the reverse DNS (PTR) records for the IP address(es) in the application. (This is quite similar to the process used by the Windows Live™ Hotmail Postmaster for enrollment in their Smart Network Data Services program.) This change not only helps us put in an automated framework for application processing for our FBL hosting partners, but also helps us increase security around the private information that might be shared in a spam complaint. Here’s why…
Under the old way, where we allowed the applicant to specify any destination for the confirmation email address, it was not uncommon for someone like our mythical Joe Smith to mistakenly submit an application to attempt to enroll provider A’s mail servers in provider B’s FBL. Joe’s domain is hosted with provider B, you see, but he uses provider A’s servers for his outbound mail. The same scenario would also apply for John Q. Criminal, who might intentionally try to enroll someone else’s mail servers in an FBL in order to skim personal information out of complaints.
The only safeguard against either of these scenarios was that the ISP staff would notice that Joe or John weren’t the person responsible for the submitted IP addresses, and would rightfully deny the request. With the more automated approval framework we’ve developed, this manual oversight will be reduced — so we must have a better way of quickly confirming ownership of the IP addresses in the application, or else poor Joe will be deluged with complaints that are about mail he never sent, and John might have access to information that is not rightfully his. (The ISP which owns the complaint feedback loop still has the final decision over whether to approve any request, of course.)
The new way of determining the appropriate address for the confirmation email makes sure that the confirmation is done by someone who is truly cognizant of the IPs in the application, and knows who is really responsible for them. It moves the oversight of that part of the process away from the ISP offering the FBL, to the network provider of the FBL applicant. It should largely eliminate the prospect of misdirected FBL complaints, and it allows us to streamline the FBL application approval process for our hosting partners — which may also mean quicker turnaround on applications.