Debenhams is the second largest department store chain in the UK. Their turnover for this past financial year was £2.3 billion. They have an online store and a blog, they’re on Twitter and Facebook. One thing you’d expect them to be able to do, is send out marketing email correctly.
For quite a while now (many months), I’ve been noticing strange entries in my mail server logs like this:
2009-12-08 18:18:34 H=revd139.shopdebenhams.com [18.104.22.168]:59759 I=[22.214.171.124]:25 Warning: 126.96.36.199 disconnected without sending a QUIT! 2009-12-08 18:18:39 H=revd138.shopdebenhams.com [188.8.131.52]:51836 I=[184.108.40.206]:25 Warning: 220.127.116.11 disconnected without sending a QUIT! 2009-12-08 18:18:58 H=revd139.shopdebenhams.com [18.104.22.168]:51516 I=[22.214.171.124]:25 Warning: 126.96.36.199 disconnected without sending a QUIT! 2009-12-08 18:19:20 H=revd138.shopdebenhams.com [188.8.131.52]:53471 I=[184.108.40.206]:25 Warning: 220.127.116.11 disconnected without sending a QUIT! 2009-12-08 18:19:25 H=revd139.shopdebenhams.com [18.104.22.168]:59348 I=[22.214.171.124]:25 Warning: 126.96.36.199 disconnected without sending a QUIT! 2009-12-08 18:20:03 H=revd139.shopdebenhams.com [188.8.131.52]:50115 I=[184.108.40.206]:25 Warning: 220.127.116.11 disconnected without sending a QUIT! 2009-12-08 18:20:08 H=revd138.shopdebenhams.com [18.104.22.168]:50382 I=[22.214.171.124]:25 Warning: 126.96.36.199 disconnected without sending a QUIT! 2009-12-08 18:21:18 H=revd139.shopdebenhams.com [188.8.131.52]:62400 I=[184.108.40.206]:25 Warning: 220.127.116.11 disconnected without sending a QUIT! 2009-12-08 18:21:23 H=revd138.shopdebenhams.com [18.104.22.168]:52221 I=[22.214.171.124]:25 Warning: 126.96.36.199 disconnected without sending a QUIT!
Ordinarily, I wouldn’t have given that a second glance, but because I recognised, “debenhams” in the FCRDNS of the connecting host, I finally decided to do a little investigation. I modified my Exim configuration to log transaction information during SMTP, and waited for them to reconnect. From this I figured out what their software is doing. It connects, receives the welcome banner, and then immediately and ungracefully disconnects. It turns out, that the software they’re using doesn’t like multi-line welcome banners, and fails when it comes across them. That’s not only terrible behaviour, but an RFC violation. I confirmed this by modifying my banner to be single-line and waiting for their next retry. The reason I added a multi-line welcome banner to my server was because it sometimes trips up poorly written spamming software. It seems Debenhams shares that characteristic.
They also commit another RFC violation. Instead of sending:
Their software sends:
MAIL FROM: <firstname.lastname@example.org>
White-space following “MAIL FROM:” is explicitly disallowed by the RFCs. Many mail servers still allow it though in order to follow the general rule, “be strict about what you send, and liberal about what you accept.” However, that whitespace is still a strong indicator that the connecting host is a poorly written spam sending zombie, and spam filters can score on that.
For the best part of a year, they’ve been failing to deliver mail to this particular address. They use Omniture to track which of the recipients actually read the email, so they obviously have some interest in what’s happening to their mailshots. So why aren’t they detecting bounces and “washing” their lists after each mailshot? I guess they don’t understand good practice.
When a message finally got through, I checked out its headers to see what I could find. First thing I noticed was that it was filtered into a spam folder. I looked at the SpamAssassin report and it turns out their domain and IPs are on several blacklists. Specifically:
There are only two reasons you’d exist on that many blacklists.
- You’re sending unsolicited bulk e-mail. Either knowingly, or unwittingly. BAD.
- You don’t realise that you’re listed, or don’t know how to get yourself removed/excluded. Any mildly competent email admin could deal with this problem.
I wonder how many people don’t get to see email from Debenhams because it ends up in their spam folder? They add the usual comment, “To ensure you don’t miss out on your email updates, please add email@example.com to your address book now,” but that’s pretty useless if they don’t even see the message in the first place. Also, it implies that merely placing an address in an address book, whitelists it - Most mail systems don’t work that way.
The email also triggered a SpamAssassin rule named SARE_UNSUB38D from the commonly used rules at http://saupdates.openprotect.com/. Mailshots like this should be run through a number of spam filters before they’re sent out in order to check if they hit on anything common.
One good thing which they do, is that they use DKIM. This suggests to me that at some point in the not too distant past, they’ve actually given some thought as to the deliverability of their mailshots. Perhaps they realise that their mail isn’t getting through to people and don’t know how to deal with it? A company with a £2.3 billion turnover should have a whole team of competent techies in their Marketting department. If they did, they wouldn’t have these problems.
I emailed their postmaster address regarding the multi-line banner issue yesterday. I doubt I will hear back, but if I do I shall update this post.
They don’t appear to be suffering the multi-line welcome banner problem anymore. Unfortunately I don’t have access to any Debenhams email from around the time I wrote this post, but looking at the X-Mailer’s of the ones that I do have access to:
2009-Jul-16: X-Mailer: nlserver, Build 5.00.5116 2010-Jan-14: X-mailer: nlserver, Build 5.10.5627
I wonder if that upgrade fixed the problem. They’re still on the JunkEmailFilter, Barracuda and SpamEatingMonkey blacklists though and they’re still sending badly formatted “MAIL FROM” SMTP commands.