# Debenhams Fails at Sending Email

Debenhams is the second largest department store chain in the UK. Their turnover
for this past financial year was £2.3 billion. They have an online store and a
blog, they're on Twitter and Facebook. One thing you'd expect them to be able to
do, is send out marketing email correctly.

For quite a while now (many months), I've been noticing strange entries in my
mail server logs like this:

```bash
2009-12-08 18:18:34 H=revd139.shopdebenhams.com [195.154.153.139]:59759 I=[92.48.122.147]:25 Warning: 195.154.153.139 disconnected without sending a QUIT!
2009-12-08 18:18:39 H=revd138.shopdebenhams.com [195.154.153.138]:51836 I=[92.48.122.147]:25 Warning: 195.154.153.138 disconnected without sending a QUIT!
2009-12-08 18:18:58 H=revd139.shopdebenhams.com [195.154.153.139]:51516 I=[92.48.122.147]:25 Warning: 195.154.153.139 disconnected without sending a QUIT!
2009-12-08 18:19:20 H=revd138.shopdebenhams.com [195.154.153.138]:53471 I=[92.48.122.147]:25 Warning: 195.154.153.138 disconnected without sending a QUIT!
2009-12-08 18:19:25 H=revd139.shopdebenhams.com [195.154.153.139]:59348 I=[92.48.122.147]:25 Warning: 195.154.153.139 disconnected without sending a QUIT!
2009-12-08 18:20:03 H=revd139.shopdebenhams.com [195.154.153.139]:50115 I=[92.48.122.147]:25 Warning: 195.154.153.139 disconnected without sending a QUIT!
2009-12-08 18:20:08 H=revd138.shopdebenhams.com [195.154.153.138]:50382 I=[92.48.122.147]:25 Warning: 195.154.153.138 disconnected without sending a QUIT!
2009-12-08 18:21:18 H=revd139.shopdebenhams.com [195.154.153.139]:62400 I=[92.48.122.147]:25 Warning: 195.154.153.139 disconnected without sending a QUIT!
2009-12-08 18:21:23 H=revd138.shopdebenhams.com [195.154.153.138]:52221 I=[92.48.122.147]:25 Warning: 195.154.153.138 disconnected without sending a QUIT!
```

Ordinarily, I wouldn't have given that a second glance, but because I
recognised, "debenhams" in the <abbr title="Fully Confirmed Reverse
DNS">FCRDNS</abbr> of the connecting host, I finally decided to do a little
investigation. I modified my [Exim](https://www.exim.org/) configuration to log
transaction information during SMTP, and waited for them to reconnect. From this
I figured out what their software is doing. It connects, receives the welcome
banner, and then immediately and ungracefully disconnects. It turns out, that
the software they're using doesn't like multi-line welcome banners, and fails
when it comes across them. That's not only terrible behaviour, but an RFC
violation. I confirmed this by modifying my banner to be single-line and waiting
for their next retry. The reason I added a multi-line welcome banner to my
server was because it sometimes trips up poorly written spamming software. It
seems Debenhams shares that characteristic.

They also commit another RFC violation. Instead of sending:

```text
MAIL FROM:<debenhams5-bounces@shopdebenhams.com>
```

Their software sends:

```text
MAIL FROM: <debenhams5-bounces@shopdebenhams.com>
```

White-space following "MAIL FROM:" is explicitly disallowed by the RFCs. Many
mail servers still allow it though in order to follow the general rule, "be
strict about what you send, and liberal about what you accept." However, that
whitespace is still a strong indicator that the connecting host is a poorly
written spam sending zombie, and spam filters can score on that.

For the best part of a year, they've been failing to deliver mail to this
particular address. They use
[Omniture](https://business.adobe.com/products/analytics/adobe-analytics.html)
to track which of the recipients actually read the email, so they obviously have
some interest in what's happening to their mailshots. So why aren't they
detecting bounces and "washing" their lists after each mailshot? I guess they
don't understand good practice.

When a message finally got through, I checked out its headers to see what I
could find. First thing I noticed was that it was filtered into a spam folder. I
looked at the SpamAssassin report and it turns out their domain and IPs are on
several blacklists. Specifically:

1. b.barracudacentral.org
2. hostkarma.junkemailfilter.com
3. blackholes.five-ten-sg.com
4. urired.spameatingmonkey.net

There are only two reasons you'd exist on that many blacklists.

1. You're sending unsolicited bulk e-mail. Either knowingly, or unwittingly. BAD.
2. You don't realise that you're listed, or don't know how to get yourself removed/excluded. Any mildly competent email admin could deal with this problem.

I wonder how many people don't get to see email from Debenhams because it ends
up in their spam folder? They add the usual comment, "To ensure you don't miss
out on your email updates, please add important-info@debenhams.com to your
address book now," but that's pretty useless if they don't even see the message
in the first place. Also, it implies that merely placing an address in an
address book, whitelists it - Most mail systems don't work that way.

The email also triggered a SpamAssassin rule named SARE_UNSUB38D from the
commonly used rules at
[http://saupdates.openprotect.com/](http://saupdates.openprotect.com/).
Mailshots like this should be run through a number of spam filters before
they're sent out in order to check if they hit on anything common.

One good thing which they do, is that they use <abbr title="Domain Keys
Identified Mail">DKIM</abbr>. This suggests to me that at some point in the not
too distant past, they've actually given some thought as to the deliverability
of their mailshots. Perhaps they realise that their mail isn't getting through
to people and don't know how to deal with it? A company with a £2.3 billion
turnover should have a whole team of competent techies in their Marketting
department. If they did, they wouldn't have these problems.

I emailed their postmaster address regarding the multi-line banner issue
yesterday. I doubt I will hear back, but if I do I shall update this post.

**UPDATE:**

They don't appear to be suffering the multi-line welcome banner problem anymore.
Unfortunately I don't have access to any Debenhams email from around the time I
wrote this post, but looking at the X-Mailer's of the ones that I do have access
to:

```text
2009-Jul-16: X-Mailer: nlserver, Build 5.00.5116
2010-Jan-14: X-mailer: nlserver, Build 5.10.5627
```

I wonder if that upgrade fixed the problem. They're still on the
JunkEmailFilter, Barracuda and SpamEatingMonkey blacklists though and they're
still sending badly formatted "MAIL FROM" SMTP commands.