SparkPost just suspended the mail account I used with Discourse

Well, theoretically it would be possible to add those links to each and every discourse email, but I can’t imagine that they really want us to have them in transactional (in the strict sense) emails, like password renewal or confirm email address etc, although that’s what their policy says.

I suppose they just added anything they could think of to their policy, just to cover themselves for any possible reason for which they might want to suspend users.

I think the real problem is perhaps that their actual suspension practice seems to be rather, well… rude, opaque, and non-cooperative.

Another, unavoidable problem is that, due to how discourse and other forum software works, there is always a chance that offensive content gets sent out. It’s therefore important that mail providers handle such cases adequately, especially by giving admins a chance to deal with the source of the problem, i.e. the user producing the content.

2 Likes

I just saw that sparkpost even encourages discourse admins to use their service:

So I wonder if it might make sense for the discourse team to contact them and ask them if they can do something about the problem of banned accounts. @zogstrip actually made a good point when he suggested that part of the unpleasant experience may be due to the suspension being automated:

I can imagine that they have piles of automated suspensions which are legitimate so that responding to complaints about suspensions on their free plan may not be a priority.

But if they (or someone) at sparkpost is willing to work with us here on meta to improve their detection algorithm, that could help solve the problem. For example, if there’d be a way for sparkpost to recognize that mails are being sent from a legitimate discourse instance, they could use less restrictive filters. Or if they could tell PM emails (which are sent to only one or a few people) these could be treated differently.

3 Likes

A recent post happened to include a single link to http://tcl.tk/ and I have been down for 3 days since this happened to happen on a weekend.

1 Like

A day after this some SparkPost “level 2” support person finally set up an exception to re-enable my account. It is very unclear if http://tcl.tk was just whitelisted or if my account was flagged to be less sensitive.

Doesn’t really matter to me. I set up an ElasticEmail account for my discourse server. That was very easy to do and we will see if they treat me any better.

My summary from this thread:

  • It would be useful to have a config option to not include user-submitted links in emails.
  • SparkPost should not be listed first on the page suggesting email services to use when installing Discourse.

3 Likes

How exactly was your tcl.tk url rendered in the email? Was it an actual (clickable) link or just text? I’m assuming it was a proper html link. In that case, there might be a chance that it suffices to render links as text rather than clickable links, instead of removing them entirely.

Or: Maybe I’m taking this too far, but another option could be to replace all external links with internal ones which redirect to the actual url. A nice side effect would be that links clicked in emails could be counted just like those clicked on the site.

However, the downside would be that the external link would have to be removed completely from the email because links in the form <a href="internal-link">external-link</a> will be identified as phishing attempts.

1 Like

Pretty sure it had http://tcl.tk directly in the text that was automatically linkified by Discourse.

Obviously keeping the links in the email is the preferred solution which is why I switched email providers.

1 Like

I’m not sure the case for this is cut-and-dried. We’re talking about user-submitted links here. Even with sensible restrictions in place (new user posts not included in summary emails), there is still a serious danger of naughty links going out via emails from my Discourse forum.

I think @tophee’s idea of link rewriting is a good one, although this will still, of course, lead to email recipients clicking through to potentially dangerous websites.

If there is a public blacklist of bad domains, I think Discourse ought to check this when a user posts links in the first place. This may help.

Yes, I realized after posting my last post above, that discourse is really good at linkifying urls, even just tcl.tk (written as tcl.tk) is recognized as a link! So I wonder if it might help to simply skip that kind of linkification for emails? That would mean that people can still force links if they use html or markdown.

Hm, not sure this makes much sense except for it possibly being easy to implement.

I’m not sure this would help, given that Sparkpost (and probably other providers too) are so secretive about their filter algorithms. It’s obviously part of their strategy to not allow users to be strategic in circumventing their filters.

So, based on the discussion so far, I think there are basic strategies for dealing with this:

  1. Remove or rewrite external links in discourse emails (perhaps with a whitelist in site settings for links that remain untouched),
  2. Work with the SparkPost people (and possibly other providers) to find a solution, as mentioned above.

@wscott, it would be cool if you could report back about your experience with ElasticEmail :slight_smile:

1 Like

Why don’t you add that domain to the list of watched / screened words with an action of “block”? That way nobody can post links to it.

I’ve been suspended as well, because a user posted an Adfly link in a post that was sent in a number of emails. When I replied saying that I filtered that domain in posts (which makes sense to filter to begin with) they very quickly restored service to my account. I don’t think their restrictions are unreasonable, so I have no plans to move away from their service.

If I have more problems, I’ll just move to AWS SES, which I believe allows you to send 50,000 emails per month, even without their free tier.

1 Like

The problem is not so much that they are unreasonable but that they are unknown. How did you learn what the exact reason for the suspension was?

Since you had, in contrast to many, a positive experience with getting your account restored, could you say what exactly you did to succeed?

I have a feeling that one thing that might have helped you get the response you wanted was that you immediately (?) told them that you have taken action to prevent similar emails from being sent out again. I can imagine that they might be much more inclined to respond to such an email than one that merely complains “Why the heck did you suspend my account?” So that could be something to remember for any of us once we end up in the same situation.

2 Likes

Come to think of it, they didn’t provide any explanation in the suspension notice. I replied to that email, and that’s when they let me know that I’d mailed an Adfly link.

I provided them with evidence that Adfly links were no longer allowed to be posted on our Discourse, and that seemed to be sufficient for restoring service.

1 Like

Okay, so they do reply to people on the free plan (or are you paying?) with suspended accounts. I wonder how to explain such different user experiences as yours and the many other ones who failed to get their account back. Maybe you were just lucky?

If it’s as simple as that, then I don’t understand why they’re not publishing their blacklist so we know what we’re dealing with and can prevent stuff from happening in the first place.

I am on the free plan and they did eventually reply and explain the problem and they did restore my account. My only issue was that it took from Saturday to Tuesday with no service. Not a big deal in this case, but it makes me not want to try this with a more important forum that might want to grow to a paid plan. By the way, I saw no indication that the paid plan is treated any differently with this stuff.

1 Like

And now SparkPost is discontinuing the free plan, so I guess it will be removed as a recommendation for new Discourse installs pretty soon anyway.

https://www.sparkpost.com/blog/updated-service-plans/

4 Likes

No need to panic, though, for existing users of the free plan:

These changes notwithstanding, I would like to reaffirm a promise I made to honor the terms of our former 100K free plan for all existing customers of that plan. In fact, we are grandfathering all current customers, free or paid, into their current plan’s sending volume and price point if they choose to remain on their existing plans.

2 Likes

They still have a free 15k message plan, but if you go over that, it seems that they’ll just stop sending your mail.

@codinghorror, you might want to update docs accordingly.

Check this out: https://github.com/discourse/discourse/pull/5058

4 Likes

How are things working out for you at ElasticEmail? Can you say anything about deliverability in comparison to Sparkpost (I still have a couple of organizations which keep rejecting my emails from SparkPost).

ElasticEmail is great, I’ve been using them for a month now since I started my forum and never had any issues, support is great as well.

4 Likes