Watching from the sidelines: Messagelabs vs SORBS

Now, you might think that, since I'm Chief Scientist for a third email security company, Mimecast, I would just be sitting back and enjoying this development. But while I can't deny that there's a certain pleasure to be obtained from watching your competitors hit each other over the head with sticks, I think that both companies are being somewhat unfairly vilified in the popular portrayal of this little spat.

This week has brought us news of a battle, almost certainly unintentional, between two major antispam services.  It seems that SORBS has put MessageLabs on a blacklist that is blocking outbound email from MessageLabs customers.

View from the sideline

To explain why I would want to defend both MessaageLabs and SORBS while they're happily beating each other up, it's necessary to say a little about the structure and complexity of the Internet in general and antispam technology in particular.  The enormous success of the Internet has come, almost entirely, from the development of clearly-specified protocols that are used by otherwise competitive parties.

Mail flows between Lotus Notes, Microsoft Exchange, Gmail, and other tools because the implementers are all doing their best -- for the most part -- to comply with a set of vendor-neutral standards from the IETF, such as SMTP and MIME.

This kind of "coopetition" is hard to do in any case, but it gets much harder in any security-related area, because you are fighting an active opponent.  It's hard enough to get multiple vendors to converge on a single standard and its interpretation; things get really complicated when they have to cooperate at subverting a clever, active opponent such as a spammer.  The bad guys are actively trying to find holes or ambiguities in the protocols, and to exploit them for anti-social ends.

In other words, spam control is hard, and there's no rule book for doing it well.  Like local police who rush in to arrest a crime ring that turns out to be FBI agents on a sting operation, the good guys can easily end up shooting at each other with the best of intentions.

Of course, police work can be good or sloppy.  Maybe the FBI didn't keep local police informed about the sting, or maybe the local police didn't tell the FBI what they were up to.  The mere fact that they're shooting at each other doesn't begin to tell you who's at fault.  I could easily believe that either SORBS, MessageLabs, both, or neither were at fault here, so I hate seeing a rush to judgement.  With most of the mechanisms fully automated, this kind of blacklisting could probably happen to any of us.

While I don't know who to blame in this case, I am pretty sure that MessageLabs doesn't deserve to have customers abandon it simply because of this incident, as a few have indicated they will do.  Every anti-spam company has to walk the line between aggression in fighting spam and defence against its customers being inadvertently labelled spammers.  (And note the word inadvertent:  Mimecast, for example, vets and trains its potential customers to try to ensure that they aren't spammers, intentional or not.)

My colleagues and I are happy to offer dozens of good reasons for users of MessageLabs, SORBS, or other email security services to switch to Mimecast.   But this incident isn't one of them.  MessageLabs was the victim of an unhappy accident, and while it may or may not share some blame with SORBS, such accidents can, in the end, happen to anyone.   Perfection is an admirable goal, but an unreasonable expectation.

Image (c) storem