More Eggs, More Baskets: The Importance of Diversity in Email Management
But there's another lesson to be learned as well. Our customers -- and I'm sure some of our savvier competitors' customers -- were scarcely affected. The recipients most badly affected, almost by definition, were the ones that were overly relying on a single source of information about what is and isn't spam. Even the most well-run, well-intentioned service will occasionally make a mistake, but it's less likely that two will make the same mistake simultaneously. If you only absolutely block mail when two independent sources say to block it, you're much less likely to be causing the kind of critical situations we saw last week.
Recently I wrote about the big kerfluffle where SORBS put MessageLabs on a blacklist, and MessageLabs' customers' emails stopped going through to SORBS' users. I suggested that customers shouldn't be quite so quick to point fingers, because email is a complicated business and accidents can happen to anyone.
At first blush, this would seem to suggest that the promise of cloud providers and appliance vendors -- to take these worries out of your hands -- is a false one. But in reality that depends on the way those third party providers are conceptualizing their own roles. If they are themselves making sure that a wide variety of factors are considered, you'll probably get better results than if you did it yourself.
It's easy, simple, and probably a mistake to give a single blacklisting agency total veto power over mail entering your site. But it's reasonable to expect that your service provider is in fact basing such decisions on multiple sources of information. Any antispam company can, if it so chooses, base its decisions on multiple factors; the only incentive in the other direction is the potential cost of that information. When costs leads to short-cuts, decisions may sometimes be made based on isolated bad information.
At Mimecast, we subscribe and give weight to several independent blacklists, but we don't give any of them absolute veto power over mail to our customers. Among other things, we automatically whitelist the email addresses with which our customers have communicated in the past. This means that if an email sender's site had been blacklisted, we would be more likely to block most mail coming from that site, but would still allow mail from known correspondents.
In the current state of the art, whitelisting past correspondents simply trumps broader blacklists. No anti-spam technique is perfect; issues of identity spoofing are always present, and future countermeasures by the spammers may make this technique less valuable some day. Fighting spam well means you're running hard just to stay in place; last week's events give me even more confidence that we're running in the right direction.
As I've said many times, email is a very, very complicated business. That's a good reason to outsource it, to be sure, but only to a provider with a healthy respect for the complexity of email today, and a commitment to evolve along with it into an even more complex future.