Implementing any hardware or software solution carries some degree of risk. In fact, any sort of solution whatsoever is risky.
The question is: how to mitigate the risk, and what degree of failure is acceptable?
Yesterday I wrote about what I perceived to be bad customer service from a company called Business Catalyst, aka Good Barry (Customer Service, Good and Bad). I use email every day to communicate with dozens of people all around the world. When the people at this company were failing to respond to my messages, I assumed they were either uninterested or simply too disorganized to maintain communication. Either way, I decided that this was a business that I didn’t want to work with.
In fact, it turns out that Business Catalyst employs a spam-prevention protocol called “greylisting” (check out the markedly pro-greylisting article about the protocol on Wikipedia: greylisting). Basically, all messages to their email server are initially assumed to be unsolicited and are refused. The greylisting protocol further assumes that legitimate mail comes from a legitimate mail server that will, eventually, try to send the message again. Those are two pretty big assumptions, from my perspective, and they present a pretty significant amount of risk to the solution.
What’s more, though, there’s no opportunity for mitigation in the protocol. That is to say, there’s no way to tell how many legitimate messages are failing to get through (as is clearly and painfully demonstrated by my experience). You can be reasonably certain that spam is being blocked, but you can never be certain about what legitimate email might also be getting blocked.
And that results in situations such as mine, where all email from one domain is refused and, from the sender’s perspective, simply goes unanswered. Now, I’m naturally (and proudly, I might add) a squeaky wheel, and I worked damn hard to make sure that Business Catalyst heard my gripes. But how many people just never received replies to their messages from the company and walked away silently?
Anti-spam activist Justin Mason listed off several other greylist failings over 5 years ago (For Reference: Why Greylisting Sucks). I’m surprised that this long after the protocol was introduced, with all of its inherent risks recognized, it’s still in use without any safety net for legitimate messages having been introduced.
Business Catalyst suggested that the mail server at my email service provider, 01.com, may be incorrectly configured to support the sort of responsiveness that greylisting depends on. I asked the support staff at 01.com about this, and this is their response:
Right now, it looks like the recipient might not have things configured correctly on their end. I’ve had a server admin look into this and what is happening is their server is telling our server that a particular email address does not exist. Logically, our server stops attempting to send the email because it is being told no such address exists.
Great, so now as a user I’m the monkey in the middle. I’m not going to play that game, I didn’t like it when I was 5 (it’s why I quit wearing baseball caps) and I loathe it as an adult.
But, anyway, it’s sort of a moot point, isn’t it? If one mail server refuses mail unless all other internet mail servers are absolutely correctly configured, that’s leaving open a tremendous gap of failure in the system.
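The retry behaviour greylisting depends on, and the permanent rejection described in the 01.com reply, as an added example that is not part of the original post: a toy greylist that defers a first-seen (client IP, sender, recipient) triplet with a temporary 451, accepts a retry after a delay, and reports deferred triplets that never came back. The delay, grace period, reply codes chosen, addresses and all names are assumptions made up for illustration.

```python
MIN_DELAY = 300  # assumed: seconds a new triplet must wait before a retry passes


class Greylist:
    def __init__(self, min_delay=MIN_DELAY):
        self.min_delay = min_delay
        self.first_seen = {}  # triplet -> time of first delivery attempt
        self.passed = set()   # triplets that retried after the delay

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code for one delivery attempt."""
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return 250
        first = self.first_seen.setdefault(triplet, now)
        if now - first >= self.min_delay:
            self.passed.add(triplet)
            return 250
        return 451  # temporary failure: a conforming sender queues and retries

    def never_retried(self, now, grace=4 * 3600):
        """Audit view: triplets deferred over `grace` seconds ago, never seen again."""
        return sorted(t for t, first in self.first_seen.items()
                      if t not in self.passed and now - first > grace)


def sender_outcome(reply_codes):
    """Model the sending server: keep retrying on 4xx, give up at the first 5xx."""
    for attempt, code in enumerate(reply_codes, start=1):
        if 200 <= code < 300:
            return ("delivered", attempt)
        if 500 <= code < 600:
            return ("bounced", attempt)
    return ("still queued", len(reply_codes))


def demo():
    gl = Greylist()
    # Constructed sample triplets (documentation IP range, example domains).
    a = ("192.0.2.10", "alice@sender.example", "support@recipient.example")
    b = ("192.0.2.20", "bob@other.example", "support@recipient.example")
    codes_a = [gl.check(*a, now=t) for t in (0, 60, 900)]  # sender retries
    gl.check(*b, now=0)                                    # sender never retries
    return {
        "retrying_sender": sender_outcome(codes_a),
        "told_address_unknown": sender_outcome([550]),  # permanent reply, no retry
        "audit": gl.never_retried(now=6 * 3600),
    }
```

The `never_retried` list is the kind of visibility the post says is missing: it shows the recipient which deferred senders silently went away.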
Just based on my experience, as an average email user trying to communicate with an established methodology, I’d say greylisting isn’t an acceptable method of spam prevention. There are other, more comprehensive and less risky methods like SpamAssassin or even desktop tools, such as Symantec’s Norton suite, that provide recipients a better opportunity to verify the quality of messages that they’re receiving and those which are being refused. Heck, even Gmail’s basic anti-spam methodology, which simply segregates what it considers to be unsolicited email from qualified messages, would be better.
In closing, I’d like to close the loop and say that the folks at Business Catalyst/Good Barry responded proactively to my post yesterday and worked quickly to resolve the issue (they basically disabled greylisting). I think it was a bad decision on their part to enable greylisting in the first place, and it took longer than I would have liked for the resolution to arrive (I posted repeatedly to their support forums over many weeks about their failure to respond to my emails, but instead of a response from anyone at the company, I was simply ridiculed by other forum users).
Will I try Business Catalyst’s service again? Maybe. I think they have a solid, if rough, suite of unique tools for managing businesses online, and there is really no comparison to it. But the sheen is off my enthusiasm for the company and my trust in their ability to recognize and support my interests is dented.
But I’m a proud supporter of mistakes, which always yield new learning, and believe in the grace of the second chance. So, maybe…