I am sure that my ramblings here about customer complaints and expectations of e-mail systems will strike a cord amongst many of you who are tasked with looking after a corporate e-mail system. Often I am left posing a simple question “Where does my responsibility end?”. On the surface it's a pretty simple one to answer.... legitimate business e-mail correctly addressed to my customers are received and delivered to them within a reasonable period of time, similarly with outgoing e-mail. This is a corporate e-mail system so, theoretically, personal e-mails fall outside of my responsibility right? Wrong!
A little background on the infrastructure of “my” e-mail system. From the time an e-mail arrives at the public border of our DMZ to the point where it is delivered to a customers mailbox there are 13 filters/checks and it takes less than 30 seconds for a legitimate mail to negotiate these filters and be delivered. In our DMZ we make use of open source technology and on our private network we use licensed software like GWAVA and our e-mail system is GroupWise (yeah... GroupWise rocks). I could spew out volumes of statistics on how much spam, not to mention viruses, we block, how we block, where we block, etc... but these details are not relevant here.
In the eyes of my customers I control e-mail for the entire world!
A few days ago I got a call from an irate lady customer (customer #1) who had received one spam e-mail offering a product for the enlargement of male genitalia. She was demanding answers.... why is she not being protected from such offensive material, why do we not have any filtering in place, what action are we going to take to ensure that this never happens again and what are we going to do to the perpetrators? At this point I need to make something clear, I am not known for my people skills. Tact is not one of my virtues! What I really felt like doing for this customer was taking the 200 – 500 spam e-mails per day that I keep out of her mailbox and send them to her – here, take a look at this, this is what I am protecting you from and, oh yes, we do have filtering and we are doing our best to protect you. One spam e-mail in several months and you are complaining! I chalk this one down in the category of “ungrateful customer”. What I really did was take a close look at the spam e-mail, break it down and figure out how did this one get through my filters.
My phone rings again and this time I have an irate customer (customer #2) on the other end of the scale. They are receiving notification that e-mail being sent to them has been blocked for inappropriate content. This type of notification is not unusual in the bigger scheme of things, however, this particular e-mail is from a legitimate source. Unfortunately the “source” happens to be a commercial farm that artificially inseminate their cattle – you can just imagine some of the stock items listed in that particular spreadsheet! Irate customer #2 insists that nobody would ever send anything obscene nor offensive to them and I am to ensure that all e-mail addressed to them should bypass the filtering system. I'm thinking... perhaps I should put customer #1 and customer #2 together for a little chat.
Now getting back to investigating that single spam incident, I get another call.... “why are you blocking e-mail from my [relative]?”. Greylisting is a good thing to have but not when ISP's don't pay attention to RFC 2821 section 188.8.131.52 which states quite clearly that if the initial connection fails the mail should be queued and retried. Look closely... yes this is an ISP – surely they should know a thing or two about configuring their mail servers correctly? I explain this to the customer and explain that I may not login to the ISP's server and fix the problem because I do not control e-mail for the entire world. I nearly fell off my chair when the customer then instructs me to physically go to the ISP and work with them to fix their mail server. Note: the ISP is in a different country. Sure, I'm sitting here sweltering in temperatures in excess of 40 degrees Celsius, please requisition that plane ticket to the UK immediately – I would love a day or so in a cooler climate.
While dreaming about being in a cooler climate for a minute or two yet another customer calls me up to complain that they are not receiving e-mail from a friend. No problem, go straight to the log files in the DMZ only to find that the friend is using an ISP who's mail server has been black listed by SpamCop and a few other similar organizations. The customer then insists that I allow all mail from this ISP to bypass our filters. Sure, I'm going to allow all e-mail originating from a server that has been blacklisted for sending spam to be delivered to my customers mailboxes unchecked, I think not - see note above about customer #1 having received one spam e-mail.
I don't get it. How can an ISP setup a mail server in a manner that leaves it open to abuse? That also raises the question of how can an ISP setup a mail server that is not RFC 2821 compliant? Surely these are professional people who know what they are doing and are being paid a good salary for doing it?
Now I'm contemplating a slight career change and figure that I could make a killing contracting to ISP's configuring their mail servers when yet another misguided customer phones me and complains that a relative in country x is having problems sending an e-mail to a relative in country y and wants to know what I'm going to do to fix the problem.....................