Gandi Mail - Enhanced Security Measures
By Leland Vandervort on Friday 12 March 2010, 11:27 - Gandi
As a result of increasing levels of misuse of our Gandi Mail service, we are obliged to take immediate measures to protect not only our infrastructure, but also the integrity and quality of the Gandi Mail service for all of our customers.
The Gandi Mail product is a complimentary service included with domain names registered at Gandi. It is not, and never was, intended to be a general-purpose email (SMTP) relay service, even though it is only accessible after authentication. Of course, we also provide bolt-on functionality, at a modest cost, for customers who require additional features such as more storage space, more than five mailboxes, auto-responders, etc. Nevertheless, the Gandi Mail service is only to be used for sending and receiving mail for our customers' domains registered with us.
Unfortunately, over the past several months a large number of users have been using the service to send emails "from" other domains, either domains not registered at Gandi or, in many cases, domains which are entirely bogus. The vast majority of such emails have turned out to be spam and/or "phishing" attempts.
As a result, effective immediately, and as part of the roll-out of the new Gandi Mail platform, the Gandi Mail servers will only accept outgoing emails whose sender address is at a domain registered to the authenticated customer at Gandi. If the "from" address of an email does not meet this criterion, the email will be rejected.
Again, we apologise for having to take such drastic action without notice, but these measures had to be put in place to protect not only the mail infrastructure itself, but also the quality of service for you, our customers, the vast majority of whom do indeed use the mail service responsibly and in the manner in which it was intended.
As usual, should you encounter any problems with your Gandi Mail service, please do not hesitate to contact our support team who will be happy to assist.
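The rule announced above binds the sender address of an authenticated submission to the domains the customer has registered. What follows is an added example written for this page, not Gandi's own code: a policy check in the shape a submission server would apply at MAIL FROM and again at DATA, next to the older "authentication is enough" behaviour that the post describes as the problem. The account table, the domain list and the sample submissions are constructed for the example; treating subdomains as the customer's own and checking the From: header in addition to the envelope sender are assumptions of this example, not something the post states.

```python
"""Binding the sender address of an authenticated SMTP submission to the
customer's registered domains.

Added example, not Gandi's own code: it models the rule announced in the
post (mail is only accepted "from" a domain registered to the authenticated
customer). The account table and messages below are constructed for the
example; treating subdomains as the customer's and checking the From:
header as well as the envelope sender are assumptions of this example.
"""
from email.utils import getaddresses
from typing import NamedTuple, Optional, Set

# Hypothetical account -> registered-domain mapping (constructed data).
REGISTERED_DOMAINS = {
    "alice@example.net": {"example.net", "example.org"},
    "bob@example.com": {"example.com"},
}


class Verdict(NamedTuple):
    accepted: bool
    code: str      # SMTP reply code the submission server would send
    reason: str


def _domain_of(address: str) -> str:
    """Lower-cased domain of an addr-spec, or '' if it is not user@domain."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower().rstrip(".")


def _owned_by(domain: str, owned: Set[str]) -> bool:
    """True if domain is one of the customer's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in owned)


def legacy_check(auth_user: Optional[str], envelope_from: str) -> Verdict:
    """The behaviour the post describes as the problem: any authenticated
    customer may use any envelope sender, so one account is enough to send
    'from' another company's domain or from a domain that does not exist."""
    if auth_user is None:
        return Verdict(False, "530 5.7.0", "authentication required")
    return Verdict(True, "250 2.1.0", "sender accepted (no domain binding)")


def check_mail_from(auth_user: Optional[str], envelope_from: str) -> Verdict:
    """Hardened MAIL FROM policy: authentication plus sender-domain binding."""
    if auth_user is None:
        return Verdict(False, "530 5.7.0", "authentication required")
    if envelope_from == "":
        # The null sender exists for bounces; a customer submitting mail never needs it.
        return Verdict(False, "550 5.7.1", "null sender not allowed on submission")
    domain = _domain_of(envelope_from)
    if not domain:
        return Verdict(False, "501 5.1.7", "malformed sender address")
    if not _owned_by(domain, REGISTERED_DOMAINS.get(auth_user, set())):
        return Verdict(False, "553 5.7.1",
                       f"sender domain {domain} is not registered to {auth_user}")
    return Verdict(True, "250 2.1.0", "sender accepted")


def check_header_from(auth_user: str, header_from: str) -> Verdict:
    """DATA-time policy on the From: header.

    Checked separately because the envelope sender can be legitimate while
    the header the recipient actually sees names a foreign domain. Every
    address in From: must belong to the customer; a quoted display name that
    merely looks like the customer's address does not count."""
    owned = REGISTERED_DOMAINS.get(auth_user, set())
    addrs = [addr for _name, addr in getaddresses([header_from])]
    if not addrs or any(not _domain_of(a) for a in addrs):
        return Verdict(False, "550 5.7.1", "missing or malformed From: header")
    foreign = [a for a in addrs if not _owned_by(_domain_of(a), owned)]
    if foreign:
        return Verdict(False, "550 5.7.1",
                       "From: domain not registered to the customer: " + ", ".join(foreign))
    return Verdict(True, "250 2.0.0", "message accepted")


def submit(auth_user: Optional[str], envelope_from: str, header_from: str) -> Verdict:
    """Apply the checks in SMTP order (MAIL FROM, then DATA); the first rejection wins."""
    verdict = check_mail_from(auth_user, envelope_from)
    if not verdict.accepted:
        return verdict
    return check_header_from(auth_user, header_from)


if __name__ == "__main__":
    # Constructed submissions: (authenticated account, envelope sender, From: header)
    samples = [
        ("alice@example.net", "alice@example.net", "Alice <alice@example.net>"),
        ("alice@example.net", "news@mail.example.org", "News <news@mail.example.org>"),
        ("alice@example.net", "security@bank.invalid", "Bank <security@bank.invalid>"),
        ("alice@example.net", "alice@example.net", '"alice@example.net" <x@bogus.invalid>'),
        (None, "alice@example.net", "Alice <alice@example.net>"),
    ]
    for user, env, hdr in samples:
        old, new = legacy_check(user, env), submit(user, env, hdr)
        print(f"{str(user):20} {env:25} legacy={old.code:10} new={new.code:10} {new.reason}")
```

The third and fourth sample submissions are the cases the announcement is about: the legacy policy accepts both because the account authenticated, while the hardened policy rejects the foreign envelope domain at MAIL FROM and the display-name trick at DATA. In a real deployment the domain table would be looked up from the registrar's account database rather than a dictionary, and the reply codes would be emitted by the SMTP server rather than returned as values.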
Comments
Hah! Looks like SORBS was right after all. You guys do knowingly support spammers. Nice to see your proactive anti-spammer policy... yeah right.
Wonder what other back doors you guys have for spammers to take advantage of... hey, let's try your virtual server offer. Another haven for Wayne Mansfield and his associates.
Well that was a very mature response Michael.
Given Gandi's reputation, I think it is about bloody time that they put this into place because it was way too susceptible to abuse. The SORBS problem is not really related, since that is basically Michelle (formerly known as Matthew) on a personal vendetta against a small handful of named individuals. Unfortunately there are also a lot of so-called anti-spam activists who don't know how to read email headers either.
Good job, Gandi, for locking this down. A little late, but you've now caught up with the rest of the internet "best practice".
Brian J.
What I don't understand is: if you knew people were abusing the system all this time, why didn't you take action against the abusers instead of penalising everyone in one fell swoop?
Or does this mean that you didn't actually keep very accurate log files of mail activity and now it's catching up to you?
Yes, it's a very good thing that you're doing this, but it should have been done from the outset because now you're faced with a situation where you alienate existing customers because of your own complacency -- ok -- maybe they shouldn't have taken advantage of the loophole in the first place, but nevertheless it comes as a foul blow to everyone now.
Just my 2 pence
Dave
Come on, Gandi. Let's face it. You got caught hosting and facilitating spammers and now you're holding your customers hostage to cover up for your incompetence.
You guys should find a new line of work because email service certainly isn't one of your strong points!
Hope the rest of the clueful ISPs blacklist you just like AOL has!
Gandi is friendly to spammers!
Spamdi.net!!
Hi guys,
Thanks for your colourful comments.
Brian is quite right, this is nothing to do with the SORBS issue, which all began because a domain registered through us was mentioned in a spam email. We did not send or relay any spam.
And regarding the open SMTP protocol we offered, we said that this was the focus of increasing misuse, but not that this misuse was effective. To give you an example, we process around 50m emails per day through our system. But only about 6m actually end up being sent, as the remaining mails are matched against spam databases (Spamhaus and SpamAssassin) and blocked before being sent.
So the misuse of our system has resulted in more work for us to continue to keep attempted spam out of circulation, not actually in us relaying spam. We tried to keep an open system that some customers appreciated, but the increasing misuse has forced us to stop this.
I hope that makes it a bit clearer. We're not spammers and nor are we supporting spamming activity.
Joe
@all: Just a quick update to let you know that just because we haven't commented recently doesn't mean that we aren't listening.
Some of the comments on both the English and French versions of our blog have been valid and useful. We are actively looking into the feasibility of reopening the SMTP as before, but obviously there would be certain precautions and limitations placed upon such a move.
We will update you again when we have implemented the solution.
Leland
Just to update everyone...
Whilst the precept remains that the Gandi Mail service is intended for domains registered at Gandi, we have nevertheless *removed* the SMTP restriction, whilst implementing a number of additional safeguards, though these should have no impact on the sending of emails. We are, of course, tolerant of fair use of the system, but will take rapid action in case of abuse.
We will shortly be communicating further with more details, but due to a few contractual amendments, we are not in a position to communicate on these specifics until our legal team has completed the validation process.
We will keep you updated in due course.
I am not a gandi user. I have been following this post because I have been considering transferring a couple of my domain names to gandi.net in order to take advantage of the e-mail service you provide.
Now I don't know whether this would be a wise move, as it seems, for reasons that I don't understand, that your policies are still too loose and might cause unnecessary problems to legitimate users.
What reason is there not to restrict the use of SMTP only to domain names and users who are registered with you and whose identity can be authenticated?
@Ok
All users of the Gandi Mail service are authenticated users with at least one domain registered with us. The risk was the fact that once authenticated, the actual email could be sent "from" any other domain, whether with us or not.
This has been somewhat mitigated now with the additional safeguards put in place which allow immediate action to be taken in case of verified abuse of the service.