I recently participated in an industry discussion about how email service providers (ESPs) manage risky client behavior, such as co-registration activity, that can result in wholesale blocks of their email and soil their reputation before they know what’s hit them.
In my view, co-registration activity is but one example of the age-old challenge faced by ESPs: reconciling their interests with those of a specific client whose practices may put them and other clients at risk. These are cases where an ESP’s client can be its own worst enemy, as counterintuitive as that may sound. The fundamental problem is that most ESPs don’t know that a client has engaged in overly risky behavior until the damage has been done, and by then they’ve been thrown into recovery mode.
This is the same issue we’re seeing manifest itself in some of the recent security breaches. It’s not the ESP being compromised, but its client. Someone has gotten their hands on a client’s access credentials, and before the ESP is aware of the situation, its system is being used to spew out spam or worse. While it’s very important to focus on preventative measures in both cases, my view is that we should acknowledge the inevitability of these situations.
There are simply too many points of vulnerability and too many variables to cover them all. Despite their best preventative efforts, ESPs will continue to suffer the consequences of bad client practices, intended or not, and of systems compromised directly or through an unsuspecting client. These things will happen at some point to even the best ESPs, so they should acknowledge the risk and plan accordingly by making detection and reaction a key component of email delivery and security management plans.
Of course, none of these issues are unique to ESPs. Major enterprises deploying email from internal systems face the same challenges of individual business units pushing the envelope too hard or simply making a disastrous mistake, like pulling the wrong list. They too are targets for cybercriminals who seek access to their networks and customer data.