The Email Provider Cabal's Heel

Your message wasn't delivered because the recipient's email provider rejected it.

At ClearOPS, we run our own email servers on our own hardware in data centers. That means dealing with security patching, upgrades, account management and, of course, spam. But for a privacy and security company, we still think it’s essential. There’s no third party reviewing the content of our inboxes, and best of all, no long privacy policies for Caroline to read. And it’s one less service provider to monitor.

Running your own email server in the age of the email cabal isn't fun. You are the little person knocking on the castle door, and answering you isn't high on their priority list.

What is the email cabal? Think Google, Microsoft, Yahoo and the handful of email providers that account for most of internet email traffic. According to one article, Google’s Gmail, Apple iCloud, Microsoft Outlook and Yahoo account for almost 3 billion email accounts. In September 2021, Google's Gmail accounted for 36.5% of emails opened, and Apple iPhone email was 33%.

Having such an intense domination of the entire email ecosystem means that the email cabal really only has to care about email from other cabal members.

Bounce email from outside the cabal? Tough, it’s not their problem. You little people who run your own email servers need to sway to our whims.

This isn’t just about an email server correctly configured with a PTR in DNS, SPF, DKIM and DMARC records. I’m not going to explain those. But if you know what those acronyms and standards are, you get my point.

“We are the majority, and you need to play by our written and unwritten rules”, the cabal declares.

That's why it's fascinating to glance at certain unsolicited commercial email (UCE) today. This is not a reference to blatant email scams. It's actual business-related email from vendors looking to capture some of your business' expenditures. They email you three, four or even 10 times and open with lines like “I can understand your busy schedule, just wanted to circle back and…”.

One recent example's subject line is "Media inquiry for George."

The actual email sender is someone @gmail.com. But in the CC is someone-else @resultspublicrelations.uk, which also happens to be hosted by Google.

The clear pattern is UCE senders taking advantage of almost guaranteed email cabal delivery while safely putting their actual business' email domain in the CC field. It's a savvy approach to keeping a business' email domain "clean" while successfully spamming the recipient.

What happens when Gmail addresses the issue of a user spamming? The sender can move to another Gmail account and keep the company’s email address in the CC unscathed.

Use, dispose, repeat.
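The pattern above can be expressed as a header check that keys on the CC domain, which stays constant while the freemail sender rotates. This is an added example, not code from ClearOPS or the author; the freemail list, the function names and every address in the samples are assumptions constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Assumption: a short, locally maintained list of freemail domains.
FREEMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
            "yahoo.com", "icloud.com"}

def addresses(msg, header):
    """Lower-cased addr-specs found in every instance of one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.lower() for _, addr in pairs if "@" in addr}

def domains(addrs):
    return {a.rsplit("@", 1)[1] for a in addrs}

def cc_business_domains(raw, local_domains):
    """Cc domains that are neither freemail nor ours, on freemail-From mail."""
    msg = message_from_string(raw)
    if not domains(addresses(msg, "From")) & FREEMAIL:
        return set()
    return domains(addresses(msg, "Cc")) - FREEMAIL - set(local_domains)

def rotating_senders(raw_messages, local_domains, threshold=2):
    """Cc domain -> freemail senders seen with it, kept at >= threshold."""
    seen = defaultdict(set)
    for raw in raw_messages:
        senders = addresses(message_from_string(raw), "From")
        for dom in cc_business_domains(raw, local_domains):
            seen[dom] |= senders
    return {d: s for d, s in seen.items() if len(s) >= threshold}

def _mail(frm, cc):  # builds a constructed sample message
    return (f"From: {frm}\nTo: george@recipient.example\nCc: {cc}\n"
            "Subject: Circling back\n\nConstructed body.\n")

# Constructed samples; every address and domain here is made up.
SAMPLES = [
    _mail("Alice <alice.outreach@gmail.com>", "pr@vendor.example"),
    _mail("bob.outreach@gmail.com", "PR Team <pr@vendor.example>"),
    _mail("colleague@partner.example", "team@recipient.example"),
    _mail("friend@gmail.com", "other@gmail.com"),
]

if __name__ == "__main__":
    for dom, who in rotating_senders(SAMPLES, {"recipient.example"}).items():
        print(dom, sorted(who))
```

A hit is a scoring signal rather than a verdict, since legitimate mail from a personal account with a work address in the CC looks the same on a single message; the count of distinct freemail senders per CC domain is what separates the two.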

I have collected a good number of other UCE messages doing the same thing. I hold no grudges but rather appreciate the creativity in the approach. It’s an operationally unorthodox solution to the traditional problem of “how do I spam yet not implicate my business email address or domain?”.

But now what?

Most decent anti-spam tools focus on the spammer’s email server’s IP addresses, not the email addresses themselves.

Are we now supposed to block incoming mail from the Google IPs, which account for 36.5% of email opens?

Monocultures, including technology ones, have enormous drawbacks for any ecosystem. The email provider cabal monoculture is no exception. In this case of UCE, it means email is delivered seamlessly, and there’s nothing you can do about it.

My buddy Michael W. Lucas, a bad-ass technical and horror author, is actually composing a book as I write this entitled Run Your Own Mail Server, which is open for sponsors. Michael has been blogging snippets regularly. Apologies for the shameless plug. You would too if you knew him.

About the author: George is a co-founder and CTO of ClearOPS. By trade, George is a systems administrator out of BSD Unix land, with long-time involvement in privacy-enhancing technologies. By nature, he thrives on creating unorthodox solutions to ordinary problems.

About ClearOPS. ClearOPS provides security program management software to security experts powered by Generative AI. The platform is rooted in assessments, such as gap, security, privacy, RFPs and risk. Once a knowledge base is formed, all assessments can be automated or used to automate other features. Inquiries: [email protected]
