Avoid FastMail

[Updated: 2019/Oct/30]

In my quest of moving away from evil, I moved my email from Google across to FastMail. They come highly recommended, probably by people who have experienced no issues, but for me it’s been telling how dangerous they are. Read on for the details.

A step back

I did some investigation around email providers that are not Google, and a few kept popping up. Fastmail drew my attention as I’d tried them before and they have been around for over 15 years. This gave me confidence that they would be around some time still.

I started up a trial account on my personal domain to test them out. Everything worked like a dream. Smooth sailing for a couple of days, and I thought, “here it is, my solution!". They have email, calendar, contact and file support. Pretty much everything I need to move away from Google. I moved my family across by adding my family domain. I updated all my DNS records, set up my SPF and DKIM records and was up and away! I set up my family devices. I imported everyone’s email, contacts, and calendars. Everything was beautiful. Until Sunday morning…

“Login disabled. Contact Support”

My iPhone bleated about the FastMail password being incorrect when I woke up. Somewhat irritating as I’d used the FastMail preferred method of installing a profile. I don’t have access to that password. I can manually set things up but thought I’d go with the preferred way. Anyhow, I hopped on to my PC to login to see what could be wrong.

"Login disabled. Contact Support"

I contacted their support and fired up a new ticket. As a cursory check I tried emailing myself. As long as I am receiving email, a little outage is okay (it’s hardly a business account) right? But no, instead I see this:

"554 5.7.1 <mail-pg1-f174.google.com[209.85.215.174]>: Client host rejected: Address locked or deactivated; see http://mail.messagingengine.com/docs/locked.html"

The link provided omits “Client host rejected: Address locked or deactivated”. I assume that this is bad as I will not be receiving email. Although this is not a business account, it is an email address I’ve had for over a decade and is a main contact point. Note that my family mail is also down at this point, so this is not affecting just me.

I check the ticket status. No update. It’s an hour later, no status update. I move my personal email back to my DreamHost domain so that I can at least receive email before services start bouncing me off. It’s a bit of a pain in the proverbial as I have to update MX, SPF and DMARC records, but so be it.

Later yesterday

After having no update for most of the day, I finally see an update at 19:28, which reads:

Hi Brian,

The account has been locked permanently.

If an account is locked, it is usually for :

  • Fraudulent payment method detected
  • Account being used for fraudulent purpose.
  • Violating one or more of our “Terms of Service”

The most frequently violated “Terms of Service” include (but are not limited to):

  1. Item 3 (Message… and Other Limitations). Have signed up for more than one free/trial account
  2. Item 4 (Member Conduct): Using a free/trial account for commercial purpose Using the Service in connection with surveys, contests, pyramid schemes, multi-level marketing schemes, chain letters, junk email, spamming or any > duplicative or unsolicited messages (commercial or otherwise). Publishing, distributing, or disseminating any inappropriate, profane, defamatory, infringing, obscene, indecent or unlawful material or information.

Please carefully review the TOS to see which one you have violated:

https://www.fastmail.com/about/tos.html

The account will not be unlocked.

I go through the terms of service thoroughly. I cannot point to anything and say, “yep, my bad, I did that”. I probe for some more evidence from the support team as I still have no idea what caused their concern. Eventually they give me the bit I was looking for:

Your account was locked for sending mail from a @gov.za email address. Per the administrators of the domain gov.za, mail using from:@gov.za email addresses can only be sent from a specific set of IP addresses, which do not correspond with the IP addresses of our sending servers. Because of this, the account will not be unlocked.

So according to their systems I sent email from a gov.za address. If I indeed had done so, then I would most certainly be in breach of ther T.O.S. I knew for a fact that I could not have done this from Fastmail as I have no gov.za from address configured (I’m sure they checked that right?). Since I imported all my email from my two other accounts, I searched for email that was sent from a gov.za address there, and could find nothing. Not a single email. Two thoughts crossed my mind:

  1. Someone gained access to my account and sent email from a gov.za account.
  2. I had sent an email inadvertently, somehow, from a gov.za account.

I finally confirmed the latter was not an issue when I regained access to my account, no emails. I’m also sure that if someone else had gained access to my account that they would have had to bypass 2FA. I still have my device, so it can’t be that.

I decide to probe a little deeper in to my email. I finally come up with a clue. I use a feature in Apple Mail called ‘Redirect’. It allows me to send email to Evernote without all the forwarded email formatting. It’s almost like the email was sent directly there from the original sender. I dig through the email headers and realise the issue:

Received: from [**REDACTED**] (8ta-246-30-38.telkomadsl.co.za. [**REDACTED**])
        by smtp.gmail.com with ESMTPSA id d24sm57335357wrb.47.2019.02.19.19.55.16
        for <**REDACTED**>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 19 Feb 2019 19:55:17 -0800 (PST)
From: [email protected]
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_B280E20E-DA27-4A70-B6DA-B6570BB3EF94"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 18 Feb 2019 13:29:06 +0200
Subject: HOME AFFAIRS: ACKNOWLEDGEMENT OF RECEIPT OF APPLICATION
Resent-Date: Wed, 20 Feb 2019 05:55:13 +0200
Resent-From: Brian Johnson <[email protected]>
To: [email protected]
Resent-To: Evernote Inbox <**REDACTED**>
Message-Id: <[email protected]>
X-Mailer: Apple Mail (2.3445.9.1)

If they are looking at only the From: part, then of course it looks like it came from a gov.za account. But it didn’t actually come from that TLD, it came from my personal account, as can be seen by the Resent-From: header. It’s part of the RFC 822 standard. I can only assume that they looked in the wrong place.

I’ve moved my Family email back to Google.

I finally get a confirmation of the state:

I am sorry about what happened here. As you noted, your account was locked in error. I have now unlocked it.

Due to the large number of spammers/scammers that signup accounts, we now spam scan all outgoing email from new accounts and assign a spam score to them (the score is dependent on email content, number of recipients, time since signup, etc). If the email is over a threshold score, the account is locked.

This works well in 99% of the cases. In this case, as you noted, the email was incorrectly triggered as possible spam and your account got locked.

As mentioned, I have now unlocked it so you should now be able to use it.

The billing screen is inaccessible due to some issue after the refund was processed. I’ll check with our engineers so that this can be fixed and get back to you soon.

They opened up my account, so I grabbed all the family’s email from the weekend and moved it across to my current provider. I closed the ticket asking them to close the account.

Interestingly they appear to claim that my spam count was high here, not the “from address” issue. I’m still not sure which of the two was the main issue, but whichever it was, it was in error.

The dangerous part

To be fair, the 99% of users that use the system for spam would be correctly closed thus leaving a quality service for the rest of us. It’s the last 1% what concerns me.

And now the real reason I have issue here. Their reach on this issue is too far. They not only locked out my account, they also locked out my entire family. There was no warning. There was no way back in to my account. There was no person to speak to.

I was locked out from sometime on Sunday (Feb 24th 2019) through until yesterday after lunch (Feb 27th 2019 1:56 PM SAST). Potentially 3 days without email for an error on their side. Sorry FastMail, but this is not good enough. The error was a simple one to have avoided if you’d just understood email standards. This is your primary service; you have one job.

I cannot trust them as an email provider. I cannot trust that they won’t do this again. I cannot ask my family to move to them again, that’s for sure. I cannot recommend that anybody does to be honest.