Like many providers, we use domains strategically to protect your online privacy and security. Yesterday, our domain
fastmailusercontent.com was mistakenly added to a blacklist provided by Google. This particular blacklist is used by most web browsers. While blacklists were not put in place to lock out sites like FastMail, misclassified instances like this do happen.
The listing is not an indication that FastMail was compromised in any way, and there was no leak of personal information. However, it did result in webmail users having problems accessing their email for a few hours, and seeing an alarming red warning message.
If you experienced this yesterday, you saw a bit of the normally-invisible fence built in to browsers. They work to block sites trying phish your private information or install malware on your device. Since FastMail is not at all in this category, we were able to resolve the misunderstanding quickly.
How we wound up on a blacklist
Our primary domain is fastmail.com — this is where we host our website and the interface to your mail, calendars and contacts. When you open an email attachment, we use a different domain (
fastmailusercontent.com) for additional security. Browsers separate information by domain, so this ensures that a malicious attachment cannot gain access to the personal information or other data in your account.
To protect your privacy, we also load images via
fastmailusercontent.com. Requesting an image on your behalf means your IP address (which can often be used to determine your physical location), cookies and device information are hidden from the sender of the email.
While we don’t know exactly why
fastmailusercontent.com was added to the blacklist, we think someone opened an attachment from a phishing email and reported it.
How we resolved the immediate issue
As soon as we realised what was happening, we reached out to contacts at Google, who helped address the issue quickly. We are grateful for their support in expediting removal from the blacklist, so our service was once again available to all our customers.
What we’re doing to ensure seamless service in future
As privacy and security champions, we know that the internet’s protective ecosystem mostly works — and it’s crucial to protect users from the very real threat of phishing. However, mistakes can happen, and ensuring uninterrupted service for our customers is a top priority for us.
Abuse of trusted providers like FastMail is an expected part of providing service, and we devote a lot of effort to making sure one user’s bad behaviour doesn’t impact other customers. We are moving to unique subdomains of
fastmailusercontent.com for each session, so the impact of any future issue can be limited. We are registering
fastmailusercontent.com on the public suffix list, a community-maintained service that lets browsers know that content on different subdomains are not related and should not be given any special privileges.
Blacklists for safe browsing are there to do good. However, in working to protect you, they can cast a net too wide. We stay connected with the communities who are involved in protecting the internet so we can resolve situations like this quickly should they arise.
We apologise if you were affected by this issue. Stay safe, and as ever, thanks for using FastMail.