Failing Fast with FastMail.fm
So I thought I’d try a non-free email provider for a new domain I’m working on. I’ve used both complimentary email accounts for domains I’ve registered at places like GoDaddy, as well as free accounts at places like Yahoo and Google. I thought it would be interesting, for a change, to use a provider whose primary focus was email.
It was was actually kind of difficult to find anybody still providing email as a their primary business. I suppose it is hard to compete with free. After some research, I settled on FastMail.fm and created an account on August 29th, 2011.
I can summarize my experience to date with three words:
Worst. Service. Ever.
Signing up was easy enough, and a quick test email later confirmed everything was working. I logged onto my web hosting provider and began forwarding email for my new domain to my new FastMail account. I didn’t even have a web site up yet, so I didn’t expect much traffic.
Things went down hill from there.
I came back a few days later to add my account to Outlook, and I noticed several bounced messages in my inbox. Some looked like they’d been sent from my account, but I hadn’t sent them. I also noticed a lot of what looked like spam. I chalked this up to the fact that FastMail has been around a while, and from their blog, it didn’t seem like the strongest spam protection was enabled by default.
The bounced messages were disturbing. I hadn’t sent them, and they were clearly spam, but I’d chosen a strong random password for my account (117 bits, according to KeePass). I’d only ever accessed the account from home, not some unprotected wireless network at the local coffee shop, so I didn’t think my account had been hacked. I deleted the junk messages, configured Outlook, and logged out. I’d check back in a while to see if the spam persisted.
Nine days later, I started Outlook and went to check my messages to see if the amount of spam I was getting had changed. Outlook complained that my username or password for my FastMail account was incorrect. I double checked them, then tried again. No dice. I opened up a browser and tried to log into my FastMail account and was greeted with this message:
The account you are trying to access has been disabled due to over-quota use, or usage abuse. The system limits the number and size of emails you can send in an hour as described here and here. You will have been sent a warning email to your account, and your backup address when you reached half your usage quota, and again when you reached your full limit. These emails will describe the limit you reached, and why your account was disabled.
I scratched my head for a minute trying to think how this might have happened. Had my account filled up with junk because I was routing all email traffic for my new domain to it? I reconfigured email forwarding on my domain to bounce everything but one specific address, then logged into FastMail’s support page and left the following message on September 8th:
I tried to log into my account, and it said I was over-quota and that an email had been sent to my contact address, but I never received it. I haven’t sent out any emails on this account, so I’m confused why I’m getting an over quota problem.
I’ve attached the only email I’ve ever received from fastmail.
I attached my order confirmation email, the only email I’d ever received from FastMail. The next day, I received this unhelpful response from a FastMail admin by the name of Vinodh Khumar:
Hi,
Your FastMail account was recently detected sending bulk/duplicative emails. The Terms of Service that you agreed to on signup prohibits sending of “duplicative messages”.
—
http://www.fastmail.fm/docs/terms.htmSection 4
…
By way of example, and not as a limitation, you agree not to: Use the Service in connection with … any duplicative or unsolicited messages
—Consequently your account sending has been locked.
If you can ensure that you would not use your account for further bulk mails, we’ll be happy to unlock your account. If not, we suggest you look for another provider.
There are a number of other providers out there that provide much better ways for sending bulk emails.
I recommend you check out:
—
*** Newsletter sending servicesHelps you send newsletters and other regular correspondence to people on
a mailing list you have. Helps you build the newsletter with templates,
gain analytical insight (eg who reads the newsletter, who clicks on
links in the newsletter, etc), and maintain the mailing list (eg find
dead bouncing addresses, handle unsubscribe requests, etc).http://www.mailchimp.com/
http://www.aweber.com/*** SMTP/API/notification sending services
Helps you send emails like notifications or other custom emails. Provide
multiple integration APIs and monitoring services.http://aws.amazon.com/ses/
http://postmarkapp.com/
http://sendgrid.com/
———–They will allow you to manage your subscriptions and email sending much better than Fastmail can. Hope you understand.
FM Webmaster
This was not really the answer I was looking for. I tried to explain that I had not sent these messages.
I understand your terms of service, but I’m confused how my account is sending any emails at all. I only just created it and I don’t think I’ve ever sent anything from this account. I’ve only sent a couple of emails to this account, one directly and one via email forwarding I’ve configured for a new domain.
I did notice lots of bounced mail warnings and other spam when last I logged in, but I thought that was because fastmail.fm had been around awhile and got lots of spam directed to it.
To reiterate, I have *not* been sending bulk email from this account. Perhaps my account was hacked, I don’t know. All I know I that I have not been sending bulk emails from this account.
Can my account be purged and my password reset so that I can regain access to it?
Its been 3 days now. I’m still locked out of my account, and I’ve yet to I receive a reply to the previous message. My money’s gone, and frankly, I’m a little worried they have my credit card on file.
In any event, I guess I’ll be sticking with Gmail.
Update 2011-09-12
After nearly 4 days of waiting for a response to my reply above, my support ticket was unceremoniously closed without comment from Vinodh or anyone else at FastMail. I’ve opened a new ticket. At this point, I just want my money back.
Enforce Strong Django Passwords
We’re using Django 1.3 for a new project at work. One of the things Django provides us with out of the box are convenient password change/reset forms and views. However, they don’t enforce any kind of password strength. As the application touches on financial data, it was suggested we nudge our users towards stronger passwords.
A quick search found django-passwords by Donald Stufft. The source code can be found here.
The django-passwords application provides a PasswordField and validators for enforcing stronger passwords with a number of options. I’ll show you what I did to integrate it with Django’s built-in password change and reset views.
First, install django-passwords with with pip or easy_install. Next, edit your settings.py file and add the application and your preferred password strength settings.
[python]
INSTALLED_APPS = (
‘django.contrib.auth’,
‘django.contrib.contenttypes’,
‘django.contrib.sessions’,
‘django.contrib.sites’,
‘django.contrib.messages’,
‘django.contrib.staticfiles’,
# Uncomment the next line to enable the admin:
‘django.contrib.admin’,
# Uncomment the next line to enable admin documentation:
# ‘django.contrib.admindocs’,
‘passwords’,
)
# Minimum password strength settings. See the GitHub page for defaults.
# https://github.com/dstufft/django-passwords/
PASSWORD_MIN_LENGTH = 8
PASSWORD_COMPLEXITY = { "UPPER": 1, "LOWER": 1, "DIGITS": 1 }
[/python]
In the example above, I’ve configured settings.py file to require passwords that are at least 8 characters long and contain at least one uppercase, one lowercase, and one numeric character. Now, any place I use a PasswordField, text entered will be validated against these requirements.
If you wish to use Django’s included password reset/change views, you have one more step do. You’ll need to extend django.contrib.auth.forms.SetPasswordForm and django.contrib.auth.forms.PasswordChangeForm and add the validate_length, complexity, dictionary_words, and common_sequences validators to those forms’ new_password1 CharFields.
EDIT: Matt Austin was kind enough to point out that all your really need to do is override one of the password fields in SetPasswordForm and PasswordChangeForm with PasswordField, so I’ve replaced my convoluted brain-dead implementation with his suggestion below.
[python]
from django.contrib.auth.forms import SetPasswordForm, PasswordChangeForm
from django.utils.translation import ugettext_lazy as _
from passwords.fields import PasswordField
class ValidatingSetPasswordForm(SetPasswordForm):
new_password2 = PasswordField(label=_("New password confirmation"))
class ValidatingPasswordChangeForm(PasswordChangeForm):
new_password2 = PasswordField(label=_("New password confirmation"))
[/python]
I put mine in a forms.py file in my application package. Finally, you need to replace the default forms with the new validating versions in the password routes of your urls.py file.
[python]
url(r’^password_change/$’, ‘django.contrib.auth.views.password_change’,
{‘password_change_form’: TimeStampedPasswordChangeForm}),
url(r’^password_changed/$’, ‘django.contrib.auth.views.password_change_done’),
url(r’^password_reset/$’, ‘django.contrib.auth.views.password_reset’),
url(r’^password_reset_done/$’, ‘django.contrib.auth.views.password_reset_done’),
url(r’^password_reset_complete/$’, ‘django.contrib.auth.views.password_reset_complete’),
url(r’^password_reset_confirm/(?P<uidb36>[-\w]+)/(?P<token>[-\w]+)/$’,
‘django.contrib.auth.views.password_reset_confirm’,
{‘set_password_form’: TimeStampedSetPasswordForm}),
[/python]
Congratulations, your site should now be enforcing the heck out of user passwords. However, let’s not get too full of ourselves. XKCD explains why this probably isn’t solving the real problem of password security anyway.
