To block or not to block...
Please - just my opinion - so pace/pax/peace Chris Harvey and any other taggers; I mean no offence.

Background: As of now, more than half of all email here is rejected at source by spam countermeasures and I can still count complaints about false positives on the fingers of one hand and have some left over.

That makes an awful lot of spam that is not being delivered, tagged and filtered here...

There seem to be two schools of thought on using blocking to control spam.

There are those who believe that blocking results in too many "false positives". The risk of rejecting just one "legitimate" email is simply unacceptable and therefore blocking should be weak (or possibly not used at all).

Instead, it is argued that a combination of DNSBL tagging and content filtering is better. Tagging permits email from spammy sources to be delivered to a spam folder. And content filtering permits naughty words to be spotted and emails silently dropped or sidelined at the router before ever reaching the user's mailbox. It is better, in effect, to suffer the slings and arrows of outrageous spam...

This tends to rule out the use of tagging by Spamcop (some accidental false positives), as well as SPEWS (some quite deliberate false positives).

In fact it causes significant difficulty for most other lists such as DSBL and ORDB (because real admins do foul up and leave MTAs open to third party relay from time to time).

So, using a small number of strategically chosen DNSBLs, mail is tagged and then content filtered and then...

Four problems emerge:

1 - Using weak DNSBLs to tag and content filtering looking for offensive content means that false negatives will abound. Spam will end up untagged and unfiltered in users' in-boxes. Just not the porno kind. Well, not much.

2 - But if there is much suspected spam in the spam folder (up to half or more of all messages), which user actually has time to spot the one message in there which is not spam?

False positives occur here too, but these are potentially worse, because the sender has no idea that his/her message was tagged; it simply becomes lost in the wasteland of the spam folder.

3 - Content filtering is improving, but it is still far from perfect. Messages that appear to be undesirable may in fact be completely legitimate and yet may still be quarantined or even silently dropped, never to be delivered. Again, the sender does not know this has happened.

Large sites may have just created a full time job for a spam administrator, to review quarantined messages and release those deemed incorrectly trapped.

4 - So far as the spammer is concerned, the message was accepted for delivery. While ever he/she sees a significant proportion of "250 message accepted for delivery" responses, he/she will not be discouraged.

On the other hand, there are others, like me, who believe that aggressive blocking is the best solution for now.

Why?

Because where mail is rejected (554 SMTP response), the original sender will see a bounce. When the sender sees a bounce, it is obvious why the email bounced. When it is a "false positive", our 'phone rings and senders tell us. And even if they don't, no-one is under any illusion that the mail was successfully delivered. Confusion is avoided and in a small number of cases, alternative arrangements are made for message delivery pending delisting of the open relay or whatever.

No full time job of spam administrator has been created. No expensive content filtering software has been purchased, tuned, found wanting, tuned again and turned off in embarrassment.

And spammy (going direct-to-MX through his trojaned proxy server in Mexico) sees an unequivocal "554 - your spam unwelcome here". Which has to be at least somewhat discouraging.


Category: Spam blocking rationale
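
The two policies compared in this post, side by side, as an added example (not code from the original post or from Domino): a connect-time DNSBL check that either rejects with 554 or accepts with 250 and tags. The zone name, the listed address, the `X-DNSBL-Hit` header and the whitelist parameter are assumptions made for illustration, and the DNS lookup is replaced by a constructed table so the code runs offline.

```python
import ipaddress

# Constructed sample data so the example runs offline. A real MTA would send
# a DNS A query for each name; an answer in 127.0.0.0/8 means "listed".
ZONES = ["dnsbl.example.org"]                              # hypothetical zone
LISTED = {"99.2.0.192.dnsbl.example.org": "127.0.0.2"}     # constructed entry


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone (standard DNSBL query form)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def stub_resolve(name):
    """Stand-in for a DNS lookup: return the A record text or None (NXDOMAIN)."""
    return LISTED.get(name)


def connect_policy(ip, mode="block", whitelist=(), zones=ZONES, resolve=stub_resolve):
    """Decide the SMTP outcome for a connecting client.

    Returns (code, text, headers). mode="block" rejects listed clients with
    554; mode="tag" accepts with 250 and adds a header for a spam-folder rule.
    """
    addr = ipaddress.IPv4Address(ip)
    # Whitelisted networks (hypothetical feature) skip the DNSBL check entirely.
    if any(addr in ipaddress.ip_network(net) for net in whitelist):
        return 250, "message accepted for delivery", {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and answer.startswith("127."):
            if mode == "block":
                # The sending MTA generates a bounce, so a false positive is visible.
                return 554, f"rejected: {ip} listed in {zone}", {}
            # Tagging: spammer and legitimate sender both see success.
            # X-DNSBL-Hit is a hypothetical header name.
            return 250, "message accepted for delivery", {"X-DNSBL-Hit": zone}
    return 250, "message accepted for delivery", {}


if __name__ == "__main__":
    for mode in ("block", "tag"):
        print(mode, connect_policy("192.0.2.99", mode=mode))
    print("whitelisted", connect_policy("192.0.2.99", whitelist=["192.0.2.0/24"]))
```
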
Comments :

1. Chris Harvey 29/07/2003 20:23:16
Homepage: http://chris.brotherhoodmutual.com/


You may be surprised, but I totally agree.

I fought hard when we first started tagging messages to get them blocked and in my mailfile anything tagged is deleted without making it to my inbox.

We use both spamcop and spamhaus and as you mentioned there are some (very few) false positives and my management just wasn't willing to block all those messages without a 'whitelist feature'. In my mind that is the BIGGEST missing feature in Notes 6.

Our company was simply unwilling to tell a sender 'please, find another way to communicate with us until your mail host is un-blacklisted'. Management would have bought into blocking if our response could have been 'sorry for that, we'll just add you to our trusted whitelist and everything will be fine'.

Blocking is clearly the better way to go, and tagging is a lame effort. Our bandwidth and disk space is still abused by that 35-50% spam. But it is the lack of whitelisting with the blacklists that has forced us to take the lame path.




2. Chris Harvey 29/07/2003 20:28:45
Homepage: http://chris.brotherhoodmutual.com/


Of course my comments above are mostly preaching to the choir.

Chris, have you ever heard any positive response from IBM/Lotus concerning your plea for a Domino whitelist??




3. Chris Linfoot 30/07/2003 08:59:04
Homepage: http://chris-linfoot.net


Re: whitelist

No. IBM has fallen silent on the subject and few other LDD users seem motivated to pitch in and ask for it.




4. Stoomaroo 10/09/2003 16:10:02
Homepage: http://have none


I'm in with Chris L. Discussions to IBM lead to "We'll think about adding it to our future releases", and I have been dogged by corporate intolerance to false-positives...(wow, can people scream!) This is my biggest problem.

So I slaughter on...have tried some pretty bad products (i.e. Symantec's content filtering) -- and have eyed some better ones, Gessworks MIMEShield, all in hope that I find a middle ground between the Miltonian struggle we're looking at.

I have also heard a theory that SPAM is just a passing phase -- i.e. "even out of 100 million folks, no one will purchase Viagra from them"...is it true? Maybe I should start my own pharmacy and find out...stew-boy



