ietf-asrg

Re: [Asrg] Let's try something different

2003-03-08 12:09:37
Kee Hinckley wrote:
At 10:38 AM -0500 3/8/03, Chris Lewis wrote:

The hugely critical thing is how you handle false positives.  Do you
just sigh, and say "blacklists are STUPID!!!" and turn them off, or do
you take a broader view and get the open proxy fixed? It's not as if a
given FP is something you can't do something about.

I used to spend time tracking down that kind of thing. The volume exceeded what I could deal with years ago. But more critically, now that I'm running a service, I simply cannot afford it. Do the math on what someone pays to have their email spam-free, and then compare that to the amount of time it takes to track down and complain about proxies. No can do.

Simple. Do what we do. We blacklist the open proxies, and let the people who hit the blacklist (if any do) report it. We provide pretty boilerplate responses for the sender to give to their provider. That's much easier than trying to figure out what the responsible email address corresponding to the IP of a given open proxy is. By definition, the user hitting the blacklist will have a better idea of who to contact.

A FP or two?  So what?  If you're doing it right, the worst that happens
is that the email is delayed a bit.

This is a common misconception. "False positives aren't a problem, they just go into a queue that people can check." Technically, it's true. Practically, it doesn't work.

I think you missed a step. The sender sees the reject, and reports the FP as instructed in the reject.

I've got bad news for you.  People don't check the queues.

Pardon my French: Like hell I don't!

In case you missed it, I'm the FP handler for the entire company. When I say 5-10 FPs per day, that's for ALL email coming into the 50,000 seat company (a bad day at that, and that's including FPs not due to blacklists)

I process the queue. There's too many people watching (CC'd on the FP handling address, many capable themselves of handling most FPs if I'm not around) for me not to.

[FP handling takes me about 15 minutes/day - for the whole company. I'm in the midst of handing the "problem resolver" tool over to operations, so I won't even have to do that anymore.]

So, let's say you don't want to funnel your FP reports into a FP-handling service, or you're worried that too many FPs don't get reported by the sender. Simple, do what Brightmail does (and we're currently trialing something similar). Send each user, according to whatever schedule they may choose, a single email containing dates, froms and subject lines of mail that's been filtered. Give them the opportunity (via a link to your quarantine server) to view or discard the blocked emails. Or even provide a mechanism for selecting automatic forward (i.e.: based on from) without having to adjust the front-end server-wide filtering.

Simply by scanning the email they get, they can decide not to bother checking, or, see something that perhaps shouldn't have been blocked, and go get it.

Then no user has a plausible excuse for missing anything - nothing to "remember" to check. It's in their face, just as if the email got through in the first place.

Even moderately high levels of FPs (1-10%) are truly irrelevant if you handle them properly.

Full deployment of our spamviewer facility will permit the filters to become far more draconian than they are now.

Don't say it doesn't work. It does. We've been doing it for >5 years already, and nobody's shot me yet ;-)

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
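
The per-user quarantine digest described in the message above, sketched as an added example that is not part of the original post and is not Brightmail's or the poster's code. The record layout, the `QUARANTINE_URL` placeholder and the function names are assumptions made for illustration; the sample records are constructed.

```python
from collections import defaultdict
from email.message import EmailMessage
from urllib.parse import quote

QUARANTINE_URL = "https://quarantine.example.invalid/view"  # hypothetical placeholder

# Constructed sample records: (recipient, date, from, subject, quarantine id).
SAMPLE = [
    ("alice@example.com", "2003-03-08 09:14", "deals@bulk.example",
     "Cheap meds!!!", "q-1001"),
    ("alice@example.com", "2003-03-08 10:02", "bob@partner.example",
     "Contract draft\r\nBcc: x@evil.example", "q-1002"),
    ("carol@example.com", "2003-03-08 11:30", "promo@bulk.example",
     "You won", "q-1003"),
]

def clean(value, limit=80):
    """Replace control characters so filtered-mail headers cannot forge
    extra lines in the digest, then collapse whitespace and truncate."""
    text = "".join(ch if ch.isprintable() else " " for ch in value)
    return " ".join(text.split())[:limit]

def build_digests(records, sender="quarantine@example.com"):
    """Group filtered mail by recipient and return {recipient: EmailMessage}."""
    per_user = defaultdict(list)
    for rcpt, date, frm, subject, qid in records:
        per_user[rcpt].append((date, frm, subject, qid))
    digests = {}
    for rcpt, items in per_user.items():
        lines = [f"{len(items)} message(s) were filtered. View or discard:", ""]
        for date, frm, subject, qid in sorted(items):
            # Date, From and Subject are shown as data only, never as headers.
            lines.append(f"{clean(date)}  {clean(frm)}  {clean(subject)}")
            lines.append(f"    {QUARANTINE_URL}?id={quote(qid, safe='')}")
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = f"Quarantine digest: {len(items)} filtered message(s)"
        msg.set_content("\n".join(lines))
        digests[rcpt] = msg
    return digests

if __name__ == "__main__":
    for message in build_digests(SAMPLE).values():
        print(message.as_string())
        print("-" * 60)
```

The second sample record carries a CR/LF sequence in its subject; `clean` flattens it so the digest shows it as one listing line rather than something that looks like a separate entry or header.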