Re: [Asrg] Re: bounces, and anti-spam principles

> Before trying to reply to this whole thing, you might 
> want to scroll
> forward to Comment #6.  You seem to be assuming various 
> things about how
> filters have to work that simply aren't the case.
We'll get there.... :-)

> You _can_ handle false positives 100% without the 
> recipient controlling
> the rules or even necessarily know that a false positive 
> has occured. In
> effect, reducing your false positive level to zero, 
> without any
> recipient involvement.
>
> Our overall system is designed towards _zero_ false 
> positives.  In at
> least one way, we're theoretically (and near 
> effectively) there.  With
> DNSBLs and other techniques.
Obviously, I'd have to reserve judgement until I've 
experienced your "zero false positives" idea.  Let's just 
say that I've got a healthy degree of skepticism.
> In fact, in most ways we're far more aggressive than 
> other filtering
> schemes.  We can afford to have the filters misfire on 
> legitimate email.
> Simply because we've paid as much attention to finding 
> out about
> misfires and remediating them as we've done with 
> filtering itself.
Certainly making the consequences of questioning a given 
E-mail "acceptable" from a user standpoint gets you a long 
way.
> What happens after being blocked is just as much part of 
> a well designed
> filtering strategy as the filters are.
Agreed.

> > [comment #1]
> >
> > > > In any case, I still contend that simplistic blocking by 
> > > > IP address 
> > > > or domain name is a very poor approach, and for a whole 
> > > > variety of 
> > > > reasons.
> > > I will contend that there cannot be a content filter 
> > > that can 
> > > reliably separate spam from non spam. 
> > It doesn't NEED to be 100.000% accurate.
> Nor does any other form of filtering then.
Right.  If the USER considers it okay (and that's to some 
degree a moving target!) then it's "okay".
 
> > The bulk of mail most people receive comes from people 
> > they are familiar
> > with, and which fits certain patterns. A given sender 
> > (mailing list etc)
> > will typically have a signature file, for instance.  I 
> > know that Aunt
> > Matilda is NOT going to send me an E-mail containing a 
> > JavaScript
> > decryption routine, or an ActiveX enclosure.  She also 
> > is not going to
> > send me an executable attachment.  If stuff like that 
> > arrives here, it
> > is safe to presume it is NOT from her, no matter what 
> > the From: address
> > says (and even if it WAS sent from her computer).
> This does not work in the large scale beyond a limited 
> subset of users.
Why not?

> Not everyone has that small a set of correspondents to 
> cope with, and
> the "new correspondent" issue remains a big problem.
The total set of correspondents doesn't have to be small. 
It just needs to have a relatively small number of NEW 
correspondents that NEED to use "advanced"/riskier 
features and therefore require whitelisting.  Ideally, 
each such correspondent only requires ONE click (one time) 
for the user to agree to allowing them to use the more 
advanced features.  That might be done following an 
initial negotiation E-mail where the sender introduces 
themself and requests the ability to send more elaborate 
mails.
Introductory E-mails should NOT automatically presume the 
desire or willingness of the recipient to receive 
HTML-burdened E-mails.
> > I guess that depends on what you call "bulk", and how 
> > you propose to
> > detect it.  Again, whatever rule you put into effect (on 
> > a global-type
> > basis) is going to be discovered by spammers and they 
> > will engineer
> > their sending patterns to avoid violating it.  That's 
> > why you need a
> > really narrow and twisty 'gauntlet' they must negotiate, 
> > with DIFFERENT
> > RULES for different recipients, where they don't know 
> > and basically can
> > not figure out what rules they would have to comply with 
> > to get a
> > message through to a particular person.
> Having had almost 4 years of intimate operational 
> experience with what
> is probably the most effective single anti-spam 
> filtering method there's
> been (one specific DNSBL), I can assure you that it is 
> both more
> reliable in terms of FPs than any content filter I've 
> ever dealt with
> (we've always run hybrid content+source+other 
> techniques), I can also
> assure you that its effectiveness is _not_ declining - 
> in fact it's
> getting better.
The main problem with content filtering is caused by ruses 
based on HTML and attachments.  These techniques serve to 
obscure the content of the E-mail, and ALL BY THEMSELVES 
the presence of such content in E-mails (at least in 
E-mails from unfamiliar senders) can be a priori evidence 
of hostile intent, or spamming.
 
> Is it perfect?  No.  Does adding other filtering 
> techniques help?  Yes.
> But to claim that it's useless/trivially defeatable/too 
> many FPs/trivial
> to do better turns out to simply not be the case.
Certainly there are always special cases/special 
situations where just about anything can be made to look 
good.  That's like SPF, which is claimed to work well (but 
ONLY for the subset of the situations that it works for).
> > > The trick  is to stop accepting mail from that IP 
> > > address only until
> > > it has  cleaned up. 
> > Again, when you have a LOT of users (and possibly MANY 
> > servers) behind a
> > NAT router, denying mail from that IP address results in 
> > simply too much
> > collateral damage. More to the point, it's a very blunt 
> > instrument for
> > the job, and it's relatively simple to do very much 
> > better.
> So far, there's no indication of the latter being true. 
I do note you don't refute my objection on principle.  :-)

> Show me a
> methodology that (a) doesn't abuse innocent third 
> parties and/or (b)
> requires personal twiddling simply not achievable in the 
> large scale
> that's better than the CBL (or for that matter Zen), I 
> want to hear
> about it.
I don't consider that ANYBODY has the right to blindly 
haul off and presume that I'm willing to accept 
HTML-burdened E-mails from them.  So if YOU believe that 
such a restriction is "abusing innocent third parties" 
then we already disagree.
I also don't agree that my approach requires an 
unacceptable level of "personal twiddling" although it 
certainly DOES involve some degree of some recipient 
involvement, IF its capabilities are to be optimized.  If 
the software is well-designed, I don't believe that it 
will put off most users, especially if they have fought 
spam for any length of time before.
> > > Once the spam is gone there is no need to block the 
> > > address unless it
> > > has proven to be a repeat offender without an  effective 
> > > process for
> > > shutting the spammers down.
> > What about when the flow of spam is interleaved with all 
> > sorts of
> > good/important traffic as well?
> You make a cost-benefit analysis and/or apply other 
> techniques.  Even
> content.
>
> Why the insistance on choosing only one?  You don't have 
> to.
Agreed.  I never proposed my fine-grained whitelist all by 
itself.  It works best in conjunction with a good content 
filter (and in fact greatly improves the efficacy of the 
content filter).
> Effective spam filtering is best done with a hybrid 
> solution.  No one
> technique is complete on its own.
Agreed.

> > There is a lot of spam which is obvious.  That includes 
> > messages which
> > contain links to known-spam-promoted Web sites (at least 
> > in the absence
> > of contradicting factors, say being from a list 
> > discussing spam senders!)
> SURBLs are blacklists too, and can be equally as blunt 
> as a source IP.
> Or are you contending that the user should be explicitly 
> entering them?
I don't really claim either way, but I WILL say that there 
are a lot fewer valid links to spam-promoted Web sites 
than there are randomly-generated counterfeit "from" 
domains and E-mail addresses.
> With _individual_ spammers using 1000 or more domain 
> names to advertise
> the same thing, how effective do you think that can be?
Again, it's only one of a variety of criteria that can 
identify spam.  It's clear to me, though, that just using 
From: and Subject: lines are by themselves NOWHERE NEAR 
adequate, particularly if you want to receive E-mails from 
previously unfamiliar senders.
> > It also includes, for example, messages which are 
> > identical to messages
> > that some number (dozens? hundreds?) of other recipients 
> > at the same ISP
> > have already reported as being "spam".
> Have you done any work with checksumming/hashing spam, 
> ala DCC or Razor?
Not in that context, although I've used them in other 
contexts...
> Yes, they're useful.  But these days most high volume 
> spammers randomize
> content such that even highly developed de-hashbusting 
> techniques don't
> work very reliably.  Doesn't even work on graphical spam 
> anymore.
That's a good reason to simply make graphical spam no 
longer viable, by defaulting to not allowing images 
(whether attached or embedded) from unfamiliar senders.
 
> > One would think that ISPs could
> > locate and perhaps recategorize identical messages 
> > (again, perhaps
> > tempered by a specific recipient rule) which are still 
> > queued and have
> > not yet been delivered to their remaining customers.
> Yes, it will yield some results, but the overall results 
> are highly
> disappointing.
A lot depends on how big the ISP in question is.  Within a 
company of 15 users, that won't help much.  For a big ISP 
like Google or Yahoo or Hotmail, flushing all remaining 
similar/identical unread E-mails which have been 
discovered to be spam (by user reporting, as Yahoo does) 
can quickly purge them from the Inboxes of other users who 
haven't yet downloaded or read them.
> > But let me state again (and this is part of what made me 
> > respond,
> > starting this sub-thread) is that it is virtually NEVER 
> > a good idea to
> > send a bounce message after-SMTP-time, because you can't 
> > be sure where
> > to send it, and most likely you are just harassing 
> > another innocent
> > victim.
> That's something I'll certainly echo.
Thanks... it is VERY frustrating to me to have Yahoo start 
blocking all my outgoing Groups mail every month or so 
just because SOME virus-infected mail with a bogus return 
address gets bounced back to them as a "hard bounce". 
:-((
Hard bounces should NEVER be sent based on content, 
especially when you can NOT be sure who to send the hard 
bounce to.  And they should NEVER be sent back based on 
detection of a virus/worm which is KNOWN to counterfeit 
return addresses!!!
> > > Being able to "slam the phone down" on miscreant IP 
> > > blocks at the
> > > accept() or helo is much, much, less processing than 
> > > going thru the
> > > entire SMTP interaction and whatever it takes to pass 
> > > processing off
> > > to an end-user.
> > It's true that it costs less, but it's also true that it 
> > blocks a lot of
> > innocent and legitimate mail that might be
> > originating from the same IP address (NAT router?).
> This generally doesn't turn out to be a significant 
> issue in practise.
Tell that to the big company that will (eventually) find 
ALL their outgoing E-mails blocked (possibly for weeks) 
because of one or more infected systems behind their NAT 
router.  This kind of nonsense could literally put some 
kinds of companies out of business.
> If you spend the time you _should_ be spending to 
> research the DNSBLs
> (say) you plan on using.
I would not use that, because I consider IP-based blocking 
to be ultimately a fatally flawed approach.
I don't think it much matters HOW it is done.

> > There could be
> > dozens, hundreds, or even thousands of innocent users 
> > affected.
> There could be, if the DNSBL is built in such a way that 
> it's
> susceptable to that.  But it doesn't have to be.  And 
> the good ones
> aren't in any meaningful way.
How can it NOT be, if a given IP address is sending 50% 
spam and 50% legitimate traffic, all interleaved?
Sorry, I don't agree.

Even 2% legitimate traffic is too much to block, if that 
2% is critically important stuff.
[incentives to clean up infected machines]

> > ...the problem is that after 
> > (first!) SMTP
> > time, the (intermediary, or final) recipient doesn't 
> > really know who
> > they ought to notify...! Notifying the wrong person, or 
> > someone who has
> > no control over the situation, probably does more harm 
> > than good.
> You don't need to notify out-of-band.  Presuming that 
> recipient systems
> use DNSBLs in an appropriate fashion (inline rejects 
> with pointers to
> more information), legitimate senders find out that it's 
> blocked and
> why.  That's their notification.  
Again, I don't consider it acceptable to block good mail 
because someone ELSE using the same server or gateway is 
misbehaving.
> With decent DNSBLs, 
> that's sufficient
> to initiate resolution of the problem.  It sure is a lot 
> easier than
> tweaking Bayes or SpamAssassin (we specifically reject 
> whitelisting
> email addresses because of the forgery problem)
I consider a blanket "whitelist" as nowhere near adequate, 
because too many addresses are opened up.  That's why 
whitelisting must be done on a far more finegrained basis.
> Also, there's a remark somewhere on the CBL web site 
> that impressed me
> with its simplicity - something to the effect that "we 
> fully expect the
> vast majority of infected/blocked users _never_ notice 
> that they're
> listed, because they're using their provider's 
> smart-hosts as they
> should".  If an ISP wants to proactively scan for 
> infected IPs to see
> about getting them fixed, they can do that too.
You presume that spammers can't send out their spam using 
the legitimate user's "certifications" and "smart hosts" 
(and their "micropayment account" if pay-per-email were 
implemented).  I don't believe that's an accurate 
assessment.  (Even if they didn't today, they can change 
their strategy overnight to do so.)
> > [comment #4]
> I'm skipping this one because it takes too long to 
> comment on ;-) other
> than:
>
> > >  Executive summary...
> > >
> > >  - blocking email, because it meets some technical 
> > > criteria, is easier
> > >    on the technical side, but introduces legal problems
> It may, perhaps depending on exactly what the technical 
> criteria _is_
> and the rationale for blocking it, but taking risks when 
> the business
> case/result justifies it, is what people do.
If you NEED to do that, sure.  But I consider it a poor 
bet if there are better approaches which don't leave you 
exposed like that.
> You can forestall a lot, for example, by simply saying 
> "it's our policy
> to reject email from IPs that appear to be dynamic". 
> That says nothing
> about the spammyness of an individual sender, and if 
> mistaken in
> "appearance" simply needs to be fixed.  Or not.
Obviously you can set your policy however you like, but 
when it gets too cavalier, expect angry customers to start 
bailing.
Again, there is good NO reason to do things that way. 
(IMHO at least).
> > >  - blocking email, because the customer said so, may be 
> > > harder
> > >    technically, but avoids legal problems
> The ISP could equally establish a infrastructure where 
> the customer
> explicitly delegates filtering decisions to the ISP.
Sure, but don't be surprised when customers decide they 
don't like the ISP's decisions, and it wouldn't take much 
for an unhappy sender to team up with an unhappy recipient 
customer and sue the ISP.
> And the protections in law for ISPs to be held harmless 
> for mistakes in
> good-faith filtering go a long way to shoot down any 
> attempt even where
> the customers haven't formally delegated.  It ain't easy 
> for a sender to
> prove bad-faith.  An ISP hasn't been sued in ages.
I wouldn't want to be the first one to break that record.

[snip]

> > ....knowing that all the classical ruses 
> > to avoid spam
> > classification (text as image, embedded links, 
> > attachments, scripting,
> > disguised HTML links, etc etc) are a priori denied 
> > them.... certainly
> > takes a major bite out of spammers.
> It would if you could.  How can you tell that an image 
> is text?
It doesn't matter.  You simply block (by default) ALL 
images (whether embedded or attached) coming from 
unfamiliar/first time senders.  If they want to send 
images, they first negotiate that permission with the 
intended recipient.  (And that permission, of course, can 
be revoked by the recipient if the privilege is abused).
> Blocking spam with embedded links or attachments would 
> probably put us
> out of business.  More likely get me fired.
It will certainly put MANY spammers out of business, and 
put virtually ALL virus/worm authors out of business... at 
least as far as E-mail delivery goes.
I don't have a problem with a recipient ALLOWING a 
particular sender to send them that kind of stuff... as 
long as an introductory E-mail (in plain text) negotiates 
that permission with the recipient FIRST.
And, a given recipient might configure his setup so that 
he could look at E-mails that would have been blocked, to 
decide to allow them in the future... or he can just take 
a hard line and say "only if approved first!"  But in any 
case they could be marked as suspect/blockable to warn the 
recipient, before they open them.
There is NEVER the NEED to send HTML/attachments/scripting 
to someone in an INTRODUCTORY E-mail.  Not until you've 
established that they are willing and able to receive that 
kind of content from you.
> > And only allowing executable attachments, HTML, and 
> > "big" messages from
> > known/trusted senders basically eliminates E-mail as a 
> > vector for
> > virus/worm propagation,
 
> "known/trusted" senders by what measure?  Explicit 
> listing of them?
Sure.  Most users will not EVER need to approve ANYBODY to 
send them executable attachments.  ("listing" can be 
achieved by clicking an "allow this sender to send me 
content like this in the future" button.)
> Well, I can tell you about lots of viral attachments 
> from "known senders".
Absolutely, but MOST users don't need or want to accept 
EXECUTABLE attachments from ANYBODY (including "known" 
senders).  That's part of why it is a FINE-GRAINED 
whitelist and not a crude yes-or-no whitelist (which I 
agree completely is NOT adequate).  I might accept JPG 
attachments from Aunt Gertrude, but it's a safe bet that 
any EXECUTABLE attachment in an E-mail (claiming to be...) 
coming from her... well, I wouldn't touch THAT with a 
ten-foot pole.
I really don't understand why that's such a difficult 
concept for people to grasp.  That (VERY!) simple rule can 
basically eliminate viruses and worms (again, at least by 
E-mail) virtually overnight, if adopted net-wide.
Given that, it seems to me to be professionally 
IRRESPONSIBLE to NOT implement it.  That is the biggest, 
fastest thing that the IETF could do IMHO to cripple the 
recruitment of spambot zombie armies.
> > [comment #5]
> > That's certainly true, and one advantage of fine-grained 
> > recipient
> > blocking is that it doesn't require any great worldwide 
> > consensus, nor
> > any re-engineering of Internet infrastructure.
> Nor do DNSBLs ;-)
Again, I consider (IP-based, at least) blacklists to be 
unacceptably crude.  You're locking the door after the 
horse has left the barn.  A whitelist is better because a 
first-time spammer is still left facing a locked door.
> > What WOULD be helpful, though, would be a recognition by 
> > the IETF that:
> >  a) such fine-grained per-sender by-recipient blocking 
> > (and hopefully
> > augmented by subsequent content scanning) is an 
> > effective and desirable
> > approach to the problem, and
> As I've been saying, that has yet to be established.
I believe in any case that it is (by FAR) the most 
promising approach.  NOT by itself, but in conjunction 
with content analysis and possibly other techniques.  But 
it is the primary key to make the other techniques more 
successful.
 
> >  b) in the general case, blocking of all non-whitelisted 
> > E-mails
> > containing HTML, scripting (probably covered under 
> > HTML... is it
> > possible to put in scripting without HTML?), or 
> > attachments is a "best
> > practice".  (It is probably a good idea to suggest 
> > including a maximum
> > message size, too, as a way of preventing "denial of 
> > service" attacks by
> > sending big E-mails to someone which would be expected 
> > to fill their
> > E-mail inbox to overflowing, blocking subsequent 
> > legitimate E-mails).
> Obviously, you've not had to deal with the legitimate 
> mail traffic of a
> large corporation.  I mention those measures as comic 
> relief at
> meetings, because it always produces hysterical 
> laughter.  It'd shut us
> down.
Again, I don't consider anybody as having a legitimate 
need to send HTML or attachments in first-contact E-mails. 
If they want to send that stuff, then they should 
negotiate that permission with the intended recipients 
first.  And they should be prepared for some recipients to 
say "No, thanks, I'd rather receive plain text."
If it's a question of offending those who "laugh 
hysterically" or shutting down spam, I'll opt for shutting 
down spam.
And I believe that others would agree.

So if you think that such a rule would shut your company 
down (given that a user COULD grant you the permission to 
send them such mails, after a preliminary meeting and 
negotiating that) then I propose that your company's 
long-term future is not bright...!  I suggest you get them 
thinking about how your company could adapt to survive in 
such a more-responsible world.
[snip]

> > Again, the problem is the degree of collateral damage 
> > that IP-based
> > blocking produces.
> You haven't demonstrated what that degree _is_.  By long 
> exposure, I can
> assure you that the degree is surprisingly low.  If you 
> do your homework
> as you're supposed to.
If you block the mail from a big company's server(s) 
because one user within that company has an infected 
computer that's been recruited as a spambot, I don't think 
it's a great consolation that "gee, we hadn't seen that 
happen before."   Especially if the block thus established 
causes serious financial harm to said company.
> We're receiving 1-2 million emails per day.  80-90% of 
> that is spam.  We
> have less than 10 FPs per month against Spamhaus' 
> sbl-xbl (which is
> doing about 85% of our filtering).  We've arranged 
> things so that the
> sender finds out if they're blocked, and there's a well 
> established
> procedure by which they can notify us and we can 
> override listings.
> If an email is blocked, they contact us, and we forward 
> their email and
> fix the listing, is it really a FP?  No.
>
> If every sender correctly interpreted the error message 
> they got and
> followed through, then there'd be zero FPs.
Some VERY large ISPs (such as Yahoo) interpret a "hard 
bounce" message due to an infected E-mail as "this E-mail 
address is bouncing" and they disable sending all mail to 
the user involved.  Stupid?  Yes, of course.  But YOU try 
to convince them to change that policy.  They are totally 
non-responsive.
Worse, they only provide the now-disabled user with the 
SINGLE LINE saying the 5xx bounce reason message... saying 
what virus was found... thus NO clue as to WHO bounced the 
mail back, or where else it might have come from.  So, of 
course, this is totally useless.
> I wish our content filters even remotely approached 
> being _that_ good.
If you didn't have to contend with HTML (and the various 
ruses that allows to obscure content), and attachments, 
they would be FAR more effective.  Not allowing HTML from 
unapproved senders would also negate nearly all pfhishing 
exploits, since you couldn't have misrepresented links to 
click on, or buttons that take you to (hidden) 
disreputable Web sites using (invisibly-)obscured URLs.
> > [comment #6]
> >
> > [how users configure their whitelist rules]
> >
> > > The problem being that out of the 60,000 seats here, 
> > > perhaps less than
> > > 10 of them are able to competently configure a set of 
> > > rules like what
> > > you have.  
> > That's a software implementation issue, not an inherent 
> > problem in the
> > approach.  I envision a button to click on that simply 
> > says "allow
> > E-mails like this from the same sender in the future" 
> > and where the
> > software will open the keyway JUST enough to allow that 
> > type of message
> > if seen again from that sender.  How that recognition is 
> > accomplished,
> > whether by something crude like simple GREP-type 
> > scanning, or something
> > brain-damaged like RegEx pattern matching, or something 
> > still more
> > sophisticated like the pattern matching SNOBOL/SPITBOL 
> > offers, or even a
> > different sort of statistical ranking/rating approach 
> > like content
> > scanners use... will vary from one implementation to 
> > another.  The final
> > products will probably use a combination of techniques.
> I'm sorry, this simply isn't a human interface issue. 
> No amount or
> technique of per-sender whitelisting comes remotely 
> close to the
> accuracy of our production filters, entirely aside from 
> the new
> correspondent issue.
It's not a simple "per sender" whitelist.  It is a 
fine-grained per-sender PERMISSIONS list, which enables 
some types of HTML tags and SOME types of attachments and 
SOME other characteristics, on a sender-by-sender basis.
I don't believe it is possible to come up with as high an 
accuracy on ANY "one-size-fits-all" rule, "production" or 
otherwise.  There are some mails which I would accept from 
familiar senders, where the SAME mail (same content, same 
subject line) would be spam if it came from anybody else. 
You simply cannot possibly know who I would accept that 
mail from, and who I wouldn't, unless I tell you.
> You could give our users common filtering software (the 
> reader is
> already pretty much standardized) with every filtering 
> knob known to
> man, and perhaps three of our users could approach the 
> effectiveness of
> the production systems.  
I'm not suggesting that users have to "roll their own" 
from ground zero.  Agreed that 90% of users will have 90% 
of their senders operating on the defaults.  And your 
"production systems" can of course be tweaked and upgraded 
as spammers adopt new techniques.
That doesn't in any way demonstrate the lack of value in 
what I am proposing.
> I'm only including _me_ in that 
> list because
> it's me who built the production systems...  Over a 
> million decision
> items are being changed every day in our filters.
>
> Our users simply don't know effective spam filtering 
> techniques.  They
> push the wrong button, twist the wrong knob, and they're 
> blocking
> something business critical.  Or trusting malicious 
> content with forged
> credentials.  Or simply trusting...
Agreed that it ought to default to "simple".  But the 
defaults can still be HIGHLY effective.
There is VERY little excuse for ANYBODY needing 
traditional antivirus scanners for incoming E-mail.  That 
kind of garbage ought to be, and can easily enough be, 
squashed outright by responsible ISPs.
> My favourite incident was the user who repeatedly 
> insisted that he
> needed to receive the "important information from the 
> FBI" that was
> sitting in his quarantine, and the quarantine forwarder 
> refused to
> forward to his mailbox.
>
> Sorry, I said, but as much as you may want to see it, 
> forwarding the
> virus is a really bad idea ;-)
Obviously most phishing exploits work by "social 
engineering" to convince a user to let them in, or to 
provide them information they shouldn't provide.  And some 
users will always fall for the "Aggie Virus" approaches 
(like users who forward hoaxes).
I think we can agree, however, that by default delivering 
E-mails to clueless recipients that contains executable 
attachments is a Really Bad Idea too.  The trick is to 
decide how you can implement that restriction, while still 
allowing them to be sent in the 0.01% of the cases where 
the sender expects and trusts and WANTS them from a given 
sender.  I believe that my fine-grained whitelist answers 
that need, and does it (VERY) well.
> > Again, I consider IP-based blocking to be inherently 
> > flawed, to the
> > point where I consider it a dead-end.
> It's a remarkably vigorous dead end ;-)
If the only tool you have is a hammer, you'll try to make 
every problem look like a nail.
Popular does NOT mean that it's good.

[snip]

> > Yeah, I admit that I usually at least cast a cursory 
> > eyeballing of the
> > Yahoo mail "spam" folder too, rather than just emptying 
> > it. 
> > Occasionally I -do- find a non-spam message there. 
> > (Although that
> > happens seldom, as I almost never give that E-mail 
> > address to anybody...
> > It's almost useful as a "personal honeypot" to see 
> > what's being spammed
> > out, before going to my more usual E-mail accounts and 
> > possibly
> > wondering if that curious E-mail just MIGHT be 
> > legitimate).
> "Almost useful" is the key.  When you have users whose 
> spam load ranges
> from one or 2 per month, to 4000+ per day, you can see 
> that junk folders
> have only limited usefulness, and not to everyone. 
Agreed.  That's why users need to be able to choose what 
level of acceptance of the automated filters is most 
acceptable to them, and what level of time they are 
willing to devote to "questionable" mail.
> Nobody can find
> legitimate email in a 4000 spams/day feed, now matter 
> how the filters are implemented.
True enough, but if a person is willing to simply agree 
that they don't want to see HTML or attachments from 
unfamiliar senders, that instantly blocks a LOT of the 
garbage.  Simple, and HIGHLY effective.
AND it makes the remaining content-based filtering FAR 
more effective, by blocking stuff like 'text as image' 
(whether attached or embedded as a link... or even 
generated by a decrypting script).
And again, they can relieve that restriction on a 
sender-by-sender basis, if they need and want to, based on 
previous negotiation with such senders.
> Perhaps part of your problem is that you're not seeing 
> the big picture
> of how you can _use_ DNSBLs or any other filtering 
> technique.
I've been involved with BBSes and dealing with spam since 
the pre-Internet days, but please feel free to educate me 
if you think there's something worthwhile you can teach 
me.   :-)   I'm not too old a dog to learn new tricks.
> Your remarks seem to imply that DNSBLs necessitate no 
> notification
> anywhere, the email just disappears.  Or that filtering 
> in general is
> that way.
There are clearly all kinds of ways to deal with 
"questionable" mail.  That's something that is going to 
depend on how the software is implemented, and what 
options the recipient selects.  There is a lot of room in 
this area for programmer creativity.
> On the contrary, ours have never done that.  Indeed, 
> without anybody
> looking at quarantines, without anybody personally 
> twiddling filters,
> that 4000 spams/day user _does_ get the email that was 
> accidentally
> blocked.   Simply because we do inline rejects with 
> instructions on what
> to do, and problems get fixed fast and without harm.
Some antispam filtering obviously works better than 
others.
IMHO, if you don't have a finegrained permissions list on 
a per-sender basis, yours COULD work BETTER than it does 
today.
[snip]

> > The important thing is that the RECIPIENT
> > controls that, so they can decide the rule that 
> > determines what gets
> > blocked and what gets through.  That way they don't have 
> > to wonder what
> > SHOULD have been delivered to them and wasn't.
> But what if you arrange things so that the recipient 
> doesn't have to
> control the rules, and still doesn't have to wonder?
I think that a per-sender rule can ALWAYS make things 
better and more accurate.  That doesn't negate the value 
of good pre-sets and defaults.
But again, if by default you let executable attachments 
from unfamiliar senders get delivered (or if you block 
them for ALL senders) then your software COULD do better.
> Our false positives are handled usually without the 
> recipient even
> knowing that something got blocked.
OK, so how do you handle them, specifically?

> > Spammers have gotten good at throwing enough random junk 
> > into E-mails to
> > confuse Bayesian filters.
> And sender whitelisting and...
Again, don't confuse a simple sender-whitelist with a 
fine-grained per-sender PERMISSIONS list.  The difference 
is absolutely night and day.
Even if I allow Aunt Matilda to send me JPGS of her 
poodle, I don't care how many worms her infected computer 
sends to me with HER from: address and via HER mail 
server.  My approach will let me see ALL of her real mail, 
and rapidly and accurately discard all of the worms with 
executable attachments that her system sends me.
It is EASY to do discrimination like that.  And if I don't 
have ANYBODY set to allow them to send me executable 
attachments, or HTML to use links or scripting for that 
purpose, then it's hard to see how such a rule can be 
"confused" or bypassed by a spammer.  It's like trying to 
argue with a vending machine... you don't know until 
you've put your money in that it's not going to deliver 
your purchase, and it's absolutely pointless to try to 
argue with it after the fact.  :-)
[snip]

> > ....giving the recipient the ability to at 
> > least not see the
> > SAME kind of stuff over and over again, if they choose 
> > to use those
> > features, demonstrates the ISP's trying to give the user 
> > the tools to
> > reduce the frustration.
> If you can _detect_ the "SAME kind of stuff" over and 
> over again.  
Sometimes that's very simple.  For example, even the very 
limited filtering the Webmail I'm presently using offers 
allows me the ability to tell it that I don't want to see 
anything more from "Fifth Third Bank" (in either the From 
or Subject fields), where I am not a customer.  Anything 
from them is clearly spam.
It is frustrating that I can't use a SNOBOL/SPITBOL-like 
pattern to describe spam rules, but I readily admit that 
most users would rather not do anything that advanced. 
(That would CLEARLY however be my 'programming language 
of choice' to write such a filtering tool, though).  Even 
something relatively brain-damaged like RegEx pattern 
matching would be an improvement, although still 
frustrating.
> Even the best content techniques aren't very good at that 
> anymore.
Not automatically, no.  But if there is something the user 
considers adequate evidence of spam (say, a subject which 
contains both the words Penis and Enlarge) then it's 
satisfying to be able to at least block THAT case once and 
for all.  Lots of cases?  Sure, but every new rule at 
least saves you from seeing THAT one again.
Longer-term, more sophisticated rules would work better. 
But that's why one needs per-sender rules which include 
not just From and Subject but also content within the 
E-mail message body too.
Or for another example, somehow an E-mail address of 
"errorstogep(_dot_)(_dot_)(_dot_)(_at_)domain" got on a spammer E-mail targets 
list.  Any E-mail which contains that anywhere in the 
header is spam, even if it also contains my "good" address 
elsewhere.
> Correctly chosen and utilized DNSBLs do a vastly better 
> job.
They're certainly better than nothing.  But again, I don't 
believe that it's possible to do GOOD blocking, and 
minimize collateral damage, without per-sender 
fine-grained whitelisting which also takes into account 
the body content of the individual E-mail.
And as a recipient, it's very frustrating to see dozens or 
hundreds of similar E-mails continue to slip through an 
ISP's filters, especially when I can readily define a rule 
which IMHO adequately identifies them.  As a user, I want 
that ability, and to not continue to subsequently see 
those E-mails.
Gordon Peterson
http://personal.terabites.com
1977-2007  Thirty year anniversary of local area 
networking
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg