--On Thursday, November 26, 2009 9:20 PM +0100 Arnt Gulbrandsen
<arnt(_at_)gulbrandsen(_dot_)priv(_dot_)no> wrote:

Nate Leon writes:
I agree with Hector - the less detail the better when
communicating back to spammers.

Oh...?

People used to say that years ago. But now, we've had 15 years'
experience with spammers. Mine is that spammers basically don't
bother to learn. They learn to pick up email addresses in
different ways, but other than that, no, basically not. So
based on my experience I'd say that less detail is _exactly_
as good or bad as more detail when talking to spammers. More
detail is better when talking to some non-spammers.

Let me say this a little differently. The argument against
supplying the spammers with information parallels the old
security argument against revealing which of the
user name or password caused an authentication failure. The
validity of that argument ultimately depends on whether having
the additional information will make the attacker (or spammer)
smarter about organizing the next attack. In the case of
credentials and passwords, the answer is clearly "yes" -- it is
easier to attack the password if you know that the user name, at
least, is valid.

But, in the case of email, the spammers know that the addresses
they obtain are valid, or they don't care. They (or at least
the high-volume professionals among them) are perfectly capable
of running SpamAssassin (or equivalent), understand how the
detection heuristics work, and take advantage of both to the
extent that they care. The odds of a particular message being
sent a second time regardless of why it is rejected the first
time are low, especially in a botnet environment, which is, by
the way, the reason why soft-timeout delay strategies work so
well (even though I continue to hate them).

So it seems to me to be of no value at all to avoid supplying
useful information to a legitimate user whose message might
accidentally have been caught in a spam trap because of some
theory that doing so will help the spammer.

Of course, if you know for certain that the sender is a spammer,
then returning "5yz FOAD" may be an appropriate response without
any additional information. But the reason for that is to avoid
consuming resources, not because the additional information
would somehow be helpful.

john