I started this post Wednesday evening but put it aside. In the interim John
Conover sent private mail to Sean, Mark from asarian-host.net, and me
detailing how his whitelisting system does what it can to avoid acting on
mailing list distributions, NDNs, and comparable "prove yourself" messages
from other whitelisters. (The last, of course, depends on the other
whitelisters' nastygrams' conforming to some expectation.) That's good, but
I didn't intend to say anything more about the damage these systems do when
the user blows off whitelisting a mailing list, so I'm picking up where I
left off.
Previously, John had explained on-list,
| The way it works is that the mail system on a gateway maintains a
| whitelist, (where the whitelist is only available to the system
| folks.)
So you wrote it for gateways, not for individual users? If it were for
keeping out non-business email that has no place entering a corporate
system, that would be a whole other story. But per your description an
employee's non-work acquaintance who is sending personal email can just jump
as instructed and get whitelisted, so it doesn't accomplish that.
Meanwhile, unexpected business-related mail gets blocked and refused.
Clients and suppliers alike must adore having their communication rejected
because the admins don't bother whitelisting them or because they wrote from
a different server at their own company. I can't think of anything less
professional than a "you have to prove you aren't a spammer" autoresponse to
a customer or an established business contact whose email address somehow
wasn't already on the whitelist. It sounds like a very good way to run a
firm into the ground.
| I really don't understand what all the emotion is about ...
Guess what, John: people aren't computers. We have emotions. We notice
insults and snootiness, and even when we don't retaliate we certainly don't
keep coming back for more.
You've obviously never been on the receiving end of it, never answered
someone's plea for help or a question mailed privately to you only to be
punished with the equivalent of "How dare you think you're worthy of
emailing ***ME***, insignificant speck! If you even dream that I'd read it,
you'd better jump through my hoops first!" I've been subjected to that crap
four times (including once through this list) in the past few years.
(Anyone else remember how Eli the Bearded's .sig used to say, "It is not my
responsibility to prove to you that my mail is not spam"?) Beyond being
insulting, it is foolish, as Sean explained, because the autoresponse can
achieve one of only four results:
[1] It will be directed to an invalid address and thus accomplish nothing,
because
[1a] the triggering message was spam with a forged return or reply
address, or
[1b] the triggering message was legitimate but a broken gateway hosed its
return address, so the sender will never get the autoresponse and never,
even if willing, follow its instructions. (However, its reply address was
intact, so it was possible to answer it if the whitelister ever read it;
or maybe it required no response but still should have been read.)
[2] It will be additional junk mail heaped upon an innocent party whose
address was forged as the return or reply address of spam and thus will be
spam itself.
[3] It will insult someone who was sending legitimate mail, often someone to
whom the whitelister had written first asking for help or for answers;
that's why [as you have acknowledged] most people do not bother groveling
for admission to the holy whitelist and valid email goes unread.
or [4] It will validate the whitelister's address to a spammer who uses a
monitored return or reply address.
In case 1a, the setup just uses bandwidth for no result; in cases 1b, 2, 3,
and 4, it does harm. It does not get the user off spammers' lists; it saves
the user from using the MUA's delete function but the price is missing a lot
of legitimate mail and becoming a spammer him/herself.
That's not to say the idea couldn't be made slightly less bad ("improved" is
too strong a word):
[a] The software should automatically whitelist (1) addresses to which the
user writes, (2) subjects of the user's outgoing email, and (3) subjects of
the user's posts to netnews, and then most replies to mail or posts from the
user would come through. (Whitelisted subjects, of course, should expire
after a while.) But none I've heard of, not even yours, support even a
manually maintained whitelist of subjects, and few, not even yours,
automatically whitelist addressees of the user's outgoing mail.
[b] The tone of the canned message should be sympathetic for having to ask
the sender to go to such lengths because of everybody's struggle with the
spam problem, but all those I've seen are presumptive, confrontational,
accusatory, and haughty. They are phrased with the deep conviction that the
sender of the triggering message can be nothing except a spammer, but as an
afterthought the whitelister, being a gracious and merciful superior being,
offers the unworthy sender one final and highly undeserved chance to atone
for the grave sin of sending email. Maybe the grand majority of these
autoresponses are triggered by the arrival of spam, but 100% of those that
reach human eyes are read by non-spammers, most of whom are responding to
email or posts sent by the whitelister. The correct attitude should be,
"Your email reached my site, but my email filtering routines took it for
spam and returned it to you; if you are reading this, clearly they erred and
they must be adjusted. Please forgive me and send it back by replying to
this message. Thereafter the filters will allow mail from your address
through without trouble. Thank you, and I'm very sorry about this. Usually
this rejection message goes to spammers, but unfortunately the system
sometimes mistakes good mail for spam." [Of course "sometimes" is a lie for
"almost always."] It should be phrased under the assumption that the
message was *not* spam; it should not boast about one's whitelisting setup
nor one's need to keep out the riff-raff; it should present the remailing
instructions as a way of getting past overzealous spam filters rather than
as a way of applying for admission to a whitelist of tolerated senders.
Do you follow? It should say that the whitelister is wrong for treating the
message as spam, not that the sender is wrong for sending email without
having first run the gauntlet to gain membership in the whitelister's tiny
circle of special friends.
Does your software come with a sample text or a default text that is phrased
for the non-spammers who will read it rather than for the spammers who will
not, and does it come with clear instructions that any edits to the text
should take that into account? I'm guessing that its default text is more
like, "We accept mail only from people on a list of pre-approved senders.
To get onto our list, reply to this message."
[c] Finally (you seem to have taken care of this, but many other
whitelisting systems do not) confirmation should be easy, such as just
replying to the autoresponse as you said, and should not require revising it
to include magic words or the like. But then that runs afoul of an
autoresponder at the sender's end. I can think of some ways around that,
but they're not so good. (For example, include two codewords in the
confirmation instructions and require that a confirmer delete the first but
leave the second one intact in the remailing; autoresponders will return
either none of the body, all of it, or a selection truncated from the
beginning, so they'll fail to confirm. But that's more involved than just
sending it again, so that's a drawback. Best solution: drop the whole
misbegotten notion.)
Even so, my suggestions will help only with #1b and #2. And still, despite
theories of how it could be improved, in practice it's just plain a bad idea
used by rude people with entitlement issues who order others to screen their
email for them and don't care what mail gets lost or bridges get burned in
the process. You are harming your reputation, John, by promoting a product
that implements it.
There is only one decent way to find out whether a piece of mail is spam,
and that is to look at its content. False positives are worse than false
negatives.
And there is only decent one way I can think of to use a whitelist:
1. Automatically add addressees of your outgoing mail and subjects of your
outgoing mail and netnews posts.
2. If an incoming message fails to match the whitelist, divert it to a
low-priority folder and check its content with your own eyes before you do
any conclusion-jumping or demand any hoop-jumping.
3. Do *not* autorespond. If a valid message lands in the low-priority
folder, quietly update your whitelist. It isn't the other person's job to
fix it for you.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail