[CLUE-Tech] If you administer a mail server, you might find this
useful.
Angelo Bertolli
angelo at freeshell.org
Fri Jun 4 11:55:45 MDT 2004
On Fri, 4 Jun 2004, Timothy Klein wrote:
> Date: Fri, 4 Jun 2004 10:16:44 -0600
> From: Timothy Klein <teece at silverklein.net>
> Reply-To: clue-tech at clue.denver.co.us
> To: clue-tech at clue.denver.co.us
> Subject: Re: [CLUE-Tech] If you administer a mail server,
> you might find this useful.
>
> On Friday 04 June 2004 10:05 am, Angelo Bertolli wrote:
>> For example, with our users it's
>> more important that they don't miss a valid important email, than it is
>> that their spam is zero. So spam gets through.
>
> Isn't that the case always? Shouldn't a false positive be a thousand times
> worse than a false negative, WRT spam?
>
> For what kind of users is it OK to throw a random email away once in a blue
> moon?
>
> That's something I have always wondered about with ISP-based or centralized
> SPAM filters. I check the spam folder on my machine every couple days, and
> it catches only spam, that I remember. Once in a while it catches spam-like
> commercial email that I had actually signed up for, but that is
> understandable. But what if I want that stuff from REI about sales, but my
> ISP throws it away?
>
> Curious to hear from people that actually work on that end.
>
I won't claim to be an expert in preventing spam, but I have some
experience with administering a small (less than 1000) base of email
users, so I have some opinions.

I think the reality is that spam makes money. That's the only reason why
people do it. And they do it easily because the Internet is a shared
resource where the costs of this resource are quite distributed.
That's a shame--the only other shared resource I can think of that we have
created is the road system, and people could abuse that too if it was
profitable for them to do so.

But the point is, the Internet and sharing of information such as in email
is more valuable when it is open and people play nicely. The spammers
don't. But I also think that if they get us to make too many compromises
to the functionality of this shared resource, they have hurt us more than
just letting the spam through.

The real and only way to win against spammers is to make their efforts
ineffective--as in preventing them from making a revenue. I think the
best way to do this is accept all messages for delivery, and then filter
them. I'm not convinced that blocking messages for delivery is a good
technique. I know this is very popular mostly because of the logic behind
not wanting them to waste your resources. However, I think this only
results in making them fight harder to try to get their spam through. I
think it's much better to let them think their crap is getting through,
only to find out one day that no one is willing to pay them to spam
anymore cause it didn't turn out to be effective. Making spam
unprofitable is the way to win against spammers in the long run.

I don't like tarpits or IP-based blocking. I think some of this is
acceptable, for example blocking known dialup IPs. But for the most part,
from a philosophical point of view it makes the assumption that either
there is only one person sending from point X and they're a spammer, or
all users from point X are spammers. And tarpits are really just an
exercise in satisfying revenge, as they take up both your own resources
(though not many), your time to set up the tarpit, and they are also
implemented as IP-based blocking.

So how do you filter? Well ideally, I'd say that if everyone used a mail
client which could filter spam, that would be the best thing for the long
run. This allows the end user to decide what they consider spam, and
puts the responsibility on the user to take care of their own mail.
However, it's not realistic that users will know how to filter their mail
properly, not to mention the fact that the software really isn't available
for them to use. (Does Outlook/Express do any sort of mail filtering?)
You have to remember that the kinds of people who pay for things
advertised in spam are also mostly the kinds of people who probably won't
bother to turn on their filter (for whatever reason).

So the judgement lands on the administrator of the mail server on how to
handle spam. Personally, my first and most important concern is to stop
email viruses. Email viruses can be used to spam, and they can turn
legitimate users (their computers) into spammers, allowing spam to
authenticate using the infected computer's SMTP setup, and even making it
look like your own server should be blocked. Knowing what I know about
our network, this means I can block attachments based on extensions.

Then when you want to block non-viral spam, you have to choose something
to pick to filter on. In general analyzing email headers is not a good
way to go IMHO. Following strictly the rules set by the RFCs doesn't stop
spam, and creating "extra rules" such as checking to see if "the version
of Outlook you claim to be from can send this kind of multi-part message"
is both easy to spoof, and creates extra assumptions that others may not be
aware of.

I think spam should be filtered based on content. So how do you choose
the content? Maybe block everything that has the word "viagra" in it?
This means that any legitimate emails about viagra won't get through.
Actually going back to the original point that spam is for making money,
filter based on that particular connection to how they get their money. I
would say that usually this is an http link. Once you have identified a
link in an email that goes to a page which is advertised by spammers,
filter it out. They don't deserve to make money off of it.

I'm sure a lot of people will disagree with me on some points--I'll keep
an open mind.

Angelo
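As an added illustration of the two filters described in the message above (blocking attachments by extension, and filing mail whose links point at pages advertised by spammers), here is a Python example that is not part of the original thread; the advertised-host set, the blocked-extension set and the sample messages are constructed for the demo. Messages are accepted and tagged for filing rather than rejected at SMTP time, matching the accept-then-filter stance of the post.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed for this demo (hypothetical values, not from the post): hosts of
# pages advertised by spam, and attachment extensions the admin blocks.
ADVERTISED_HOSTS = {"pills-example.test", "cheap-meds.example"}
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".vbs", ".bat"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_hosts(msg):
    # Hostnames linked from every text part, normalised so that
    # http://www.Foo.test/ and http://foo.test. compare equal.
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            host = (urlsplit(url).hostname or "").rstrip(".")
            hosts.add(host[4:] if host.startswith("www.") else host)
    hosts.discard("")
    return hosts

def blocked_attachments(msg):
    # Attachment filenames whose extension is on the block list.
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return [n for n in names
            if "." in n and n[n.rfind("."):].lower() in BLOCKED_EXTENSIONS]

def classify(raw):
    # Accept the message, then decide where to file it (no SMTP-time reject).
    msg = message_from_string(raw, policy=policy.default)
    bad = blocked_attachments(msg)
    if bad:                              # viruses first, as the post prioritises
        return "virus-suspect", bad
    hits = extract_hosts(msg) & ADVERTISED_HOSTS
    return ("spam", sorted(hits)) if hits else ("deliver", [])

# Constructed sample messages.
SPAM_SAMPLE = ("From: a@example.net\nSubject: Hi\nContent-Type: text/plain\n\n"
               "Order at http://www.Pills-Example.test/order?id=1 today!\n")
ATTACH_SAMPLE = ("From: b@example.org\nSubject: pics\nMIME-Version: 1.0\n"
                 'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
                 "Content-Type: text/plain\n\nSee attached.\n--b1\n"
                 'Content-Type: application/octet-stream; name="photo.scr"\n'
                 'Content-Disposition: attachment; filename="photo.scr"\n\nMZ\n--b1--\n')
CLEAN_SAMPLE = ("From: c@example.com\nSubject: Sale\nContent-Type: text/plain\n\n"
                "Weekend deals: http://www.example.org/sale\n")
```

The clean sample shows the point made in the thread: a legitimate retailer's sale announcement is delivered because its link is not on the advertised-host list, while the decision still rests with the receiving site rather than with an SMTP-time block.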