[CLUE-Tech] If you administer a mail server, you might find this useful.

Angelo Bertolli angelo at freeshell.org
Fri Jun 4 11:55:45 MDT 2004


On Fri, 4 Jun 2004, Timothy Klein wrote:

> Date: Fri, 4 Jun 2004 10:16:44 -0600
> From: Timothy Klein <teece at silverklein.net>
> Reply-To: clue-tech at clue.denver.co.us
> To: clue-tech at clue.denver.co.us
> Subject: Re: [CLUE-Tech] If you administer a mail server,
>     you might find this useful.
> 
> On Friday 04 June 2004 10:05 am, Angelo Bertolli wrote:
>> For example, with our users it's
>> more important that they don't miss a valid important email, than it is
>> that their spam is zero.  So spam gets through.
>
> Isn't that the case always?  Shouldn't a false positive be a thousand times
> worse than a false negative, WRT spam?
>
> For what kind of users is it OK to throw a random email away once in a blue
> moon?
>
> That's something I have always wondered about with ISP-based or centralized
> SPAM filters.  I check the spam folder on my machine every couple days, and
> it catches only spam, that I remember.  Once in a while it catches spam-like
> commercial email that I had actually signed up for, but that is
> understandable.  But what if I want that stuff from REI about sales, but my
> ISP throws it away?
>
> Curious to hear from people that actually work on that end.
>


I won't claim to be an expert in preventing spam, but I have some 
experience with administering a small (less than 1000) base of email 
users, so I have some opinions.

I think the reality is that spam makes money.  That's the only reason why 
people do it.  And they do it easily because the Internet is a shared 
resource where the costs of this resource are quite distributed. 
That's a shame--the only other shared resource I can think of that we have 
created is the road system, and people could abuse that too if it was 
profitable for them to do so.

But the point is, the Internet and sharing of information such as in email 
is more valuable when it is open and people play nicely.  The spammers 
don't.  But I also think that if they get us to make too many compromises 
to the functionality of this shared resource, they have hurt us more than 
just letting the spam through.

The real and only way to win against spammers is to make their efforts 
ineffective--as in preventing them from making a revenue.  I think the 
best way to do this is accept all messages for delivery, and then filter 
them.  I'm not convinced that blocking messages for delivery is a good 
technique.  I know this is very popular mostly because of the logic behind 
not wanting them to waste your resources.  However, I think this only 
results in making them fight harder to try to get their spam through.  I 
think it's much better to let them think their crap is getting through, 
only to find out one day that no one is willing to pay them to spam 
anymore cause it didn't turn out to be effective.  Making spam 
unprofitable is the way to win against spammers in the long run.

I don't like tarpits or IP-based blocking.  I think some of this is 
acceptable, for example blocking known dialup IPs.  But for the most part, 
from a philosophical point of view it makes the assumption that either 
there is only one person sending from point X and they're a spammer, or 
all users from point X are spammers.  And tarpits are really just an 
exercise in satisfying revenge, as they take up both your own resources 
(though not many), your time to set up the tarpit, and they are also 
implemented as IP-based blocking.

So how do you filter?  Well ideally, I'd say that if everyone used a mail 
client which could filter spam, that would be the best thing for the long 
run.  This allows the end user to decide what they consider spam, and 
puts the responsibility on the user to take care of their own mail. 
However, it's not realistic that users will know how to filter their mail 
properly, not to mention the fact that the software really isn't available 
for them to use.  (Does Outlook/Express do any sort of mail filtering?) 
You have to remember that the kinds of people who pay for things 
advertised in spam are also mostly the kinds of people who probably won't 
bother to turn on their filter (for whatever reason).

So the judgement lands on the administrator of the mail server on how to 
handle spam.  Personally, my first and most important concern is to stop 
email viruses.  Email viruses can be used to spam, and they can turn 
legitimate users (their computers) into spammers, allowing spam to 
authenticate using the infected computer's SMTP setup, and even making it 
look like your own server should be blocked.  Knowing what I know about 
our network, this means I can block attachments based on extensions.

Then when you want to block non-viral spam, you have to choose something 
to pick to filter on.  In general analyzing email headers is not a good 
way to go IMHO.  Following strictly the rules set by the RFCs doesn't stop 
spam, and creating "extra rules" such as checking to see if "the version 
of Outlook you claim to be from can send this kind of multi-part message" 
is both easy to spoof, and creates extra assumptions that others may not be 
aware of.

I think spam should be filtered based on content.  So how do you choose 
the content?  Maybe block everything that has the word "viagra" in it? 
This means that any legitimate emails about viagra won't get through. 
Actually going back to the original point that spam is for making money, 
filter based on that particular connection to how they get their money.  I 
would say that usually this is an http link.  Once you have identified a 
link in an email that goes to a page which is advertised by spammers, 
filter it out.  They don't deserve to make money off of it.


I'm sure a lot of people will disagree with me on some points--I'll keep 
an open mind.



Angelo
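As an added illustration of the two content-based checks Angelo describes (blocking attachments by file extension, and filtering on links to hosts that spammers advertise), here is a small post-delivery filter. This is example code written for this page, not anything from the list thread or from Angelo's own setup. The blocked-extension set, the spam-advertised host list and the three sample messages are constructed for the demonstration; in a real deployment the host list would come from the administrator's own records of advertised spam sites. In keeping with the post's "accept for delivery, then filter" stance, the filter never rejects at SMTP time; it only decides between the inbox and a quarantine folder and records why.

```python
import email
import re
from email.policy import default
from urllib.parse import urlsplit

# Constructed policy data (assumptions for this example, not from the thread).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
SPAM_ADVERTISED_HOSTS = {"buy-cheap-pills.example", "tracker.example.net"}

# Matches http/https URLs in plain text or inside HTML attribute values.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def attachment_violations(msg):
    """Return the filenames of attachments whose extension is on the block list."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or "." not in name:
            continue
        ext = "." + name.rsplit(".", 1)[-1].lower()
        if ext in BLOCKED_EXTENSIONS:
            found.append(name)
    return found


def hosts_in(raw_message):
    """Extract the set of hostnames linked from every text/* part of the message."""
    msg = email.message_from_string(raw_message, policy=default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.lower().rstrip("."))
    return hosts


def host_is_listed(host, listed):
    """True if the host, or any parent domain with at least two labels, is listed.
    Checking parents means www.spammer.example is caught by an entry for spammer.example."""
    labels = host.split(".")
    candidates = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    return any(c in listed for c in candidates)


def classify(raw_message):
    """Decide where an accepted message goes: the inbox or a quarantine folder."""
    msg = email.message_from_string(raw_message, policy=default)
    reasons = []
    for name in attachment_violations(msg):
        reasons.append(f"blocked attachment extension: {name}")
    for host in sorted(hosts_in(raw_message)):
        if host_is_listed(host, SPAM_ADVERTISED_HOSTS):
            reasons.append(f"link to spam-advertised host: {host}")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


# Constructed sample messages.
SPAM_SAMPLE = """\
From: promo@example.org
To: user@example.com
Subject: Great deals
Content-Type: text/html; charset="us-ascii"

<html><body>Click <a href="http://www.buy-cheap-pills.example/order?id=7">here</a></body></html>
"""

HAM_SAMPLE = """\
From: news@rei.example
To: user@example.com
Subject: Weekend sale
Content-Type: text/plain; charset="us-ascii"

Our sale runs all weekend: http://www.rei.example/sales.
"""

VIRUS_SAMPLE = """\
From: friend@example.net
To: user@example.com
Subject: see attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please open the attached file.
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("virus", VIRUS_SAMPLE)):
        print(label, classify(raw))
```

The host match walks up the domain labels so that a listed `spammer.example` also covers `www.spammer.example` and any other subdomain, which is how spammers usually vary their links; it stops short of the bare top-level label so a list entry can never accidentally cover a whole TLD. Because the decision is made after delivery, a false positive lands in a folder the user can check, which is the trade-off the post argues for.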