On 20 Sep 2016, at 20:40, Sebastian Nielsen wrote:

I would really suggest using DISCARD instead of "500 This TLD sends spam - get lost.".
Thus the spammer doesn't get to know he got stuck in a spam filter and can't
update their tools to bypass it.


Note that in this specific case of junk TLDs, the tool (low-cost domains) is critical to that class of spammer's business model.

DISCARD accepts the mail but throws it into /dev/null

The debate over this theory of spammer behavior has been going on for at least 20 years and in that time I've never seen convincing evidence that it is more true than an alternative theory that targets which seem to accept spam for delivery (i.e. DISCARD) attract more spam because spammers think they are verified as good targets and peddle their lists of verified deliverable addresses to each other, expanding the number of senders aiming at the apparently unfiltered address. If that behavior dominates, you still get morphing spam making it past content filtering because you have more variety of senders.

I have very noisy data collected over 15 years in a smallish spam-heavy domain which suggests that spam sinks (which simply accept and discard all their mail) and spam traps (which feed all their mail into local anti-spam measures) both attract more spam over time at a slightly higher growth rate than aggregate mail or spam for normal addresses in the same domain, but it's not a dramatic or uniform difference. Conversely, dead addresses that reject everything tend to get less mail aimed at them over the long term. In this case, normal users whose mail is either explicitly rejected in SMTP or delivered to their Inbox make up the noisiest subset; attempted spam generally gets worse over time but not always, and delivered spam (false negatives) can go either way.

The main conclusion I've reached from that long-term close examination of a small sample and shorter, shallower analyses of much larger systems is that there are no grand universal rules of spam that can apply everywhere to everyone. No one who gets a significant amount of spam aimed at them gets exactly the same spam as anyone else. Some spammers work hard at filter evasion, others do not. Some of those who work very hard at it do so with chronically and ridiculously poor results, at least against *some* common filtering strategies. The balance of competing spammer behavioral theories that form the basis of the REJECT vs. DISCARD argument is close enough overall to be a matter for subjective judgment on any particular mail system, but I think that as a practical matter there are 2 concrete issues that argue for REJECT in all cases where it isn't a recipe for significant backscatter:

1. No anti-spam measures are perfect. If you accept and discard mail that your anti-spam measures deem to be spam, then when they get that judgment wrong and toss out mail you actually would rather have delivered, it may never be noticed as a technical failure by anyone. Internet email is consciously designed to notify senders explicitly of delivery failures, and using DISCARD violates that design.

2. The most effective spam exclusion tactics in a mail system that uses a "defense in depth" model are ones which can detect spam at or before the RCPT command(s), allowing the MTA to reject spam it never actually receives. This spares the MTA from using pointless bandwidth and (more significantly in most cases) from maintaining a session for typically an order of magnitude longer than necessary, just to pipe message data to /dev/null.
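To make the two actions concrete, here is an added configuration example (not from this thread or its authors) showing how REJECT and DISCARD differ when placed in a Postfix access table. Postfix is assumed because REJECT and DISCARD are its access(5) action names; the TLD key `example`, the file paths and the reply text are placeholders.

```conf
# /etc/postfix/main.cf (added example, not from the thread)
# Placing the sender check under smtpd_recipient_restrictions means it is
# evaluated at RCPT TO (smtpd_delay_reject = yes is the default), so a
# rejected message is refused before DATA and its body is never transferred.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    permit

# SMTP reply code used for REJECT actions in access tables (554 is the default;
# the code is set here, not inside the table text).
access_map_reject_code = 554

# /etc/postfix/sender_access  (rebuild with: postmap /etc/postfix/sender_access)
# "example" is a placeholder TLD. Because parent_domain_matches_subdomains
# includes smtpd_access_maps by default, a bare TLD key matches every domain
# beneath it (user@host.sub.example falls through to "example").
#
# REJECT: the client receives "554 5.7.1 <text>" in response to RCPT TO; the
# sending MTA generates the non-delivery notice, and the session never reaches
# DATA, so no message bytes are received or spooled.
example         REJECT 5.7.1 Mail from this TLD is not accepted here
#
# DISCARD (shown commented out as the alternative): Postfix still accepts the
# whole message, answers 250 after DATA, logs the text below, and deletes the
# message. A misclassified legitimate message disappears with no notice to
# either the sender or the intended recipient.
# example       DISCARD junk TLD
```

Both entries are logged by smtpd(8), so the log is the only place a DISCARD false positive can ever be seen; with REJECT the sender's bounce is the second, independent signal that something was refused.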
