Jason R. Mastaler wrote:
>
>>Indeed should people with effective antispam solutions encourage
>>spammers to waste their available resources spamming ineffectively?
>>As this undermines the spammers' economic model.
>
> No, I don't think so. Unless you are rejecting spam at the SMTP
> level, the spammer will never know they are spamming ineffectively.
> This applies to most popular methods including TMDA, SpamAssassin, and
> other content filters.

We were discussing it at work where we were trying some radical solutions on one of our mail servers. For various reasons there are very few people who genuinely need to mail multiple recipients at that server (except us and we are allowed to relay to it), so we tried reducing the maximum recipients per envelope dramatically, and more than halved the number of emails we handle with no complaints or obvious problems. Although I suspect it works as the spammers assume MTAs will conform with RFCs :(

We seem to have been the target of numerous dictionary attacks for harvesting addresses, so we were well over the ~60% spam industry average. Even though spammers steal resources, they have a finite resource in bandwidth (stolen or otherwise), so it seems logical to force them to use it inefficiently in as many ways as possible.

Anyway I'm concerned at the proliferation of SPF systems (both number and type) - seems the world is more keen to solve the spam problem than they are on the backward compatibility of email systems. I suspect Microsoft's security initiative will kill more spam than their antispam initiative.

As someone who is currently involved in supplying courtesy email addresses, we would be compelled by some of these schemes to manage authentication and outbound email services for 10,000's of thousands of users or be joe jobbed continually. Whilst I think the model my employer uses looks somewhat dated in this area, I'm not sure I want to see a whole area of business modified for what is likely to be a limited success in the war against spam (given compromised/spamming machines can already be easily identified, and port 25 can already be easily redirected by ISPs who care, and RBLs exist, I'm unclear what SPF will actually gain in terms of spam reduction, and it certainly isn't a strong enough authentication scheme to replace signing emails).

_____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
