On Aug 10, 2006, at 1:58 PM, Marc Perkel wrote:
> I've been blocking a lot of spam at connect time that I am 100% sure
> is spam. However I'm wondering if that is the best idea because it
> gives spammers feedback as to what works and what doesn't. If I
> silently absorb the spam and let the spammers think it's delivered
> then they have no way to know if the spam is getting through or not.
> Thoughts?
My thought is: silently deleting email (spam, virus, etc.) is a violation
of RFCs, and I'm not interested in doing that. I'm more interested in
correctly handling the false positives than what happens with true
positives (I know, you said you're 100% sure it's spam, but I don't
believe in such a thing as automated detection of spam that results in
a 100% confidence value). So, the next generation anti-spam mechanism
I'm working on for work will reject spam during the SMTP session with a
5xx code. I'm planning on rejecting at a score of 10.
This means that if it's a directly attached spam zombie, it will just
disappear ... but in a way that doesn't make me an RFC violator. If
it's a false-positive, then the sender will know that their mail
disappeared.
If it's being submitted by an intermediate relay (such as the
spam-zombie's ISP's mail server), then it may get bounced back to an
innocent third party. But I don't consider that to be _my_
fault/responsibility. I consider that to be the fault/responsibility
of the intermediate relay for not having spam-scanned and rejected the
message themselves. By not accepting the message, I am not accepting
responsibility for the message's fate, either. If I were to accept the
message, THEN it becomes my responsibility to ensure that the message
doesn't disappear nor get bounced back to an innocent third party.
As for giving spammers feedback: I'd be somewhat surprised if spam
zombies actually give feedback to the source. If they do, then more
likely than not, I'm actually going to be catching the zombies with my
DNS checks (which happen before the spam and virus checks), so the
feedback they'll get is: you don't have properly configured DNS, or
your DNS makes you look like a dynamic/dialup host. Two things the
spam zombie and the spammer can't control. For those that do get past
that, sure, they'll see it was rejected because "it looks like spam".
But they won't know what score they got (except if they read this thread
and see my 10 cutoff), and they won't know what mechanism I used (I'll
be using 2 anti-spam engines, so the 10 only matters for SpamAssassin).
And, over time, they're going to be evolving around different engines
anyway, so it's just part of the ongoing escalation and upgrade cycle.
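The policy described in this reply (DNS checks at connect time before any content scanning, then an in-session 5xx rejection above a SpamAssassin cutoff of 10, never accept-then-drop or accept-then-bounce) can be sketched in code. The block below is an added example for illustration, not code from either poster or from any MTA; the dynamic/dialup hostname pattern, the reply texts, and the sample connections are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not part of the original thread. The cutoff is the "10"
# mentioned in the reply; everything else here is an illustrative assumption.
SPAM_REJECT_SCORE = 10.0

# Assumed heuristic for "your DNS makes you look like a dynamic/dialup host":
# a PTR name containing typical pool keywords or a dotted/dashed IP address.
DYNAMIC_PTR = re.compile(
    r"(dyn|dsl|dial|ppp|pool|cable)|(\d{1,3}[-.]){3}\d{1,3}", re.IGNORECASE
)


@dataclass
class Connection:
    ip: str
    ptr: Optional[str]      # reverse DNS name, or None if the IP has no PTR
    mail_from: str          # envelope sender as given at MAIL FROM
    spam_score: float       # what the content scanner reported at DATA


def dns_check(conn: Connection) -> Optional[str]:
    """Connect-time DNS checks, run before any spam/virus scanning.
    Returns the 5xx reply to send, or None to let the session continue."""
    if conn.ptr is None:
        return "550 5.7.1 Connection refused: no reverse DNS for %s" % conn.ip
    if DYNAMIC_PTR.search(conn.ptr):
        return ("550 5.7.1 Connection refused: %s looks like a dynamic/dialup host"
                % conn.ptr)
    return None


def content_check(conn: Connection) -> Optional[str]:
    """DATA-phase content check. The reply is deliberately generic so the
    client learns only that it 'looked like spam', not the score it got."""
    if conn.spam_score >= SPAM_REJECT_SCORE:
        return "550 5.7.1 Message rejected: it looks like spam"
    return None


def smtp_decision(conn: Connection) -> str:
    """Full in-session policy: DNS checks first, content check second,
    otherwise accept. A 5xx here leaves the message with the client."""
    return (dns_check(conn) or content_check(conn)
            or "250 2.0.0 Message accepted for delivery")


def message_fate(conn: Connection, policy: str) -> dict:
    """Compare what *our* server does with a spam under three policies:
      'reject'        - refuse in-session: no DSN from us, no silent loss.
      'accept_drop'   - accept then delete: nobody is told (RFC-violating loss).
      'accept_bounce' - accept then bounce: DSN goes to MAIL FROM, which for
                        spam is usually a forged innocent third party."""
    is_spam = conn.spam_score >= SPAM_REJECT_SCORE
    if policy == "reject":
        return {"reply": smtp_decision(conn), "dsn_from_us_to": None,
                "silently_lost": False}
    if policy == "accept_drop":
        return {"reply": "250 2.0.0 Message accepted for delivery",
                "dsn_from_us_to": None, "silently_lost": is_spam}
    if policy == "accept_bounce":
        return {"reply": "250 2.0.0 Message accepted for delivery",
                "dsn_from_us_to": conn.mail_from if is_spam else None,
                "silently_lost": False}
    raise ValueError("unknown policy: %s" % policy)


# Constructed sample connections (not real hosts or addresses).
ZOMBIE_NO_PTR = Connection("192.0.2.10", None, "victim@example.com", 14.2)
ZOMBIE_DYNAMIC = Connection("192.0.2.11", "dsl-192-0-2-11.pool.example.net",
                            "victim@example.com", 14.2)
RELAYED_SPAM = Connection("192.0.2.12", "mx1.example.org",
                          "victim@example.com", 12.0)
CLEAN_MAIL = Connection("192.0.2.13", "mail.example.com",
                        "alice@example.com", 2.5)

if __name__ == "__main__":
    for c in (ZOMBIE_NO_PTR, ZOMBIE_DYNAMIC, RELAYED_SPAM, CLEAN_MAIL):
        print(c.ptr, "->", smtp_decision(c))
    for p in ("reject", "accept_drop", "accept_bounce"):
        print(p, "->", message_fate(RELAYED_SPAM, p))
```

The ordering matters for the feedback question raised in the thread: a directly connected zombie never reaches the content check, so the only thing it can observe is a DNS-related refusal, while a message relayed through a properly configured ISP mail server gets the generic "looks like spam" 550 and it is that relay, not this server, that decides whether to bounce it.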