Handling Anti-Spam Systems When You Aren't Spamming?

nautical9 asks: "Spam is a huge, annoying, and costly problem, there's no question. But what about those of us who run a valuable service, such as a newsletter, that users willingly sign up for and actually DO want to receive in their inbox every day? It's really too bad a few bad apples (ok, thousands of bad apples) are ruining the email system for the rest of us. Not all bulk-mailers are spammers, and large service providers do have a legitimate need to communicate reliably with their customers. But with everyone focusing on blocking commercial and unsolicited mail, no one seems to remember that there are valid reasons for having large-scale mailing lists." Maybe ISPs could utilize a system that could scan outgoing email for mailing list joins and then add those addresses to the "white" list for a specific user. Actually, why haven't ISPs adopted some form of user-level filtering system for email yet? It would seem like this would be the next sensible step in the fight against SPAM.

"Many large ISPs are implementing anti-spam filters based on how many emails they receive from a single sender to many of their clients (thinking that if they get over five mails in a few seconds, they must be bulk-mail spammers, and therefore block the rest of them), but this is hurting the delivery of services like ours. Worse still is that there is typically no error message returned to us - the emails simply get dropped, much like a standard packet-filter firewall works. Then we have clients wondering why they didn't get their expected message.

Sometimes, ISPs will add us to their "white" lists (as opposed to "black" lists of known spammers), which fixes the problem, but only for that one ISP.

(I find it ironic that the email system was designed to be quite reliable, so that you could send a message and have reasonable confidence that it got to its intended recipient, and yet we're now moving away from this in the effort to fight spam.)

Now I know we don't want to tell spammers how they can get around the anti-spam filters, but I'm wondering how have others fought the anti-spam problem with their mailing lists?"

Re:Play the game, but don't go too far.

Filtering on the number of incoming mails per second really is braindead. But it shows a problem: Today's automated content recognition systems are easily fooled by automated content synthesis. The simplest form is to add a random number to the end of spam mails in order to work around hash-generation schemes which are supposed to identify identical mails which are sent to many recipients. The hash-systems are of course equally problematic for mailing lists when used on their own. I think the solution is to move the filtering closer to the recipient. But because synergy effects are lost that way, there has to be another way of rejecting mail: The sender has to be identifiable. Not because he is legally bound to identify himself, but because the recipient can force him to identify himself in a reliable way or the mail won't get through. Imagine any number of "registries" which record complaints and rate senders based on this information. A recipient could say "I accept email from any list which is in Corp ListReg's list of responsibly acting mailing lists and everyone who is listed by Corp GoodGuy as non-spammer." Then of course you'd have to add cryptographic methods of signing mails. But recipients could also say "I'm accepting anonymous mails on a low priority basis (checked once per week)" and allow a smooth transition that way.

Re:Opt in?

The mail server has no way of knowing whether the recipients of a mass mailing have opted-in or not. A rejection scheme based solely on the number of similar mails coming from a single sender can not make the distinction between spam and legitimate double opt-in mailing lists: From the mailserver's perspective, they look exactly the same.

Stupid idea

[wackybrit]

Maybe ISPs could utilize a system that could scan outgoing email for mailing list joins and then add those addresses to the "white" list for a specific user.

That could probably go down as the most stupid idea I've heard so far this year. All this 'monitoring' is sounding way too authoritarian to me.

In the majority of cases, it should be the individual's responsibility to sort mail, not the ISPs. Would you like it if USPS decided to go through your mail throwing away whatever it thought was 'unsolicited'? You bet your ass you wouldn't. How about if they suggested 'looking through your outgoing mail' to find out what you were expecting to receive? If people like you were taken seriously, it'd be like the Third Reich.

I do not want anyone reading or filtering my mail except myself! If you want to be nannied, that's your choice, and you can go use AOL or whatever, but we don't want the majority of ISPs controlling mail delivery in this way. Even if their intentions are good, 'proper' e-mail could easily get thrown away, and worse.. if laws were passed that allowed governments to control ISPs in some way, they'd have a system already in place to 'control' mail delivery. No thanks!

The answer to this question is that any freedom loving citizen should be filtering their own mail and not relying on a nanny state to sort it out for them.