Trustic Anti-Spam Service To Close

An anonymous reader writes "I recently received an email from the anti-spam service Trustic saying: "We have decided to close the Trustic service. We have determined that the system as it currently is designed will not achieve the level of accuracy that we require, and an inaccurate system is worse than no system."" We covered Trustic's anti-spam service, which billed itself as "a community-based block list that prevents untrusted servers from sending spam", as recently as a couple of weeks ago.

On blocking spam

Say what you want about statistical anti-spam methods implemented server-side or locally, but they work. Either SpamAssassin or SpamPal do their job at above average level.

Re:On blocking spam

[OMEGA+Power]

Either SpamAssassin or SpamPal do their job at above average level.

Agreed, I've been using SpamAssassin and would say it averages about 2 missed spams per 1,000 messages and almost no flase positives (I don't have a exact number but I would estimate about 1 in 20,000)

Re:On blocking spam

[Czmyt]

One trick is to use all of its features. Use its auto-whitelist feature, use its bayes filtering, use its blocklist recommendations (sign-up for spamcop.net and/or mail-abuse.org if possible), and use the collaborative spam message databases (Razor2, DCC, etc.), in addition to SpamAssassin's built-in pattern-based rules.

I use SpamAssassin for one of my clients who lives and dies by e-mail, and it is pretty effective for them. There is an ISP who I deal with sometimes and they also use SpamAssassin. They must not have it tweaked because their scores are much lower than the scores that my client's SpamAssassin installation assigns to the same messages, so there is a lot of variation depending on how you configure its optional components.

In order for the bayes filtering to work well, SpamAssassin needs to have a database of a few thousand messages. I am not sure how well this would work for a large ISP where their customers have such a wide range of non-spam messages, and I'm not sure that the bayes filtering scales very well to large system-wide SpamAssassin installations.

It really wasn't very accurate

[sgifford]

I've been doing some research about the accuracy of different spam-blocking solutions, and Trustic had a huge false-positive rate. It misidentified 8% of my personal non-spam mail as spam, including mail from my Mom (it blocked our local cable ISP completely), my aunt (it blocked some AOL MX's), my insurance company (who the hell knows why), security warnings from CERT, and the NANOG mailing list.

It did have a good blocking rate---65%---but using a combination of other RBLs (the most optimal I found was DSBL + SpamHaus + Blitzed) it's possible to block nearly 75% of spam with only a .02% false positive rate (a single mailing list correspondent with an Argentinian ISP that has open relays was blocked).

It really is probably best that they laid this project to rest.

Re:It really wasn't very accurate

[Czmyt]

I had very similar results when I tried it last Friday. I ran it for about an hour before deciding that what it did block (AOL) was going to cause a lot of false positives.

Re:Bad Philosophy

[Tackhead]

> I'm guessing that the people at AOL Time Warner/Roadrunner care more about ridding their network of spammers than they care about losing a few customers who don't want to be associated with the same netblock as bunch of spammers who have already moved on.

I think we'll have to agree to disagree here.

You see, judging from the metric fuckloads of spam coming from 24.0.0.0/8, I'd guess that AOL-TW cares more about the pubic hair on Ted Turner's soap bar than ridding their network of (clueless residential broadband lusers with open proxies abused by) spammers.

Granted that still puts them ahead of 4.0.0.0/8 (now Verizon DSL) and 12.0.0.0/8 (all of AT&T) and the sewer that Comcast calls an ISP.

The problem with Trustic

[waynemcdougall]

The problem faced by Trustic was a lack of positive recommendations. People were quick to complain about spam, but slow to make any positive recommendations.

The effect of this was that large mail servers (eg cable gateways, etc) which let through a very small percentage of spam but s detectable quantity, would get a host of negative recommendations and the server would become untrusted.

I don't think this was an unsolvable problem - it requires dealing with trust, and positive versus negative recommendations, and volume assessments. But it should be possible to come up with a function that would give meaningful responses even in an inherent;y untrustworthy system of recommendations, and disproportionately few positive recommendations.

For one thing an inappropriate listing of untrusted would provoke a host of positive recommendations.

And of course you could/should whitelist your Mum's cable based SMTP server anyway.

There are people who want to pick up the Trustic idea (or keep Trustic going if possible), and I wish them every success and will support any such efforts.

I think there is a place for cooperative based recommendations estabishing a trust network. It will just take time and thought to determine how to balance the positive and negative recommendations.

What I particularly like about Trustic is that I can make recommendations based on IP address alone - if a mail server tries to send email to clearwater@codeworks.gen.nz I KNOW it is sending spam - I could reject the recipient, and report the IP without incurring the time and bandwidth of accepting the mail message.