Are Spam Blockers Too Strict?

Myrte writes "Wired.com has a long piece on whether spam blockers are blocking wanted messages." From the article: "For years, e-mail users complained that torrents of unwanted messages clogged their inboxes and crimped their productivity. Now, e-mail users, marketers and mailing list operators are more worried that spam filters are blocking out too many wanted messages. AOL isn't the only company to face charges that it improperly blocks legitimate messages. But, as the world's largest ISP for years, it has long borne the brunt of complaints from mass e-mailers over the problem."

Norton Antispam

[devphaeton]

The absolute biggest piece of hilarity is Norton Antispam. People rush out and buy it, and install it on their computers. Usually they never do anything in the way of setting it up (just expect it to work magically), but that makes no difference because it continually reconfigures itself on its own whims.

And then they call and abuse their ISP support personnel for days on end of "I'm not getting any of my damned email!!"

And it's all right there in their 'Deleted Items' folder. :rolleyes:

Eh...

[vertinox]

I can't send email from my work place to my free register.com hosted account because I had emailed myself some links to look at while at home. Apparently the spam bot assumed messages with just a subject and links and flagged my work address as spam.

I couldn't get them to undo the change... But it is a free service and I figured I won't get anywhere if I push it and these days I just send any emails with links to my hotmail account.

SpamAssassin can do this

Pretty easily. You can tell it which languages are good, and which ones aren't ones you'd be expecting. I get a lot of German spam because of my last name, so it's pretty easy to pick out.

Re:I'd like it if my spam filter could "mod up"...

[onebuttonmouse]

You can do it in spamassassin. For example, just add ok_languages ja zh to its local.cf

I've Definitely Had Problems With AOL

[John_Booty]

I used to work for a company that sent emails to medical professionals regarding ongoing clinical drug studies.

These emails absolutely took "opt-in" to the next level.

Not only did the doctors opt-in to receive these emails, they had to go through a fairly rigorous screening process to be eligible to receive them. On top of that, it actually would have been highly illegal for us to send these emails to others!

So, needless to say, the emails weren't spam and were going to modestly-sized email lists of 100-1,000 total recipients, approx 25% of which were AOL users.

And still, we had countless problems with AOL blocking them. AOL never listened nor responded.

Re:I've Definitely Had Problems With AOL

[Andrew+Penry]

One of my major clients has had trouble with AOL's spam blocking policies. He runs a site where people who own vacation properties can list details about the properties. People can then do a search to find a certain set of properties, and then request quotes from the property owners that meet their criteria. The site handles the email to both the owners and the vacationers. Both parties want to receive the emails, and are expecting them. In fact, the owners are paying for the emails. But what happens is a few non-internet people see that they got 5 emails from owners (which they requested), but decide they only like 1 of the offers. So instead of just deleting the other 4, they hit the giant AOL "This is spam" button. Pretty soon, the email is blocked for a few hours (too many complaints of spam in a given period). Many of the property owners have AOL accounts, and when they complain that they aren't getting email, the best we can offer is a recommendation to find a new email provider. We set up an RSS feed for users so they wouldn't have to rely on email, but the people who use it are not the same people who use AOL. On a good day, 200 emails go to AOL and none are bounced. On a bad day, we can have 50% of them come back.

The problem with AOL is that the system is automated based on the responses of users who do not really know the definition of spam. Any email they don't like is marked as spam, whether or not it is an email they requested.

Getting whitelisted isn't an option because the amount of email my client sends isn't enough to qualify for AOL's whitelist. How screwed up is that? To get whitelisted, you have to be a bulk mailer.

Not all commercial email is spam. Not all bulk email is spam. Not all messages that are reported as spam by users are spam.

Start using SPF already

[Twillerror]

OPENSPF.ORG

I know this isn't the final answer, but to me it is by far the most responsible and far reaching.

• No cost. You already have DNS servers for your MX record if you are a valid server.
• Using DNS means that we already have a great infrastructure.
• Doesn't stop emails from people like amazon.com if you want them, but adding @amazon.com to your block list is now valid.
• Faster and more reliable then content filtering.
• Makes phising a bit harder, as you can no longer send support@citigroup.com.

Will spammers register real domains, yes. Will they send emails with a fake from address that has at least a valid domain, yes. It makes it just that much harder, and makes it harder to use farms. If the SPF record has a huge subnet then the spam blockers can ignore it, and then put it on a watch list. At least we are adding some level of authentication to the process.

The cost of SPF is so little, I don't understand why their is not more push for it, and why we can't just give it a shot. I'd rather do that then go thru some authentication process with a company and then pay for some type of certicificate. Lastly, as a programmer I hate when all of the suden we have to do quadruple opt-outs, when the real problem is people sending gobs of rolex adds from their dorm room with or without their knowledge.

I think he knows his own language's name

Faroese is a North Germanic language with around 47,000 speakers in the Faroe Islands (Føroyar). Faroese is closely related to Icelandic and the dialects of western Norway, though as a result of the isolation, the Faroese language has a distinctive character of its own.

The solution of coruse, is...

[hacker]

The solution to all of this, is dspam, of course.

We were previously running SpamAssassin for about 4 years with 13 RBLs and blackholes.us, and we were at 90% accuracy or so, and still seeing 10-20 spams slip through per-day.

I gave dspam a test, and after 3 days, we were already up to 95% accuracy, with ZERO spams slipping through.

Today, about 3 years later, we're now at 99.726% overall accuracy, again, with ZERO spams slipping through to any user's mailbox. For false-positives, the users can go to the web interface, check the "legit" emails getting incorrectly marked as spam, and have those sent to their mailbox, retrained as HAM. After a user receives 'n' number of messages from a specific address, they're auto-whitelisted.

dspam blows away anything I've ever used, ever. We're not seeing a single spam in any user's mailbox in 3 years, and we're at about 85% incoming spam per-day with 1 RBL.

Spammer by reputation

[kwerle]

This is one of the things SPF (http://www.openspf.org/) is meant to end - false positives. One of the problems with SMTP is that you can't build up a reputation by domain because anyone can claim to be you.

If a verified sender is sending [lots of] unwanted email, they are a spammer and should be blacklisted. Otherwise, verified senders should probably be trusted.

senderID is dead. domainkeys is deprecated.

[Medievalist]

You meant to say SPF and DKIM.

"senderID" was an unsuccessful non-standard created by Microsoft hijacking SPFv2 with submarine patents and other deceits. Read up on MARID and see what I mean. senderID is dead, do not try to implement it, do SPFv1 or domainkeys if you want the current gold standard.

DKIM is the successor to domainkeys, and it's looking pretty good.

There is no "easy" involved in crypto, however. If you want "easy" do SPFv1... spoofing prevention with 5 minutes of work by any competent DNS administrator.