Are Spam Blockers Too Strict?

Myrte writes "Wired.com has a long piece on whether spam blockers are blocking wanted messages." From the article: "For years, e-mail users complained that torrents of unwanted messages clogged their inboxes and crimped their productivity. Now, e-mail users, marketers and mailing list operators are more worried that spam filters are blocking out too many wanted messages. AOL isn't the only company to face charges that it improperly blocks legitimate messages. But, as the world's largest ISP for years, it has long borne the brunt of complaints from mass e-mailers over the problem."

Spam blockers ruined my life.

[Rob+T+Firefly]

Thanks to my damn spam blocker, I've missed out on hundreds of opportunities to accept millions of dollars from Nigerian royalty.

Re:Spam blockers ruined my life.

[c0d3h4x0r]

You think that's bad? Thanks to spam blockers, my dick is only one inch long.

Norton Antispam

[devphaeton]

The absolute biggest piece of hilarity is Norton Antispam. People rush out and buy it, and install it on their computers. Usually they never do anything in the way of setting it up (just expect it to work magically), but that makes no difference because it continually reconfigures itself on its own whims.

And then they call and abuse their ISP support personnel for days on end of "I'm not getting any of my damned email!!"

And it's all right there in their 'Deleted Items' folder. :rolleyes:

I don't understand

[linvir]

it has long borne the brunt of complaints from mass e-mailers over the problem

Does this mean mailing list owners or something? I associate "mass e-mailer" with "spammer", so my first instinct was "You may continue to cry". So are there other mass e-mailers? Does it mean the likes of Amazon? If so they too may continue to cry. I don't need to know about This week's hot deals on Electronics & Photo at Amazon.co.uk.

Re:I don't understand

>> I associate "mass e-mailer" with "spammer"

That's an invalid assumption.

People sign up for newsletters. There are 300,000+ who've subscribed to ServerSide, for example (mostly Java developers). That's mass e-mailing.

I'd like it if my spam filter could "mod up"...

[VMaN]

I'd like it if my spam filter could "mod up" non english email.

most of my email correspondance isn't in english, while most of my spam is in english... I've instructed my dad to delete ANY mail with an english subject if he doesn't know the sender before opening it, and that seems to work out fine, english is his 3rd/4th language and only has 2 contacts using it. If something is important enough, he'll get at call about it :) (this probably wouldn't fly at work, but for his personal email it's fine)

It's not that they're too strict

[Nijika]

It's more that SMTP is too broken. The model we use to communicate with each other is sadly too open, given the potential of the technology for automation. The real solution is to extend or replace SMTP completely.

Re:It's not that they're too strict

[hackstraw]

The real solution is to extend or replace SMTP completely.

People say this from time to time, but they conclude that its still best the way it is. I value mailing lists, and making people pay or whatever proposed mechanism there is simply does not cut it.

I get spam sent via email. I get spam in my snail mailbox. I get spam on my fax machine. I get spammed by cold calls from sales drones/marketers. I've never had this happen (yet), but I've seen someone's phone get spammed with hundreds of porn text messages over a 10 or 15 minute time period. The user was initially billed for the porn spams and had to call the phone company to get them taken off of there bill.

It just seems as though open communication is just going to be subject to spam. Don't want it? Use your own private network to communicate.

How is this a "gray area"

[TubeSteak]

A particularly troublesome gray area, Schneider said, involves affiliate marketers. These marketers often send e-mails to people who signed up on a website with whom the affiliate has a marketing agreement. The recipient of the e-mail, however, probably isn't aware of the arrangement and has no idea why they're receiving the message.

Translation: people are getting e-mails they neither want, nor expected.

It's like inviting someone to a party & you agree that they can bring their "affiliates" along. Your invitee shows up with 20 strangers & whoever you have working the door says "I don't know all these people, they aren't allowed in."

The solution isn't to cry about the "gray" area, it's to explicitly tell people who the fark these affiliates are & what they'll be sending.

Confirmation challenge

[Spazmania]

When I get a message with a moderate probability of being spam, my spam blocker sends a message back requesting that the sender confirm the message. Works great. Those few legitimate senders stuck on a problematic server can still get their messages to me and so far no spammer has attempted to bypass it.

The only time it doesn't work is when the sender's spam blocker dumps the confirmation request or when the sender doesn't understand what to do.

Re:Confirmation challenge

[Josh+Triplett]

Or when you spam all the people spammers use as their forged From addresses.

Don't send mass e-mails

[iamacat]

Just like door to door salesmen and tele-marketers, mass e-mailers have ruined their reputation as a group and are no longer effective at what they are trying to do. If you want to keep your customers updated, offer an RSS feed, personalized with their user id if necessary. Times change, deal with it.

Re:Don't send mass e-mails

[c0d3h4x0r]

Your point is actually true in a more general sense.

In general, if people want something, they will seek it out for themselves.

People don't want or need to be advertised at in any way via any means. This applies to companies trying to sell products or services, religions trying to amass followers, or political activists trying to rally voters. It's all BS.

If I want something, I'll go seek it out for myself. Leave me the hell alone. It's not your place to constantly bother me.

Yes and no

[Bogtha]

If a user has signed up for a mailing list, and doesn't get what they asked for, then that's a false positive, no matter how commercial the mailing list. And this does happen. So in that respect, spam blockers are too strict.

But on the other hand, I fish out a few false positives from my spam dump every month and look to see why they were blocked. In most of the cases, it's because the mailing list operator is doing something dumb. For instance, the last false positive I received - for a legitimate, informative mailing list I deliberately signed up for - triggered my spam filter because of forged headers, two counts of malformed headers, and every other line was in all caps.

The reason why they were caught out was because they used what appears to be a mass mailer designed for sleazy purposes, and they didn't bother with any QA.

Anybody who is running a mailing list should follow a few simple rules:

1. If you outsource, outsource to a reputable company.
2. If you run the mailing list yourself, use reputable software.
3. Set up an email account for every popular spam blocker, and include those addresses in your mailing lists. Check those accounts every time you send out an email, to see if you are blocked by any of them.
4. Never buy email addresses. Ever.

That's what I consider to be common sense, but apparently common sense is hard to come by these days.

Re:Not a chance

[CastrTroy]

I use spam assassin, and I found it only blocked stuff that was actually spam. I set it to 4, and it still let things like marketing emails from Nintendo and Sony though (I like being on the mailing list), and other newsletters I subscribed to. It rarely if ever blocks anything that I want to see. It's very good at blocking stuff that I didn't want to see. I don't really see a problem with spam blockers. And I had mine set pretty low.

I've Definitely Had Problems With AOL

[John_Booty]

I used to work for a company that sent emails to medical professionals regarding ongoing clinical drug studies.

These emails absolutely took "opt-in" to the next level.

Not only did the doctors opt-in to receive these emails, they had to go through a fairly rigorous screening process to be eligible to receive them. On top of that, it actually would have been highly illegal for us to send these emails to others!

So, needless to say, the emails weren't spam and were going to modestly-sized email lists of 100-1,000 total recipients, approx 25% of which were AOL users.

And still, we had countless problems with AOL blocking them. AOL never listened nor responded.

Block and tackle

[Billosaur]

Listen, when you go to your snail-mailbox and get the mail, you can pretty much tell which mail is good and which is junk, right? I mean, it's easy to tell letters and cards from family members and friends from bills and unsolicited junk. It's easy because there's a physical form of recognition taking place.

Email is tougher, because in most cases all you have to go by is a sender's email address/identifier and the subject line. Now I don't knwo if you've looked at those two things closely, but it's usually easy to tell when the email is spam (how many freinds do have named Lemon T. Viceroy?). Now, as reported, phishers are getting more sophisticated and they are making much more convincing emails that are tricking people into believing the email is from their bank. They's be able to save themselves some time and frustration by checking the email address vs. a legit email they've received from the bank.

I think blocking has to start at the user end. You have to put up a wall and say that only these addresses are legit and anything else is suspect. You dump suspect emails into a separate folder and peruse it for emails that are actually legitimate, and add a pass-through for them to your wall. It requires maintenance and vigilance, and cooperation from banks, credit card companies, etc., who have to make sure you know what legitimate addresses they will send emails to you with. Any left over emails you fire back to the senders and alert your ISP

Putting the responsibility for screening mail on the user is problematic, but it's certainly a lot more efficient than having to listen to complaints about legitimate mail getting blocked constantly. I do this very thing constantly with my personal account and by using my ISP's spam filter, I'm doing a pretty good job of screening out the crap. By alerting my ISP of definite frauds, I'm hopefully making things easier for others. Of course, you have to make this system easy to use, or users will get frustrated and it won't work properly.

Maybe snail mail isn't dead yet for a reason.

Start using SPF already

[Twillerror]

OPENSPF.ORG

I know this isn't the final answer, but to me it is by far the most responsible and far reaching.

• No cost. You already have DNS servers for your MX record if you are a valid server.
• Using DNS means that we already have a great infrastructure.
• Doesn't stop emails from people like amazon.com if you want them, but adding @amazon.com to your block list is now valid.
• Faster and more reliable then content filtering.
• Makes phising a bit harder, as you can no longer send support@citigroup.com.

Will spammers register real domains, yes. Will they send emails with a fake from address that has at least a valid domain, yes. It makes it just that much harder, and makes it harder to use farms. If the SPF record has a huge subnet then the spam blockers can ignore it, and then put it on a watch list. At least we are adding some level of authentication to the process.

The cost of SPF is so little, I don't understand why their is not more push for it, and why we can't just give it a shot. I'd rather do that then go thru some authentication process with a company and then pay for some type of certicificate. Lastly, as a programmer I hate when all of the suden we have to do quadruple opt-outs, when the real problem is people sending gobs of rolex adds from their dorm room with or without their knowledge.

Spammer by reputation

[kwerle]

This is one of the things SPF (http://www.openspf.org/) is meant to end - false positives. One of the problems with SMTP is that you can't build up a reputation by domain because anyone can claim to be you.

If a verified sender is sending [lots of] unwanted email, they are a spammer and should be blacklisted. Otherwise, verified senders should probably be trusted.

Spammers can use mail fiters as weapons

[WebCowboy]

The closer spam looks like legitimate email traffic the harder it is to block them without also blocking some legitimate email.

Your argument makes sense but there is more to it than that. Spammers are starting to catch on that their techniques to thwart mail filters can be used to manipulate those filters to block other people's emails. THAT is still pretty inceniary. Let me explain what I mean:

Some time ago I signed onto the "bluesecurity" website as I was intereste in their counter-spam efforts. As we all know here on /. a top-tier spammer was aggravated by their efforts and managed to get a list of addresses for those who signed onto bluesecurity. I just checked the "junk box" on my email server and have found that in the past 12 hours there have been about 50 emails entitled "bluesecurity.com" with a body containing the WHOIS record for their domain. Apparently, the spammers are already striking back with a vengeance.

Besides annoying the heck out of those unfortunate enough to be on the target list, the thought came to me that this could be a crude attempt to train email filters to block out any (legitimate) correspondence affiliated with bluesecurity.com. I think we're going to see a lot more of this in the future: Spammers for whatever reason select a victim (anti-spam organisations, Microsoft, Symantec, etc) and start sending out massive spams that either repeatedly mention the victim's name, website address domain, etc, or are crafted to look like legitimate correspondence from the victim. The scummy vermin that send out the spam are the same types that go on phishing expeditions so they've had practice imitating others.

Since so many people run email filters, once these filters intercept and mark those messages as spam then legitimate email from their victims are more likely to be blocked as spam. That's all I need is for a spammer to send a few dozen emails that look like Microsoft correspondence, only to have the email filter get trained to filter out REAL email from Microsoft about my MSDN subscription for example.

senderID is dead. domainkeys is deprecated.

[Medievalist]

You meant to say SPF and DKIM.

"senderID" was an unsuccessful non-standard created by Microsoft hijacking SPFv2 with submarine patents and other deceits. Read up on MARID and see what I mean. senderID is dead, do not try to implement it, do SPFv1 or domainkeys if you want the current gold standard.

DKIM is the successor to domainkeys, and it's looking pretty good.

There is no "easy" involved in crypto, however. If you want "easy" do SPFv1... spoofing prevention with 5 minutes of work by any competent DNS administrator.

Re:Confirmation challenge -- Thank you so much!

[alexo]

> When I get a message with a moderate probability of being spam, my
> spam blocker sends a message back requesting that the sender confirm the
> message. Works great. Those few legitimate senders stuck on a
> problematic server can still get their messages to me and so far no
> spammer has attempted to bypass it.

Well thank you so much!

Since the lowlifes started forging "from" addresses using my domain, I am getting several such "confirmation" messages every day. And while my spam filter is doing its job pretty well, I have not found a way to filter out your smug verifications without getting rid of the legitimate ones.

So, thanks to people like you, I get 5 times more verification requests than actual spam.

You better hope that there is no higher power because if there is, and it decides to grant my wishes just when I get yet another verification, you'll have a bit of a problem removing that sequoia from your rear orifice.