Please Turn off Your Spam Protection

Hi, I’d like to send an email from a small domain that you’ve never heard of or from a big ISP that’s known for being slack about spam (*), I can’t send the mail to you because of your anti-spam measures. I think that this is unfair, it’s discrimination, and you are cutting off your nose to spite your face in rejecting my mail.
So please reconfigure your mail server now and accept more spam in your inbox, my message is important enough to justify the extra time you will spend manually deleting mail and the risk of accidentally deleting legitimate mail while deleting heaps of spam (I am in fact more important than you).
By not accepting my mail you are being an asshole. I only receive a dozen spam messages a day and I don’t mind it, without even knowing you or having bothered to do a web search to see how well your email address is known I’m sure that you don’t receive any more spam than me and therefore you too can turn off most anti-spam measures and manually sort through the spam.
You don’t really have a problem with spam, you are just paranoid, I’m sure that you installed your anti-spam measures before receiving any spam and then never bothered to check the hit rates.
My sys-admin knows that one of the DNSBLs has an old entry from when his server was broken, but he won’t request that it be removed – so you can change your server because my sys-admin doesn’t want to click on a URL that you sent him.
The RFC-ignorant.org service is used and run by ignorant people – I know this without even reading their web site to discover how it works.

The above is a summary of a number of complaints that I have received about my anti-spam measures. I’ve paraphrased them so that they make sense. I have not actually had someone directly say “I’m more important than you so you should just accept more spam”, but the implication is quite clear.

Now there are some legitimate reasons for requesting that anti-spam measures be reduced. In the distant past almost everyone had working reverse DNS entries which matched the forward entries, and it was common to reject mail from systems that didn’t have valid DNS. Nowadays there are many big ISPs that delegate IP address space without permitting reverse DNS entries, and there are companies that have one department in charge of IP addresses (who don’t have a clue about reverse DNS) and another department running mail servers (who are clueful). So the environment has changed to make reverse DNS checks a non-viable anti-spam measure. Requesting that people remove such checks is reasonable.
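
The reverse/forward matching check described above, as an added example that is not part of the original post. It returns the three outcomes separately, so the "no reverse entry at all" case that the paragraph attributes to ISP delegation practice can be told apart from a reverse entry that fails forward confirmation. The function names, outcome labels and sample data are assumptions made for the illustration.

```python
import ipaddress
import socket

NO_PTR, UNCONFIRMED, CONFIRMED = "no-ptr", "ptr-unconfirmed", "confirmed"

def system_ptr(ip):
    """PTR names for ip from the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name, *aliases]

def system_forward(name):
    """Address strings that name resolves to (A and AAAA)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def _addrs(strings):
    """Parse address strings, skipping anything that is not an IP."""
    out = set()
    for s in strings:
        try:
            out.add(ipaddress.ip_address(s))
        except ValueError:
            pass
    return out

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (outcome, confirmed_name) for the connecting address ip."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return NO_PTR, None          # no reverse entry was ever published
    for name in names:
        if client in _addrs(forward_lookup(name)):
            return CONFIRMED, name   # reverse and forward entries agree
    return UNCONFIRMED, None         # PTR exists but forward does not match

# Constructed sample data (documentation ranges, not real hosts).
SAMPLE_PTR = {"192.0.2.10": ["mail.example.org."],
              "198.51.100.7": ["host-7.dynamic.example.net."]}
SAMPLE_A = {"mail.example.org": ["192.0.2.10"],
            "host-7.dynamic.example.net": ["198.51.100.99"]}

def sample_check(ip):
    """Run fcrdns against the constructed data instead of live DNS."""
    return fcrdns(ip, lambda a: SAMPLE_PTR.get(a, []),
                  lambda n: SAMPLE_A.get(n, []))
```

Calling `fcrdns(ip)` with the default lookups queries the system resolver; `sample_check` runs the same logic offline.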

Anti-spam measures that attack innocent third parties are bad. Sending “warnings” about viruses has made no sense for many years, as all modern viruses fake the sender address. An employee of one company once admitted to me that they were sending out anti-virus “warning” messages as a way of sending unsolicited advertising to random people (I reported them as a spam source). Some time ago on a routine upgrade of ClamAV I accidentally copied in a default configuration file that made it send such warnings – I was grateful when someone informed me of my mistake so that I could fix it. Challenge-response is another technology that causes harm to others. I think it makes a lot of sense for mailing lists (every modern list server will confirm subscription requests), even though it does result in sending unwanted mail to innocent third parties (every time a new virus becomes prevalent I receive a number of confirmation messages from list servers), but it’s not something that I will use on a regular email account (but I am prepared to do paid work implementing CR for other people).

Requesting that manually implemented blocks be removed is quite reasonable. Occasionally I find that mail from one of my servers is blocked because a previous owner of the IP address space did bad things. In such a situation it is quite reasonable to provide an assurance that the new owner takes abuse issues seriously and to request that the block be removed.

Requesting that I make any change to my system without making a minimal effort to get your broken mail server fixed is totally unreasonable. If the system administrator is not prepared to click on a URL to get their system removed from a black-list, or if the user is unwilling to report the problem to the sysadmin, then I will probably be unwilling to make any change to my system. The only exceptions to this rule are for clients, colleagues, and for people who use mail services that are large and unresponsive to users (i.e. the users don’t directly pay). I recently made a white-list entry for a large European ISP that is used by a Debian Developer for their work; the ISP is known to be unresponsive to requests, and mail related to Debian work is important to me.

One thing I am planning to do is to document my anti-spam measures and then allow people the opportunity of suggesting new anti-spam measures that I haven’t tried yet if they want me to turn off any of my current protections.

(*) I’m not aware of any big ISP that takes strong measures against spamming customers and customers whose computers are trojaned. I am aware of one having done it in the past, but I suspect that they may have ceased doing so after their brush with bankruptcy. I suspect that many ISPs simply rate-limit their customers’ connections to the outbound mail relays and hope that they don’t get enough infected customers at any time to get themselves listed as a spam source.

5 comments to Please Turn off Your Spam Protection

  • Jaymz Julian

    To be fair about DNSBLs, getting off some of them really does range from difficult to impossible. While I agree with your general tone, still I wonder about the continuing usefulness of email in this environment.

    We’re all fucked, and I have no idea what the answer is*

    –jj

    *I have some ideas, but none of them are _the_ answer. And they all suck. I’d make SPF work, but it’s hard to make work right with upstream. DomainKeys requires MTA patching that is a pain for qmail. Changing MTAs is also a pain. etc. Killing the spammers is neither violent enough nor painful enough.

  • Helmut

    Could you publish raw numbers? I.e. how much spam do you currently receive and what percentage is filtered out? I’ve seen that rates of about 1 mail/minute are perfectly manageable. Maybe yours is higher.

    In any case it is good to hear that you don’t use whois based block lists (they block the de first level domain among others) (response to your last entry on this topic), so it looks like at least my server would be “enough” compliant to work with yours. %-)

    Helmut

  • etbe

    Jaymz: If one of the DNSBLs that I use is impossible to get removed from for someone who is not matching the criteria then I will probably stop using it. But the complaints about difficulty in removal from DNSBLs seem mostly based on the dial-up lists and the complaints come from people who have dynamic IP addresses – or IP addresses from the same range that their ISP uses for dynamic IPs.

    Qmail is anti-social in that it will bounce spam to non-existent addresses.

    SPF is good for protecting the reputation of the sender and protecting against joe-jobs. But any spammer can register a domain like peypel.com, put in a valid SPF record and start sending out SPF compliant mail.

    DKIM (the successor to DomainKeys) is similar in benefits to SPF but uses cryptographic signing instead of a list of valid sender addresses.

    Helmut: Yesterday my mail server rejected 8335 messages, that’s 5.8 per minute. While there are some other accounts in my domain, the vast majority of spam is targeted at me personally.

    Regarding the whois list, I have idly considered configuring my mail server to use the whois list for all top level domains other than .au, .de, and any others in a similar situation.

  • It is interesting how arbitrary spam levels are, which still strongly suggests that most of it is controlled by a relatively small number of people.

    I guess McColo proved that was the case for most of the growth in spam in the last year. I have two servers, with similar numbers of domains pointed at them, one rejects twice as many emails a day as the other.

    The utility of email is probably more threatened by badly done spam solutions. A good blacklist, a decent MTA, and greylisting will kill the bulk of spam (with little risk of error), and a Bayes filter in your email client will kill most of the rest (with some risk of error).

    I’m more worried that as spam filtering gets better the bad guys will switch botnets to other roles.

    I get more grief from our users about SPF stopping genuine email (and we don’t use SPF), and Hotmail deleting genuine emails, than I do about spam that gets through.

  • Hi Russell – Happy New Year from Maryland, USA! I read this post awhile back, and just happened upon your site while doing some updates, figured I’d share this story.

    I remember when I first set up my mail servers, a client forwarded me a rejected message. I contacted the systems administrator about it – it was a mismatched reverse DNS record and the host name of the mail server. I requested a bypass, and the sysadmin was polite, but incredibly firm that there was no way it was going to happen.

    That made an impact, and since then, I’ve been quite serious and detailed about how all our email networks are set up.

    Therefore, I support your position. Though my documentation is a bit sloppy, I’ve written up a lot of my spam prevention strategies here:

    http://www.docunext.com/blog/2006/12/13/postfix-uce-spam-settings-page-1/