5 Things the Boss Should Know About Spam Fighting

Esther Schindler writes "Sysadmins and email administrators were asked to identify the one thing they wish the CIO understood about their efforts to fight spam. The CIO website is now running their five most important tips, in an effort to educate the corporate brass. Recommendations are mostly along the lines of informing corporate management; letting bosses know that there is no 'silver bullet', and that the battle will never really end. There's also a suggestion to educate on technical matters, bringing executives into the loop on terms like SMTP and POP. Their first recommendation, though, is to make sure no mail is lost. 'This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream.'"

Nothing lost?

[Anonymous Coward]

Their first recommendation, though, is to make sure no mail is lost.

Nice goal, but you are going to lose mail. It is either going to get buried in the pile of spam or misclassified as spam by your software and pitched. What you need to do is pick an acceptable level -- it is all about trade-offs.

I like to REJECT (not bounce!) spam, so when you accidentally mark good stuff as spam, the sender has a chance to get the message to you later.

Re:

[Skater]

I like to REJECT (not bounce!) spam, so when you accidentally mark good stuff as spam, the sender has a chance to get the message to you later.

Yeah, thanks. Then when someone fakes my email address as the return address, I get thousands of bounce messages.

Re:Nothing lost?

[Anonymous Coward]

Yeah, thanks. Then when someone fakes my email address as the return address, I get thousands of bounce messages.

Did you miss the part about:

I like to REJECT (not bounce!) spam

If I reject the mail, then you'll only get a message back if your SMTP server was the one that was sending it. If I bounce the mail, then you'll a message even if it was forged elsewhere.

People who bounce spam are almost as bad as the spammers. Rejecting spam is much better than just deleting it because it gives the sender a chance to fix your mistake.

Re:

[Skater]

Ah, okay. I didn't catch that distinction. Sorry - I'm just bitter from the thousands of messages I've had to clean up, including a mailbomb or two.

Re:

[jeremyp]

If I reject the mail, then you'll only get a message back if your SMTP server was the one that was sending it. If I bounce the mail, then you'll a message even if it was forged elsewhere.

Err, no. If you reject a mail, the SMTP server that tried to connect to your SMTP server (and got a 5xx response) will send a bounce message back to what it perceives as the sender - who is almost certainly forged in a spam e-mail.

People who bounce spam are almost as bad as the spammers. Rejecting spam is much better than

Re:

[mckyj57]

Err, no. If you reject a mail, the SMTP server that tried to connect to your SMTP server (and got a 5xx response) will send a bounce message back to what it perceives as the sender - who is almost certainly forged in a spam e-mail.

I don't think you know what you are talking about.

Sure, if you have a bogus mail server which would just forward random spam, it would do that. But presumably your mail server does not.

Someone has to handle a misaddressed message. The way to handle it is as the OP said, to reject

Re:Nothing lost?

[Anonymous Coward]

Frankly I find this hard to believe.

Just to be clear:

• Eve is a spammer sending mail
• Clueless ISP (clueless.xxx) is being used to send the spam
• Alice's address (alice@alicedomain.xxx) is being forged by Eve
• Bob at bobdomain.xxx is the intended receiver for the spam

Typically Eve sends an amazing offer "from" alice@alicedomain.xxx through clueless.com to bob@bobdomain.xxx. If Bob bounces the spam, it would go from bobdomain.xxx directly to alicedomain.xxx. I suspect this is what you are seeing, and happens because Bob is doing his spam filtering after he has accepted the message from clueless.xxx.

If Bob rejects the spam while in the process of receiving it from clueless.xxx, clueless.xxx would get a bad status code. Chances are the mail program is just a bot which would ignore the error (or retry the same message a couple of times). If Eve is using an MTA on clueless like exim or sendmail, and it is badly configured, then Alice might see a bounce message generated by clueless.xxx. Alice can complain to the administrators at clueless, or get clueless added to RBLs. The good news for Alice in this situation is that she isn't dealing with thousands of bots. In any case, Bob didn't send a bounce message, he just didn't accept the incoming mail.

Rejecting spam at the SMTP level is the best practice, and is different than bouncing spam.

Re:Nothing lost?

[mabu]

A good RBL-based system never loses mail. Any legitimate mail that is blocked causes the original sender to be notified. Content-based filtering systems don't work like that scheme, so people that use mail filtering do lost more legitimate mail, and the worse part is, the senders never know their mail was lost. This is why content-based filtering doesn't work and RBLs do.

Re:

[digitig]

RBL-based systems do lose mail. A potential customer emails me and a competitor with a request for a quotation. From me they get a blacklist notification, from my competitor they get a quotation. The potential customer, upset at being accused of being a spammer, never bothers trying to email me again. I've not only lost their original email but I've lost all future email from them too.

Re:

[kisielk]

Damn, mis-moderated. Posting here to undo my moderation.

Re:

[secolactico]

Indeed. Problem is, examining the data is a problem when you get a huge influx of email regularly. You can always host spamassassin on a separate server and call it from the smtp server, I guess.

I know several people has said it on this thread and on almost all mail/spam threads, but it can't be stressed enough: Reject the message on the SMTP phase! DO NOT accept the message and then bounce it. I guess viruses you can discard if you want, but DO NOT bounce them!

Exchange admins, please configure your se

WTF?

[Watson Ladd]

How does the CIO not understand what the IT deparment is doing and still become CIO? Can someone clue me in on the way a manager can know nothing of what they manage and still be a manager?

Re:WTF?

[cyber-vandal]

Because the people who appoint them don't understand IT either and believe it to be so simple that anyone can manage it.

Re:

[cavtroop]

Welcome to big corporate America, where it's not what you know, but who.

Re:WTF?

[winkydink]

The majority of the CIO's I know come from the Apps side of the house, not the Ops side. Please note, I said the majority, not all.

Do you really believe that a CIO understands all of the underlying technology in the IT department, even at a basic level? Trust me, most don't. It's near impossible, especially when most CIO's haven't been individual contributors for many years.

Re:

[Nimloth]

Do you really believe that a CIO understands all of the underlying technology in the IT department, even at a basic level? Trust me, most don't.

QFT... I'm in the process of customizing SugarCRM Open Source for our company's needs, and after I'd pitched a demo to my CIO to show him what we'd be able to do with it once finished, he was really impressed. A week later I hear him in a meeting with management: "Yeah, it's open source, which means it's the same guys that did this that wrote Linux.".
*shrug* At l

Re:

[honkycat]

I think that doesn't mean he knows LESS about the technology so much as that he knows MORE about how to talk to management... As you say, he got you your approval...

Re:

[IL-CSIXTY4]

Many CIOs today cut their teeth on the systems of yesterday, and have spent many years in middle and upper management since their days "in the trenches". They've gotten good at management, but they've lost touch with the day to day realities of what they're managing.

For example, a CIO I worked under advised us that we could increase the efficiency of our database-driven app by reading the records in a random-access manner, rather than processing the whole "file" of orders sequentially each time we wanted t

Re:

[JimDaGeek]

For example, a CIO I worked under advised us that we could increase the efficiency of our database-driven app by reading the records in a random-access manner, rather than processing the whole "file" of orders sequentially each time we wanted to retrieve a record.

Oh man... I just spit something out of my nose! Did anyone correct your CIO? To me this sounds like the last time this dude had _any_ knowledge of IT, it was with COBOL/CICS type stuff.

May you be blessed my son :-)

Re:WTF?

[StarvingSE]

Managers may have lost touch with the latest techno-babble, but they should not be berated because of it. They are obviously smart individuals who were neck deep in the technology of their time. When you are a manager, you have a reasonable level of expectation that your employees will be knowledgeable of the most current technology.

Many high level concepts such as requirements, design, group management, etc can be managed by people and they don't have to have intimate knowledge of the latest technology. I am not saying that management should not learn it, but they should expect their employees to be the experts.

Why is it that there are a lot of people in IT who are so snobbish "omg!!!@!!!.... you don't know about xyz technology, you made a mistake hahahhadjhaflkdjfs luser." Are other technical/engineering fields like this? (not a knock on the parent post, just askin' in general).

Re:

[AeroIllini]

Why is it that there are a lot of people in IT who are so snobbish "omg!!!@!!!.... you don't know about xyz technology, you made a mistake hahahhadjhaflkdjfs luser." Are other technical/engineering fields like this? (not a knock on the parent post, just askin' in general).

Yeah, they are.

When you talk about the snobby people in IT, you're usually referring to those at the bottom of the heap, organizationally. These are the guys in the server room who don't really have the authority to make any decisions, and

Re:

[melikamp]

The Peter Principle [wikipedia.org]

Re:

[beakerMeep]

The article seems to be a tool for CIOs to educate CEOs . But I like your "I-didn't-read-the-article-but- im-going-to-feign-indignance-anyways" thing you got going there.

Re:

[thogard]

That is why I'm disappointed that it didn't focus on the "go talk to your local elected official about making this illegal"

Spamers have stolen the usefulness of email away and if its not fixed real soon, it will be completely worthless to more and more people. I'm hearing from more and more people "oh, I don't check email much anymore, its all junk"

Re:

[Phroggy]

It's amazing how quickly Slashdotters switch from quoting the Bill of Rights in order to defend freedom of speech that they want to ignoring the Bill of Rights in order to to condemn freedom of speech that they don't want. It's no wonder American lawyers earn so much!

Commercial speech isn't protected the same way that non-commercial speech is. For example, advertisers are not legally allowed to lie about their products in television commercials, but I am legally allowed to lie about those same products all I want (as long as I'm not committing slander or libel). For example, without supporting evidence, I'm not allowed to say that drinking Coca-Cola causes cancer, but I am allowed to say that drinking Coca-Cola raises your IQ. The Coca-Cola Company is not allowed to

Re:

[Phroggy]

But surely that's a legal interpretation? AFAICS it's not inherent in the bill of rights itself, and so it presumably doesn't have the same force?

Yes, it is interpretation, but my understanding is that this is how the Supreme Court has interpreted the First Amendment. Until the Supreme Court reinterprets the law in a different way (which isn't likely), their interpretation has the full force of law.

Re:WTF?

[rucs_hack]

managers manage well by having people below them who know their jobs. That way they manage the people themselves, not micromanage everything they have to do.

A good manager should appear to have very little to do, because everything is so well organised.

A bad manager is very easy to spot. People under them feel unsupported, become over relient on rules and regulations, and everything takes so long to do that nothing gets done.

I've experienced both types of management, the bad type is painful. When I've managed (in medicine) I worked very hard to train my people to trust in their own abilities and take on and enjoy responsibility.

Nothing to do with spam in this post I realise, but then I hate spam, nasty fatty stuff.

Re:WTF?

[Jonny do good]

How does the CIO not understand what the IT deparment is doing and still become CIO? Can someone clue me in on the way a manager can know nothing of what they manage and still be a manager?

Because managers are there to manage, not to be technicians. The most effective managers should know something about what they manage, but they do not need to know the details. They are supposed to be "big-picture" people and leave the details to the experts they hire. When a manager knows too much about what they manage they tend to micro-manage and I am sure we all dislike that more than ignorant managers.

Personally I would rather have a manager that gives me the responsibility and flexibility to make the decisions that are within the scope of my job function who knows nothing about what I do and how I do it than one that is more knowledgable but ties my hands when it comes to getting things done. The CIO should dictate the overarching business strategy to the IS department and help ensure that their work helps accomplish the goals of that strategy. The details are for the rest of the department to figure out. Remember, the IS department is a supporting function, no different from accounting, marketing, or HR... it is not the business.

I'm sure I will be flamed for this response, but it is typical of technical people (not just IT, but in all functions) to have disdain for those in charge because they don't know what we know. But it isn't their job to, or else they would have no reason to hire us. A CIO position is NOT a technical position. Expecting a CIO to know everthing going on in the IS department is the same as expecting the CEO to know it as well.

Re:

[Ykant]

I'm constantly reminded how lucky I am. About ten years ago, my current CIO was the person who did all the coding, back when the company was much smaller. We've grown a lot, there's an actual IT department of 20 now (as opposed to the three "computer people" we started with) but everything is still built on the stuff she coded way back when. She spent many late nights coding, coding, coding, up until about 3 or 4 years ago. She's happy enough with the current team that she's taken a step back, and just

Re:

[sjames]

It's all a matter of degrees. A CIO need not know how to configure a mail server for example, but SHOULD understand what a mail server does and have some idea of what sorts of things can be done by configuring. A CIO SHOULD know enough to tell the difference between a trivial and a herculean task. A CIO should understand enough that once something is explained, the gist of it is retained.

For another example, a CIO should be able to understand that spam filtering is a statistical process and so errors one

Re:

[JimDaGeek]

Oh...Boy!!!

I have worked for 3 fortune xxx companies. None of the CIO/CTO have know _anything_ about IT. Nothing. All have been business people that were transfered from some other department. A lot of the bigger companies like to play "musical manager" where the "upper" level management gets moved around so they know more roles of the company. This gets them promoted faster... go figure.

I just recently went through a corporate re-org. The new CIO is actually a "financial" chick (though her know

Re:

[t14m4t]

I work at the Naval Submarine School in Groton, CT. Actually, I'm the CIO there (until the 26th when I transfer to Norfolk), how apropos.

Anyway, I took over the job when the fileserver crashed, and the CIO at the time didn't understand the difference between a workstation and a server, and couldn't figure out what "no backup" meant. Bless her soul, she's a great leader over a good many things. But she was assigned to the job because the commanding officer at the time was not IT-savvy, and said "it's just

Re:

[nighty5]

Because the higher you go, the more you manage just people, resources and money.

What they actually do has little to do with it, this is especially the case in larger govt organisations where the CIO's are people with almost no understanding of computers.

Re:

[Venik]

CIO at our company has a law degree and no IT background (well, I am sure he knows how to use Word, not that he needs to). His second in command also has a law degree and no IT experience. I guess, as a CIO of an IT organization with thousands of employees, you will always be able to find someone with IT background to tell you how to do your job.

Something for nothing and spam for free

[canuck57]

You can't have both, no matter how loudly you scream.

Trouble is how many CIO understand the technology they supervise enough to make a good business judgement?

The one thing I will tell them follows like this:

Trust your own I/T staff for maters of technical choice and direction, they have the most to gain, the most to lose and have to live with the consequences. Vendors know how to sell problems then the solutions, users know how to blame their lack of patience and personal issues on computers. I/T personnel often are the ones to eat the heat on organizational issues beyond their control. This includes the flawed systems we use today. Let I/T participate in business descisions, not to rule but nor to be a door mat for the next irrational business type having a conniption fit.

Re:

[Phroggy]

Damn, I just replied to something else and lost my mod points. You've hit the nail on the head here. It's totally fine for the CIO to not know the details of the technology, and just manage the people (who in turn know the details of the technology). But it's not OK for the CIO who doesn't understand technology to make purchasing decisions without the input of the people who do understand the technology and will actually be directly working with the products and services being purchased.

POP?

[Corporate Troll]

SMTP and POP

Now, nothing against educating management... but POP? POP doesn't belong in the enterprise. Even at home I have my own IMAP server. POP is a relic of the dialup-time where you only had access to your own computer and nobody else (seemed) to have one.

A shame that gmail doesn't support IMAP, I'd prefer it that way instead of that poor POP3 hack they use...

Re:

[MichaelSmith]

POP doesn't belong in the enterprise.

Where I work we can use either. Inboxes on the mail server have a 16MB limit and they regularly fill up. Because I need to keep more than that I use POP.

Re:

[Corporate Troll]

16MB? Wow... That's suckitude pure... My personal mailserver can cope 2Gig, and that's only because the /var is a separate partition of 2Gig. I don't know what it is at work, but I haven't reached it yet.... I get those funny videos all the time, but I delete them at once, so my space usage isn't all that big. Haven't heard complaints of the management types yet, so I think that the limits are very reasonable.

Frankly, tell IT to buy a few disks.... 16MB is about what I had as a student at the Univer

Re:

[AeroIllini]

I work in a giant company of 150,000 employees. Each of us gets 20MB of space on the Exchange server, for mail and calendar.

Every employee, outside of the factory, has their own computer to use at their desk, and if you need to bring files away from your desk frequently, it is not difficult to swap out your desktop for a laptop. (I'm not sure how much extra the laptop costs in a given manager's budget, but it's not much.) There are bigger network servers available for passing files around, but they are paid

Re:

[AeroIllini]

And it's all backed up daily, I'm sure.

As a matter of fact, it is. Each backup diff file is compressed, encrypted, and stored on a server, every day.

So I take it you never work from home or the road, and are never on call.

People work from home and the road all the time. I've done it myself. You bring your laptop home with you, and tunnel into the company network via a VPN. People on call are issued Blackberries, and special accounts that expand to fill their needs. These people are in the extreme minority.

M

Re:

[torrentfuze]

I prefer to download all my emails and read them using POP than have to wait for the network lag to give me my emails.

Re:

[Corporate Troll]

I understand that, but that falls in the category "dial-up".... On a LAN, the network lag should be insignificant. Sure, that 10M powerpoint from my boss, won't open immediately, but with POP it would take ages to download it in the first place. I just delete it without opening it ;-)

Re:

[vadim_t]

Then use offline IMAP. It's the best thing of both worlds: Mail's on disk, so it's quick to access, but it's also on the server so you have all your mail anywhere.

Re:

[DogDude]

What's wrong with POP? I don't see any limitations or problems with it.

You can have some of both

[timeOday]

Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream.'

This is misleading. There's no reason one spam filter cannot provide both higher sensitivity and higher specificity than some other inferior spam filter. Once you pick a filter then, yes, there is a tradeoff in selecting your decision boundary.

Why Is It?

[George Johnston]

Was my spam filter installed backwards? It seems to let the ads through and trashes emails from my friends... Don't mind me, I am just auditioning for a CIO job. It pays a lot better.

Beware the combination of spam and UETA

[grandpa-geek]

Around 2000 there was legislation adopted in many states called the Uniform Electronic Transactions Act (UETA). Under UETA a legal notice sent by email is considered delivered to the recipient when it enters the recipient's ISP, regardless of whether the recipient ever sees the email. This was the UETA drafters' attempt to create the equivalent of something called the "mail box rule" for email. AFAIK, under the mail box rule, if you give a legal notice to the post office, it is considered delivered.

There

Re:

[nuzak]

> AFAIK, under the mail box rule, if you give a legal notice to the post office, it is considered delivered.

Delivered, yes. Received, no. Try serving a subpoena that way.

Five Things Everybody Needs To Know About Spam

[mabu]

Forget CIOs... there are many system administrators who don't know the real issues regarding spam. Here are some things everyone needs to know:

1. Content filtering is not a solution.

I hate to say it, but it's the truth. Filtering mail based on what's in the e-mail message is a never-ending battle that does not work. It slows down mail service, causes legitimate mail to be blocked more often than using RBLs, and violates peoples privacy, costs more money to maintain and makes the mail system inherently less efficient and reliable.

E-mail used to be instantaneous. Now it isn't, because all the major ISPs toss their mail into big queues where they go over it and file it away or pass it on. If you send something to a Bellsouth users nowadays, they *might* get it 6+ hours later! Stupid, content filtering doesn't work and creates worse problems.

2. The Spam problem is mostly a law enforcement issue and not a technological issue.

99.9% of spammers break the law. The reason why spamming is such a problem is because national and international authorities won't get off their lazy asses and prosecute the spammers for the laws they break. In the end, you'll do more to reduce spam by petitioning your local district attorney to prosecute spammers than installing some obnoxious cpu-chewing filter that will become obsolete within two weeks. And no, the jurisdiction issue is bogus. Technology exists to track all these spammers right back to where they are. There are spammers all over the world and especially in the U.S. that can and should be in jail right now, but they're not because the Feds are more interested in going after people like Tommy Chong. Call your D.A. Call your Congressman. Complain that your reps aren't putting these guys in jail.

When I say "spam" I mean the big spam operations. The industry can easily police itself of low-level, incompetent opt-in schemes, but that's not the real "spam" problem we're talking about.

3. Don't listen to the anti-virus/anti-spyware software companies.

These companies make their living off of spam. There is an inherent conflict of interest in relying on Symantec or any other company to be trusted to help deal with the spam problem. They need spam and they'll never do what's necessary to stop spam from becoming more of a problem. This is analagous to why car manufacturers won't build more reliable/efficient cars when they are capable of doing so -- it's not profitable for them. Stop looking to McAffee or any of these other foxes to be trusted in helping you guard your henhouse.

4. Most anti-spam methods do nothing to stop spam, except relay blacklisting.

Spammers steal bandwidth, violate peoples' security, tamper with third-party computers and bog down the Internet. Content-based filtering does not hurt spammers. RBLs do. Relay blacklisting is the single most effective deterrent in the war on spam. PERIOD. No other method both stops spam, and makes it exponentially more expensive and troublesome for spammers to do their job.

Relay blacklisting works. If you don't like RBLs, chances are you just had a bad experience with a bad one. Try a different one or create your own. They work. They work exceptionally well and best of all, they save bandwidth and resources from the spammer's grimy hands. They also have the added benefit of stopping the propagation of worms and punishing irresponsible ISPs who allow their zombie users to pollute the Internet. There is NO BETTER THING CURRENTLY you can do to combat the spam war than by feeding and using RBLs (aside from following #2 and complaining that spammers aren't being prosecuted).

5. There are not that many spam operations. The spam epidemic is not unstoppable.

The amount of spam going around on the Internet has increased but only proportionally to the amount of user and bandwidth growth, and not due to more and more people getting into the spam business. A cursory examination of most spam clearly indicates that there are

Re:

[bill_mcgonigle]

4. Most anti-spam methods do nothing to stop spam, except relay blacklisting.

Greylisting is quite effective as well; partially because it pushes the economics of spamming back on the spammers.

Re:

[xdroop]

Greylisting is quite effective as well; partially because it pushes the economics of spamming back on the spammers.

Greylisting works in the large end of the small market; it doesn't work elsewhere.

In order for greylisting to work:

• you have to have control over your own domain and operate all the systems which are listed as MX'ers for that domain. Why? Because if you have a secondary or tertiary MX system hosted by a different ISP, then all your spam is going to get relayed in via that system. Which,

Re:

[bill_mcgonigle]

Bigger companies believe that email should be here NOW, and for the most part they ain't gonna play the greylisting game.

Hmm, all the ones I've work with I explain that I induce a 3 minute delay on our side, that the other side may retry at a slow interval, but that after three good messages, there's no delay, and that it reduces spam by 75-80%. Every time I hear, "that's a no brainer!". I don't greylist internal mails.

I used to use postgrey but bdb eats itself whenever the moon is waxing - sqlgrey is rea

Re:

[SanityInAnarchy]

Content filtering is the only workable solution I've found. If done right, it doesn't slow anything down at all (my own email is instantaneous), and is more accurate than anything else -- I NEVER lose mail, the worst that ever happens is it goes in "unsure". I get maybe 100 spams a day, maybe 200, and less than 10 gets to "unsure", less than 1 a week gets through to my actual inbox.

Spam cannot be solved with law enforcement. Even assuming we had a 100% reliable definition of spam, and it was illegal everywh

Re:

[Phroggy]

1. Content filtering is not a solution.

Yes and no. It's not the "right" solution, but when all other available solutions have been exhausted, content filtering is better than the alternative. You're absolutely correct that it eats up resources - you can't just enable content filtering and walk away; you have to constantly keep writing new rules that will no longer work next week.

E-mail getting delayed 6 hours isn't strictly a problem with content filtering. Sure, if you eliminated content filtering, you'd probably also eliminate the 6 hour d

Strawman fallacy

[gvc]

Where's the evidence that RBLs provide lower false positive and/or false negative rates than content filtering? Just because you think it's so doesn't make it so. Or that filtering introduces 5 hour delays? etc.

The above rant is just a string of strawman arguments without an iota of evidence. It ascribes to filters disadvantages which do not exist, and to RBLs fantastic properties that also don't exist.

Maybe RBLs are useful in the fight against spam -- maybe not. To suggest that they obviate conten

Re:

[mabu]

I suspect you work in an area where you need spam to exist to maintain your job security or you wouldn't be asking that question. Either that or you have minimal experience with this technology and field.

The bottom line is that it takes an ongoing effort to update both RBLs and content-based filter. The main difference is, there is a FINITE amount of IP space, so the RBL war is worth winning. There is an INFINITE number of combinations of keywords and imagery that can be forged as spam. Common sense ind

Re:

[gvc]

CEAS (www.ceas.cc) will be running a live spam filter test Aug 2-3.

I invite you, or anybody else who wishes to prove that (a) content filtering is hopeless and/or (b) RBLs are a slam-dunk, to demonstrate your superiority by participating in this test.

Guidelines will be posted shortly.

For further information email information@ceas.cc

Re:Heres a way to end spam. Completly.

[Beryllium Sphere(tm)]

>The trick is to target the one vulnerability all spammers have: A website to sell their goods.

Not any more. The stock scammers can get their money without any contact information whatever in the spam.

Re:

[sjames]

If the SEC REALLY wants to enforce the law, all they need is a single email account to collect a bazillion pump and dump operations. It shouldn't be that hard to come up with a good list of suspects by watching what stocks get pumped, and then see who dumps. That alone could get rid of about 25% of the spam.

Re:

[SanityInAnarchy]

Problem: What happens if the spammers discover you doing this, and send new spam with a link to your website?

Even if people do it manually, this is going to sting legitimate people who have nothing to do with the spam.

mail is broken

[maynard]

I'm shutting down our lab mail server and migrating a large userbase to central university mail services because of all the problems we're experiencing with supporting an internal mail server. Everything from excessive spam (and it's well over 90% of all incoming connections), people using email as for storing files (as if it were a home directory), and recent rulings demanding that IT offices track email and IMs [go.com].

I worked out how much staff time we spend maintaining and supporting our mail server and was shocked. For a service that's commoditized and available for free from any number of vendors (never mind our uni's central IT service we're already paying for), and I worked out that last year we had spent ~100 hrs/yr of staff time. Looking back I realized that in years previous we had spent far less on a per year basis. IOW: staff consumption on mail service was growing while prices for commodity email service was plummeting (all the way down to near free).

Dumping email support is the only rational solution.

Where will this go? I think email (as in RFC822, etc) is doomed. The protocol is broken. It has no safeguards to confirm the legitimacy of the sender or recipient, no mechanism to secure the communication during transmission (like a real envelope), and as a result the protocol begs to be exploited by Internet fucktards. Which is exactly what's happening. Time to toss SMTP and start from scratch.

Re:

[flyingfsck]

Uhm, if you are spending that much time on it, then you are doing something wrong. Well over 99% of email coming my way is spam, but it never enters the server - it simply gets rejected using RBLs, grey listing and other methods. The remaining little bit, is filtered very well by Spam Assassin and I only tune the server once a year around Christmas time.

Re:

[nuzak]

> I think email (as in RFC822, etc) is doomed

If you really demand a uniform end-to-end authentication mechanism, X.400 is over that-a-way.

A full blown information war is being waged over email, and it's surviving quite nicely. I eagerly await your perfect solution that changes human nature itself. I tire of the pontifications of armchair architects.

Re:

[bill_mcgonigle]

The protocol is broken. It has no safeguards to confirm the legitimacy of the sender or recipient, no mechanism to secure the communication during transmission (like a real envelope), and as a result the protocol begs to be exploited by Internet fucktards. Which is exactly what's happening. Time to toss SMTP and start from scratch.

Why not use DomainKeys, SPF, and SMTP over TLS instead of trying to rebuild all of the existing infrastructure?

Refusing connections from domains not using those technologies will

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Sorthum]

Using SMTP callbacks is abusive, given that most of the headers in an email are forged...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Sorthum]

Doesn't matter. If a spammer pulls a joe-job and sends out 100K messages with my email address as the forged sender, then I get idiots like you doing the callback thing. I block such sites at the firewall as soon as I see 'em.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Sorthum]

Oh? In real life I assure you "my" domain has SPF records, and ~60K users. My private domain is in a state of flux, and will have one shortly once DNS stabilizes.

I'm also not the only one who feels this way. SMTP callbacks ARE abusive, and they can and do take servers offline

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thogard]

Certs these days are trivial to get. The records for my cert aren't much better than what the domain name company has. All the cert says is that a company exists and its trivial to set up a untraceable company in most countries including all the ones where most of the spam comes from.

Have you ever used a x.400 gateway? It is not a reasonable alternative to anything other an over weight budget. Isode was great compared to some of the other x.400 options and its the poorest bit of software I ever tried t

Blue Frog

[crapjunk123]

I really miss my Blue Frog. Just a promising little pet that never had a chance. Maybe Okopipi will make an appearance someday.

Uhh... you can have both...

[JimDaGeek]

remember, Bill Gates said he would end spam. As a "trusting" MS user, I believe him. So, since spam has ended, I don't know what these "systems" guys are complaining about. Geeez.

Re:

[Jonny do good]

remember, Bill Gates said he would end spam. As a "trusting" MS user, I believe him. So, since spam has ended, I don't know what these "systems" guys are complaining about. Geeez.

And I am going to ditch my firewall as soon as I get Vista because Bill says it will be a secure OS.

Re:

[JimDaGeek]

It was supposed to be a joke... A bad one :-)

I think the most important thing is..

[Anonymous Coward]

..make sure it is clear to your boss that they might lose some legitimate email with porn because of spam filters.

Question

[955301]

Here's a stupid question? If 99% of email is spam now, why don't we all just switch to a protocol and servers that authenticate and force identities based on a distributed trusted service? Sounds like there is so much to gain by jumping off the SMTP ship.

Re:

[account_deleted]

Comment removed based on user account deletion

Spam fighting can be a source of income!

[www.sorehands.com]

From my read on the anti-spam laws, the company would be an ISP for the employees. Given that, the company can sue the spammers that use deceptive headers and subject lines in their e-mails. Under California law, a recipient or ISP can get $1,000 per illegal e-mail.

When it starts costing spammers more money than they make, they will stop. In my experience, asking spammers to stop nicely does not work. Filing a lawsuit usually is the only way to get them to stop. I have one spammer that still spams after get

Re:

[www.sorehands.com]

CAN-SPAM nullified state laws on the matter.
Sort of. CAN-SPAM includes explicit language that carves out an exception
to the nullification --- that state laws that prohibit falsity and deception
can still survice.

Despite the 4th circuit opinion, I have a court that ruled that California law (17529.5) is not preempted by CAN-SPAM.

So, don't use verizon.com, etc.?

[imagerodeo]

If CIOs instituted a policy of disqualifying any vendor of Internet, data or communication services that appears anywhere on Spamhaus's top 10 list from doing any business with the company, Varshavchik feels, "the spam problem will pretty much disappear, mostly overnight."

That list (http://www.spamhaus.org/statistics/networks.lasso ) has verizon.com, att.net, serverflo.com, xo.com in spots 1, 2, 3, 4. Should CIO's stop using Verizon, ATT and XO until they clean up their act?

Re:

[LauraW]

Should CIO's stop using Verizon, ATT and XO until they clean up their act?

Yes

What I know about spam fighting

[Triv]

It hurts more if you leave it in the can.

Triv

1 Thing the Boss should know about Spam

[Qbertino]

Enforce one standard of encryption internal, for all employees and all clients that want to do email communication with the company. Bounce all messages that aren't encrypted.
Voila!
All Spam problems solved instantly.

Neat side effect: Your emails are safe and contract proof.

Re:

[SanityInAnarchy]

Other neat side effect: You now have 3 clients instead of 300.

I would say use PGP internally and enforce it, and include it in your spam rules. That way, clients who send encrypted/signed messages can be sure they get through, but clients are not required to use encryption.

Well for one thing ...

[IchBinEinPenguin]

... email is not delivered by trucks driving through tubes.

We almost have a Silver bullet

[jidar]

We spent most of 2006 looking for the best possible solution to our spam problems and had many meetings and spoke with many 3rd parties. At the end of that discovery, despite my strong distaste for it, we outsourced. I hate taking on additional periodic expenses, but in this case it just made too much sense. The spamassassin solution we had been working on constantly was costing us too much in manpower for not very good results.

We used an outfit called Red Condor. They offered external filtering by setting the MX to systems on their network, plus in-house filtering by way of an appliance that you can purchase and deploy. They allowed us a 60 day trial, which went extremely well. The bottom line is this, we now pay about ~$11k a year for ~10k mailboxes and get filtering every bit as good as what you get from the major email players like Gmail or Hotmail. The only downside is there are occasionally delays of up to 15 minutes. Hence it is almost, but not quite a Silver Bullet. These are issues that I expect can be somewhat resolved by purchase of additional appliances and load balancing.

This sounds like an ad, but I have no affiliation with Red Condor beyond being a customer. Spam and it's associated problems made 2006 the worst year of my 10+ year career and probably had contributed to more sleep deprived nights than any other thing for me. If you're like me and looking for a solution to what has become an epidemic, this is could be it.

Everyong saying Content filtering doesnt work? BS

[jidar]

To all of you people in here saying content filtering doesn't work:

How can you say that knowing that Yahoo, Gmail, Hotmail and AOL all do extremely effective content filtering? They aren't perfect but they're very very good with a low false positive rate.

I haven't seen a single spam in years... literally

[hacker]

"This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream."

Yes you can, its called dspam [nuclearelephant.com], and it works beautifully.

I, and none of my users, have seen an single spam email in over 3 years. I added graymilter [acme.com] and Project Zen [spamhaus.org] fr

Re:

[SuiteSisterMary]

No, you're not getting both. You're just going for the risk of seeing something late, rather than the risk of losing something legitimate. Obviously, a quarantine means that you won't see the false positive until you specifically go check, but you won't lose it, unless you don't check for it before the quarantine's auto-delete timeout. Graylisting, by definition, introduces a delay in mail transmission.

Re:

[hacker]

Obviously, a quarantine means that you won't see the false positive until you specifically go check, but you won't lose it, unless you don't check for it before the quarantine's auto-delete timeout.

There is no auto-delete timeout for the quarantine, not by default, and not that I can manually set without futzing in the code itself. I'm thankful for that, and so are my users.

Graylisting, by definition, introduces a delay in mail transmission.

A delay of 25 minutes is barely perceptable. Email is not I

Re:

[maynard]

Now try to implement your suggestions on a mail server that supports 500 users or more. Good luck.

Silver Ricochet..

[tempest69]

You have a nice start, but it has some weird consequences.

1. Sending email gets infuriating as your machine slows to a crawl anytime someone hasnt whitelisted you.

2. Maintaining a Taint Free Whitelist gets to be a bit tricky.

3. How is this going to work for services like Gmail and Yahoo? A minute of chug time on a machine is expensive if your offering it for free. If you whitelist them it doesnt do much good because then spammers just use those accounts

4. How does this work for people in poor areas

Re:

[imroy]

Anonymous Coward said:

Incoming messages not on the whitelist are automatically returned with a challenge.

Translation:

It's not enough that I get spam, I wish to share the problem with all the people whose email addresses are being used by spammers!

Thanks for spreading the problem, idiot.

Re:

[Sorthum]

A horrible solution, Challenge Response is... Let's assume, for a minute, that it's all handled server-side and the user doesn't have to deal with misdirected bounces. Realize that with the advent of botnets, bandwidth and computational power is something spammers have in spades-- far more so than legitimate mailers.

Let's also consider mailing lists. I manage a site that has tens of thousands of users, running on two MX boxes and one outbound SMTP box. I'd have to get a whole new RACK to handle the load

Re:

[realmolo]

"...about 200 employees with mailboxes."

That is such a small number of users, that you anecdotal evidence is meaningless.

You don't get spam because you don't have many users sending mail, your users are in a controlled corporate environment that (probably) keeps their machines virus/trojan/spyware free, your users probably are somewhat careful to only use their "work e-mail" for "work-related" stuff, and you have a domain that isn't very widely-known.

Try running an ISP with hundreds of thousands of

Re:

[Mr. Roadkill]

200 users is NOTHING. Until you are processing hundreds-of-thousands of messages per hour, you don't know how difficult it is to stop spam.

You want to know the really scary thing?

Both you and grasshoppa are right... for the subsets of the spam problem that you have to address.

My credentials? I run the mailfilters at a university with +50k student addresses, and around 3000 staff addresses. We typically reject a couple of hundred thousand messages daily. So, while our situation would probably turn gras

Re:

[fuzza]

Uh, from TFA: "Sequestering it is only slightly better than dropping it, because you have to look through the sequestered spam, and most people don't bother."