At 11:12 26/09/2003 +1200, Juha Saarinen wrote:
Steve Withers wrote:
Am I right in thinking Mail Marshal still allows the spam to be delivered? It just filters it.
The problem with much spam is that while you can decide to drop .cn, .kr, and .ng, plus 200/8, much of it arrives via seemingly legit sources. This can be a large ISP's smarthost forwarding spam from customer hosts that have been trojaned by spammers.
That's why you start filtering after DATA, but even that doesn't always work and as Mail Marshal has shown, can be prone to false positives. A further nuisance is that you have to receive the message in order to filter it.
I think that from here on in, this is going to be the only way to do it unfortunately. (Decide after the DATA is already transferred if the message is spam.)
Look at the information spam filtering software has available before the body of the message is delivered:
IP address of the immediately preceding mailserver - trusted.
Hello response - untrusted, and largely meaningless.
Claimed envelope sender and recipient - untrusted, easily forgeable.
And that's it. The *only* thing that means a hill of beans before you have the whole message in your lap is the IP address of the sending server. And I honestly think that alone is not sufficient for fine-grained (read, no collateral damage) differentiation between spam and non-spam.
In other words, apart from a couple of trustworthy lists like spamhaus.org, which can help to "pre-filter" some of the worst offenders with minimal chance of FPs, I honestly believe that the days of outright blocking based on server IP address are well and truly over. You simply can't block all the spam this way without blocking tons of legitimate messages.
Each message needs to be tested on its own merits if the world is to avoid balkanisation of email to the point where it is unusable, which is why I believe strongly in the approach taken by SpamAssassin, even if it does have its own flaws. (Mainly implementation flaws, rather than flaws to the basic approach.)
Basically, neither DNS blacklisting nor filtering work well enough currently. And no, challenge-and-response systems aren't the answer either.
Agreed. Imagine trying to apply challenge response protocols for postal mail? Phone calls? Why do it with email? :)
Regards,
Simon
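The pre-DATA versus post-DATA distinction discussed in this thread, as an added example that is not part of the original messages: it collects what a receiving server knows before DATA, marks each item trusted or untrusted as the message above does, and shows spam relayed through an unlisted smarthost passing the IP check and being caught only by content scoring. The zone `dnsbl.example`, the listed address, the rules, the threshold and the sample session are all constructed for illustration.

```python
import ipaddress
import re

# Constructed stand-in for a DNSBL zone's contents; no DNS lookups are made.
LISTED = {"198.51.100.7"}
# Hypothetical content rules in the additive scoring style SpamAssassin uses.
RULES = [(re.compile(r"(?i)^subject:.*\bfree\b", re.M), 2.5),
         (re.compile(r"(?i)click here"), 1.5),
         (re.compile(r"(?i)100% guaranteed"), 2.0)]
THRESHOLD = 5.0  # assumed cut-off for this example


def dnsbl_query_name(ip, zone="dnsbl.example"):
    """Name a DNSBL client would look up: reversed IPv4 octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def pre_data_facts(peer_ip, commands):
    """Everything the receiver knows before the client sends DATA."""
    facts = {"peer_ip": (peer_ip, "trusted"), "rcpt": []}
    for line in commands:
        verb, _, arg = line.partition(" ")
        if verb.upper() in ("HELO", "EHLO"):
            facts["helo"] = (arg, "untrusted")
        elif line.upper().startswith("MAIL FROM:"):
            facts["mail_from"] = (line[10:].strip("<> "), "untrusted")
        elif line.upper().startswith("RCPT TO:"):
            facts["rcpt"].append((line[8:].strip("<> "), "untrusted"))
        elif verb.upper() == "DATA":
            break  # anything after this point costs a full message transfer
    return facts


def content_score(message):
    """Sum the points of every rule that matches the received message."""
    return sum(points for rx, points in RULES if rx.search(message))


def decide(facts, message):
    """Stage 1 uses only the trusted peer IP; stage 2 needs the whole message."""
    if facts["peer_ip"][0] in LISTED:
        return "reject-before-DATA"
    return "spam" if content_score(message) >= THRESHOLD else "ham"


# Constructed session: spam relayed through an unlisted ISP smarthost.
SESSION = ["EHLO smarthost.isp.example", "MAIL FROM:<friend@bank.example>",
           "RCPT TO:<user@example.org>", "DATA"]
SPAM = "Subject: FREE pills\n\nClick here, 100% guaranteed!\n"
HAM = "Subject: meeting\n\nSee you at 3pm.\n"
```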