Re: Is predictable spam filtering a vulnerability?

[PSE-L () mail professional org (Sean Straw / PSE)]

At 10:44 2004-06-24 -0700, John Fitzgibbon wrote:

> This, IMHO, is a cop-out on the part of the receiving mail administrator.

You're welcome to your opinion.  I don't happen to agree with it.

Many sites employ SpamAssassin and the like to simply FLAG messages and 
pass them along to the intended recipient, who can then employ their own 
filter process within their email client (or with procmail, etc) to do as 
they wish with the messages (which I assure you, doesn't generally involve 
bouncing any NDNs to the apparent sender, and is so far past the SMTP 
transaction that result codes aren't part of the picture).  Unfortunatley, 
those users who don't have shell access generally end up having to DOWNLOAD 
the crap and THEN deal with it.  Speak with users who value their time, and 
you'll find in most cases, they're rather keen on not downloading junk to 
their workstation.

Then there's the least common denominator: the mass-market internet 
consumer user.  The yo-yo using whatever ISP was cheap the day they went 
looking to get online, and end up with usernames ending in numeric 
sequences.  They either hawk over their email, or more commonly, check mail 
about twice a week (if that), and when they're deluged with junk, they 
select a pile of email in their inbox and hit DELETE to get rid of it all, 
figuring that if someone sent them something important, they'll send it 
again, or give them a call.  I'm ashamed to say, I've got relatives who fit 
into this category, and despite frequent reminders, they still do this and 
send out a followup message to everyone in their addressbook saying "I'm 
back online, and just deleted all my mail, so if you sent me something 
important, just send it again."

Reasonably intelligent folk can manage with an archive-and-report mechanism 
just fine.  The rest of the net however, wouldn't know the difference 
anyway.  Most endusers can't comprehend a standard bounce message, and a 
bounce message referring to a DNSBL or any number of other rejection 
reasons really sends some people for a spin as they fail to sort WHO 
refused the mail.

On a good ISP, users on the receiving host NOT wanting to subject their 
email to post-SMTP time mail filtering certainly have the ability to opt in 
or out of such filtering.  So, if the RECIPIENT has opted to silently 
discard (well, archive and report) mail which has been classified as junk, 
why should the sender have to be notified?

Of course, what do I know?  Up till now, I assumed intelligent folk could 
manage to send a reply to a listserv without also sending an unnecessary 
carbon to the original message poster, and if not, at least courteous 
people would pay attention to the sigline making such a request...

> You're telling your clients, "Here's the list of 100's of emails per day that
> we silently ignored on your behalf, now you go figure out if you needed any
> of them".

Er, as versus bouncing messages to the sender, in which case the recipient 
doesn't even KNOW that someone tried to send them anything?  That logic is 
no better.  If the sender knows of no other way to reach the intended 
recipient, how is it that they're supposed to get through?

Does the same logic apply to twit filters?  If someone were on a mailing 
list and BOUNCED messages because of the author of those messages (and yes, 
this does happen), I'd consider that abuse and kick the filtering user -- 
either those messages are bouncing to the admin (who sure as hell doesn't 
need the extra crap), or to the author, who was posting to the LIST, not to 
the individual recipient.

The archive and report approach means that the intended recipient HAS 
CONTROL over their email - if something was misclassified, they can recover 
it from the archive, greenlist the sender, and get on with life.  Compare 
that to someone trying to email them something and getting a bounce and not 
necessarily having any alternate method of establishing contact.

For me, glancing through the report takes barely over a minute each 
morning, and is a *LOT* less aggravating than pouring through some 
mailfolder and finding it peppered with spam.  I personally find that when 
there are false positives, they're worthless junk anyway - mumbling idiots 
on a listserv using an abundance of punctuation in the subject line, HTML 
only email, and a flakey email address, etc, and thus aren't even something 
I'd have elected to read had it shown up in my mailbox to begin with, so I 
spend virtually no time recovering messages from the archive.

> For all the good that does, you may as well just deliver everything
> and let the user sort through their inbox.

The user isn't forced to deal with DOWNLOADING the crap in their regular 
mail stream, and yet they retain control over recovering from false 
positives.  This is a cop out?

This beats the turd out of the moronic "prove you love me" schemes where in 
order to send a message to someone (who may have emailed you directly to 
begin with, so you're actually REPLYING to them), you've got to respond to 
some automated system at their mail server that insists that if you're not 
a spammer, you've got the time to manage THEIR spam problem for them.  Even 
EARTHLINK does this.  I don't bother to waste my time with them - when met 
with a PYLM autoresponder, I just quit corresponding -- invariably, it 
seems to be when I'm wasting my time answering a question someone sent me 
out of the blue anyway.

> A 5xx provides timely feedback to legitimate senders, (without bouncing to
> faked addresses), so that they can find another means to contact the
> receiver.

What on earth do you mean "without bouncing to faked addresses"?  Sure, 
totally bogus addresses won't get bounces (not that the mail system won't 
attempt to deliver them - and I can attest that doing so CAN in fact get 
you blacklisted - yahoo for instance dynamically blocks all mail from your 
server after you've attempted to deliver mail to a sufficient number of 
invalid recipients - not just in ONE message, but a plurality of messages) 
- but Joe-Jobs and other forgeries get FLOODED with bounces for messages 
THEY DID NOT SEND.  As an administrator of several mailing lists, I can 
tell you that getting bounces from A/V systems that send advisories to the 
From: address on messages containing viruses KNOWN to employ forgery is 
rather aggravating.

> Archiving the dropped mail *and* terminating with a 5xx would be a much 
> better approach.

I believe your opinion of how much better this approach is would be 
dramatically different once you've had actual experience cleaning up after 
a joe-job.

Perhaps it'd help if you looked at the archive and report approach from 
another perspective: what if the user received the email but didn't bother 
to open it because the subject/etc looked like spam anyway?  There's 
nothing that says that just because delivery was successful that someone 
will actually READ the email, so why should the user have to download it to 
their system?  If they have ready ACCESS to the messages, it is virtually 
the same as if it was delivered to their mailbox, and as a new user becomes 
more familiar with the archive-and-report mechanism and finds that it 
virtually never has a significant false positive, checking it becomes more 
an issue if you were expecting a message (or received a phone call about 
one) that you didn't see in your inbox.

This is my last post on this topic - while spam is a problem many have an 
interest in dealing with, we've gone *FAR* afield of any security issue 
related to sending or not sending bounces, and there are much better lists 
for discussion of spam fighting techniques.


[big snip]

Bugtraq has a webarchive, so wholesale copies of previous messages seem a 
major waste of bandwidth, esp when you factor the number of recipients on 
this list, each receiving a custom delivered copy of the message.

---
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
 Founding member of the campaign against email bloat.