[BBLISA] State of spam filtering?

[Tom Metro]

Steven M Jones wrote:
> For home I use SA, Spamhaus' Zen RBL, and a greylisting milter with 
> sendmail as the underlying MTA. Works pretty darned well.

I imagine that the already small population of geeky people who ran mail
servers for personal use has gotten even smaller. It used to be the best
reason to run your own server was to retain control and have mail
received at a domain you control. Over the last decade spam has gotten
worse (or at least leveled off from a significant volume), while mail
hosting has gotten a bit better and cheaper. Now you can find lots of
providers that do an OK job hosting a domain you control for little
money, if not free. Unless you have some specialized needs, it is hard
to justify the effort to keep up with spam filtering tech.

One remaining use case for self-hosting is privacy. Any time you
outsource your data to the cloud, you're relying on people you don't
know to implement security, and resist social engineering exploits.
Plus, recent court cases have suggested that in some cases the
government can consider mail stored in the cloud as abandoned if it has
been read and is more than 90 days old, and thereby access it without a
warrant or notice. (I don't have the link to the article handy, but I'm
sure someone can dig it up.)

So it could still be valuable to have a self-hosted server to receive
financial correspondence and to use as an email contact on the countless
services that will gladly reveal your password (or reset it) for anyone
who can receive (or intercept) your email.

Has anyone tried implementing a home mail setup that forgoes all the
spam filtering and simply limits access to a manually controlled
whitelist of clients?

Obviously the challenge is determining who a client is, with IP address,
as guided by SPF, being the likely choice. Though what about clients
that don't use SPF?

The very type of senders you'll want to receive mail from, like large
banks, are notoriously bad at making use of "new" tech, like SPF. (They
even have a tendency to outsource their mail to 3rd parties that send it
using the provider's servers and domains. Great way to train your
customers to ignore important signs that a message might be a phishing
attempt.)

Is it time for SMTP 2.0? (That's a metaphorical 2.0.)

I used to scoff at the impracticality of the various schemes proposed in
the 1990's to secure SMTP with PKI and other similar tech. What good
does knowing who a sender is if you don't know whether that sender is
someone you want to hear from or a spammer? And email was often used as
a point of first contact, where putting up barriers between you and the
sender would defeat the purpose.

But in a more constrained and controlled environment where you've
accepted that your mail server doesn't open its door to any and all
senders, does it makes sense to have some sort of "SMTP 2.0" protocol
and only speak to senders that use SMTP 2.0? (Practically speaking there
would be a long transition period, so you'd have to use some sort of
whitelisting scheme in parallel.)

Even if SMTP 2.0 was widely adopted, this would likely mean refusing
mail from sites like gmail.com that send massive amounts of mail on
behalf of third parties, with a whitelist to permit only specific
senders from gmail.com.


John Miller wrote:
> Any new shared-hash solutions like Razor?

I'm curious about that as well, but I don't think the cost/benefit is
there. It takes enough effort to implement such a system that it won't
be widely adopted unless there is a substantial upside. The same could
be said for "SMTP 2.0."

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/