[BBLISA] State of spam filtering?

Edward Ned Harvey (bblisa4) bblisa4 at nedharvey.com
Tue May 21 09:30:21 EDT 2013


> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> Behalf Of Tom Metro
> 
> Over the last decade spam has gotten
> worse (or at least leveled off from a significant volume), while mail
> hosting has gotten a bit better and cheaper. 

I agree - with either Office365 or Google, you can pay approx $2-$4 per month per person.  Both do a great job of spam filtering.


> Unless you have some specialized needs, it is hard
> to justify the effort to keep up with spam filtering tech.

I noticed the OP was sending from brandeis.edu.  I presume he's hosting tens of thousands of email addresses, for students and staff.  Even with volume and educational discounts, the cost can be significantly high, just because the number of users is so high.  And it all needs to be run on private educational institution funding resources.


> Has anyone tried implementing a home mail setup that forgoes all the
> spam filtering and simply limits access to a manually controlled
> whitelist of clients?

Here's what I do, that I'm extremely pleased with:  I never give out the same address twice, and as soon as I receive any junk on any address, I simply discard that address.  You'll notice my current address on this list is bblisa4, implying three times I've started receiving junk addressed to whatever address I used on this list.

For a larger domain, with individual users, you could implement the same thing on a subdomain level:  anything at eharvey.company.com.  It's unconventional, and there are a bunch of applications that wouldn't support it very well (such as shared calendaring and address lists in an Exchange environment, etc.).

So in general, the world isn't ready for such a solution.  But in both theory, and in practice, it works extremely well.  I wrote an app for my phone, whereby I launch the app, and it will either randomly generate a new alias (proxy address) for me, or I can manually specify one.  And the new address is active within approx 30 seconds.


> Obviously the challenge is determining who a client is, with IP address,
> as guided by SPF, being the likely choice. Though what about clients
> that don't use SPF?

Definitely use SPF.  But it's only one ingredient in an overall solution, because a lot of senders who implement SPF will use a soft ~, or, as mentioned, a lot of senders have no SPF at all.


> What good
> does knowing who a sender is if you don't know whether that sender is
> someone you want to hear from or a spammer? 

Well, for one, it opens the door for prosecution of opt-in laws, and if a person is sending malicious (worm) type messages, they can be tracked down to a source and disabled.  And verifiable identity (or verifiable authenticity or authorization I should say) reduces forgery.

Without being able to "trust" the authenticity / authorization of a claimed sender, you have nothing, and your white lists are ineffective. 
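
The point above about senders publishing a soft `~` or no SPF at all, as an added example that is not part of the original post: a Python sketch that classifies a domain's published SPF policy by its `all` qualifier. The domain names and TXT strings are constructed samples, and treating only `-all` as strong enough to back a whitelist entry is this example's assumption.

```python
# Added example: classify a domain's published SPF policy by its "all" term.
# SAMPLES holds constructed TXT strings, not real DNS data.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

SAMPLES = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "soft.example": ["site-verification=abc", "v=spf1 include:_spf.mail.example ~all"],
    "nospf.example": ["unrelated txt record"],
    "open.example": ["v=spf1 +all"],
    "deleg.example": ["v=spf1 redirect=_spf.mail.example"],
}

def spf_record(txt_records):
    """Return the single SPF record among a domain's TXT strings, or None."""
    found = [t for t in txt_records
             if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(found) > 1:
        # RFC 7208 treats more than one SPF record as a permanent error.
        raise ValueError("multiple SPF records published")
    return found[0] if found else None

def all_policy(txt_records):
    """Result the sender asks for when no earlier mechanism matches."""
    record = spf_record(txt_records)
    if record is None:
        return "none"                      # sender publishes no SPF at all
    terms = [t.lower() for t in record.split()[1:]]
    for term in terms:
        # A missing qualifier means "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qualifier]   # evaluation stops at "all"
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"                  # policy lives in another record
    return "neutral"                       # RFC 7208 default when nothing matches

def backs_whitelist(txt_records):
    """Assumption of this example: only a hard fail (-all) is worth trusting."""
    return all_policy(txt_records) == "fail"

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(f"{domain:16} {all_policy(txt):9} whitelist-worthy={backs_whitelist(txt)}")
```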


