On 20 Sep 2016, at 20:40, Sebastian Nielsen wrote:
I would really suggest using DISCARD instead of "500 This TLD sends spam - get lost.".
Thus the spammer doesn't get to know he got stuck in a spam filter and can update their tools to bypass it.
Note that in this specific case of junk TLDs, the tool (low-cost
domains) is critical to that class of spammer's business model.
DISCARD accepts the mail but throws it into /dev/null
The debate over this theory of spammer behavior has been going on for at
least 20 years and in that time I've never seen convincing evidence that
it is more true than an alternative theory that targets which seem to
accept spam for delivery (i.e. DISCARD) attract more spam because
spammers think they are verified as good targets and peddle their lists
of verified deliverable addresses to each other, expanding the number of
senders aiming at the apparently unfiltered address. If that behavior
dominates, you still get morphing spam making it past content filtering
because you have more variety of senders.
I have very noisy data collected over 15 years in a smallish spam-heavy
domain which suggests that spam sinks (which simply accept and discard
all their mail) and spam traps (which feed all their mail into local
anti-spam measures) both attract more spam over time at a slightly
higher growth rate than aggregate mail or spam for normal addresses in
the same domain, but it's not a dramatic or uniform difference.
Conversely, dead addresses that reject everything tend to get less mail
aimed at them over the long term. In this case, normal users whose mail
is either explicitly rejected in SMTP or delivered to their Inbox make
up the noisiest subset; attempted spam generally gets worse over time
but not always, and delivered spam (false negatives) can go either way.
The main conclusion I've reached from that long-term close examination
of a small sample and shorter, shallower analyses of much larger systems
is that there are no grand universal rules of spam that can apply
everywhere to everyone. No one who gets a significant amount of spam
aimed at them gets exactly the same spam as anyone else. Some spammers
work hard at filter evasion, others do not. Some of those who work very
hard at it do so with chronically and ridiculously poor results, at
least against *some* common filtering strategies. The balance of
competing spammer behavioral theories that form the basis of the REJECT
vs. DISCARD argument is close enough overall to be a matter for
subjective judgment on any particular mail system, but I think that as a
practical matter there are 2 concrete issues that argue for REJECT in
all cases where it isn't a recipe for significant backscatter:
1. No anti-spam measures are perfect. If you accept and discard mail
that your anti-spam measures deem to be spam, then when they get that
judgment wrong and toss out mail you actually would rather have
delivered, it may never be noticed as a technical failure by anyone.
Internet email is consciously designed to notify senders explicitly of
delivery failures, and using DISCARD violates that design.
2. The most effective spam exclusion tactics in a mail system that uses
a "defense in depth" model are ones which can detect spam at or before
the RCPT command(s), allowing the MTA to reject spam it never actually
receives. This spares the MTA from using pointless bandwidth and (more
significantly in most cases) from maintaining a session for typically an
order of magnitude longer than necessary, just to pipe message data to
/dev/null.
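To make the REJECT vs. DISCARD contrast and the "reject at RCPT" point concrete, here is an added configuration example (not from either poster). It assumes the access table is a Postfix check_sender_access map, which the thread does not name but which the "500 ..." reply text and the DISCARD action suggest; the TLD patterns are placeholders.

```conf
# main.cf (added example; Postfix is assumed, not named in the thread)
# With the default smtpd_delay_reject = yes, every restriction here is
# evaluated at RCPT TO, so a REJECT ends the transaction before DATA and
# the message body is never transferred.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    permit

# /etc/postfix/sender_access   (build with: postmap hash:/etc/postfix/sender_access)
# A bare domain label matches that domain and all its subdomains because
# smtpd_access_maps is in parent_domain_matches_subdomains by default,
# so a TLD-only key covers every domain registered under it.
#
# REJECT with an explicit 5xx: the sender is told at RCPT time, bandwidth
# and session time for the body are saved, and a false positive surfaces
# as a bounce the legitimate sender can see.
placeholder-tld-a    REJECT 500 This TLD sends spam - get lost.
#
# DISCARD: the MTA answers 250 after DATA and silently drops the message;
# the optional text is only logged. The sender sees "delivered", and a
# false positive is invisible to everyone.
placeholder-tld-b    DISCARD junk TLD
```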