Re: [Ietf-dkim] What makes this posting different from the original posting?

2023-09-01 Thread Laura Atkins


> On 1 Sep 2023, at 03:49, Grant Taylor wrote:
> 
> On 8/31/23 8:02 PM, Bron Gondwana wrote:
>> The classic case was that spam about V*gra was very common, but blocking 
>> that word in every anti-spam filter would create something that was really 
>> not fit for purpose for Pfizer to use for their email system.  The sender 
>> and recipient really make a difference about what is spam - and as the 
>> sender you don't know who the end recipient is, because there are plenty of 
>> recipients.
> 
> I've seen -- what I consider to be -- too many systems -- read more than zero 
> -- that apply some amount of spam filtering to inbound messages and no spam 
> filtering on outbound messages.

You don’t know that they don’t do spam filtering on outbound messages. You don’t 
see what they catch and don’t send. What you do see is when that spam filtering 
fails.

> I've also seen many of these systems wonder why they ended up black listed 
> when an account was compromised and someone was sending spam through said 
> system.
> 
> I feel like there should be basic spam filtering on outbound messages. Even 
> if it's as simple as logistical checks; making sure the from makes sense, 
> probably running the message through something like a default configuration 
> of SpamAssassin (without Bayes), and probably through something like ClamAV.  
> Just basic sanity checking on messages.

Many ESPs are doing that, and doing blocklist checking on URLs. But all it 
takes is for one message to slip through and be amplified.

> Dare I say, I'd add SPF between the MSA and MTA.

I don’t understand how this is going to address the problem.

> Things to prevent blatant spam / viruses much closer to the -- likely to be 
> authenticated -- sender.
> 
> I'll say it this way, if there's a 90% chance that your inbound system would 
> block it, then why should your outbound system send it?

As Bron said: the inbound system has a lot more information about the mail than 
the outbound system. I’ll also point out that if it’s one-to-one or one-to-few 
there are legitimate reasons to send spam. Say, mail to an abuse address 
reporting spam. I’m sure we can agree that MTAs shouldn’t be blocking abuse 
reports, yes? What you’re asking for means a lot of spam reports will be 
blocked (or incomplete). 

>> Fact: recipient spam filter has more information than sender spam filter
>> Result: recipient spam filter can be more restrictive without causing excess 
>> damage.
> 
> Yes, there is different data.
> 
> But there is still data on the sending side that can be used to perform basic 
> checks.

You’re asserting there are no basic checks being done. Do you have any evidence 
other than sometimes mail evades the outbound filters?

>> There's no hypocrisy in recognising the asymmetry, and designing with that 
>> in mind.
> 
> I still think that it's hypocritical to have zero spam filtering on outbound 
> email while having any spam filtering on inbound email.

laura (participating) 

-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog

___
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim


Re: [Ietf-dkim] What makes this posting different from the original posting?

2023-09-01 Thread Grant Taylor

On 9/1/23 3:32 AM, Laura Atkins wrote:
> You don’t know that they don’t do spam filtering on outbound messages. 
> You don’t see what they catch and don’t send. What you do see is when 
> that spam filtering fails.


I do know that a small number of operators don't do any outbound spam 
filtering because it has come up in conversations comparing systems / 
configurations.



> Many ESPs are doing that, and doing blocklist checking on URLs.


I'm glad for the ESP's efforts.

I wish more people would do so.


> But all it takes is for one message to slip through and be amplified.


I'm not talking about the false positives / false negatives.

I'm talking about the lack of any outbound filtering period.  Not what 
slips through said filtering.



> I don’t understand how this is going to address the problem.


It won't solve the problem.  No single thing will solve the problem.

But it's another simple test that can be done between the MSA and the 
MTA to reject things early in the flow.


> As Bron said: the inbound system has a lot more information about the 
> mail than the outbound system.


Having more or less information doesn't have anything to do with acting 
on the information that you do have, especially if it's verifiable and 
reliable.


> I’ll also point out that if it’s one-to-one or one-to-few there 
> are legitimate reasons to send spam. Say, mail to an abuse address 
> reporting spam. I’m sure we can agree that MTAs shouldn’t be 
> blocking abuse reports, yes? What you’re asking for means a lot of 
> spam reports will be blocked (or incomplete).


I'm trusting that's not a "but think of the children" knee jerk response 
along the lines of "we can't filter outbound spam because we want to not 
block spam reports."


There's reasonable basic filtering and then there's deep filtering.

I'm sure that we all know what we need to do in order to get spam 
reports through our respective systems.


1)  Try forwarding spam as a message/rfc822 attachment.
2)  Try forwarding spam headers as a text/rfc822-headers attachment.
3)  Try putting #1 in a zip file.
4)  Try putting #2 in a zip file.
5)  Try password protecting #3.
6)  Try password protecting #4.
...
n)  Ask your postmaster how you are supposed to report spam.

I maintain that basic spam and virus filtering should be done on 
outbound email.


> You’re asserting there are no basic checks being done. Do you have any 
> evidence other than sometimes mail evades the outbound filters?


I have had conversations with multiple small email operators over the 
years that have told me that they only do any spam and virus filtering 
on inbound email and that they do not do any such filtering on outbound 
email.




--
Grant. . . .
unix || die
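
An added example, not part of the original thread or any participant's code: it shows how a basic outbound check of the kind discussed above can leave an abuse report intact when the spam travels as a message/rfc822 attachment (item 1 in the list), while the same spam pasted inline is flagged. The blocklist, addresses, sample spam and the `outbound_basic_check` policy are constructed assumptions, written in Python with the standard `email` package.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample data: a made-up blocklisted host and a made-up spam message.
BLOCKED_HOSTS = {"pills.example.net"}
SPAM_SAMPLE = (b"From: seller@pills.example.net\r\nTo: victim@example.org\r\n"
               b"Subject: cheap pills\r\n\r\n"
               b"Buy now at http://pills.example.net/offer\r\n")
# Parts treated as forwarded evidence rather than the submitter's own words.
EVIDENCE_TYPES = {"message/rfc822", "text/rfc822-headers"}

def _envelope(sender: str, rcpt: str, subject: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    return msg

def build_abuse_report(spam: bytes, reporter: str, abuse_addr: str) -> EmailMessage:
    """Attach the untouched spam as message/rfc822 (item 1 in the list above)."""
    report = _envelope(reporter, abuse_addr, "Spam report")
    report.set_content("Reporting the attached message as spam.")
    report.add_attachment(message_from_bytes(spam, policy=policy.default))
    return report

def build_inline_forward(spam: bytes, reporter: str, abuse_addr: str) -> EmailMessage:
    """Paste the spam into the body, so it looks like the reporter wrote it."""
    fwd = _envelope(reporter, abuse_addr, "Fwd: cheap pills")
    fwd.set_content("Forwarded spam follows:\n" + spam.decode("ascii"))
    return fwd

def own_text(msg: EmailMessage) -> str:
    """Collect text the submitter wrote, skipping attached evidence parts."""
    if msg.get_content_type() in EVIDENCE_TYPES:
        return ""
    if msg.is_multipart():
        return "\n".join(own_text(part) for part in msg.iter_parts())
    return msg.get_content() if msg.get_content_maintype() == "text" else ""

def outbound_basic_check(msg: EmailMessage, auth_domain: str) -> list[str]:
    """Hypothetical MSA-side sanity check: From domain plus URL blocklist."""
    findings = []
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    if from_addr.rpartition("@")[2].lower() != auth_domain.lower():
        findings.append("from-domain-mismatch")
    body = own_text(msg).lower()
    if any(host in body for host in BLOCKED_HOSTS):
        findings.append("blocklisted-url")
    return findings
```

Skipping evidence parts is a policy choice made for this illustration; a virus scanner would normally still inspect every part, attached or not.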



Re: [Ietf-dkim] What makes this posting different from the original posting?

2023-09-01 Thread Laura Atkins


> On 1 Sep 2023, at 18:31, Grant Taylor wrote:
> 
> On 9/1/23 3:32 AM, Laura Atkins wrote:
>> You don’t know that they don’t do spam filtering on outbound messages. You 
>> don’t see what they catch and don’t send. What you do see is when that spam 
>> filtering fails.
> 
> I do know that a small number of operators don't do any outbound spam 
> filtering because it has come up in conversations comparing systems / 
> configurations.

Are those operators being targeted with replay attacks? If they’re not, I don’t 
think this discussion is really relevant to the group.

laura (participating) 



> 
>> Many ESPs are doing that, and doing blocklist checking on URLs.
> 
> I'm glad for the ESP's efforts.
> 
> I wish more people would do so.
> 
>> But all it takes is for one message to slip through and be amplified.
> 
> I'm not talking about the false positives / false negatives.
> 
> I'm talking about the lack of any outbound filtering period.  Not what slips 
> through said filtering.
> 
>> I don’t understand how this is going to address the problem.
> 
> It won't solve the problem.  No single thing will solve the problem.
> 
> But it's another simple test that can be done between the MSA and the MTA to 
> reject things early in the flow.
> 
>> As Bron said: the inbound system has a lot more information about the mail 
>> than the outbound system.
> 
> Having more or less information doesn't have anything to do with acting on 
> the information that you do have, especially if it's verifiable and reliable.
> 
>> I’ll also point out that if it’s one-to-one or one-to-few there are 
>> legitimate reasons to send spam. Say, mail to an abuse address reporting 
>> spam. I’m sure we can agree that MTAs shouldn’t be blocking abuse reports, 
>> yes? What you’re asking for means a lot of spam reports will be blocked (or 
>> incomplete).
> 
> I'm trusting that's not a "but think of the children" knee jerk response 
> along the lines of "we can't filter outbound spam because we want to not 
> block spam reports."
> 
> There's reasonable basic filtering and then there's deep filtering.
> 
> I'm sure that we all know what we need to do in order to get spam reports 
> through our respective systems.
> 
> 1)  Try forwarding spam as a message/rfc822 attachment.
> 2)  Try forwarding spam headers as a text/rfc822-headers attachment.
> 3)  Try putting #1 in a zip file.
> 4)  Try putting #2 in a zip file.
> 5)  Try password protecting #3.
> 6)  Try password protecting #4.
> ...
> n)  Ask your postmaster how you are supposed to report spam.
> 
> I maintain that basic spam and virus filtering should be done on outbound 
> email.
> 
>> You’re asserting there are no basic checks being done. Do you have any 
>> evidence other than sometimes mail evades the outbound filters?
> 
> I have had conversations with multiple small email operators over the years 
> that have told me that they only do any spam and virus filtering on inbound 
> email and that they do not do any such filtering on outbound email.
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 

-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog