Jared Johnson wrote:
Hi,
The product I've been working with allows th user to set Rejection and
Deletion thresholds, at which a message identified as spam will be
rejected with "550 - Message is Spam" etc., or accepted with "250 OK"
but dropped on the floor, respectively. Historically it has been
believed that if we have a high enough confidence that a message is
spam, it is adventageous to pretend we have accepted the message in
order to avoid allowing spammers to know whether their methods are
working. I have not verified anywhere that this practice really does
have a negative impact on spammers. This would especially be
invalidated if most of the rest of the spam filtering world does not
make use of 'delete' and simply issues rejections -- in that case, if
the spammers don't get the information from me, they'll get it from
the next guy.
I do know that having a delete threshold occasionally causes false
positives to go undetected by end users. That is a bit of a
disadvantage. The suggestion has also been raised that claiming to
accept spam rather than rejecting it might invite spammers to send
more spam your way.
Does anyone have any knowledge or opinions on these matters? Does
pretending to accept a message contribute to the "fight against" spam
in some way? Or does it invite more spam? Is it worth it?
I don't think you should care, because different spammers act
differently, and they can also change their behaviour. here are few points.
- if the user discards mail, it's the user problem. (no RFC can force a
user to read any mail).
- to avoid backscatter, you can only reject during the smtp transaction
on the edge of your network (when receiving mail from "strangers". if
you receive mail from a relay of yours, it's too late)
- rejecting based on the envelope (before reciving DATA) is generally
better since you don't have to receive the message. if you read the
message, then reject is not necessarily better than discard/quarantine.
- some clients will try to resend if you reject. here is an example:
May 24 00:02:42 victim postfix/smtpd[24555]: NOQUEUE: reject: RCPT from
unknown[88.244.89.158]: 554 5.7.1 <[88.244.89.158]>: Helo command
rejected: Literal IP Helo is no more accepted because of spam;
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
proto=ESMTP helo=<[88.244.89.158]>
May 24 00:03:22 vicim postfix/smtpd[24555]: NOQUEUE: reject: RCPT from
unknown[88.244.89.158]: 554 5.7.1 <[88.244.89.158]>: Helo commmand
rejected: Literal IP Helo is no more accepted because of spam;
from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP
helo=<[88.244.89.158]>
...
I don't know whether they retry if the first spam was accepted. here,
they retried the same recipient by changing the sender address.
sometimes, they change the helo name. sometimes they retry with the same
envelope...etc.
- if you discard, you must make sure to never discard legitimate mail.
- if unsure, you can provide a "quarantine" (Junk folder being one
example). however, a quarantine full of junk is generally equivalent to
discard (except maybe for the ability to save an FP if the user is made
aware of it via other means).
