reject vs. delete

[Jared Johnson <ja...@nmgi.com>]

Hi,

The product I've been working with allows th user to set Rejection and 
Deletion thresholds, at which a message identified as spam will be 
rejected with "550 - Message is Spam" etc., or accepted with "250 OK" 
but dropped on the floor, respectively.  Historically it has been 
believed that if we have a high enough confidence that a message is 
spam, it is adventageous to pretend we have accepted the message in 
order to avoid allowing spammers to know whether their methods are 
working.  I have not verified anywhere that this practice really does 
have a negative impact on spammers.  This would especially be 
invalidated if most of the rest of the spam filtering world does not 
make use of 'delete' and simply issues rejections -- in that case, if 
the spammers don't get the information from me, they'll get it from the 
next guy.

I do know that having a delete threshold occasionally causes false 
positives to go undetected by end users.  That is a bit of a 
disadvantage.  The suggestion has also been raised that claiming to 
accept spam rather than rejecting it might invite spammers to send more 
spam your way.

Does anyone have any knowledge or opinions on these matters?  Does 
pretending to accept a message contribute to the "fight against" spam in 
some way?  Or does it invite more spam?  Is it worth it?

Jared Johnson
Software Developer and Support Engineer
Network Management Group, Inc.
620-664-6000 x118

-- 
Inbound and outbound email scanned for spam and viruses by the

DoubleCheck Email Manager: http://www.doublecheckemail.com

Re: reject vs. delete

[Jari Fredriksson <ja...@iki.fi>]

> 
> Does anyone have any knowledge or opinions on these
> matters?  Does pretending to accept a message contribute
> to the "fight against" spam in some way?  Or does it
> invite more spam?  Is it worth it? 
> 

I accept all spam, and then (for higher spamminess automatically) report them thru SpamCop. If I would not report them, I would reject them at once. No report, no idea to accept spam.

It depends.

For all spam I report, only one or two ISP:s send a message back confirming a kill. So I have no idea if reporting via SpamCop helps in the fight or not.. But that's what I do.

Re: reject vs. delete

[Aaron Wolfe <aa...@gmail.com>]

On Fri, May 23, 2008 at 3:00 PM, Jared Johnson <ja...@nmgi.com> wrote:

> Hi,
>
> The product I've been working with allows th user to set Rejection and
> Deletion thresholds, at which a message identified as spam will be rejected
> with "550 - Message is Spam" etc., or accepted with "250 OK" but dropped on
> the floor, respectively.  Historically it has been believed that if we have
> a high enough confidence that a message is spam, it is adventageous to
> pretend we have accepted the message in order to avoid allowing spammers to
> know whether their methods are working.  I have not verified anywhere that
> this practice really does have a negative impact on spammers.  This would
> especially be invalidated if most of the rest of the spam filtering world
> does not make use of 'delete' and simply issues rejections -- in that case,
> if the spammers don't get the information from me, they'll get it from the
> next guy.
>
> I do know that having a delete threshold occasionally causes false
> positives to go undetected by end users.  That is a bit of a disadvantage.
>  The suggestion has also been raised that claiming to accept spam rather
> than rejecting it might invite spammers to send more spam your way.
>
> Does anyone have any knowledge or opinions on these matters?  Does
> pretending to accept a message contribute to the "fight against" spam in
> some way?  Or does it invite more spam?  Is it worth it?
>


I prefer to follow the spirit if not the letter of the RFCs.  If I am not
going to "take responsibility" for a message, I reject it.

I do accept some things and quarantine them rather than put them into a
user's mailbox, but I never just throw anything away after saying I will
deliver it.

There are plenty of sites that do silently throw away mail, and plenty that
will reject.  unless you are a *really* big site I really don't think
spammers are going to care what you do, if they notice at all.  I'd worry
more about the legitimate users and what happens to their mail in a false
positive situation.

-Aaron



>
> Jared Johnson
> Software Developer and Support Engineer
> Network Management Group, Inc.
> 620-664-6000 x118
>
> --
> Inbound and outbound email scanned for spam and viruses by the
>
> DoubleCheck Email Manager: http://www.doublecheckemail.com
>

Re: reject vs. delete

[mouss <mo...@netoyen.net>]

Jared Johnson wrote:
> Hi,
>
> The product I've been working with allows th user to set Rejection and 
> Deletion thresholds, at which a message identified as spam will be 
> rejected with "550 - Message is Spam" etc., or accepted with "250 OK" 
> but dropped on the floor, respectively.  Historically it has been 
> believed that if we have a high enough confidence that a message is 
> spam, it is adventageous to pretend we have accepted the message in 
> order to avoid allowing spammers to know whether their methods are 
> working.  I have not verified anywhere that this practice really does 
> have a negative impact on spammers.  This would especially be 
> invalidated if most of the rest of the spam filtering world does not 
> make use of 'delete' and simply issues rejections -- in that case, if 
> the spammers don't get the information from me, they'll get it from 
> the next guy.
>
> I do know that having a delete threshold occasionally causes false 
> positives to go undetected by end users.  That is a bit of a 
> disadvantage.  The suggestion has also been raised that claiming to 
> accept spam rather than rejecting it might invite spammers to send 
> more spam your way.
>
> Does anyone have any knowledge or opinions on these matters?  Does 
> pretending to accept a message contribute to the "fight against" spam 
> in some way?  Or does it invite more spam?  Is it worth it?

I don't think you should care, because different spammers act 
differently, and they can also change their behaviour. here are few points.

- if the user discards mail, it's the user problem. (no RFC can force a 
user to read any mail).

- to avoid backscatter, you can only reject during the smtp transaction 
on the edge of your network (when receiving mail from "strangers". if 
you receive mail from a relay of yours, it's too late)

- rejecting based on the envelope (before reciving DATA) is generally 
better since you don't have to receive the message. if you read the 
message, then reject is not necessarily better than discard/quarantine.

- some clients will try to resend if you reject. here is an example:

May 24 00:02:42 victim postfix/smtpd[24555]: NOQUEUE: reject: RCPT from 
unknown[88.244.89.158]: 554 5.7.1 <[88.244.89.158]>: Helo command 
rejected: Literal IP Helo is no more accepted because of spam; 
from=<ak...@banditphoto.com> to=<vi...@example.com> 
proto=ESMTP helo=<[88.244.89.158]>

May 24 00:03:22 vicim postfix/smtpd[24555]: NOQUEUE: reject: RCPT from 
unknown[88.244.89.158]: 554 5.7.1 <[88.244.89.158]>: Helo commmand 
rejected: Literal IP Helo is no more accepted because of spam; 
from=<ak...@sina.net> to=<vi...@example.com> proto=ESMTP 
helo=<[88.244.89.158]>
...

I don't know whether they retry if the first spam was accepted. here, 
they retried the same recipient by changing the sender address. 
sometimes, they change the helo name. sometimes they retry with the same 
envelope...etc.

- if you discard, you must make sure to never discard legitimate mail.

- if unsure, you can provide a "quarantine" (Junk folder being one 
example). however, a quarantine full of junk is generally equivalent to 
discard (except maybe for the ability to save an FP if the user is made 
aware of it via other means).