[LINK] SPAM to my link only address: Fwd: within my wrath of you.

Craig Sanders cas at taz.net.au
Sun Jan 7 09:57:01 AEDT 2007


On Sat, Jan 06, 2007 at 06:40:35PM +1100, Howard Lowndes wrote:
> Craig Sanders wrote:
> >On Sat, Jan 06, 2007 at 05:54:47PM +1100, Howard Lowndes wrote:
> >>I hate to tell you but the Link archive is an open archive, one reason 
> >>why I use:
> >>X-No-Archive: yes
> >>in my mail headers.
> >
> >it makes no difference anyway. munging your address or using
> >X-No-Archive or whatever is completely pointless - your address WILL be
> >harvested by spammers no matter what you do. and once it's harvested
> >once, it will spread to more and more spammer lists.
> 
> No, it's not pointless at all.  It reduces the exposure and hence is all 
> part of an overall spam control plan.

no, it doesn't.

the probability of being harvested is not reduced at all. p still equals
1.0.

at best, it means your address might take a few months to get harvested
rather than a few weeks....but you've been using your address for years.
it has already been harvested many times.

it makes no difference if your address is only harvested by spammers
once or ten times or hundreds of times - your address will still end up
on hundreds or thousands of spammer lists.

it may provide you with some sense of satisfaction, but it doesn't
actually achieve anything. address-munging is a useless ritual as
effective as prayer or waving a dead chicken over your modem. your time
and effort is better spent on improving your anti-spam rules.

i gave up on munging years ago. now the only thing close to that i use
is to create unique addresses (either an alias, or a simple plussed
address like cas+websitename at taz.net.au) when registering with various
web sites. not to block spam, but to make it obvious when a particular
site misuses the personal data i give them.


> > so, it's a waste of time. it's far better to concentrate on blocking
> > and filtering spam.
>
> The trouble is that if you do really aggressive filtering then you
> suddenly find all the borked mail servers out there that belong
> to SMEs - mostly M$ Exchange servers where the HELO record is not
> correctly set and they use the default somewhere.local hostname or
> Win9X machines that don't use domain parts to the HELO clause.  If you
> do filtering on HELO records then that is not only contrary to RFCs
> but has too many false positives.  The other problem is IP addresses
> that are static but still don't have PTR records - come in Comindico.

yes, there are many broken mail servers out there. more generally, every
anti-spam method has false-positives and will block legitimate mail.
that is unavoidable.

it is up to you to decide the point at which your tolerance for
false-positives meets your intolerance for spam and construct your
anti-spam rules accordingly. that's different for every person, and
every organisation.

whatever your decision, though, you will never get 0% false-positives,
nor will you ever get 100% spam blocking. you can get very close (i do),
but there is always the risk of both FPs and false negatives (undetected
spam).


(and for those who can't do their own anti-spam stuff, their best bet
is to use one of the anti-spam mail services, like fastmail.fm. trouble
is that while they have some scope for individual customisation, you're
largely dependent on someone else's decisions about anti-spam rules.
that would be unacceptable for me, but is a lot better than nothing for
the unskilled).


> I had a go the other day about the need for persons/orgs operating
> computers to have the same legal requirement to ensure that they
> use a serviceable computer as they are required to ensure that they
> use a serviceable vehicle, and that computer should be subject to a
> routine inspection.  Controversial - yes, but just as a vehicle has
> the potential to cause injury to persons or damage to property, so
> computers have the potential to cause damage to the economy.  One
> prediction for 2007 is a major DDoS on a stock exchange.

yes, i've made similar arguments over the years - IIRC, using the car
roadworthiness analogy like you and also an analogy about leaving a
loaded gun in the back seat of a car. negligence is negligence and the
law doesn't admit ignorance as an excuse.



> >there's NOTHING you can do to prevent your address from being harvested.
> >even addresses that have never been used, not even once, can end up
> >in spammer lists because spammers use dictionary attacks (and similar
> >methods - e.g. randomly combining known-good localparts (i.e. the bit
> >before the @ symbol) with random domains) to compile lists of *possible*
> >addresses. unless your address looks like line-noise, it will eventually
> >be discovered this way.
> >
> >and once your address is in a spam list, it will never, ever be removed.
> >it will just keep on being added to more (e.g. my mail server is still
> >rejecting spam for addresses that didn't exist 10 years ago, still don't
> >exist now, and never have existed....they were added to a spam list by a
> >vengeful spammer, and must have now spread to pretty nearly every spam
> >list out there)
> 
> Don't be defeatist - fight back.

i do. my postfix rules block over 99% of the spam attempting to get into
my system, and i detect and tag all but a handful of the rest with
spamassassin.

e.g. a recent week had 103398 spam rejected by postfix. a further 145
spams were detected by spamassassin, tagged, and filtered to my spam
quarantine mailbox (and used to construct or refine my anti-spam rules).
1271 legitimate messages were delivered.

Percentages:
spam ratio      (103543/104814) 98.79%
tagged messages (145/1416) 10.24%
rejected spam   (103398/103543) 99.86%

of those 1271, there were probably a few (anything up to 4 or 5) that were
false-negatives (undetected spam).  that's not bad compared to the >100,000
spams that would have flooded my mailboxes otherwise.

i don't see that as being in the slightest bit defeatist. i just know
where to concentrate my efforts for best results.


craig

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)
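
Added example (not part of the original message): one way to act on the plussed-address idea above, by checking quarantined mail for per-site addresses that now receive mail from someone other than the site they were given to. The mailbox user@example.org, the tag-to-site table and the sample messages are constructed placeholders.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

MAILBOX = ("user", "example.org")  # assumption: placeholder mailbox
# assumption: tag -> the only site that was ever given user+tag@example.org
REGISTERED = {"shop": "shop.example", "forum": "forum.example"}

def site_tag(address):
    """Return the +tag of a plussed address for MAILBOX, else None."""
    local, _, domain = address.rpartition("@")
    base, _, tag = local.partition("+")
    if (base.lower(), domain.lower()) != MAILBOX or not tag:
        return None
    return tag.lower()

def addresses(msg, *headers):
    """All addresses found in the named headers of a parsed message."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [addr for _name, addr in getaddresses(values)]

def leaked_tags(raw_messages):
    """Count messages per tag whose sender is not the site holding that tag."""
    leaks = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        senders = {a.rpartition("@")[2].lower() for a in addresses(msg, "From")}
        # A set, so a tag seen in both Delivered-To and To counts once.
        tags = {site_tag(a) for a in addresses(msg, "Delivered-To", "To")}
        for tag in tags & set(REGISTERED):
            site = REGISTERED[tag]
            # From is forgeable: a mismatch is an indicator, not proof.
            if not any(d == site or d.endswith("." + site) for d in senders):
                leaks[tag] += 1
    return leaks

# Constructed sample messages (headers only matter here).
SAMPLE = [
    "From: news@mail.shop.example\nTo: user+shop@example.org\n\nreceipt\n",
    "From: deals@bulk.example\nDelivered-To: user+shop@example.org\n"
    "To: user+shop@example.org\n\nspam\n",
    "From: win@lotto.example\nTo: user+shop@example.org\n\nspam\n",
    "From: a@b.example\nTo: User+Forum@example.org\n\nspam\n",
    "From: c@d.example\nTo: user@example.org\n\nuntagged\n",
]

if __name__ == "__main__":
    for tag, count in leaked_tags(SAMPLE).most_common():
        print(f"{tag}: {count} message(s) from outside {REGISTERED[tag]}")
```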


