Don Marti

Sun 17 Apr 2005 08:33:51 PM PDT

Principles for spam fighting

In our zeal to "fight spam" it's important not to permanently ruin the character of the net's mail system as we know it. When all the merchants on a street put steel shutters on their windows, crime actually goes up. Why? Because steel shutters create the impression of an "unsafe" street, people don't go there unless they have to and don't linger if they do, and legitimate foot traffic is the best deterrent to crime. Don't make shortsighted anti-spam decisions that will just make the problem worse.

Principle 1: No filtering is perfect. Make filtered-out "spam" available to the user somehow. This doesn't mean just put a header on it and let the user's mailer handle it; if you have POP or IMAP mail ysers, maybe put mail tagged as spam into a separate mailbox, so that users woudn't have to waste their precious bandwidth downloading it. But users should always have an emergency override to get at false positives.

Principle 2: Do not auto-report based on heuristics. Auto-report only (1) mail that a human has confirmed to be spam or (2) incoming mail to a clearly identified spamtrap address. If Vipul's Razor users wanted their mail filtered based on SpamAssassin heuristics, guess what--they could run SpamAssassin too.

Principle 3: Don't block open relays based on automated tests. It might look like an open relay to your script but have its own abuse prevention policy you don't understand. Filter mail from open relays only if they're actually relaying spam.

Principle 4: Don't auto-challenge new correspondents with a "reply with HAIL_THE_MIGHTY_SPAM_FIGHTER in the headers to get through to me" message. It's arrogant, probably doesn't work all that well, and is the kind of thing where one mistake can cause a deadly mail challenge storm.

Principle 5: Just hitting delete on questionable mails can never make you look stupid. Many spam-fighting tools can.

Principle 6: Don't make the Internet an ugly, suspicious place by hiding from spam. But you've heard that from me already.