Hall of Shame

Here are some examples of widely-used anti-spam measures that are really bad ideas.


SMTP Phase: pre-DATA
CPU Use: low
Memory Use: low
False Positives: high
Maintenance: low
Effectiveness: low

DNS-RBLs

DNS-RBLs - Domain Name System Realtime Black Lists. In theory the idea is fine. You have a set of sites that you blacklist, and you want to let other folks use the same list so you distribute it using DNS, which is a nice efficient de-centralized database. What's not to like?

Well, I don't know why, but in practice every single DNS-RBL eventually comes under the control of power-hungry weenies. They start listing sites unreliably, and if you complain you find yourself listed. And there's usually no way to get off the list.

A lot of people tell me I'm wrong about this. They say that certain DNS-RBLs are ok, with objective criteria for inclusion and simple procedures for getting off the list. The thing is, they give conflicting recommendations for which lists are good and which are bad. Some of these folks recommend lists which I know from personal experience are bad.

This problem is really inherent in the way DNS-RBLs are set up. You cede control of your mail system to a third party, with no real possibility of checking how they are doing. The people running the lists get overwhelmed with bogus feedback from spammers and/or idiots, to the point where they assume all their mail about the lists is from spammers and/or idiots.

If the lists you use have not yet descended into corruption and chaos, consider yourself temporarily lucky.

Do not use DNS-RBLs.


SMTP Phase: post-DATA
CPU Use: low
Memory Use: low
False Positives: high
Maintenance: low
Effectiveness: low

Challenge-Response

A challenge-response system intercepts mail from senders that have not been seen before, saves it in a quarantine area, and sends back an automated message asking the sender if he really sent the mail. These systems suck for a wide variety of reasons. They are annoying to legitimate senders, many of whom (myself included) will simply ignore the challenge and let the mail go undelivered. Also, since spammers always forge the sender address, the challenge message for spam will always go to someone who didn't send it, annoying them too. And since the more clever spammers use forged sender addresses that are likely to be known to the recipient, and therefore are likely to be in the database of verified senders, these systems don't even work very well, which annoys the recipient. In fact the only people guaranteed to never be annoyed by challenge-response systems are the spammers.
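The failure modes described above show up in a small model of such a filter. This is an added example, not code from the original page; the Mail record, the function names and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mail:
    sender: str       # address the message claims to be from (forgeable)
    true_origin: str  # who really sent it; the filter cannot see this
    spam: bool

def challenge_response(mails, verified):
    """Hypothetical model of a challenge-response filter.

    Mail from a verified sender is delivered. Anything else is quarantined
    and a challenge goes to the claimed sender address.
    Returns (delivered, quarantined, challenges).
    """
    delivered, quarantined, challenges = [], [], []
    for m in mails:
        if m.sender in verified:
            delivered.append(m)
        else:
            quarantined.append(m)
            challenges.append((m.sender, m))
    return delivered, quarantined, challenges

def summarize(mails, verified):
    """Count the three outcomes the text complains about."""
    delivered, quarantined, challenges = challenge_response(mails, verified)
    return {
        # spam that got through because its forged sender was already verified
        "spam_delivered": sum(m.spam for m in delivered),
        # legitimate mail held until the sender bothers to answer a challenge
        "ham_quarantined": sum(not m.spam for m in quarantined),
        # challenges sent to people who never wrote the message
        "misdirected_challenges": sum(a != m.true_origin for a, m in challenges),
    }

# Constructed sample traffic: one verified correspondent, four messages.
VERIFIED = {"alice@example.org"}
SAMPLE = [
    Mail("alice@example.org", "alice@example.org", False),  # known sender
    Mail("bob@example.net", "bob@example.net", False),      # new legitimate sender
    Mail("carol@example.com", "spammer", True),             # forged stranger
    Mail("alice@example.org", "spammer", True),             # forged known sender
]

if __name__ == "__main__":
    print(summarize(SAMPLE, VERIFIED))
```
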

Do not use challenge-response systems.


SMTP Phase: post-DATA
CPU Use: high
Memory Use: unknown
False Positives: high
Maintenance: high
Effectiveness: unknown

AOL

A friend recently got a bounce message from AOL. The mail he was trying to send was a monthly report on web site activity. The report contained URLs, of course. Some of the URLs had numeric IP addresses instead of hostnames; nothing too unusual about that, for instance if you look at a cached page on Google you get a numeric URL. But AOL refused the mail, saying:

One or more URLs in your message contain an IP address in place of a domain name.

That's right, if you have even a single numeric IP address in your mail, you cannot send it to AOL. This wasn't even an HTML message, it was just plain text.

You can see AOL's full list of email errors here: http://postmaster.info.aol.com/errors/. It makes amusing reading. I guess they think they are big enough that they can just define their own internet standards, and everyone else will adapt to them. Well, no.