Note to Mail Server Admins: Spammers Lie!

This post is not going to contain any original insights into the spam problem, but I need to vent a bit. And, as the title suggests, apparently the news still hasn’t reached all the people it needs to reach, so maybe it won’t hurt to repeat it again.

So yesterday, as happens every couple of months, a spammer somewhere in Pakistan decided to randomly pick the domain as the fake ‘from’ address for his various unsavoury commercial offerings. Which means, of course, that I get a few hundred bounces from well-meaning but naive mailservers, configured by well-meaning but naive admins.

Hello everybody: spammers lie! Their pills don’t work, their stock tips are scams, they won’t deposit several million dollars into your bank account if you just let them use your account number for a couple of days, and their return addresses aren’t valid. If you have determined that a given e-mail is probably spam, then sending anything to the ‘from’ or ‘reply-to’ address is just about the least useful thing you could do. It makes you a part of the problem, not the solution. By sending an automated response to that address, you are allowing the spammer to use your server to effectively spam me. I get plenty of spam myself, but SpamAssassin deals with that pretty well; the bounce messages are a bigger problem.

In a world where e-mail to a non-existent username is a lot more likely to be spam or a virus than an innocent typo, sending reply messages to such mail should be condemned as bad netiquette. Either accept all mail for your domain and swallow the spam silently, or set up your system so that it rejects unknown recipients with an error during the SMTP exchange itself: a permanent 5xx reply at RCPT TO leaves the job of informing the sender to the machine that connected to you, so a forged ‘from’ address never hears from your server at all (and a spambot simply ignores the error). And never, ever send any kind of response to a message which your filter software has already identified as being probable spam.

And then, of course, there are the ‘callback’ or challenge-response systems, which send an automated response to every mail they receive from an unknown sender, asking the sender to click on a link or in some other way prove that they are a real person. This also means that they send out one harassing message to an innocent third party for every spam message they receive with a forged sender address, thus effectively becoming a spammer themselves.
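As an added illustration (this is not code from the original post and models no particular MTA), the following Python simulates the decisions an inbound mail server makes at RCPT TO and at the end of DATA under the policies discussed in the two paragraphs above: the ‘accept everything, then bounce’ behaviour that produces the backscatter, the two recommended alternatives (reject inside the SMTP exchange, or accept and discard), and a challenge-response system. The domain, user list, spam threshold and the sample transaction are all constructed.

```python
# Added example, not code from the original post: a minimal model of the
# decisions an inbound MTA makes at RCPT TO and at end of DATA.  The domain,
# user list, spam threshold and the sample transaction are all constructed.
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAIN = "example.com"        # assumption: the domain this server hosts
LOCAL_USERS = {"alice", "bob"}      # assumption: the only valid mailboxes
SPAM_THRESHOLD = 5.0                # assumption: SpamAssassin-style cut-off


@dataclass
class Result:
    replies: List[str] = field(default_factory=list)  # SMTP replies sent to the client
    delivered: bool = False                           # message reached a local mailbox
    message_to_sender: Optional[str] = None           # address we generated mail to (DSN or challenge)


def is_local_user(address: str) -> bool:
    """True if the address is a mailbox we actually host."""
    local, _, domain = address.strip("<>").rpartition("@")
    return domain.lower() == LOCAL_DOMAIN and local.lower() in LOCAL_USERS


def receive(envelope_from: str, rcpt: str, spam_score: float, policy: str) -> Result:
    """Simulate one SMTP transaction (MAIL FROM, RCPT TO, DATA) under one policy.

    'legacy'    accept at RCPT TO, decide later, and bounce unknown users or
                spam to the envelope sender: the backscatter the post describes.
    'reject'    answer with a permanent 5xx inside the SMTP exchange, so the
                connected MTA, not this one, must tell its sender.
    'discard'   accept, then silently drop unknown users and spam.
    'challenge' accept, hold, and mail a challenge to the envelope sender
                (simplified: every message is challenged).
    """
    r = Result()
    r.replies.append("250 2.1.0 OK")          # MAIL FROM is always accepted here
    sender = envelope_from.strip("<>")

    if policy == "reject":
        if not is_local_user(rcpt):
            r.replies.append("550 5.1.1 <%s>: Recipient address rejected: User unknown"
                             % rcpt.strip("<>"))
            return r                           # transaction over; we send nothing to anyone
        r.replies.append("250 2.1.5 OK")
        if spam_score >= SPAM_THRESHOLD:
            r.replies.append("550 5.7.1 Message rejected as spam")
            return r
        r.replies.append("250 2.0.0 OK: queued")
        r.delivered = True
        return r

    # The other three policies accept at RCPT TO and at end of DATA.
    r.replies.extend(["250 2.1.5 OK", "250 2.0.0 OK: queued"])

    if policy == "challenge":
        # Whatever the client put in MAIL FROM now gets a message from us.
        # With a forged sender that is an innocent third party.
        if sender:
            r.message_to_sender = sender
        return r                               # delivery waits for a reply that never comes

    unwanted = not is_local_user(rcpt) or spam_score >= SPAM_THRESHOLD
    if not unwanted:
        r.delivered = True
    elif policy == "legacy" and sender:
        # A DSN to an address the spammer chose. (RFC 5321 does at least
        # forbid generating a bounce to the null sender "<>".)
        r.message_to_sender = sender
    # 'discard': unwanted mail is logged and dropped here; nothing else is sent.
    return r


if __name__ == "__main__":
    # Constructed spam transaction: forged sender at a third party's domain,
    # non-existent recipient in our domain, well over the spam threshold.
    forged = "<victim@thirdparty.example>"
    for policy in ("legacy", "reject", "discard", "challenge"):
        res = receive(forged, "<xk7q@example.com>", 9.2, policy)
        print("%-9s last reply: %-60s mail to sender: %s"
              % (policy, res.replies[-1], res.message_to_sender))
```

Run it and only the ‘legacy’ and ‘challenge’ policies put a message into the forged sender's mailbox. With ‘reject’ the 5xx reply is the error message; what happens next is the connecting client's problem, and a spambot just moves on. ‘discard’ is the quietest option but also the most unforgiving: if a legitimate message crosses the threshold, neither side is ever told, which is why the post's recommendation is to reject during the exchange wherever you can and only swallow silently where you must.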

In other spam news, and related to my previous post: it turns out that some of my own legitimate mail is not being received because it is being identified as spam by over-eager filters. Why? Because my ADSL account, with a server running 24*7 on a fixed IP address, is listed as a dial-up in some blacklists. Now, I can kind of see the logic behind that — after all, blocking dial-up users is probably fairly successful in getting rid of a lot of spam from botnets. But there’s a baby in the bathwater: a lot of technically savvy people like to run their own mailserver, ironically often with spam filtering as an important motive. As I once tried to explain to my previous employer: are these really the people whose job applications you want to block? There are much better ways of spam filtering, which don’t yield so many false positives. Please don’t do it.