We currently believe that Greylisting (and its derivatives) together with SPF are the most appropriate techniques to fight the ever-rising tide of SPAM.
The volume of SPAM is rising - rapidly. SPAM increasingly threatens the effectiveness of email as a medium for doing business. Something has to be done.
SPAM and email-based attacks are becoming increasingly sophisticated, but the sheer volume of low-tech SPAM is clogging the arteries of the internet and the inboxes of legitimate users.
There is nothing more annoying and frustrating than to receive a bounce message saying that a mail item - which you did not send - was rejected because it contained a virus or other offensive material. Someone has forged your address. Someone has stolen your identity.
It is estimated that well over 15 billion SPAM messages are sent every day. Some days it feels like they all arrived in our mailboxes!
The problem is finding a cure that is not worse than the disease.
We have reviewed and rejected some potential solutions:
Black lists: We refuse to implement a Black List because we feel it can too easily penalise legitimate mail while doing very little to stop SPAM - your SPAM-clogged mailboxes are witness to the total lack of effectiveness of Black Lists. We were the unwitting victim of a blacklisting which took less than 2 hours to fix when brought to our notice, but took over five years for all the effects to finally disappear; we therefore feel that the implementation, even in major, so-called professional organizations, is not production quality. On its own it is a fatally flawed technique. In combination with other techniques and properly implemented (with constantly refreshed lists) it can add value.
Incoming Mail SPAM Filters: It is not up to us, nor should it be, to decide what constitutes SPAM and what does not. One person's legitimate mail may be another person's SPAM and vice versa. We do not wish to demean the quality of spam-filtering software, but the technology relies on inspection of the mail content. This is a very subjective matter and will inevitably lead to false positives, which is why most such systems place suspected spam in a special folder. You still have to check this material - much of it profoundly offensive. How effective is that? Finally, spam filtering has two other problems: it uses the good guy's resources (high-quality spam filtering is resource intensive), and it does nothing to hurt the bad guys. See Greylisting for an alternative approach.
There is action on both technical and legal fronts.
A number of countries and states have passed legislation providing for increasingly stiff remedies to cope with SPAMmers, but until the problem reaches manageable proportions authorities worldwide will be swamped. How do you stop 500,000+ spammers? Get that number down to a couple of hundred and the authorities stand a fighting chance.
On the technical front the IETF (the group that sets technical standards for the Internet) looked at the problem under the MARID Working Group and failed to come to any consensus. The technical debate was just too fierce. SPF appears to be moving slowly forward as an experimental service, perhaps to be followed by a progressive series of enhancements, each squeezing out more and more email vulnerabilities.
We believe it is reasonable for us to reject mail which we know has forged its origin. It is trivially simple for SPAMmers to use legitimate email addresses to send SPAM. Checks to verify this form of SPAM were historically doomed to failure.
But things are changing.
The Sender Policy Framework (SPF) initiative was started in early 2004 to provide a simple means to verify that mail most likely originated from the real sender. The SPF proposal is now an Internet standard (RFC 7208). We have provided right-hand menu links where you can read more about the SPF initiative.
Having examined SPF, we believe it can play a significant role in reducing SPAM, especially in the case of identity theft (forged mail using your email address), which we know is especially troubling to users. SPF uses only Public Domain technologies.
Google mail and many others have implemented SPF. Microsoft's alternate proposal SenderID has now been synchronised with SPF. With this kind of commitment and the ~1m domains that have registered their use of SPF (as of mid-October 2005) we believe the SPF initiative can be effective and has industry traction.
We support the SPF initiative as a first step to making SPAM a manageable problem.
We request your help in supporting both our own and industry-wide initiatives to help reduce SPAM. We cannot promise these measures will stop SPAM; we cannot even estimate how effective these measures will be in reducing SPAM. We promise only two things:
We will in all cases be the 'guinea-pigs' and experiment on our own domains first.
If we do nothing - the problem will simply get worse.