In my previous post, I mused about what it takes to do outbound spam filtering. If customers use us for outbound mail and start relaying spam, it damages our reputation and credibility. Ergo, we need to come up with a solution wherein we don't deliver spam. But the problems are not trivial:
These are the major issues surrounding policy. We're still in the early stages of deciding how to treat outbound spam: we can either implement policies that act on individual spam messages and senders, or we can implement policies that affect the domain and sending IP as a whole.
"What should we do with mail we identify as spam? Quarantine it? Bounce it? Drop it?"
Bounce it. Prepare for complaints, some of which will be well earned, and accept them. Here are reasons for bouncing 100% of the time:
(a) It's a false positive.
(a1) It was an important message, the user needs to know that the message wasn't delivered, and they'll find another way to communicate. Expect the user to swear at you. Accept it. Fix your bugs.
(a2) It wasn't an important message, but it's still better to inform the user than to deceive the user. Expect the user to swear at you. Accept it. Fix your bugs.
(b) It's really spam. The user will get lots of well-earned bounces. They'll discover that they're infected. 90% of the time, expect the user to swear at you. Tell them if they send another spam they'll be TOS'ed. If they send another spam then TOS them.
"Is there an outbound Safe Senders?"
And what about outbound Safe Recipients? I'm hardly a Legal team member, but if spam reaches me then I report it to the administrators of the ISPs that sent it and that serve the spam websites or drop boxes.
My complaints should be bounced by spam-only ISPs who bounce reports of their spams because they correctly detect that their spams are spams, and should not be bounced back to me by my own ISP.
So yes, you have to do different work for outbound spam than for inbound spam. If one sender is sending up to maybe 10 copies of a spam message, it might not be spamming.
How do we actually filter outbound mail? Do we assume it works the same as inbound?
I think there are two options:
no filter for outgoing emails if they come from your internal users and if they signed an antispam charter
otherwise the same inbound filter (more restrictive)
> and if they signed an antispam charter
Unfortunately that's not good enough. A 0-day exploit could still join them to a botnet without their knowledge. Outbound servers still have to count the number and kinds of messages from each user and inform the user if things look suspicious.
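The two comments above (counting copies of one message from a sender, and counting the number and kinds of messages per user on the outbound server) describe a technique without showing it. The following is an added example, not code from the original post or from any of its commenters: it counts, per authenticated user, the recipients and the copies of one message body seen inside a sliding window, and reports the users that cross a limit. The log format, the thresholds and the sample log lines are constructed assumptions for the example; a real MTA log would need its own parser.

```python
"""Per-user outbound counting over a sliding window.

Added example, not code from the original post or its commenters. The log
format, the thresholds and the sample lines below are constructed
assumptions, not a real MTA's format or a recommended policy.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import hashlib
import re

# Assumed log format: ISO timestamp, authenticated sender, recipient count,
# SHA-256 fingerprint of the normalised body.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) rcpts=(?P<rcpts>\d+) body=(?P<body>[0-9a-f]{64})$"
)


def body_fingerprint(body: str) -> str:
    """Hash the body after collapsing whitespace and case, so copies of one
    spam template with cosmetic variations still count as the same body."""
    normalised = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def parse_line(line: str):
    """Return (timestamp, user, recipient_count, body_hash), or None if the
    line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["user"], int(m["rcpts"]), m["body"])


class OutboundCounter:
    """Per-user sliding-window counters. Limits are illustrative only."""

    def __init__(self, window=timedelta(hours=1), max_rcpts=50, max_copies=10):
        self.window = window
        self.max_rcpts = max_rcpts
        self.max_copies = max_copies
        self.events = defaultdict(deque)  # user -> deque of (ts, rcpts, body_hash)

    def observe(self, ts, user, rcpts, body_hash):
        """Record one message; return {tag: value} for every exceeded limit.
        Events for a given user must arrive in time order."""
        q = self.events[user]
        q.append((ts, rcpts, body_hash))
        while q and ts - q[0][0] > self.window:  # evict outside the window
            q.popleft()
        total_rcpts = sum(r for _, r, _ in q)
        copies = sum(1 for _, _, h in q if h == body_hash)
        exceeded = {}
        if total_rcpts > self.max_rcpts:
            exceeded["recipients_in_window"] = total_rcpts
        if copies > self.max_copies:
            exceeded["copies_of_one_body"] = copies
        return exceeded


def analyse(lines, counter=None):
    """Run the counter over log lines; return {user: {tag: peak value}}."""
    counter = counter or OutboundCounter()
    flagged = defaultdict(dict)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip it rather than guess
        user = parsed[1]
        for tag, value in counter.observe(*parsed).items():
            flagged[user][tag] = max(value, flagged[user].get(tag, 0))
    return dict(flagged)


# Constructed sample log: three ordinary users and one compromised one.
SPAM = body_fingerprint("Buy  cheap   PILLS now!!!")
NEWSLETTER = body_fingerprint("Monthly team newsletter")
MEMO = body_fingerprint("lunch at noon?")


def _line(minute, user, rcpts, body_hash, hour=9):
    return f"2007-03-01T{hour:02d}:{minute:02d}:00 user={user} rcpts={rcpts} body={body_hash}"


SAMPLE_LOG = (
    # alice: a few distinct messages, never flagged
    [_line(0, "alice", 1, MEMO), _line(10, "alice", 1, NEWSLETTER), _line(20, "alice", 3, MEMO)]
    # bob: 12 copies of one body to one recipient each, within 24 minutes
    + [_line(2 * i, "bob", 1, SPAM) for i in range(12)]
    # carol: one message to 80 recipients, over the recipient limit at once
    + [_line(30, "carol", 80, NEWSLETTER)]
    # dave: 11 copies of the same body, but two hours apart, so none
    # accumulate inside a one-hour window
    + [_line(0, "dave", 1, SPAM, hour=2 * h) for h in range(11)]
)

if __name__ == "__main__":
    for user, hits in analyse(SAMPLE_LOG).items():
        print(user, hits)
```

Under these assumed limits only bob (too many copies of one body) and carol (too many recipients in the window) are reported; dave shows that a per-window count alone misses a slow sender, which is why the copies-of-one-body check is kept separate from the recipient total. Whatever is flagged still needs the step the comment asks for: informing the user, not silently dropping their mail.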