Terry Zink: Security Talk

Discussing Internet security in (mostly) plain English

Final post on interview with the spam chief


Following on from my previous post commenting on the user interview with Mark Risher of Yahoo, I'd like to respond to a couple more of his answers to users.

Mindy: What are your recommendations for handling blocks due to complaint volume, since FBL requests are not accepted at the moment?

Mark: The FBL, or feedback loop is a way that Yahoo! communicates back with commercial e-mail senders to let them know their messages are being marked as spam by Yahoo! Mail users. One of the most important ways that Yahoo! Mail is able to block spam is by listening to its users.

Yahoo! is the largest webmail system on the planet, and if someone is sending mail our users don’t want to receive, those users let us know.  We recommend commercial e-mail senders ensure they’re sending mail that Yahoo! Mail users want to receive. This means following recommended practices like confirming — and even periodically re-confirming — that users want to be on their mailing lists and proactively removing anyone who doesn’t read their mail.

A feedback loop (FBL) is something that many vendors have set up.  Basically, you tell an email provider what IPs you send email from.  When a user receives a message from one of your outbound IPs and clicks "Report Spam" when it lands in their inbox, the email provider (in this case, Yahoo) takes that spam message and emails it back to you (say, abuse@example.org) as if to say "Your users are sending my users spam."  This way, you can take steps to cut down on your own outbound spam.

The problem with Yahoo is that you can't sign up for their feedback loop unless you sign your outbound mail with DomainKeys.  Personally, I think that is totally unnecessary.  If you know what IPs your outbound mail goes through, that ought to be enough.  There's no reason to also have to sign with DK/DKIM.

Finally, I thought that Yahoo was the largest webmail system on the planet.

Mel: Not really a question but a comment with the hope that Yahoo! will figure out why a lot of postdated spam shows up. For instance, on the 28th I got several spam emails that were dated August 1. Shouldn't these be easy to stop since they obviously aren't legitimate emails? I used to get pre-dated emails, i.e. emails that were dated from the '70's, before the internet came to be. Yahoo! ultimately learned to stop them in their tracks because it's been about a year since I've seen one. Maybe the same can be done for postdated emails. Thanks!

Mark: Hi Mel, I’m glad you asked. With hundreds of different spam attempts every day, we have to prioritize the feature areas we work on.

For this particular spammer, we’ve been throwing 100% of his messages into the spam folder for a long time. Talk about an unabashed spammer; instead of cleaning up his act or giving up the fight, he decided he just wanted to be at the top of the list — the spammiest of the spammers. So he started setting the date way into the future so that people who sort their messages by date would see his garbage first.

While this one is really irritating — and I completely share your frustration — because the messages are in the spam folder, we’ve been focusing our efforts lately on other areas.

I can share Mark's pain here.  Over here in Exchange Hosted Services, we have a backlog of about a dozen features that we want to get to!  Prioritizing them is one of the things that I have to do: I order them by how many times a complaint is escalated to me, and I second-sort on how much additional anti-spam effectiveness the feature will add to our product.

To answer Mel's question, if you get an email dated some time in the future (say, August 30th when today is August 15th) or some time far in the past, it is often indicative of spam.  But not always.  One thing I have long since learned is that even though lots of spammers do things that most legitimate emailers don't do, the key word is most.  There are a lot of mail servers that are misconfigured and have date/time stamps that are not consistent with today's date.  So, blocking outright on this is likely to produce a pile of false positives because you can't count on everyone to do things properly.
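One way to use a bad date as a weighted signal rather than an outright block, as an added example that is not code from this post or from any product it mentions. The thresholds, score weights, function names and sample messages are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Thresholds and weights are assumptions chosen for illustration.
FUTURE_TOLERANCE = timedelta(days=1)   # time-zone mistakes, small clock drift
PAST_TOLERANCE = timedelta(days=7)     # queued or delayed delivery
JUNK_THRESHOLD = 5.0                   # combined score needed to junk a message

# Constructed samples: received 15 August, one dated 30 August, one dated 1970.
RECEIVED_AT = datetime(2008, 8, 15, 12, 0, tzinfo=timezone.utc)
FUTURE_DATED = "From: a@example.org\nDate: Sat, 30 Aug 2008 09:00:00 +0000\n\nhello\n"
EPOCH_DATED = "From: b@example.org\nDate: Thu, 01 Jan 1970 00:00:00 +0000\n\nhello\n"
NO_DATE = "From: c@example.org\n\nhello\n"


def date_skew_score(raw_message, received_at):
    """Return (score, reason) for the Date header relative to the receive time."""
    header = message_from_string(raw_message).get("Date")
    if header is None:
        return 1.0, "missing Date header"
    try:
        sent = parsedate_to_datetime(header)
    except (TypeError, ValueError):
        return 1.0, "unparseable Date header"
    if sent.tzinfo is None:            # "-0000" zone parses as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    skew = sent - received_at
    if skew > FUTURE_TOLERANCE:
        return 2.0, f"dated {skew.days} days in the future"
    if -skew > PAST_TOLERANCE:
        return 1.5, f"dated {(-skew).days} days in the past"
    return 0.0, "date consistent with receive time"


def verdict(raw_message, received_at, other_scores):
    """Add the date signal to the rest of the filter's score; never block on it alone."""
    score, _ = date_skew_score(raw_message, received_at)
    return "junk" if score + other_scores >= JUNK_THRESHOLD else "deliver"


if __name__ == "__main__":
    for name, raw in [("future", FUTURE_DATED), ("1970", EPOCH_DATED), ("none", NO_DATE)]:
        print(name, date_skew_score(raw, RECEIVED_AT), verdict(raw, RECEIVED_AT, 0.5))
```

A future-dated message from an otherwise clean sender is still delivered here; the same date on a message that already scores highly tips it into junk.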

Comments

  • "If you know what IPs your outbound mail goes through, that ought to be enough.  There's no reason to also have to sign with DK/DKIM."

    Consider a scenario of multiple sites sharing the same IP.  With a traditional, IP-based feedback loop, they can't have separate feedback streams.  But if the FBL looks at the sender's authenticated domain to determine where to route the feedback, those can be discrete.

    Similarly, a domain-based FBL means that a sender can get feedback on mail they sent which was forwarded from one account to another, because DomainKeys & DKIM usually survive forwarding.

    A domain-based email universe has some very big, interesting differences from the IP-only viewpoint we've been stuck in for so long....
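The difference between the IP-based feedback loop described in the post and the domain-based routing described in the comment above, as an added example that is not part of the post or of any commenter's text. The registrations, addresses, domains and function names are constructed, and the sketch assumes the receiving mail server has already verified DKIM and recorded the result in an Authentication-Results header.

```python
import re
from email import message_from_string

# Constructed registrations: two senders share one outbound IP (documentation range).
IP_FBL = {"192.0.2.10": "abuse@host-a.example"}   # one IP maps to one address only
DOMAIN_FBL = {"host-a.example": "abuse@host-a.example",
              "host-b.example": "abuse@host-b.example"}

# Constructed messages as the receiver sees them after its own DKIM check.
MAIL_FROM_B = ("Authentication-Results: mx.receiver.example; "
               "dkim=pass header.d=host-b.example\n"
               "From: news@host-b.example\nSubject: offer\n\nhello\n")
UNSIGNED = "From: news@host-b.example\nSubject: offer\n\nhello\n"

DKIM_PASS = re.compile(r"\bdkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)")


def route_by_ip(connecting_ip):
    """IP-based FBL: the complaint goes to whoever registered the connecting IP."""
    return IP_FBL.get(connecting_ip)


def route_by_domain(raw_message):
    """Domain-based FBL: route on the domain of a DKIM signature that verified.

    Assumes the receiver wrote this Authentication-Results header itself and
    removed any copies that arrived with the message.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        match = DKIM_PASS.search(value)
        if match:
            return DOMAIN_FBL.get(match.group(1).lower())
    return None


if __name__ == "__main__":
    # Shared IP: the IP lookup reports host-b's mail to host-a.
    print(route_by_ip("192.0.2.10"), route_by_domain(MAIL_FROM_B))
    # Forwarded mail arrives from an unregistered IP; the signature still routes it.
    print(route_by_ip("198.51.100.7"), route_by_domain(MAIL_FROM_B))
    # No verified signature means no domain-based route.
    print(route_by_domain(UNSIGNED))
```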

  • OK, you have a point there.

  • Does Frontbridge/Exchange Hosted Services have a FBL that postmasters can sign up for, either IP or domain name based?

  • No, we don't.  Our users get emails to their inboxes directly so we don't have a web interface through which we can harvest information and put it in a useable format.  So, mail clients like Exchange, Lotus Notes, Outlook Express, etc, strip important information out of the headers that do not survive forwarding.

  • IPs are interesting, but as @J.D. Falk explains, domains are nice. On top of this, the notion that people are not using DKIM and SPF really frustrates me. Why not use everything we have to prevent malicious messages?

    This is a standard (DKIM). Why doesn't Frontbridge/Exchange Hosted Services support this?

    (Lots to do, but really, CERN (something about hypertext...) managed to put together a C# lib, so implementing a sink should not be that much effort.)

    Once DKIM and SPF are implemented, you could actually claim to be using every weapon in the arsenal to identify mail and the good senders...

    Please go for it!

    regards

    John Jones

    http://www.johnjones.me.uk
