Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Why silently dropping mail is a bad idea


As someone who is responsible for filtering mail, there are a number of options that we have when it comes to filtering spam.  We can do any of the following:

  • Reject it in SMTP with an error message
  • Quarantine the message to cloud storage
  • Mark it with an x-header so that the user can filter it in their mail client without having to log in to a spam quarantine
  • Modify the subject line and do the same as above
  • Redirect the spam to another alias, such as an admin account (don’t know why you’d do this, but some people do)
  • Silently drop the message

These are not all the options there are, but they are the most common.  Of the ones above, the first five are good ideas.  The last one is a bad idea.
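As an added example (not code from the original post), here is a small Python model of the dispositions listed above, applied to a constructed message with the standard library's email package. The names dispose(), Disposition and is_traceable() are assumptions made for this illustration; the point it makes is that every option except the last leaves either a sender-visible SMTP error or a copy someone can still retrieve.

```python
"""Added example: the filtering dispositions from the list above, applied to a
parsed message, with a record of the trace each one leaves behind."""
import email
from email.message import Message
from email.policy import default
from enum import Enum


class Disposition(Enum):
    REJECT = "reject"            # refuse at SMTP time with a 5xx error
    QUARANTINE = "quarantine"    # accept, store out of band for later review
    TAG_HEADER = "tag_header"    # accept, deliver with an X-header set
    TAG_SUBJECT = "tag_subject"  # accept, deliver with a subject prefix
    REDIRECT = "redirect"        # accept, deliver to an admin alias
    SILENT_DROP = "silent_drop"  # accept, discard, tell no one


# Constructed sample message for the demo; not real traffic.
SAMPLE_MSG = """\
From: alice@example.org
To: bob@example.com
Subject: Come celebrate with us!

Please respond by the 14th so we can add you to our list.
"""


def _parse(raw: str) -> Message:
    return email.message_from_string(raw, policy=default)


def dispose(raw: str, action: Disposition,
            admin_alias: str = "postmaster@example.com") -> dict:
    """Apply one disposition to a message the filter has flagged as spam.

    Returns what the sending MTA sees (the SMTP reply), where a copy ends up
    (if anywhere), and the message as it would be handed on. Quarantine is
    modelled as a flag; a real system would write the copy to storage.
    """
    msg = _parse(raw)
    record = {
        "smtp_reply": "250 2.0.0 OK",  # every action but REJECT accepts the message
        "delivered_to": None,
        "quarantined": False,
        "message": None,
    }
    if action is Disposition.REJECT:
        # The sender's MTA gets the 5xx immediately; nothing is stored here.
        record["smtp_reply"] = "550 5.7.1 Message rejected as spam"
    elif action is Disposition.QUARANTINE:
        record["quarantined"] = True
        record["message"] = msg
    elif action is Disposition.TAG_HEADER:
        tagged = _parse(raw)
        tagged["X-Spam-Flag"] = "YES"  # the user's client can filter on this
        record["delivered_to"] = str(msg["To"])
        record["message"] = tagged
    elif action is Disposition.TAG_SUBJECT:
        tagged = _parse(raw)
        tagged.replace_header("Subject", "[SPAM] " + str(msg["Subject"]))
        record["delivered_to"] = str(msg["To"])
        record["message"] = tagged
    elif action is Disposition.REDIRECT:
        record["delivered_to"] = admin_alias
        record["message"] = msg
    elif action is Disposition.SILENT_DROP:
        pass  # 250 OK to the sender, nothing stored, nothing delivered
    return record


def is_traceable(record: dict) -> bool:
    """True if at least one side can learn what happened: the sender received
    an SMTP error, or a retrievable copy of the message still exists."""
    sender_informed = not record["smtp_reply"].startswith("250")
    copy_exists = record["quarantined"] or record["delivered_to"] is not None
    return sender_informed or copy_exists


if __name__ == "__main__":
    for action in Disposition:
        rec = dispose(SAMPLE_MSG, action)
        print(f"{action.value:12} reply={rec['smtp_reply']!r:40} "
              f"traceable={is_traceable(rec)}")
```

Running it prints one line per disposition; only silent_drop comes out with traceable=False, which is exactly the troubleshooting dead end the post describes.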

Why?

I want you to imagine a situation where you send a snail mail to a friend of yours who is not living close to you.  Suppose you send him (or her) a wedding invitation saying “Come celebrate with us!  Please respond by such-and-such a date so we can add you to our list!”  You send out a bunch of wedding invitations to all of your friends.  You look up their addresses in the phone book (ha, ha, ha, just kidding; I mean the Internet) and write out all of their home addresses, stamp each one and drop them in the mailbox.

Well, weeks go by and you hear back from various people.  Some say they can come, others say they can’t.  Some people don’t respond at all.  Your wedding comes, you have a great time, and you get on with your life.

Until you run into a friend one day who didn’t respond (you forgot to follow up in person because you’re lazy even though the wedding checklists all say you should do this).  “Hey!” you say at the brief encounter.  “Why didn’t you respond to my wedding invite?”

“Huh?” says your friend.  “What wedding invite?”

“The one I sent you in the mail!”

“I didn’t get a wedding invitation from anyone?”

“Sigh,” you sigh.  The Post Office either misdelivered it or it got lost in the mail somewhere.  Yet neither you nor your friend was notified.  For all you know, the mail got there just fine.  For all he knows, you never sent him anything to begin with.  So how would he know to expect it?  Unfortunately, a very important piece of communication went missing and neither sender nor receiver knew that the other had missed anything.

It’s for this reason that silently dropping mail is a bad idea.  Because spam filters are not perfect, they will occasionally generate false positives.  If the mail is rejected in SMTP, the sender knows there is a problem right away and can move to correct it.  If the mail is marked as spam by the receiver’s filter, it is delivered to a quarantine or junk mail folder.  Yes, it might take them a little longer to receive it (who checks their junk folder or quarantine every day? No one, that’s who), but at least they can retrieve it eventually.  The mail is still retrievable.

But if mail is silently dropped, then an important piece of information has gone missing.  Neither the sender nor the receiver knows about it.  What’s the receiver supposed to do?  Ask everyone he knows if they sent him an important mail?  What’s the sender supposed to do?  Follow up with everyone they send mail to and ask “did you get my mail?”  That’s ridiculous.  Because of the risk of accidentally eating important mail that nobody will ever know about (try troubleshooting that problem), silently dropping mail is a bad idea.  Don’t hide behind the false positive SLA; lost mail is lost mail.  One is too many.

Why would anyone even silently drop mail?  I can think of one reason:  You don’t want to store spam.  This eats up server resources and bandwidth; you are storing disk space for junk mail and you want to maximize efficiency.  Well, guess what?  Stop whining!  As of this writing, here is how much free disk space Gmail gives you:

[image: screenshot of the Gmail storage quota]

That’s over 7.6 gigs.  Obviously, Google is not worrying about a lack of disk space for a product that they give away for free (although they are charging advertisers for the privilege of your eyeballs).  Google does throw away spam after 30 days but the key point here is that they do it after 30 days – they give you a chance to review it first.

There isn’t a good reason to do silent drop.  Either tell the sender you are blocking it or tell the receiver.  If you tell no one and toss the message, that’s simply irresponsible.

  • How about backscatter SPAM? That's one of the big problems we get with some customers. I know some products will deal with backscatter like Forefront Protection but others can't.

    I get your point about not just deleting messages, however I'm not sure I agree in some scenarios. We have a customer who has zero tolerance for SPAM; any messages that get through have to have a "special rule" created to block them in future, so the "let the client decide" won't really work there, and in my mind sending back NDRs is irresponsible when it is so simple to fake the sender address..?

  • Backscatter messages are dealt with through a technique (or similar technique) called Bounce Address Tag Validation, or BATV.  It is prone to some FPs, though, which is why you shouldn't drop the mail.
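To make the BATV technique in the reply above concrete, here is an added example (not code from the post or from any product) of a minimal signer and verifier for the prvs= tag layout, prvs=KDDDSSSSSS=localpart@domain, in Python. The HMAC-SHA256 truncated to six hex digits, the seven-day lifetime, the key and the function names are assumptions made for this illustration. It also shows the false-positive case the reply warns about: an honest bounce to an address that was never tagged is indistinguishable from backscatter, so the verifier reports it separately rather than treating it as forged.

```python
"""Added example: Bounce Address Tag Validation (BATV) with prvs= tags.

The envelope sender of outbound mail is rewritten to carry a dated
signature. When a bounce (null sender) comes back, the RCPT TO either
carries a valid tag (we really sent something), a bad tag (backscatter),
or no tag at all (we cannot tell, so quarantine rather than drop)."""
import hashlib
import hmac
import re

KEY_ID = 0
SECRET_KEY = b"constructed-demo-key-not-for-production"  # constructed; use a random secret
LIFETIME_DAYS = 7  # assumed tag lifetime

# prvs=K DDD SSSSSS=original-address (K: key id, DDD: expiry day, SSSSSS: signature)
_PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")


def _sig(expiry_day: int, address: str) -> str:
    """Six hex digits of HMAC-SHA256 over the expiry day and the address."""
    data = f"{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()[:6]


def tag_sender(address: str, today: int) -> str:
    """Rewrite the envelope sender (MAIL FROM) with a dated signature.

    `today` is days since the Unix epoch. Only the last three digits of the
    expiry day are encoded, so the day field wraps every 1000 days."""
    expiry = (today + LIFETIME_DAYS) % 1000
    local, domain = address.rsplit("@", 1)
    return f"prvs={KEY_ID}{expiry:03d}{_sig(expiry, address)}={local}@{domain}"


def check_bounce_recipient(rcpt: str, today: int) -> str:
    """Classify the RCPT TO of an incoming null-sender (bounce) message.

    Returns 'valid', 'expired', 'forged' or 'untagged'. 'untagged' is the
    false-positive hazard: mail sent before BATV was enabled, or through a
    path that does not rewrite the sender, produces legitimate bounces that
    look like backscatter. Quarantine those; do not silently drop them."""
    m = _PRVS_RE.match(rcpt)
    if not m:
        return "untagged"
    key_id, expiry, sig, original = m.groups()
    expected = _sig(int(expiry), original)
    if int(key_id) != KEY_ID or not hmac.compare_digest(sig, expected):
        return "forged"
    # Expiry is modulo 1000; the tag is live if it lies within LIFETIME_DAYS ahead of today.
    if (int(expiry) - today) % 1000 > LIFETIME_DAYS:
        return "expired"
    return "valid"


if __name__ == "__main__":
    today = 19000  # constructed day number for the demo
    tagged = tag_sender("bob@example.com", today)
    print("outbound MAIL FROM:", tagged)
    # Constructed bounce recipients: one real, one stale, one forged, one untagged.
    for rcpt, when in [(tagged, today + 2), (tagged, today + 30),
                       (tagged[:-16] + "deadbe" + tagged[-16 + 6:], today),
                       ("bob@example.com", today)]:
        print(f"{rcpt:45} day {when}: {check_bounce_recipient(rcpt, when)}")
```

Design note: the verifier uses hmac.compare_digest so the signature check does not leak timing information, and the expiry arithmetic is done modulo 1000 so tags keep validating across the day-field wraparound.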

  • It's a tradeoff. What price are you willing to pay for that occasional falsely spam-tagged e-mail? Also, it's no absolutism; scoring systems are meant to help tag e-mail with a spam/ham "probability", matching words and using black/whitelists and RDNSBL systems, tarpitting, optionally greylisting, etc. I personally have no issue with throwing away e-mail with a high spam score when the sender is also on a DNSBL. Also, informing senders means informing spammers. They love to know if that e-mail address is valid or not. Finally, like your analogy, when they sent that invitation by snail mail, it's also no guarantee the receiver will get your invitation; snail mail gets lost all the time, probably more than e-mail :)

  • It's not the space.  It's the fact that someone has to look at those and if you can get rid of messages with a 99.999% accuracy then go for it.

    I seriously doubt that Google delivers all mail to me.  I run a mail server at work and I get a ton of foreign-language-based mail in my spam device.  I also receive really poorly formatted English emails as well.  I receive none of that in my gmail spam folder.  I'm almost positive that if a spam server in China tries to send mail to Google they cut them off before they get a chance.  I do this as well, and by blocking a few hundred IP ranges I've brought my spam down from 45,000 a day to 5,000.

    Just my two cents.
