Thursday, September 21, 2006

Spam: blacklists are back, and the war may be turning

I didn't expect to have anything good to say about the spam wars after my recent Gmail meltdown. Surprise.

It began when I finally accepted that Google is a set of adaptive algorithms rather than a traditional corporation. That meant I could sit back and rethink things. Google was malfunctioning because I had redirected an unfiltered mailstream at Gmail, and Google seems to be effectively doing something I'd asked for years ago: selective filtering based on the managed reputation of an authenticated sending service. In this case Google was treating the 'sending service' as my redirector (which I don't think authenticates), rather than the distal source of the email. That meant acquired a reputation, from Google's perspective, as a really bad place.

Well, I can't be too mad if they're doing what I'd long urged everyone to do. It would have been nice if I'd known about it earlier, but them's the breaks. Don't do redirection to Gmail and expect it to like you for long.

So I turned off all the redirects, forwarded from Gmail to my ISP (VISI), flowed and to VISI's Postini service, and finally dropped all my email lists. Lists are very 20th century, this is the age of subscription/notification (Atom/RSS). Good-bye lists. The world calmed down.

With all the lists gone, and postini churning away, it was interesting to see what spam got through. Lots of political solicitations (Note to dems: you can get my money again when you stop spamming me) and various incredibly annoying newsletters. What they all had in common was that the domains were real. Yes, spam with persistent, verifiable domains.

Some had unsubscribe links and some of those even worked -- though my experience with the political spam is that one's email gets back on their lists shortly after it's removed (recycled by the trading of addresses), just as in the world of physical junk mail. No matter, because with persistent and verifiable domains, personal blacklists work.

I've blacklisted 9 domains, all of whom have failed multiple unsubscribe attempts, and with postini and these few filters, my spam is gone. (Note Gmail filters will do this easily too).
I have less spam in my inbox than I've had for five years. Wow. Sure my postini spambox has hundreds of entries, but I've reviewed them -- all spam, no false positives.

The war, dare I say, is turning. Next step, once I've verified with spamcop, is going to be to redirect my mailstream through spamcop and back into Gmail, which will then be receiving a "purified" stream. I'm hoping Gmail will "learn" that the domain has been "rehabilitated". Gmail can forward copies to my VISI account, so I'll be back to having a local store of my email as well. Updates to follow.

Update 9/22/06: Spamcop approved my plans and Gmail is back in the loop. This is the current setup:
  • several less used email accounts, including an ancient mindspring account, all forward to
  • my email forwards to my address where the heavy filtering occurs. I
  • my spamcop address forwards to my gmail address, that's where I keep a set of blacklist filters as above
  • my gmail account keeps a copy and forwards to my address
  • I use POP and IMAP on various machines to view and collect email from
So the mail I'm forwarding to Gmail is now cleansed by spamcop, which does a pretty darned good decent job. This also means that is no longer the proximal forwarding account, so what spam there is should count against it. BTW, a good tip for creating a "secret" mailbox like the visi account I use for POP services -- use GRC Passwords to create the username, something like "1E22F67AFD3116925A". That prevents spammers "guessing" the username and putting spam through.

Update 10/4/06: Since my original post, a few updates:
  • spamcop does a decent job, but not quite as good as VISI's postini. I may try moving their spamassassin settings up a notch (default is minimal, spamcop is very domain focused)
  • I added a Gmail filter so that email sent directly to my Gmail address gets a unique tag. Since only spammers and Gmail use that address it helps me quickly identify spam. More importantly, it's safe to mark email sent directly to my Gmail account as spam. If spam gets redirected to my Gmail account I delete it, I don't mark it "as spam". I think if I mark redirected email as spam Gmail assigns a poor reputation to the redirector, which I don't want.
  • I'm now getting about 3-4 spams in my Gmail inbox daily, of which 75% is spam that passed through the spamcop filters. I'll see if I can improve that a bit but it's tolerable.
Update 9/6/09: An updated version of the problem. In the years since I wrote this I've taken Spamcop out of the picture, but a new quirk may have arisen.
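
The direct-versus-redirected rule from the 10/4/06 update, combined with the personal domain blacklist, written out as an added example (not the author's actual Gmail filters). The addresses, domains and label name are constructed placeholders, and matching on the To/Cc headers is an assumption about how the tag filter is set up.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed placeholders, not values from the post.
DIRECT_ADDRESS = "me@gmail.example"      # the address only spammers and the provider use
BLACKLIST = {"campaign.example", "newsletter.example"}  # domains that ignored unsubscribes

def sender_domain(msg):
    """Domain part of the From: header, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def is_blacklisted(domain):
    """Match a listed domain or any of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in BLACKLIST)

def sent_directly(msg):
    """True if the message was addressed to the mailbox itself.
    Server-side forwarding changes the envelope recipient but leaves the
    To:/Cc: headers alone, so redirected mail still shows the original address."""
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(addr.lower() == DIRECT_ADDRESS for _, addr in rcpts)

def triage(raw):
    """Automatic step: tag direct mail, drop blacklisted senders."""
    msg = message_from_string(raw)
    labels = ["direct-to-gmail"] if sent_directly(msg) else []
    action = "delete" if is_blacklisted(sender_domain(msg)) else "inbox"
    return labels, action

def spam_action(raw):
    """Manual step once a message is judged to be spam: report it only if it
    arrived directly, so the report is not counted against the forwarder."""
    return "report-spam" if sent_directly(message_from_string(raw)) else "delete-only"

# Constructed sample messages.
DIRECT = "From: Promo <deals@bulk.example>\nTo: me@gmail.example\nSubject: Offer\n\nhi\n"
FORWARDED_LISTED = ("From: news@lists.campaign.example\nTo: me@isp.example\n"
                    "Subject: Donate\n\nhi\n")
FORWARDED_OTHER = "From: x@junk.example\nTo: ME@isp.example\nSubject: Pills\n\nhi\n"

if __name__ == "__main__":
    for name, raw in [("direct", DIRECT), ("forwarded, listed", FORWARDED_LISTED),
                      ("forwarded, other", FORWARDED_OTHER)]:
        print(name, triage(raw), spam_action(raw))
```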


JGF said...

Hi Brian. Great to hear of a kindred spirit. I checked your blogger profile, but, alas, no blog for me to read.

I added an update on what I do most recently. I only report spam that's sent directly to Gmail, and I identify direct spams through a tag I attach via a Gmail filter.

Unknown said...

After a year and a half does Gmail consider your domain rehabilitated? When you send email from your domain to a Gmail address and you aren't on the recipient's contact list is it automatically considered spam? If you were able to heal your reputation by not forwarding spam, how long did it take?