OT Re: [Nottingham] Re: Tux Games mail is still unread

Michael Simms michael at tuxgames.com
Tue May 25 19:01:05 BST 2004


On Tue, 2004-05-25 at 18:16, Martin wrote:
> Simon Huggins wrote:
> >>If one of my friends gets hit by a virus and their address book is
> >>raided, then I'll just get the spam from them or from other's forging
> >                                                         others
> >>that source address. Very easy to narrow down and fix.
> > 
> > Fix how?  Do you then block all of that person's mails?
> 
> You ask them if they've been hit and mention that their address is on 
> the spam list.

Well, in reality nothing will be foolproof, but if someone gets a virus
and it sends me an email, ok so I get a spam email, 1 out of 1,000 is a
good rate of filtering in my books. It makes it manageable.

> > No, the penalty of CR is those emails you never see because people
> > couldn't be bothered to jump through your hoops in order to get you to
> > see their mail.
> 
> Then they aren't interested in talking to me, or they are just too 
> self-important to waste their time with me.

Agreed. If they can't be bothered to spend literally 10 seconds to make
sure I get the email, chances are it wasn't that important to begin with.

> >>At the moment though, CR is an easy fix until the mail protocols get
> >>tightened up or the spamster scammers get 'nailed'...
> > 
> > I don't really see it as a fix.  It just causes more junk email traffic
> > and more hassle for people who are legitimate senders of email.

If they spent 3 minutes writing the email, then an extra 10 seconds isn't
a massive burden. Yes it is a bit more hassle, but for 5,000 spams a
week, it saves me having to spend money hiring an extra full-time
employee JUST to stop the spam. That's a lot of money saved. Ideally no,
I would like to not have to do it, but I do, blame the spammers for
making it necessary.


> Whether or not it is hassle or even works depends on your context. If 
> this email address was my business address, then I'd invest in a more 
> thorough and more transparent system.

I personally can't think of a better system that does not ever generate
false positives. That is the important thing, false positives are
unacceptable. If a customer needs the help of my support department, I
can't have his email eaten by a spam filter. Same for a sales enquiry.

In the 18 months since I wrote the filter, we have had 2 maybe 3
complaints. Compared to the number of complaints I'd have had if I'd have
had to put up my prices to pay for an extra staff member, I can live
with that.

> > Why don't content filters work for you?

False positives. Not acceptable. A couple of companies I deal with have
content filters and sometimes I can send 3 or 4 emails before one of
them gets through their filters.

> > Why are you special?  Why should I have to jump through hoops to send
> > you mail? :)

If you want to talk to me, 10 seconds isn't jumping through hoops, it is
a reasonable overhead. If 10 seconds is more time than I am worth, then
really, do you really want to talk to me that much? If 10 seconds is too
much effort to contact me, then 10 seconds is more time than I will be
willing to spend reading the email.

On Tue, 2004-05-25 at 18:10, Cam wrote:
> For the record, I get a lot of spam to my work address, which I don't 
> publicise (and haven't publicly used for years). It's typical to have 
> to, cc or from headers faked to other legitimate users from the same 
> domain. It seems a common tactic of spammers, maybe to try and get 
> around white lists.

I agree completely, no system is 100% foolproof, but it catches 99.9% of
spam emails, which makes it manageable. Far more manageable than it was. I
had to turn off the spam filters about 6 months ago due to a server
relocation and other fun, and instead of taking me 20 minutes a day to
read my email it took THREE HOURS - just on email to my personal
mailbox. I just don't have time for that.

On Tue, 2004-05-25 at 17:52, Simon Huggins wrote:
> Ok, and you start sending out lots of little messages confirming your
> address to spammers.

Yes, but so what, they spam it and it never gets to me. On the RARE
occasion that a spammer actually whitelists himself, I have a blacklist
response that is easy enough to use.
In reality very very few spammers will bother to read the bounce
responses. When 50% of the emails on a spam list are dead addresses, who
is going to read 6 million email bounces to catch the few that are
genuine and CR replies?

On Tue, 2004-05-25 at 17:13, Mike Cardwell wrote:
> I wrote a similar system myself, and it has been very very effective.
> Any email that isn't from someone on my whitelist is filtered through
> spamassassin. 

I hadn't thought of that - that is a DAMNED good idea, and I will have to
implement that right away! Well there goes my next few evenings off {:-)

On Tue, 2004-05-25 at 16:22, Simon Huggins wrote:
> But it doesn't solve spam.  It just means spammers have to spam with
> addresses on your whitelist.  So say anyone's address on this list could
> be used to spam Michael.

But how do they know what is on my whitelist? In reality spammers will
not spend that much time on the process. The system that is used these
days just involves sending so many millions of emails in the hopes that
if you throw enough of them some will get through. There is little
intelligence behind mass mailers right now. Their limits of cleverness
currently involve finding open relays that aren't blocked by the global
blacklisting companies, and sending the email with the sender spoofed as
the receiver (which DOES currently get past my spam blocker but not for
long).
There is NO concept currently of knowing who the receiver is, and
knowing who may be on any whitelist they may have.

On Tue, 2004-05-25 at 18:30, Simon Huggins wrote:
> It's insignificant to *you*.  I think your system is better as you're
> combining a challenge response with spamassassin checks before people
> see your mail but you're still imposing a penalty.

Agreed, but the penalty is on average less. Looking at the facts from my
CR system.

We receive about 5000 spams a week. If it would take say, 10 seconds to 
look at the mail, spot it is spam and click on a delete button, that is
a total of 10*5000 seconds a week, 50,000 seconds = 13.9 hours a week, let's
call it 14 hours a week.
So over the 18 months it has been running, the system has saved 1,008 man hours
of work.
On the other hand we have a database of 1,680 people who have validated
themselves, let's go to an extreme and say it takes 60 seconds to validate
(which it doesn't) - that is a total of 28 man hours on the other end.
Thus the time tradeoff is a ratio of 36:1

This I think is a fair tradeoff, and you know what, if people don't like it,
they should complain to the damned spammers that have made it all
necessary. I don't like it, but I simply can't afford to pay extra staff
hours to read spam email.

> Maybe you don't want to see mail from random people.  I occasionally get
> mail about odd web pages I've written about linuxy things or people
> submitting patches to things I've written.  I really wouldn't want to
> force them to have to jump through hoops mostly because I don't think
> they would.

Actually you would be surprised. The VAST majority of people are
completely understanding of the need. Only a minute proportion of people
have complained. The thing is, the people who are having to respond to
the CR are also people that have had problems with spam themselves (cos
everyone has) so they can see where we are coming from. We have actually
had more people ask us for the source to the filter than we have had
complaining about it.

> Not that there are 0 gains for you.  I'm sure there are.  You'll
> certainly cut the number of emails you read down.  It's just that this
> isn't necessarily the same as cutting out all the crap in your inbox and
> leaving the good stuff.

But really, it is. If someone can't be bothered to validate themselves, was
the email REALLY worth reading? In my experience no. I used to look through
the spam logs once a week or so, and there were ZERO emails that were
interesting - some of them were people that hadn't bothered to validate
themselves but who HAD emailed us directly, and you know what, each of the
emails was a pointless email that was a throwaway thought. They didn't see it
as important enough to pass through and I agreed with them, so hey, now we
have an extra layer of filtering that NO filter short of AI would catch. The
directed email that is pointless. {:-)
-- 
Michael Simms - CEO, Tux Games
http://www.tuxgames.com
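
Added example, not part of the original post and not the Tux Games filter: a sketch of the triage order the thread discusses (blacklist, whitelist, a SpamAssassin score before any challenge goes out, and the sender-spoofed-as-receiver case). The addresses, the threshold, the function names, the "hold" state and the choice to drop high-scoring mail are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

WHITELIST = {"customer@example.org", "support@example.com"}  # constructed: validated senders
BLACKLIST = {"bulk@example.net"}                             # constructed: manually blocked
SPAM_THRESHOLD = 5.0  # assumed cut-off (SpamAssassin's default "required" score)

def spam_score(msg):
    """Score from an X-Spam-Status header added by an upstream SpamAssassin, else None."""
    m = re.search(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)", str(msg.get("X-Spam-Status", "")))
    return float(m.group(1)) if m else None

def triage(raw):
    """Return 'deliver', 'drop', 'hold' or 'challenge' for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    if sender in BLACKLIST:
        return "drop"
    # A From equal to the recipient proves nothing, so it never earns whitelist trust.
    self_addressed = sender == rcpt
    if sender in WHITELIST and not self_addressed:
        return "deliver"
    score = spam_score(msg)
    if score is not None and score >= SPAM_THRESHOLD:
        return "drop"       # assumed policy: no challenge goes out, nothing confirms the address
    if not sender or self_addressed:
        return "hold"       # a challenge would go nowhere, or back to the recipient
    return "challenge"      # park the mail and ask the sender to validate once

def sample(frm, to="support@example.com", status=None):
    """Build a constructed test message; not real traffic."""
    head = f"From: {frm}\nTo: {to}\nSubject: test\n"
    if status:
        head += f"X-Spam-Status: {status}\n"
    return head + "\nbody\n"

if __name__ == "__main__":
    for frm, status in [("Customer <customer@example.org>", None),
                        ("new@example.org", "No, score=1.2 required=5.0"),
                        ("new@example.org", "Yes, score=14.0 required=5.0"),
                        ("support@example.com", None)]:
        print(frm, "->", triage(sample(frm, status=status)))
```

The From header is trivially forged, so the whitelist lookup here is only as strong as whatever sender validation runs before it.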


