[BBLISA] State of spam filtering?

Steven M Jones bblisa-in at crash.com
Tue May 21 01:09:34 EDT 2013


On 05/20/2013 08:48 PM, Tom Metro wrote:
> Steven M Jones wrote:
>> For home I use SA, Spamhaus' Zen RBL, and a greylisting milter with
>> sendmail as the underlying MTA. Works pretty darned well.
> I imagine that the already small population of geeky people who ran mail
> servers for personal use has gotten even smaller.

True enough - many I know who did have dropped to just a mailbox 
integrated with their mobile device, or have parked their domain at 
Google. I would have expected more BBLISA subscribers to be so inclined, 
as an opportunity to maintain their skills and do a little 
experimentation outside of the office. But then, I suppose most places 
are using Exchange, an appliance, or a hosted solution, and perhaps this 
specialty isn't even relevant to most sysadmins any more.


> One remaining use case for self-hosting is privacy. Any time you
> outsource your data to the cloud, you're relying on people you don't
> know to implement security, and resist social engineering exploits.
> Plus, recent court cases have suggested that in some cases the
> government can consider mail stored in the cloud as abandoned if it has
> been read and is more than 90 days old, and thereby access it without a
> warrant or notice.

If the government wants it, you must assume they already have it. The 
folks at the Associated Press might have a few recent thoughts to share 
on such matters...

No, it's the question of commercial exploitation that stands out in my 
mind. Have you watched the online ads follow you from website to 
website, when you aren't using any tracking countermeasures? Anything 
that can be gleaned from the contents of your email or the patterns of 
activity it reflects is just more grist for the ad targeting and user 
profiling mill.

No real complaints about Google on that score, really - at least they 
tell you what they're going to do with whatever data you store with 
them. Facebook seems more insidious to me, since they just talk about 
having you come play with your friends online. Well, always remember: If 
you aren't the customer, you're the product.


> Obviously the challenge is determining who a client is, with IP address,
> as guided by SPF, being the likely choice. Though what about clients
> that don't use SPF?
>
> The very type of senders you'll want to receive mail from, like large
> banks, are notoriously bad at making use of "new" tech, like SPF. (They
> even have a tendency to outsource their mail to 3rd parties that send it
> using the provider's servers and domains. Great way to train your
> customers to ignore important signs that a message might be a phishing
> attempt.)

Well, funny you should mention that. One of the reasons I run my own 
servers is to be able to fiddle with email authentication. But in line 
with your first theme, the largest mailbox providers - 
Microsoft/Hotmail, AOL, GMail, Yahoo - are in fact trying to lead the 
way. Have a look at DMARC.org, and note that all of these providers have 
implemented DMARC. And some of the largest banks are doing so from the 
sender side, as well as eBay/Paypal and LinkedIn.

DMARC allows the domain owner to coordinate with the mail receiver and 
leverage SPF and/or DKIM in order to block messages trying to use the 
domain owner's domain without authorization.

There can be issues around third party senders, but they aren't really 
that hard to resolve. The fact is that the best and/or largest of these 
services have come up to speed and will try to educate their customers 
if anybody there is willing to listen.


I wouldn't suggest things are great, but they are improving.

--S.
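
The DMARC check described in the message above, and the third-party sender case raised in the quoted text, as an added example that is not part of the original post. The domains and the record are constructed, and the two-label organizational-domain rule is a simplifying assumption (real receivers use the Public Suffix List); the `pct` and `sp` tags are ignored.

```python
# Added example: simplified receiver-side DMARC decision (tags v, p, adkim, aspf).

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable policy."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real receiver
    # consults the Public Suffix List (example.co.uk needs three labels).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, authenticated, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    a, b = header_from.lower().rstrip("."), authenticated.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate(record, header_from, spf_pass_domain=None, dkim_pass_domains=()):
    """Return (dmarc_pass, disposition) for one message."""
    # spf_pass_domain: envelope MAIL FROM domain if SPF passed, else None.
    # dkim_pass_domains: d= domains of the DKIM signatures that verified.
    policy = parse_dmarc(record)
    if policy is None:
        return (False, "no-policy")  # domain owner published nothing to enforce
    spf_ok = spf_pass_domain is not None and aligned(
        header_from, spf_pass_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(header_from, d, policy.get("adkim", "r"))
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return (True, "deliver")
    return (False, policy["p"])  # owner's requested handling: none/quarantine/reject

RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"  # constructed sample record

def demo():
    f = "bank.example"  # constructed header From: domain
    return {
        "direct": evaluate(RECORD, f, "mail.bank.example", ["bank.example"]),
        "esp_unaligned": evaluate(RECORD, f, "bounce.esp.example", ["esp.example"]),
        "esp_signed_as_bank": evaluate(RECORD, f, "bounce.esp.example", ["bank.example"]),
        "spoof": evaluate(RECORD, f, None, []),
    }

if __name__ == "__main__":
    print(demo())
```

The `esp_unaligned` case is the outsourced-mail problem: SPF and DKIM both pass, but only for the provider's own domain, so the message fails DMARC until the provider signs with the customer's domain.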


