see ya open relay database!

The Open Relay Database service has called it quits finally. ORDB provided a blacklist of known and/or suspected spamming SMTP services based largely on IP addresses.

This was always a bad idea. I dislike lame workarounds for a problem inherent in the protocol itself: lack of authentication. Trying to tack on security just won’t work here. You might be able to shun a large swath of spam, but you also catch a lot of dolphins in the net as well. Take me for instance. My home mail server is on a DSL or cable line. The ORDB labeled my connection as a home-based system or even “dynamic IP” and thus anyone using their blacklist dropped any email I sent. Most companies that used this blacklist also did not accept free mail services like Gmail and Hushmail. It truly made communicating with some companies extremely problematic. I never did get a response from ORDB about my reservations (to put it lightly). You can drop 100,000 spam messages and no one will care. If you drop 1 extremely important email from a VP, heads roll. This does affect most any spam protections, but shunning by IP is not the solution.

Likewise, I’ve heard tales of legitimate companies being placed onto the blacklist, and having a huge hell of a time trying to get off the list. There is no real definitive threshhold or line drawn where, when complaints cross it, the site is put on the blacklist. This means that the larger the institution, the more likely a few clueless people will report legitimate mail that they requested, as spam, and screw up the company. Not a cool model.

So, rather than just complain, what do I recommend? Honestly, I’m not sure. There must be signature-based detections, but that relies on someone keeping the signatures updated (outside service). This should be accompanied by automatic denial of certain types of emails, such as emails with .com attachments and so on. There should be some measure of bayesian/subjective analysis, but that can’t be terribly draconian otherwise legitimate emails will be dropped. When it comes to my home network, I’d rather delete a few rogue emails than lose a few mis-categorized emails. I also believe in layered defenses, so this network-based detection can be augmented by utilizing any client-side “junk” filters. Most email programs today include some sort of manually-configurable junk filter that can “learn” as you use it. Utilize that for anything that gets through the initial procedures.

The rules change a bit when you talk about corporate email systems, however. No one wants their users to get even any spam mail, let alone something offensive or not appropriate. In a corporation, I really believe either the company needs to accept some measure of spam (typically smaller companies with less budgets, who also may be more needing to see emails from servers like mine) or spend the money to fully outsource it to a professional spam blocker. For comprehensive and intelligent and highly accurate spam blocking, I feel no company can do this alone. We use Postini at work, and I have to say I’ve been quite happy with it. Basically get a service upstream, filter emails, and then receive only the good stuff. This helps take pressure of corporate IT to become spam experts 24/7. That’s just not practical.

Ultimately, I’ll have more opinion on this after I play with SpamAssassin some more. I really do believe SMTP is a good protocol, but the Internet has grown larger and more depended-upon than SMTP was designed for. I consider it an already-dead technology that will linger for many, many more years simply because of the low cost and ease of usage. It will eventually be replaced with voice services or SMS and messaging services. The only effective difference between email and IM is the ability for mail to be held on the server until the user logs in and retrieves it. Yahoo does this in IM and has done it for years, and Google continues to make Gmail and GoogleTalk features more and more overlapped to achieve that switchover.