Day in a life of a spam killer: pre-greeting traffic

ExchangeDefender, OwnWebNow
Comments Off on Day in a life of a spam killer: pre-greeting traffic

Yesterday we implemented some new magic against tar-pitting smashers and man does it make a difference: Since noon EST we have rejected an average of 46,128 messages per-node. We then ran a report – 100% of the IP addresses that had their email rejected had mail delivered to the SureSPAM Quarantine the day before.

The significance? System performance, employee efficiency.

System Performance – Any bit helps. By rejecting the messages at the perimeter (yes, even ExchangeDefender as a perimeter service has a perimeter network) we save network resources because we have less messages to process through bayesian filters, less statistics to calculate and ultimately less spam that we’ll have to store.

Employee Efficiency – Two fold: First and less important, the remote likelyhood that the mail produced by these spamming hosts does not get properly identified as SPAM and ends up in the users inbox. Second and most important: less mail for the employees to review. Since I can guarantee that no legitimate mail was sent by these systems I can save my customers time from having to browse through meaningless quarantine reports and let them look at the stuff that is actually likely to be SPAM.

That last part is where I and some of my partners have very vocal arguments:

My mission is to cut down and eliminate spammers and their impact to the customer, not create pretty graphs.

My partners need the graphs and the data to prove to their customers that the SPAM is really bad enough to justify ExchangeDefender.

I think pretty much anyone who would spend a day on IMF/Outlook-only protection would scream their lungs off and rip their hair out over the amount and volume of junk thats floating out there. And while I can understand that sometimes people need to be shown what they are paying for I am not a fan of selling the fear. People either have a problem with their email or they don’t. And I’ll tell you this much – we do not lose customers. Nobody that has ever become a paying ExchangeDefender customer has ever left (short of AUP violations and going out of business) so I’m doing the right thing here, I really don’t think that at the end of the day the customer is going to be concerned about the value if they see 0 junk in their mailbox – they all have multiple accounts and contacts that are being flooded, they know the impact.

The second and more techical reason for what I do — By rejecting a message on connection basis I am saving back-scatter. When I reject the message with an SMTP error code the remote mail server is left holding the bag. When I accept the message and then have to send it back due to the prohibited content or system policy I am doubling the amount of junk that is being sent over the Internet. “But Vlad, why don’t you just not send it at all, just junk it?” – supose the message was legit but did not meet the policy requirements, or had questionable content, or did not meet the security requirement (some customers only accept encrypted messages or only specific senders), or had a virus, or had an attachment that customer would not accept, or, or, or.. My whole technical point here is that there are many good reasons for sending back an NDR and we (ISPs) need to be good Internet citizens and not flood the network with the meaningless ones.