On Oct 29, 2013, at 9:31 AM, David F. Skoll <d...@roaringpenguin.com> wrote:
> On Mon, 28 Oct 2013 21:42:29 -0400 (EDT) > "John R. Levine" <jo...@iecc.com> wrote: > >> But outbound filtering is far more useful when it, you know, actually >> works. > > Outbound filtering is far trickier than inbound filtering. Unless you > really want to annoy your customers, you have to hold suspect mail > (anything scoring let's say 5.0 to 8.0 or so on SpamAssassin's scale) > for review rather than rejecting outright. Once you start having more > than a few thousand outbound users, you end up spending a lot of time > reviewing suspect mail. > > We take another approach and apply per-sender rate-limits. If a given > sender or IP sends to more than X recipients in a given window of > time, we hold all mail from that sender/IP and alert. This has > enabled us to catch and shut down several phished accounts over the > last few months. Rate-limiting also helps if a phished account is > used to blast out large quantities of spam that nevertheless are not > detected as spam by content filtering. Given my experience working as the guy charged with outbound spam at a mjaor freemail provider, i can say this : the difficulty with a rate-limiting approach is the criminals reverse-engineer it pretty quickly, and just spread the joy over numerous accounts. generally speaking, they pretty much trickle spam out over ATOed accounts instead of doing it all in one fell (foul?) swoop. But yeah, i think John underestimates how difficult it is to do outbound filtering for more than a few dozen users who expect their mail to be delivered immediately, for some value of immediately. Emailin’ ain’t easy.
