My Take On Spam

I don't think I've ever talk publicly about my feelings on spam, and after reading Moving Beyond RBLs, which I mostly agree with, I figured now is as good a time as any. I'm sure I've nothing new to bring to the discussion, so I'll just begin (I assume you know what I'm talking about).

First off, some background stats. I've been using the same email address since 1997. Prior emails are permanently redirected to my current one. I get about 500 messages a day over a dialup modem, and about 70 of those are spam. I use a POP3 server, and multiple machines ranging from Linux, OS X, and Windows. I work at an ISP. That ISP uses the SpamCop RBL, and blocks 5000+ messages a day because of it. Another 1000+ are due to "invalid user names', which could be attributed to dictionary attacks, old databases, or simply user error.

The machine I'm on most is OS X, where I use Eudora (I also use Eudora at work under Windows 2000). Being a Linux and Perl fan, I've got fetchmail configured to log into my ISP's POP3 server, download the mail, process it through procmail (which forks SpamAssassin), and then deliver all that mail to the Eudora mbox files. I've had this set up in place for about six months, and have used it only once (simply because there's no easy way to map "Check Mail" in Eudora to "fetchmail then restart Eudora so that it'll reload its mbox cache"). Changing email clients is not an option - Eudora works great and I've tried many others... none sit well with me.

Besides the SpamCop RBL, I don't do any further processing for spam. Ultimately, if the SpamCop RBL died tomorrow, I'd be perfectly happy going without any spam protection at all.

Why? Welp, quite simply, I liken spam to TV commercials. When a commercial comes on, I reach for the remote and scan around for something else. The amount of mental bandwidth for me to say 'nope, don't want to watch this' is exactly equivalent to the amount I spend saying 'nope, don't want to read this'. I type Ctrl+D, the email is deleted, and the next one pops up. If it's bad, I hit Ctrl+D again, if it's good, I reply or save it for later. This is why the spam issue is so hard to "solve": I know some people who are absolutely rabid over commercials, praising their TiVos for removing the distraction. Honestly, I find some commercials (and thus, spam) amusing. Far be it from me to remove an avenue of humor, especially considering the world I live in. I don't block web banner ads for the same reason (although I do block popups for disturbing workflow).

And don't forget that the "spam wastes bandwidth" argument doesn't apply just because I'm on a dialup modem. I check my POP3 server about 150 times a day over a 53k connection - it doesn't bother me whatsoever (but granted, I've downloaded 30 gigs of mp3s over a 56k modem too, so I'm probably an oddball here). The benefits of an automated, client-side system like SpamAssassin fail because a) it doesn't integrate with my workflow, b) it's not built into my email program, c) it's not easily crossplatform.

As for the SpamCop RBL, I had a say in whether to implement it on a server hosting 1000+ mailboxes, against SpamCop's own maxim of "don't use this in a production environment". I knew that a) if a bad piece of mail was blocked, it takes me five seconds to whitelist it, b) expecting users to learn new software like Apple's Mail (with its built in spamfiltering) or pay for software add-ons that interact with existing clients, was suicidal - our users don't know how to set up an Outlook Express filter, much less transition to a whole new way of doing things, c) expecting users to proactively send mail to a Vipul's Razor hasher was equally "not part of the workflow" (much less the fact that Vipul's Razor suffers the same "invisible authority" and "is this really a spam?" that an RBL does).

SpamAssassin and other content based filters are too slow to be used on a heavy server, and opt-in systems invariably create more tech calls ("I opted-in and now ALL my mail is gone! All gone! You're blocking all my mail!" when the server logs reflect no mail being send to the user in question). The very thought of an automated filter makes people dream up wild accusations of their importance, as has been the case when new phone numbers are added: "I tell ya, ever since you added that new number (which I've never used, nor do I realize it doesn't affect the number I'm currently using), my connection speed has gone way down! all my email is gone too!". Manual procmail filters are downright time consuming and eventually become obsolete ("m0rtg@ge rates haVE droppped!").

Generically speaking, end users are end users - by the time they're using something, they want everything to be done for them. They don't want to opt-in and they don't want to learn new programs - they just want it to work. With that, along with the implementation and processing restrictions placed on heavy servers with no dedicated "person who deals with spam fulltime", I don't really think there's a perfect ISP level solution. Third party filters that cost money and add another chain of "who's server is down?" is not a viable option, in my opinion.

Laws or their benefits, like Habeas or Lessig's ADV, only go so far geographically and depend upon slow due process. Whitelisting isn't worth the effort, since I get about 150 emails a week from people I've never heard of. To cut this short (as you've grown tired of reading it), as I've been since time began, I'm still happy with ignoring spam, much like I ignore commercials.