7 votes

SPAM blocklisting is out of control

7 comments

  1. [5]
    simplify

    There are two reasons why I can understand someone wants to host their own email. One, for funsies. It's fun to play around with an email server if you're trying to learn, though not much fun anymore once you do it professionally. And two, for privacy. But with self-hosting comes a whole bunch of headaches, like what this author is now experiencing. Personally, I don't believe spam blacklisting is out of control. I still get a few spam messages coming through every week. I'd like to see zero.

    From the privacy angle, there are plenty of privacy-focused email hosts. I've been with ProtonMail for almost 5 years and I'm very happy with both the service and privacy elements. I pay $12 a month for it. It's inexpensive for me and also a business write-off. It's encrypted. I don't worry about ProtonMail having access to my email. If you want privacy, you have to pay for it on the modern internet.

    When you self-host email servers, you have to understand that you could be seen as a bad actor simply because it's a bit suspicious for someone to be self-hosting email these days. Should it be? Of course not. But too many people have abused the system. This is just where we're at.

    The author mentions that users in their IP block are spamming, which is why they've been blacklisted. And then they go on to say that of course their cheap host won't shut down the spammers because of money, but they also don't want to leave said host because of the price and inertia. This feels like the author is just creating a problem for themself. If I was paying for a service that didn't meet my needs, I would leave that service. No brainer.

    Sometimes we can't see when we're responsible for our own problems in life. It's a blind spot. I can't help but feel like I'm responsible for my own lack of greater success in my industry, and I'm pretty sure I know why--it's not a blind spot anymore--but inertia has me trapped for the time being. It's hard to break out of inertia, maybe due to the sunk cost fallacy, maybe it's expensive to pivot, or maybe it's the egotistical feeling that you're right and they're wrong. But complaining about having your self-hosted email server blacklisted feels like one of those things where the solution is obvious.

    7 votes
    1. [4]
      NaraVara

      Personally, I don't believe spam blacklisting is out of control. I still get a few spam messages coming through every week. I'd like to see zero.

      I think the fact that basically every company tries to send you "legitimate" promotion emails that are literally spam that people don't know how to opt out of has started to make it harder and harder for spam filters to parse which sorts of solicitations are actually unwanted. It naturally ends up being weighted much more towards the sender's address than the content of the email.

      1 vote
      1. [3]
        simplify

        I don't really have this problem. I unsubscribed from as much as I could about half a dozen years back, and whenever I create a new account with some retailer, if they auto-add me to their list I unsubscribe as soon as I get that first email. The spam I get is mostly phishing attempts or get-rich-quick schemes or some "hacker" telling me to send them Bitcoin or else they'll send a video of me masturbating to my entire contact list. And all of those are on an older email address that regrettably got leaked in some data breach years ago. Fortunately, it all filters into my spam folder. So at least I know it's garbage before I look at it. And even so, it's quite rare. Just a couple a week.

        The only reason I still have that older email address active is so if someone from my past wants to randomly reach out, they will find me. But maybe it's time to just turn it off.

        4 votes
        1. [2]
          NaraVara

          I don't really have this problem. I unsubscribed from as much as I could about half a dozen years back, and whenever I create a new account with some retailer, if they auto-add me to their list I unsubscribe as soon as I get that first email.

          It may not be a problem for you individually, but it is a problem for the spam filtering software that has to learn the patterns of wanted and unwanted solicitations based on analyzing volumes of email traffic.

          1 vote
  2. [2]
    pallas

    I notice that the title here has been subtly modified from the author's title, which is problematic, because blocklist includes the specific connotation of blocking, while blacklist, the word used by both the author and UCEPROTECT, does not. One of the lists mentioned explicitly recommends that it not be used for blocking, but instead be used in score-based analysis. As I didn't initially notice that the author's title had been changed, the title here led me to assume the author was confused about the purpose of the lists. Blanket changing of words of others, especially without regard to how they change meaning and without calling attention to the change being made, seems inappropriate. Referring to DNSBLs as DNS-based lists arguably makes the most sense, because they aren't necessarily blacklists or blocklists, and don't necessarily have a positive or negative implication.

    Edit: it appears that the title change here was the result of the author originally having a typo in the title, then changing it, resulting in an ambiguity, so my comments on changing titles don't really apply. However, I would still note that 'blocklist' is problematic in this context, in implying blocking, which the organization running the DNSBL in question explicitly recommends against using it for: 'blocklist' is not entirely synonymous with 'blacklist'. In this specific context, 'DNS-based list' is probably the better option.

    And I have to assume that most servers are using DNSBLs as part of score calculations for spam, not as blocklists, especially for a list like UCEPROTECT2, and even more so for UCEPROTECT3. UCEPROTECT itself notes for level 2, 'be prepared to lose a few mails too', and for level 3, 'This blacklist has been created for HARDLINERS. It can, and probably will cause collateral damage to innocent users when used to block email.' They recommend, themselves, that level 3 only be incorporated into a scoring system without a high enough score to trigger the filter by itself (eg, +2 points out of 5). UCEPROTECT3 actually blocks entire ASNs, and appears to be blocking around one percent of all the ASNs in the world at the moment.

    So, realistically, the author seems to be complaining prematurely. Yes, these will count against their emails if people are using these, though as the organization seems sketchy, which the author points out, I'm not sure many people even use them. But if the emails are personal emails, and the server has a modern, authenticated setup (DKIM, SPF, DMARC, etc), a reasonable score-based system will probably give the emails such a low/good score that the penalties from lists like these won't matter. In many cases, when I've seen complaints like these, they've ended up actually being from small companies sending legitimate but automated emails that score poorly in default setups (eg, lots of HTML, images, and links).

    My personal email server on Hetzner is on UCEPROTECT3, and though I'll eventually probably move it to a range in my own ASN, I've rarely had problems with delivery. In my experience, for small personal servers, there are three types of spam systems that you interact with:

    1. Default spam filtering of major providers. These actually seem reasonable if, and perhaps only if, you are small, sending non-automated emails, and implement DKIM/SPF/DMARC. I haven't had problems getting to Gmail or Outlook themselves.
    2. Spam filtering set up by organizations running their own servers. These are usually reasonable, because the administrators are considering these potential problems for their own email, and have some idea what they're doing.
    3. Wonky setups, usually of organizations using Google, or especially Office365. These will often send your email to spam, but they'll also often be so poorly configured that they're unreliable in receiving anything that isn't Google or Microsoft (or, in even worse case, anything at all), so your small server doesn't fare much worse than if you weren't self-hosting. In one case, I was annoyed that a university in a small European country, using Office365, was consistently flagging my emails as junk, but we found that the spam filter was so badly configured it was also flagging essentially anything outside of the country as junk, including emails from household-name university domains with correct DKIM+SPF, and emails from any non-Microsoft provider, including Fastmail. (Sadly, the IT department at that university fundamentally does not understand scholarly collaboration, and still insists on altering and adding large warnings to any email arriving from outside the university, breaking DKIM signatures, because they seem to assume most email will be internal.)

    So realistically, I think a personal email server doesn't fare much worse than any other non-Google/Microsoft setup. Yes, you might be flagged as junk, but those servers have a good chance of flagging your emails as junk even if you aren't self-hosting.

    1 vote
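The score-based use of DNSBLs that pallas's comment above contrasts with outright blocking, as an added example that is not part of the thread. The zone names are UCEPROTECT's public DNSBL zones; the threshold, the level 1 and 2 weights, the authentication credits, the content score and the sample listing for 192.0.2.10 are assumptions constructed for illustration.

```python
import ipaddress
import socket

THRESHOLD = 5.0  # assumed spam threshold ("5" as in the comment's "+2 out of 5")
DNSBL_WEIGHTS = {  # level 1 and 2 weights are assumptions
    "dnsbl-1.uceprotect.net": 3.0,  # single IPs
    "dnsbl-2.uceprotect.net": 2.5,  # allocations
    "dnsbl-3.uceprotect.net": 2.0,  # whole ASNs: must not reach THRESHOLD alone
}
AUTH_CREDIT = {"spf": -0.5, "dkim": -1.0, "dmarc": -1.0}  # assumed credits

def dnsbl_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_lookup(name):
    """Live lookup: the A record as a string, or None when not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, zone, resolve=dns_lookup):
    answer = resolve(dnsbl_name(ip, zone))
    # Listings answer inside 127.0.0.0/8; ignore anything else, such as a
    # resolver that rewrites NXDOMAIN to a landing-page address.
    return answer is not None and answer.startswith("127.")

def score(ip, auth, content_score=0.0, resolve=dns_lookup):
    """Return (total, zones_hit, is_spam) for one message."""
    hits = [z for z in DNSBL_WEIGHTS if is_listed(ip, z, resolve)]
    total = content_score + sum(DNSBL_WEIGHTS[z] for z in hits)
    total += sum(c for m, c in AUTH_CREDIT.items() if auth.get(m) == "pass")
    return total, hits, total >= THRESHOLD

def block_on_any_listing(ip, resolve=dns_lookup):
    """The 'blocklist' behaviour: reject on a single listing."""
    return any(is_listed(ip, z, resolve) for z in DNSBL_WEIGHTS)

# Constructed sample: 192.0.2.10 (documentation range) listed at level 3 only.
SAMPLE_ZONE = {"10.2.0.192.dnsbl-3.uceprotect.net": "127.0.0.2"}
ALL_PASS = {"spf": "pass", "dkim": "pass", "dmarc": "pass"}

if __name__ == "__main__":
    print(score("192.0.2.10", ALL_PASS, resolve=SAMPLE_ZONE.get))
    print(score("192.0.2.10", {}, content_score=3.5, resolve=SAMPLE_ZONE.get))
    print(block_on_any_listing("192.0.2.10", SAMPLE_ZONE.get))
```

With the sample listing, the authenticated personal message stays well under the threshold, the unauthenticated message with a high content score crosses it, and the block-on-any-listing policy rejects both.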
    1. hungariantoast

      I notice that the title here has been subtly modified from the author's title, which is problematic, because blocklist includes the specific connotation of blocking, while blacklist, the word used by both the author and UCEPROTECT, does not. One of the lists mentioned explicitly recommends that it not be used for blocking, but instead be used in score-based analysis. As I didn't initially notice that the author's title had been changed, the title here led me to assume the author was confused about the purpose of the lists. Blanket changing of words of others, especially without regard to how they change meaning and without calling attention to the change being made, seems inappropriate

      There was originally a typo in the title of the blog post

      2 votes