When I self-hosted email I used Spamhaus as a block list and SpamAssassin to filter the rest. Gmail users made up the biggest chunk of spam that got through, but it was never from Google/Gmail domains; it was almost always from a Gmail user with a custom domain.
I wonder if SPF / DKIM / DMARC have improved this.
Google Domains doesn't make it quite as easy as other hosting providers, and to be honest, if they were super serious about email abuse they should encourage every domain to use it.
There is a marketing company that is constantly adding me to new spammy lists they are creating. They are using AWS SES / SendGrid / other reputable providers.
The emails all pass SPF/DKIM/DMARC and filing abuse reports seems to get me taken off the list I complained about but I quickly get added to a different one.
I am this close to auto-blocking anything from these large providers and switching to allow-listing the legitimate domains that can send me e-mail.
I feel this. Because of a Google Group I briefly followed, one of my email addresses got incorrectly associated with my Kickstarter account on some marketing list somewhere and gets added to so many "legitimate" marketing lists for fly-by-night Kickstarters. It's really frustrating, and the accident of it being a "wrong" email at least makes it somewhat easier to manage (though I worry if I ignore that mailbox too much I may miss the rare once-in-a-few-years important email to it).
For a while MailChimp was the only one of the major/reputable providers I trusted the Unsubscribe button on, because they had an "I did not sign up for this" button that supposedly dinged the mailing list owner's reputation with them, but more than that would supposedly make it a bit tougher for the next mailing list to just dump that email in without a verification step or a cool-off period.
That button disappeared recently and I guess MailChimp no longer cares either. Shame.
> For a while MailChimp was the only one of the major/reputable providers I trusted the Unsubscribe button on
Mailchimp is up there with Marketo and Sendgrid for me. Getting unsubscribed from something I never opted into… well I still haven't figured out how to do that.
SPF does not protect you from a pwned SMTP server (neither do DKIM/DMARC), then SPF is "enough" for self-hosted SMTP servers, and does force you to use DNS (the SMTP protocol works without DNS).
Spammers use VPNs nowadays. This makes Spamhaus-like services useless. They change IPs every week.
Most mail protection models against spam don't work.
I have an idea of a method that could help reduce spam and undesirable mails. It would be free for non-spammers and spammers would pay.
The problem is that I'm not sure if people would be ready to adopt it. There are also many different ways to execute it, and I'm not sure which one to pick.
Then the spam is coming from the email servers which are used to relay that spam. Headers can be forged, so the source before the spam server can't be trusted as real.
With Sonic I have to use their servers for outbound stuff since they block outbound SMTP without a static IP (and they don't offer static IPs with fiber). It's a price I'm willing to pay since I typically don't see false positives (and yes, I check my logs periodically) with Spamhaus.
Unfortunately I've moved to Proton and the increase in spam is pretty damn frustrating.
Spamhaus is blocking by IP, which can be an SMTP server or a client. The SMTP protocol does not allow one to distinguish a sending SMTP server from a client.
By using a VPN, you "randomize" the IP address and thus make Spamhaus and equivalent services useless. I created my own IP blacklist and tracked it.
The only method I found to filter my spammers is to reject mails from hosts without a name. This eliminated 80% of spam, but it won't last long.
I am seeing Google constantly fail to catch obvious spam emails. At this point I suspect there is some institutional error on their part, where bad actors inside the org are allowing certain domains to simply not be spam filtered.
I've done some experiments with Gmail/Outlook/other spam detection clients on different types of spam/phishing etc. There's always someone who claims a simple naive Bayes algorithm would do better than Google.
I'm not able to share the research data, but Gmail's filter is a lot better than everything else you see on the market, especially when it's not newsletter-like advertisement spam but an actual phishing attack on an org.
Some people say Outlook has better filtering functionality, but usually the tests are not representative and Outlook simply has stricter rules for unwarmed IPs, which is not that great of a feature in a real-world scenario.
Anecdotally, I have to say I rarely have issues with FastMail's spam filtering, which uses SpamAssassin (not sure what their setup is exactly of course). I rarely get spam in my inbox (maybe an email or two a month), and it almost never marks things as false positives (last one was years ago).
SpamAssassin does OK only on a subset of spam emails. The problem is that the underlying model is not capable of differentiating a fake email from your boss (unless it's really simple) vs. many other external emails you get.
I guess you would still want that 2nd level of protection for your org with sensitive data even if some "please buy X" spam emails are still getting in.
> The problem is that the underlying model is not capable of differentiating a fake email from your boss (unless it's really simple) vs. many other external emails you get.
But that's not really "spam", right? That's targeted phishing, which is quite a different thing.
My experience mirrors yours. Fastmail’s filtering is at least as good as Google’s for my inboxes, but Google and the other big players don’t seem to have spam filtering better than Fastmail’s on balance. Casually controlling for things like inbox age, I still get a bit more spam in my Google inboxes than in my Fastmail inboxes.
Once you’ve warmed up/activated the personal mail filter in Fastmail, it seems to work better than anyone else’s.
How do mail delivery services work with this in protecting users from spam, because their aim is to reach the inbox for their customers, spammers included?
I've been seeing some cleverly encoded emails with multiple MIME parts that bypass the spam filter. Gmail decodes one representation but displays another. Luckily the content they show to the spam filter is mostly static so a regular filter can catch it.
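A defender's counterpart to the multi-part trick described above: a filter should extract and scan the decoded text of every MIME alternative, not only the one it would render. This is an added example, not code from the original comment; the message, headers, domains and the lure phrase it matches are all constructed sample data.

```python
import base64
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collect the text a mail client would actually render from an HTML part."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def html_to_text(html):
    p = _TextExtractor()
    p.feed(html)
    return re.sub(r"\s+", " ", "".join(p.chunks)).strip()

def all_part_texts(raw):
    """Return (content-type, decoded text) for every text/* part in a message.
    Each part is decoded per its own Content-Transfer-Encoding and charset,
    so the filter sees exactly what any of the alternatives could display."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()  # undoes base64/quoted-printable, applies charset
        if part.get_content_subtype() == "html":
            body = html_to_text(body)
        out.append((part.get_content_type(), body.strip()))
    return out

def flag_divergent_alternatives(raw, pattern):
    """True when some text parts match a rule and others in the same message
    do not: the signature of a 'scanned one thing, displayed another' message."""
    parts = all_part_texts(raw)
    hits = [ctype for ctype, text in parts if re.search(pattern, text, re.I)]
    return 0 < len(hits) < len(parts), hits

# Constructed sample (not a real message): the text/plain alternative is
# innocuous, the base64-encoded text/html alternative carries the lure.
_HTML = b"<p>Your account has been <b>locked</b>, please reset your password here.</p>"
SAMPLE = (
    b"From: notice@example.com\r\nTo: user@example.edu\r\nSubject: Notice\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/alternative; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Thanks for your order, see you next week.\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(_HTML) + b"\r\n--b1--\r\n"
)
```

Running a rule such as `flag_divergent_alternatives(SAMPLE, r"reset your password")` reports that only the HTML alternative matches, which is exactly the case a filter that scans one representation misses.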
I'm aware, but I would've thought that marking something as spam would stop more almost-identical messages from the exact same email address. Having to create a custom filter for all the individual spammers that make it through is frustrating.
Sorry, a "your account has been locked, please reset your password" email to an .edu address from a gmail.com address is 100% always fraudulent, a 5th grader could tell you that, yet google lets it go through.
Looks like a very personal list. I would not advise anyone to use this as part of anything. Rohith[1] is in India, and most of the spam domains (did a quick split) in the list are similar-sounding names of a lot of Indian companies/startups. Not that the companies do not spam (they do), but email/domain registration has become so easy that there are tiny setups/operations in every nook and corner of the streets/chawls/shanties of India trying to spam people.
You appear to be trying to argue against something, but it reads as "this is a lot of Indian stuff, which is chock-full of spammers". Read like that, it seems like the list is a good one.
Ah! I'm sorry if it came out wrong. However, I was trying to make an observation when I saw the list. You want to start optimizing your spam-block list or something like that and realize you are not typically the target. You might end up looking and scouting to hit something that never came your way.
My email(s) on my own domains have been on the Internet for more than two decades and I'm always happy to look at ways to prevent spam on them.
In theory one can set any domain in the "From" field; what about the actual servers that sent the spam? How many of those spam emails have unsubscribe and/or complaint headers?
In theory the domain you set the "From:" field to will have DMARC, DKIM and SPF set up and in theory the recipient that implements those protocols will discard your mail as sent from an unauthorized server.
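The check the comment above describes, as an added example (not the commenter's code): an SPF evaluator for the connecting IP against the envelope domain's published record, plus the DMARC identifier-alignment test that ties the authenticated domain back to the header From. The TXT records, domains and addresses are constructed stand-ins for a DNS resolver; only the ip4/ip6/include/all mechanisms are implemented, other mechanisms return permerror here.

```python
import ipaddress

# Constructed DNS TXT data standing in for a resolver (example data, not real domains).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "noauth.example": "",  # domain that publishes no SPF record at all
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain, txt=FAKE_TXT):
    """Return the domain's spf1 record, or None if none is published."""
    rec = txt.get(domain, "")
    return rec if rec.startswith("v=spf1") else None

def spf_check(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate SPF for the connecting IP and the envelope-from domain.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:  # RFC 7208 caps the include/redirect chain at 10 lookups
        return "permerror"
    record = lookup_spf(domain, txt)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        q = "+"
        if term[0] in QUALIFIERS:
            q, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # ip6:2001:db8::/32 keeps its colons
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only if the referenced record itself yields pass
            matched = spf_check(ip, arg, txt, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # a, mx, exists, ptr: not implemented in this demo
        if matched:
            return QUALIFIERS[q]
    return "neutral"  # no mechanism matched and no 'all' terminator

def dmarc_spf_aligned(header_from, envelope_from, ip, txt=FAKE_TXT):
    """DMARC with relaxed SPF alignment: SPF must pass for the envelope domain,
    and that domain must equal, or be a subdomain of, the header From domain.
    A spoofed From: header over someone else's passing envelope fails here."""
    hdr = header_from.rsplit("@", 1)[1].lower()
    env = envelope_from.rsplit("@", 1)[1].lower()
    aligned = env == hdr or env.endswith("." + hdr)
    return spf_check(ip, env, txt) == "pass" and aligned
```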
The spam emails pretty much ALL have unsubscribe headers now. I mean, they are all WORSE than useless since they are sending a signal back to spammers, but Gmail is asking me to [Unsubscribe and Report Spam] anyway.
These are usually domains that belong to a disposable email service, be it public or private.
I maintain a 100% free API [1] to check if an email belongs to a disposable email service. We dogfood the same API endpoint to prevent users who abuse disposable emails to create fake accounts for free trial credits.
We use the domains found at https://www.stopforumspam.com/downloads amongst other sources of data. Works pretty well. We have close to eliminated fake account registration with the use of Recaptcha.
> We dogfood the same API endpoint to prevent users who abuse disposable emails to create fake accounts for free trial credits.
I usually use disposable emails to test services but don't want to be spammed. Often, I later upgrade to a paid plan if I like the service. If they block disposable email addresses, I will not even try them at all.
Congratulations, you make the internet worse for actual humans and better for corporations. Making the world a net worse place, for everyone that matters.
I suspect "fake" is the wrong word, maybe "very low reputation" is better. The parent post discusses avoiding giving unlimited free trials to people who just keep creating new accounts. You'll want to restrict that, especially if each trial costs a non-trivial amount of money. Efficiently detecting such abuse allows the company to offer generous free trials.
A side effect is that a small number of people who use disposable email addresses to manage the spam they receive will also be blocked (see other comments). A business looking at this issue may find it hard to prioritize, the group is small, and they can choose to use a non-disposable address if they want to continue.
The group of people that go through the hassle of signing up and setting up everything again to avoid paying is probably equally small. If the account setup is so frictionless that a lot of people do it again and again, you should work on adding benefits to loyal accounts instead of banning new users.
You can actually check how many users it impacts by watching how the bounce rate changes after a user with a disposable email address is told their address isn't accepted. Adjust course based on your metrics.
[1]: https://drewdevault.com/2021/02/25/Gmail-is-a-huge-source-of... , https://news.ycombinator.com/item?id=26265329