by srmarm 901 days ago
I've been using SpamAssassin for at least 15 years and it's sadly gotten less useful as the spam arms race has moved on. We regularly see people on here post about deliverability issues with Gmail/Outlook but the truth is that sender reputation is by far the biggest indicator of whether a message will be spam - these types of rules are just counting deckchairs on the Titanic in comparison.

And this plays into the strengths of the big mail networks in detection. It's a bonus to them that every time they block a smaller host there is a good chance that sender will consider a move to office365 or Google Workspace for their mail.

As an aside, not sure if OP is related to them but updown.io is a nice service and I appreciate the simple PAYG pricing! For what it's worth their mails seem to get through successfully to me too.

Also for those facing mail delivery issues (or just practicing good email hygiene) - I recommend www.mail-tester.com - they give you an email address to send a mail to and carry out a heap of tests - including checking against SpamAssassin + blacklists, SPF/DNS/etc testing.

8 comments

> It's a bonus to them that every time they block a smaller host there is a good chance that sender will consider a move to office365 or Google Workspace for their mail.

The irony is that a substantial amount of the spam I receive comes from those platforms.

Are you certain the spam is actually coming from IP addresses controlled by those platforms? It's common for spammers to fake the SMTP headers.
50% of my spam are from a single Google Groups source - unsolicited job applications, all ending:

  You received this message because you are subscribed to the Google Groups "jan-09" group.
  To unsubscribe from this group and stop receiving emails from it, send an
  email to jan-09+unsubscribe@googlegroups.com.
  
  To view this discussion on the web visit https://groups.google.com/d/msgid/jan-09/014101da368d$0bdc8160$23958420$@gmail.com.

I cannot email that unsubscribe link because it says I am not subscribed. I cannot visit that page, I have not subscribed to that group. I've had to set up a special filter to look for that footer.

I am not the only one with this issue. See https://support.google.com/groups/thread/68075070/i-get-goog... .

... Wait! You've indirectly helped solve the issue!

They are being sent to "info@" my domain, an alias that forwards to my real account. I set up a new outgoing account with that From address, sent from there, and managed to get Google to unsubscribe something I never agreed to in the first place.

It's been like this for a year, and with multiple attempts to fix it.

Thank you!

This reminds me, it would be nice if Google had an easy way to blacklist a sender and/or subject such that it wouldn't even go to spam. I have enough spam false positives that I needed to scan my spam folder periodically, and I'd love to have a way to permanently filter out regular crap in there. I've created explicit filters for some of the more prevalent ones, but a one click blacklist button on spam emails would be great. (Along with some way to edit the blacklist in case of mistakes.)
Quite a bit is "genuine", at least with Gmail, because infinite monkeys can sign up for infinite accounts.
I had spam bounces coming from Microsoft. Someone had convinced MS that they owned my domain and was apparently sending spam via an MS SMTP server (failing SPF was apparently not a problem for them), and any that bounced were being sent to my server: the real mail server for that domain. I reported the malicious org and explained what I had found out, but they obviously denied that it could possibly actually come from themselves and misunderstood what was happening (took me a bit to puzzle that out as well, those mystery emails showing up in my inbox). MS sending out spam isn't my problem, but I figured I'd be nice. Alas.

Few months later, they started bouncing my server's new IP address and that, too, wasn't their fault of course: "we're not seeing a block for your IP address so there cannot be bounces". Denying reality is super effective. The punchline was that they had blocked the new ISP's whole range rather than just my IP, so they weren't getting any hits when searching for my IP address. I found this out through some back-and-forth with a friendly sysadmin at the ISP, who was also banging their head against MS' wall...

These people must be so underpaid they're probably giving MS money for the privilege to work for such a correct business

I get plenty of spam from Gmail accounts with SPF and DKIM passing.
Plenty of dumps of stolen personal Gmail usernames+passwords, that anyone can feed into a bot that will use browser automation to sign into Gmail on those accounts and “hand write” some spam messages to send.

(If you haven’t realized, this is why Gmail has SMTP message origination disabled by default — these days requiring not only enabling it for your Gmail account, but also fiddling with app passwords to get it working. If it was enabled by default, the “spam from stolen credentials” problem would be so, so much worse. Whereas, at least with the webapp route, Google can block you if you look like a bot [i.e. if you’re doing an insufficiently good job at fooling them.])

I've sometimes got legitimate Google or MS dev newsletter emails going into their own spam folders :)
I've seen mail from my work Google Workspace that I sent to my own personal Gmail get flagged as spam. It's me sending to me. Google to Google. Logged into both accounts on the same computer.

If anything I'm nervous to recommend Google because they flag too many legitimate emails as spam. After years of not checking, I'm checking spam again.

> mail from my work Google Workspace that I sent to my own personal Gmail

Does your company do outbound marketing/sales?

I've seen multiple companies spin up outbound email marketing campaigns where someone compiles a list of 5000 email addresses based on certain demographics, and then send automated emails (that look not automated) over the course of a month, rinse, repeat. Google Workspace will let you do this, but if you're too aggressive with email volume it can kill the reputation, and therefore deliverability of any email from that domain.

(Which is why most companies send outbound sales emails from a domain other than their primary domain to separate out the sending domain reputation)

There is a significant amount of spam coming from Google accounts, yes. Just think about all the “sales automation” junk that businesses use.
Because of course, it's an arms race.
> Because of course, it's an arms race.

Somewhat out of context, but greylisting works as well as the day it came out.

Probably should put "works" in quotes...
I've been using it for over a decade and I have only one domain I've had to make a rule in Postfix for because their admins don't know how to configure their racks of SMTP servers.
I like rspamd much more (performance and redis) than SpamAssassin, and as you mentioned:

- https://www.mail-tester.com

- https://www.learndmarc.com

- https://mecsa.jrc.ec.europa.eu/en/

Are excellent tools to check your "deliverability".

Surprised to not see https://mxtoolbox.com in this list too
True, true, sorry, I forgot ;)
I switched from GMail to a personal Microsoft 365 domain when Google decided they didn't want to give me free email/domain services anymore. 365 was cheaper. I got about 10x the amount of spam to my 365 Junk folder than I did to the Junk folder in GMail. I would spend 10 minutes a day going through the junk folder to pick out false positives. I would have inexplicable issues with missing email with 365, where the root cause was always SPF issues from a third party sender. The big issue was event tickets mailed from a third party ticket service provider using the venue's domain name rather than the ticket provider's domain.

I switched back to GMail a few months ago, and not only do I see less stuff in my Junk folder (indicating Google is blocking stuff rather than identifying it) but also I have not seen a single false positive. Hopefully that means Google is more effective, but there's no way to tell if I'm missing legitimate email. So far, no complaints.

Microsoft's spam filter is fundamentally broken. It's been that way for decades. There's an entire cottage industry of snakeoil salesmen that want to sell in-line antispam gateways to bolt onto 365, and the worst part is that they have a very good reason to exist...
Strange, while I keep my GMail address I don't use it for anything new anymore since roughly 50% of the positives are false (no false negatives, though).
> As an aside, not sure if OP is related to them but updown.io is a nice service and I appreciate the simple PAYG pricing! For what it's worth their mails seem to get through successfully to me too.

Not related in any way except as a happy customer. They added a blog recently and this article caught my eye because of the nightmare that is mail delivery issues for everyone.

I found it particularly ironic that you now have to think like a spammer (i.e. look at spam detection engine source code to find a way to circumvent their heuristics) in order to get your totally valid email delivered (^_^).

edit: typo

Thank you
There needs to be like a Mozilla vs Chrome thing here, no? What's the best try so far for something like Let's Encrypt or Mozilla Foundation for not owned by big tech email so "will consider a move to office365 or Google Workspace for their mail" the sender has this other awesome option?
If you wanted to operate a haven for independent email hosting, where you want to assure deliverability in the face of Gmail's sender reputation system, you would need to classify your outbound traffic, and have a death penalty for spammers. If you tolerate any activity that peers classify as spam, that would tank your reputation.
> ... the truth is that sender reputation is by far the biggest indicator of whether a message will be spam

I couldn't agree with this more. I want people to remember this whenever the topic of decentralization or federation comes up. People see this as a technical problem. It's not. It's a political and organizational problem. Even with email, which is fully decentralized (other than the ICANN TLDs), running your own node is still incredibly difficult. And those reasons aren't technical at all.

I've kinda given up on reputation scores to indicate spam/ham, personally, and rely more heavily on textual analysis rules. Going by "reputation" caused me far too many false positives.
Reputation works well because of those other rules. If every office365/gmail email got through and everything else was blocked, spammers would just move to those platforms. Thus email inspection is a critical component enabling reputation based filtering.