October 6th, 2008
I used to have a long long set of firewall rules that prevented inbound SMTP connections from "notorious" spammer networks, mostly in Asia. At some point I realized that nearly all my spam comes straight to my machine from zombie machines all over the place (thanks to the lucrative and prolific SanCash operations). When all your spam is for King Replica Watches or VPXL, you figure that some spam control measures are working and others aren't.

Perhaps this is not news to anyone. But over the weekend I took the drastic step of changing those firewall rules to allow inbound SMTP from a very small set of networks and refuse all other SMTP. This has worked, with only one piece of spam arriving in the last 36 hours. And my "spam-smtp" firewall chain is only 7 rules long now instead of 519.

Most of my mail should be inbound from the campus main relay and redirection systems anyway, which have a sophisticated and aggressive spam filtering/rejection feature of their own that works pretty well. But if you've been using my specific machine address instead of using netid redirection, you probably won't be able to reach me, now.
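The allowlist-only chain described above, as an added example that is not the post's own rule set: a short POSIX shell script that rebuilds a "spam-smtp" iptables chain with one ACCEPT per trusted relay network and a final REJECT for every other source, then hooks new inbound port-25 connections into it. The chain name is taken from the post; the three networks are RFC 5737 documentation ranges standing in for the campus relay and redirection hosts, and the IPTABLES variable (so the script can be dry-run with `IPTABLES=echo`) is my own convention.

```shell
#!/bin/sh
# Allowlist-only inbound SMTP. The networks below are placeholders (RFC 5737
# documentation ranges), NOT the real campus relay addresses from the post.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="spam-smtp"
ALLOWED_SMTP_NETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

build_spam_smtp_chain() {
    # Create the chain if it does not exist, then flush it so reruns are idempotent.
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -F "$CHAIN"
    # One ACCEPT per trusted relay network.
    for net in $ALLOWED_SMTP_NETS; do
        "$IPTABLES" -A "$CHAIN" -s "$net" -j ACCEPT
    done
    # Everyone else is refused with a TCP reset, so legitimate senders that were
    # misconfigured fail fast instead of queueing against a silent DROP.
    "$IPTABLES" -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset
}

hook_chain_into_input() {
    # Route NEW inbound connections to port 25 through the chain; established
    # flows are left alone. -C checks for the rule first so it is added only once.
    "$IPTABLES" -C INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null \
        || "$IPTABLES" -I INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j "$CHAIN"
}

# Apply only when run directly as root; sourcing the file just defines the functions.
if [ "${0##*/}" = "spam-smtp.sh" ] && [ "$(id -u)" -eq 0 ]; then
    build_spam_smtp_chain
    hook_chain_into_input
fi
```

The chain only governs port 25, so authenticated submission on port 587 (if the host offers it) is unaffected; that is also the one ordering rule worth checking after an edit: the REJECT must remain the last rule in the chain, otherwise any ACCEPT appended after it is dead.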

The overarching problem is that with no central control over the Internet, authenticated exchange of email is impossible to implement, and large providers are loath to take intermediate steps with SMTP-AUTH because it's "too hard" for the end user. I think the only answer to this will be to eventually abandon SMTP altogether; a new mail distribution architecture could easily be designed from the ground up and since it would be relatively free from mass spam, should prove to be commercially viable.