Why Spamcop sucks
I’ve been having intermittent email outages at a client site that I’ve been trying for months to diagnose. Finally managed to get my hands on enough information to do so, and I find the problem is Spamcop.
The client has a lot of field people, who have Yahoo email accounts. The web hosting service the client’s domain is on subscribes to Spamcop. And among the million or so Yahoo emailers is a spammer.
So, Spamcop blacklists one of the Yahoo email servers, effectively shutting down communication between my client and the field people. Server blacklisting is effective when aimed at an organization, but in the case of Yahoo, or Google, or any one of the large concentration email servers out there, it fails. It punishes thousands, even millions, of people because of the misdeeds of one, hardly an efficient measure.
Yes, I’m familiar with the contention that this sort of “death penalty” is meant to be sure hosts police their customers. But it’s hogwash, pure and simple. If we start with the assumption that a company can predict with 99.999% accuracy whether a potential customer is a spammer (completely bogus, I’d expect a number far less than 90% to be more likely) that still means that one customer in 100,000 will get misdiagnosed. Which is still enough to keep a server like Yahoo or Google blacklisted forever.
Remember, the spammer doesn’t care if the server gets blacklisted; he just moves on to another server. It’s only the poor suckers who have built a contact list based on that email address that get burned. It’s like nuking Kabul to get bin Laden; you kill lots of innocent bystanders while the real target slips away, laughing.
Yes, spam is a problem. But so is this. Yes, if they hang ’em all, they’ll get the guilty. But before you applaud, think: that means they’re going to hang you, too.
I do use domain banning on my forum because I was getting a ton of spammers using free e-mail addresses. While it’s inconvenient for some users, most people have non-free accounts and by using these I know a real person has registered. I also ban any domain used by a spammer which doesn’t pose any problem for legitimate users because the domains are typically .ru or some obscure corporation, not a “home” address. I would prefer it if I could ban an individual so that no matter what computer or server they are using they would be blocked, but that’s not possible on my forum. I can ban IPs (and I have) and I can ban domains and, least effective of all, usernames. I don’t like “dropping the bomb”—it makes me feel like a fascist—but on the forum I don’t have any options with finesse. 🙁
Banning an individual isn’t possible on any forum that doesn’t require biometrics for signing up. Ban “Floyd Smoot” and the same person can log on as “Smiley Burnette.” And you’ll never know they were both Sam Drucker.
“On the Internet, no one knows you’re a dog.” The anonymity of the ‘net is both a strength and a weakness.
Spamcop blacklists based upon number of complaints received. Seems to me that needs to be based on a percentage of messages sent: A server that sends 20 spams out of 22 messages seems a better site to block than one which sends 30 spams out of 5 million messages. (The problem, of course, is that no one knows those statistics, so there’s no way to use them. I’m just using them to point out the problem with using numbers without context.)