
outbound smtp handling

  • Dec. 2nd, 2008 at 8:13 AM
Due to feeling 'under the weather', I've decided to stay at home and keep my suffering to myself. Unfortunately, I can't get back to sleep. I got up at my usual time, didn't feel well but decided to get up anyways to see if it eased off. It didn't, but I'm now awake regardless. Doh.

But a friend's plurk started a train of thought and I'm compelled to explore it.

A lot of antispam measures kick in after the fact - an IP spews a lot of spam, gets reported/noticed and is subsequently blocked via DNSBL/RBL or more manual measures by recipient services.

Some responsible providers block outbound SMTP traffic to anything but their own servers, thus allowing a certain degree of throttling based on a variety of criteria. Other providers actively monitor RBLs.

It occurred to me though that there really aren't a lot of tools out there being effectively used to trigger alerts in a more proactive fashion, providing an early warning of sorts. Of course, things like this require resources and varying levels of infrastructure depending on the size of the provider.

Possibilities:

A second, non-interactive SpamAssassin instance for outbound email. It could be configured with slightly harsher parameters since, by design, it wouldn't be interacting with the email itself for delivery purposes. The trick of course then is to output the results of those SA tests to something that can aggregate the results to identify customers that are hitting a lot of rules.

Dynamic email address monitoring. The vast majority of email users are responsible folks who don't send a great deal of email. While this would take some significant lead time to ensure the db was properly populated with data, the end result may be worth it. It would essentially involve storing a few trending criteria in the db itself: sending IP, email address, recipient address, SA score, volume per day, usual sending times, and age of email address.

Long time users who have regular sending habits are unlikely to be in need of a lot of extra scrutiny for outbound email, and this can be reflected in how their email is routed out. New accounts that start sending high volumes immediately would be flagged. Long time users who suddenly email 100+(n) recipients they've never emailed before would raise an alert. A sending email address utilizing more than 1 IP in a short period of time would be valuable information to have. I'm sure there are a lot of other opportunities with even this limited set of data to make some useful correlations that can be used for alerting and perhaps even delivery decisions.
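A sketch of the three alert rules from the paragraph above, run over constructed mail-log records; this is an added example, not code from the original post. The thresholds, reason strings, and record layout are assumptions, and the SA score and usual-sending-time criteria are left out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; the post gives only "100+(n)" and "more than 1 IP".
NEW_ACCOUNT_AGE = timedelta(days=7)
NEW_ACCOUNT_DAILY_LIMIT = 50
UNSEEN_RECIPIENT_LIMIT = 100
IP_WINDOW = timedelta(hours=1)

def find_alerts(events, created, known):
    """events: (timestamp, sender, source_ip, recipient) tuples; created: sender ->
    signup time; known: sender -> past recipients. Returns sorted (sender, reason)."""
    daily = defaultdict(int)        # (sender, day) -> messages sent
    unseen = defaultdict(set)       # (sender, day) -> never-before-seen recipients
    recent = defaultdict(list)      # sender -> [(timestamp, ip)] inside IP_WINDOW
    alerts = set()
    for ts, sender, ip, rcpt in sorted(events):
        key = (sender, ts.date())
        is_new = ts - created[sender] < NEW_ACCOUNT_AGE
        daily[key] += 1
        if is_new and daily[key] > NEW_ACCOUNT_DAILY_LIMIT:
            alerts.add((sender, "new-account-high-volume"))
        if rcpt not in known.get(sender, ()):
            unseen[key].add(rcpt)
        if not is_new and len(unseen[key]) >= UNSEEN_RECIPIENT_LIMIT:
            alerts.add((sender, "unseen-recipient-burst"))
        recent[sender] = [(t, i) for t, i in recent[sender] if ts - t <= IP_WINDOW] + [(ts, ip)]
        if len({i for _, i in recent[sender]}) > 1:
            alerts.add((sender, "multiple-source-ips"))
    return sorted(alerts)

def sample():
    """Constructed data: example.com senders, RFC 5737 documentation addresses."""
    t0 = datetime(2008, 12, 2, 8, 0)
    ages = {"old": 900, "new": 1, "roam": 400, "quiet": 300}
    created = {f"{u}@example.com": t0 - timedelta(days=d) for u, d in ages.items()}
    known = {u: {"friend@example.net"} for u in created}
    ev = [(t0 + timedelta(seconds=n), "old@example.com", "192.0.2.10",
           f"r{n}@example.org") for n in range(120)]
    ev += [(t0 + timedelta(seconds=n), "new@example.com", "198.51.100.5",
            f"n{n}@example.org") for n in range(60)]
    ev += [(t0 + timedelta(minutes=m), "roam@example.com", ip, "friend@example.net")
           for m, ip in ((0, "192.0.2.20"), (10, "203.0.113.9"))]
    ev += [(t0 + timedelta(hours=h), "quiet@example.com", "192.0.2.30",
            "friend@example.net") for h in range(5)]
    return ev, created, known

if __name__ == "__main__":
    for sender, reason in find_alerts(*sample()):
        print(sender, reason)
```

The sender with a long history, one IP, and only known recipients produces no alert, which is the "less scrutiny" path the post describes.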

There are a lot of things providers already do to protect their customers from inbound spam. It would be interesting to see measures like these implemented, as it would certainly improve the email reputation of anyone doing it.


