RSS to replace email? Nah.

I've heard a lot about how Outlook 2003, both alone and in combination with Exchange Server 2003, has been beefed up to fight the war on spam. From a client-only perspective, it doesn't look too promising. Apart from filtering messages that have been externally processed -- for example, by SpamAssassin -- the primary strategy appears to be blacklisting or whitelisting senders. As this screenshot illustrates, Sobig-like worms destroy that strategy. I can neither whitelist nor blacklist email appearing to be from Dave Ogle or Anne Manes or Tom Thompson or Lowell Rapaport. Quite likely, none of these folks has even been infected with the worm. Their names just happened to be chosen randomly from the address books of users who were infected.

For what it's worth, my current lines of defense are:

  1. SpamPal, a local proxy that I use for RBL (realtime blacklist) checking. I point Outlook 2000 at SpamPal on localhost; it rewrites the headers of RBL positives; Outlook filters send them straight to Deleted Items for review.

  2. SpamAssassin. Mail to my InfoWorld address is checked by SpamAssassin. Until Sobig came along, I wasn't getting much mileage out of SpamAssassin, because the IW guys have it running in a conservative mode. SpamBayes, my third line of defense, was doing most of the work. But this SpamAssassin rule has been highly effective against Sobig:

    MICROSOFT_EXECUTABLE (10.0 points) RAW: Message includes Microsoft executable program

    Again, Outlook filters send these straight to Deleted Items for review.

  3. SpamBayes. I'm quite sure that SpamBayes alone would have adapted to Sobig. But by letting SpamAssassin do the grunt work, I reserve SpamBayes for subtler discrimination. You'd think that during this onslaught, my MaybeSpam folder -- where SpamBayes puts messages it's not sure about -- would be overflowing. In fact, only five or 10 messages a day land there, and as usual they are messages that I legitimately have to decide how I want to handle.

The only real accommodation I've had to make is to reduce the amount of mail I leave on the server, because the volume -- which seems not to be slackening -- was causing quota problems. Also, to be fair, I spend more time scanning for false positives, though nowhere near the amount of time I used to spend sorting things out before I implemented this layered strategy.
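As an added illustration (not from the original post, and not code from SpamPal, SpamAssassin or SpamBayes), here is a small Python model of the first two layers above: an RBL lookup on the IP of the host that delivered the message, which routes positives straight to Deleted Items the way the Outlook filter does, followed by a SpamAssassin-style MICROSOFT_EXECUTABLE rule that looks for the "MZ" executable signature inside attachments rather than trusting the filename. The blacklist entries, the sample messages and the 5.0 threshold are constructed assumptions; the 10.0 points come from the rule quoted above.

```python
"""Model of the first two defensive layers described above: RBL tagging of the
delivering host, then a SpamAssassin-style rule for Microsoft executables.
Blacklist, messages and the 5.0 threshold are constructed assumptions for
this example; the 10.0 points come from the rule quoted in the post."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed realtime blacklist: delivering hosts a hypothetical RBL lists.
RBL_LISTED = {"203.0.113.7"}

# Rule scores: MICROSOFT_EXECUTABLE is the quoted 10.0; the threshold is assumed.
RULE_SCORES = {"MICROSOFT_EXECUTABLE": 10.0}
SPAM_THRESHOLD = 5.0

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def delivering_ip(msg):
    """IP of the host that handed the message to our MX. Only the topmost
    Received header was written by our own server, so only it is trusted;
    lower ones can be forged by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP.search(received[0])
    return m.group(1) if m else None


def has_microsoft_executable(msg):
    """True if any attachment decodes to data starting with the 'MZ' DOS/PE
    signature. Checking content, not the filename, catches renamed .pif/.scr."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            return True
    return False


def classify(raw_bytes):
    """Run the layers in order and return the folder the client filter would
    choose plus the evidence, mirroring 'straight to Deleted Items for review'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    ip = delivering_ip(msg)
    result = {"ip": ip, "hits": [], "score": 0.0, "folder": "Inbox"}

    # Layer 1: RBL proxy. A positive is routed by the client on that tag alone.
    if ip in RBL_LISTED:
        result["hits"].append("RBL_LISTED")
        result["folder"] = "Deleted Items"
        return result

    # Layer 2: rule-based scoring in the SpamAssassin style.
    if has_microsoft_executable(msg):
        result["hits"].append("MICROSOFT_EXECUTABLE")
    result["score"] = sum(RULE_SCORES[h] for h in result["hits"])
    if result["score"] >= SPAM_THRESHOLD:
        result["folder"] = "Deleted Items"
    return result


def build_message(from_addr, ip, attachment=None, filename="details.pif"):
    """Construct a sample message as bytes (constructed, not a real capture)."""
    msg = EmailMessage()
    msg["Received"] = (f"from relay.example.net ([{ip}]) by mx.example.org; "
                       "Fri, 29 Aug 2003 10:00:00 -0400")
    msg["From"] = from_addr
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Re: Details"
    msg.set_content("See the attached file for details.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed stand-in for a worm attachment: the DOS/PE signature plus padding.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 28

if __name__ == "__main__":
    samples = [
        ("worm with forged From", build_message("someone@example.com", "198.51.100.4", FAKE_EXE)),
        ("clean mail", build_message("someone@example.com", "198.51.100.4")),
        ("RBL-listed relay", build_message("someone@example.com", "203.0.113.7")),
    ]
    for label, raw in samples:
        print(label, "->", classify(raw))
```

The point of the ordering is the one the post makes: the cheap, coarse checks (a blacklist hit, an executable payload) run first and remove the bulk, so a statistical classifier like SpamBayes only has to adjudicate what is left. Everything routed to Deleted Items is still kept for review, because a content rule like this one will also catch a legitimately mailed executable.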

There's been a lot of talk about replacing email with RSS. I don't buy it. Although I am a huge fan of RSS, and expect it to largely replace email for subscription-related purposes (e.g., mailing lists), I don't see it as a general solution for ad-hoc person-to-person communication. Nor do I buy the argument that we need to toss SMTP. Obviously, we need to use it in a slightly different way. Of the various proposals floating around, the RMX idea -- a DNS-based solution that enables a receiving mail server to verify whether the sender's IP address is authorized to send from the domain within the sender's address -- seems particularly interesting. (I mentioned RMX in the Canning Spam article last month.) But it would be nuts to throw out the SMTP baby with the spam bathwater, and I'd be really surprised if that were to happen.
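To make the RMX idea concrete, here is an added Python sketch of the receiving side (example code, not the RMX draft's own format or any mail server's implementation): the server takes the connecting IP and the envelope sender, looks the sender's domain up in DNS, and reports whether that IP is authorized to send for it. DNS is replaced by a constructed in-memory table, and the record format is an assumption. It also distinguishes a domain that publishes nothing from one that publishes a record excluding the sender, which is the case that matters for a worm forging addresses it found in someone's address book.

```python
"""RMX-style sender authorization as described above: the receiving server
looks up the sender's domain and asks whether the connecting IP is authorized
to send for it. DNS is replaced by a constructed in-memory table, and the
record format is an assumption (the RMX draft defined its own record type)."""
import ipaddress

# Constructed stand-in for DNS records: domain -> networks allowed to send for it.
RMX_RECORDS = {
    "example.com": ["198.51.100.0/24"],
    "example.net": ["192.0.2.10/32", "2001:db8::/32"],
}


def sender_domain(mail_from):
    """Domain of the SMTP envelope sender; None for the null sender '<>' used
    by bounces, which has no domain to check."""
    addr = mail_from.strip().strip("<>").strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def rmx_check(client_ip, mail_from, records=RMX_RECORDS):
    """Return (result, reason): 'pass' if the connecting IP is authorized,
    'fail' if the domain publishes a record that excludes it, 'none' if the
    domain publishes nothing (or the sender has no domain). Keeping the three
    cases apart lets the receiver reject only on 'fail' and merely weight
    'none', instead of bouncing mail from domains that have not opted in."""
    domain = sender_domain(mail_from)
    if domain is None:
        return "none", "no sender domain to authorize"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "fail", f"malformed client address {client_ip!r}"
    networks = records.get(domain)
    if networks is None:
        return "none", f"{domain} publishes no record"
    for cidr in networks:
        # Membership is version-aware: a v4 client never matches a v6 network.
        if ip in ipaddress.ip_network(cidr, strict=False):
            return "pass", f"{ip} is within {cidr} for {domain}"
    return "fail", f"{ip} is not authorized to send for {domain}"


if __name__ == "__main__":
    # The second case is the Sobig pattern: an infected machine on some other
    # network sends mail whose sender address belongs to example.com.
    for ip, mail_from in [("198.51.100.25", "<dave@example.com>"),
                          ("203.0.113.50", "<dave@example.com>"),
                          ("203.0.113.50", "<someone@unlisted.example>"),
                          ("2001:db8:1::1", "<ops@example.net>"),
                          ("203.0.113.50", "<>")]:
        print(ip, mail_from, "->", rmx_check(ip, mail_from))
```

Two caveats a practitioner would want: the check authenticates the domain, not the person, so a listed relay can still send spam from addresses the domain owns; and any legitimate path that re-sends mail from a different network (mail forwarding, a .forward on another host) looks exactly like forgery, which is why a scheme of this kind is more useful as a signal that other filters weigh than as a hard reject on its own.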


Former URL: http://weblog.infoworld.com/udell/2003/08/29.html#a786