2007-01-02
My current views on webmail providers
I have come to a grumpy realization recently:
Unsecured webmail systems are today's open SMTP relays, and it's high time that they got treated the same way.
The comparison is all the more striking because (once) major ISPs appear to have decided that they can run open webmail systems without consequences, much as people once shrugged off running open SMTP relays.
(I am particularly depressed by the move of places like rr.com, comcast.net, and adelphia.net into webmail systems that are open enough to let people in Nigeria spam us. Today's candidate for the dunk tank is tucows.com, who to my shame are based in Toronto; as is traditional, the spam message originated from a thoroughly blacklisted IP address that is in SBL33810, a listing that dates from July 9th 2006, among other places.)
This implies that there should be a list of webmail providers that source spam, and people should be encouraged to block such places using the list. (People would have to whitelist Hotmail and Yahoo and so on; personally I consider that a feature.)
If I was running such a DNS blocklist, I would drive it from spamtrap data, with simple time-based expiry. Listing durations would be based on the volume involved and on how much the webmail provider should have known better, based both on how badly SpamAssassin et al score the mail and on how listed (and in what) the origin IP address is. Keep generating advance fee fraud spam email and your listing stays. (This would make Hotmail et al perpetually listed, which is fair; they're perpetually sending out spam email. See above.)
(I have been banging this drum for some time, in various forms.)