As I sort of mentioned in yesterday's entry, I have historically written SMTP time rejection messages and other things with an eye towards denying spammers information about exactly why their attempts were rejected. This certainly looks like a perfectly rational decision; if we leak (detailed) information about rejection reasons, we give spammers a head start on working out what about their attempts needs to change in order to get their spam through. And indeed you can find plenty of large sites, like GMail and Yahoo, that absolutely refuse to give out any detailed information about rejections for this stated reason.

There's a difference here, though; we're not Yahoo or GMail. We don't have millions of users that spammers really want to send spam to; we have a thousand or so. The payoff for working around GMail's spam filtering is very high; the payoff for working around ours is extremely low. As a result, the odds that any spammers are actually paying attention to our SMTP rejection messages is, well, very low. In practice it's extremely likely that most spammers never even see them and have no interest in attempting to work around our specific tricks.

(I suspect that there are still some spammers who are paying more attention, such as people doing targeted phish spam runs and the conference spammers. Both of these groups are definitely at least somewhat targeted, and the most precise and alarming of the phish spammers are at least doing a reasonable amount of specific research on us.)

Given this realization, I've come around to feeling that your spam rejection messages might as well be reasonably informative (unless you're a big target for some reason). Maybe once in a while a spammer will read one and get a leg up, but in practice they're far more likely to be read by someone's dealing with a false positive or some other similar problem (such as trying to send an attachment type that we block). We might as well be reasonably helpful to those people, especially since some of the time they may be us (as we try to diagnose why a rejection happened).

This has probably always been the case, but I also think that when you're actively trying to block spam it's easy to get into a mindset where, to put it one way, everything is personal. Clearly the spammers are out to get their spam past you in particular and so you'd better be careful, just like the big people are. It's humbling to think that our small mail environment is generally insignificant from the spammers' perspective.