My current views on webmail providers

January 2, 2007

I have come to a grumpy realization recently:

Unsecured webmail systems are today's open SMTP relays, and it's high time that they got treated the same way.

The comparison is all the more striking because (once) major ISPs appear to have decided that they can run open webmail systems without consequences, much as people once shrugged off running open SMTP relays.

(I am particularly depressed by the move of places like,, and into webmail systems that are open enough to let people in Nigeria spam us. Today's candidate for the dunk tank is, who to my shame are based in Toronto; as is traditional, the spam message originated from a thoroughly blacklisted IP address that is in SBL33810, a listing that dates from July 9th 2006, among other places.)

This implies that there should be a list of webmail providers that source spam, and people should be encouraged to block such places using the list. (People would have to whitelist Hotmail and Yahoo and so on; personally I consider that a feature.)

If I was running such a DNS blocklist, I would drive it from spamtrap data, with simple time-based expiry. Listing durations would be based on the volume involved and on how much the webmail provider should have known better, based both on how badly SpamAssassin et al score the mail and on how listed (and in what) the origin IP address is. Keep generating advance fee fraud spam email and your listing stays. (This would make Hotmail et al perpetually listed, which is fair; they're perpetually sending out spam email. See above.)

(I have been banging this drum for some time, in various forms.)

Written on 02 January 2007.
« Solaris's impressive ABI compatibility
The problem with C's volatile qualifier »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Tue Jan 2 23:29:27 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.