Recommendations for Receiver Setup

Using the Registry of Public Email Senders

The recipient should have full control over what is rejected, so that the receiving ISP does not have to defend its policies.  The exceptions to this are 1) an initial rejection of forgeries where there is a clear sender policy, and 2) blocking of heavily spamming IPs that are causing excessive load or denial of service.

 

Default Setup for Recipient's Options

Reputation = 100  # No more than 1 spam per 100 emails

Whitelist = []    # None initially

Blacklist = 'Moderate' # Compromise between spam and false rejects

SpamFilterThresholds = (50, 75)  # Spam, Unsure, Ham

These options may be set through a web interface.

1) Threshold for acceptance of Reputable Senders.  How much do you really hate spam?

2) Whitelist of acceptable sender domains.  Just a few that you will accept in spite of their failing to meet your standard.

3) IP Blacklists: Safe - Moderate - Aggressive.  Rejection occurs if the sender is on any included blacklist.  The more aggressive blacklists you include, the greater chance of false rejects.

4) Thresholds for Ham - Spam - Unsure.  Ham will be delivered immediately to your inbox.  Spam and Unsure will be sorted by spam score for later review.
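The following sketch shows how the four options could combine into one delivery decision for a message whose sender domain has already been authenticated. It is an added example, not code from the registry or the original page. The order of the checks, the cumulative blacklist tiers, the 0-100 spam score with "below 50 is Ham, 75 and up is Spam", and the Message field names are all assumptions.

```python
from dataclasses import dataclass, field

TIERS = ["Safe", "Moderate", "Aggressive"]  # treated as cumulative (assumption)

@dataclass
class RecipientOptions:  # defaults copied from the page's default setup
    reputation: int = 100          # sender needs >= this many emails per spam
    whitelist: list = field(default_factory=list)
    blacklist: str = "Moderate"
    spam_filter_thresholds: tuple = (50, 75)
    shared_filter: bool = True     # off for a recipient running his own filter

@dataclass
class Message:  # hypothetical record; field names are not from the page
    auth_domain: str        # authenticated sender domain
    emails_per_spam: float  # sender's rating in the registry
    listed_on: set          # blacklist tiers that list the sending IP
    spam_score: int         # shared-filter score, 0-100 (assumed scale)

def disposition(msg, opts):
    """Return (action, reason) for one authenticated message."""
    included = TIERS[: TIERS.index(opts.blacklist) + 1]
    hits = [t for t in included if t in msg.listed_on]
    if hits:  # rejected if the sender is on any included blacklist
        return ("reject", "IP on %s blacklist" % hits[0])
    whitelisted = msg.auth_domain.lower() in {d.lower() for d in opts.whitelist}
    if msg.emails_per_spam < opts.reputation and not whitelisted:
        return ("reject", "reputation below threshold")
    if not opts.shared_filter:
        return ("inbox", "shared filter disabled")
    ham_below, spam_from = opts.spam_filter_thresholds
    if msg.spam_score < ham_below:
        return ("inbox", "ham")
    return ("review", "spam" if msg.spam_score >= spam_from else "unsure")

# Constructed sample messages, not real traffic.
SAMPLES = [
    Message("good.example", 500, set(), 10),
    Message("good.example", 500, {"Aggressive"}, 60),
    Message("needed.example", 20, set(), 30),
    Message("poor.example", 20, set(), 5),
    Message("listed.example", 500, {"Safe"}, 5),
]

if __name__ == "__main__":
    opts = RecipientOptions(whitelist=["needed.example"])
    for m in SAMPLES:
        print(m.auth_domain, disposition(m, opts))
```

Note that the whitelist only overrides the reputation check: a whitelisted domain sending from a blacklisted IP is still rejected under this ordering.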

Q&A

Q1) How can individual whitelists be effective?  Every recipient will want dozens, and most will include common names like aol.com with tons of spam.  Wouldn't it be better to not include entire domains?

A1) The critical difference is that we are working with *authenticated* names.  When the user whitelists aol.com, he is *not* asking for every piece of spam claiming to be from AOL.  Big names like this will have a well-established spam score, and most users will be happy with just setting a single threshold for reputation.  The most advantageous use of a whitelist entry is for some domain that does not have a good reputation, but is needed by a particular user.

Q2) You show the spam filter as being part of the receiver's setup.  Isn't it better to have each recipient run his own spam filter, so the filter can learn exactly what that user considers spam?

A2) That is certainly a more effective filtering setup; however, many recipients don't want to be bothered with installing and maintaining their own filter.  A recipient with his own filter can disable the shared filter.

Q3) All these options and choices will make for a very busy helpdesk.

A3) You may want to offer the options only to premium accounts, and just use a default setup for the rest.

DMQ  10/04/05