And this plays into the strengths of the big mail networks in detection. It's a bonus to them that every time they block a smaller host there is a good chance that sender will consider a move to office365 or Google Workspace for their mail.
As an aside, not sure if OP is related to them but updown.io is a nice service and I appreciate the simple PAYG pricing! For what it's worth their mails seem to get through successfully to me too.
Also for those facing mail delivery issues (or just practicing good email hygiene) - I recommend www.mail-tester.com - they give you an email address to send a mail to and carry out a heap of tests - including checking against SpamAssassin + blacklists, SPF/DNS/etc testing.
The irony is that a substantial amount of the spam I receive comes from those platforms.
-https://mecsa.jrc.ec.europa.eu/en/
Are exellent tool's to check your "deliverability".
I switched back to GMail a few months ago, and not only do I see less stuff in my Junk folder (indicating Google is blocking stuff rather than identifying it) but also I have not seen a single false positive. Hopefully that means Google is more effective, but there's no way to tell if I'm missing legitimate email. So far, no complaints.
Not related in any way except as an happy customer. They added a blog recently and this article caught my eye because of the nightmare that is mail delivery issue for everyone.
I found it particularly ironic that you now have to think like a spammer (i.e. look at spam detection engine source code to find a way to circumvent their heuristics) in order to get your totally valid email delivered (^_^).
edit: typo
I couldn't agree with this more. I want people to remember this whenever the topic of decentralization or federation comes up. People see this as a technical problem. it's not. It's a political and organizational problem. Even with email, which is fully decentralized (other than the ICANN TLDs) running your own node still incredibly difficult. And those reasons aren't technical at all.
Brevity has value. Having to bloat content (an email to get past anti-spam; a cooking blog to rank better within Google SEO; ...) brings back memories of high-school english papers, or the modern equivalent ChatGPT.
Any smart spammer will just tweak his spam to not hit these rules... And if he hasn't, it's because the vast majority of people don't use SpamAssassin
Well-known rules will block most spam, some with occasional collateral damage but many with no realistic chance of collateral damage.
Entity-encoding @ as @ in email addresses in HTML will block the vast majority of email address harvesters, with no collateral damage.
Adding a honeypot field to an HTML form, with the label “If you are human, leave this field blank” and hidden by CSS, will catch practically all spam submissions, with no collateral damage.
I am sure there are plenty of smart spammers, but it also seems like a lot of spam comes from folks using scripts and email lists they use without fully understanding. It appears SpamAssassin would help with those operations.
So I wasn’t expecting Postgrey to provide much benefit. As it happens, in 10 years of running my own mail server, it’s the only anti-spam measure I’ve had to bother with.
Spam is all about high-volume/~no-cost delivery of crap. Time spent tweaking the spam - to evade $Defense_1, $Defense_2, etc. - is added cost. Especially if $Defense_n is only used by a few of the prospective victims (folks too savvy or paranoid to be suckered do not count), then tweaking to get around $Defense_n is a losing strategy for the spammer.
Bingo. Not that there aren't a lot of people running SA, but spammers want to be able to deliver to the big players(1) (gmail, o365, etc), not the size folks out there running SA. It's not worth their time to devote effort to optimizing for a rounding error in the deliverability equation.
(1) Unless they're selling 'targeting' services where you're paying to deliver to a specific domain/user which might be behind SA. Plenty do, but that's a little bit farther down the criminality spectrum and vastly less volume than shilling peener pills or warranty extension scams.
edit: formatting
The problem wasn't just the number of FPs (which were much higher than the 'Cuda) -- it was that they came from real people, who were often common senders. This is not corporate email, or anything that was even remotely spam (except as SA's crazy ruleset determined). These all required whitelisting, and it became a real chore for all my users to keep up with all the whitelisting.
So back to the Barracuda for another year. It lets a little more spam through, but virtually no FPs. I just couldn't make SA get the same performance, even with many tweaks to the weights and rulesets.
I basically trash all emails not in my contact lists. Easy.
Most spammers and marketing/sales sleezoids never think they are doing anything wrong. They are totally empathy incapable. Or they know they are scum and don't care. Either way.
OP talks about adding "invisible text" and other such common spammer tactics to get around some of the rules. Zero self-awareness.
At no point did this person ever think "did I do something wrong?". No, it's that shitty Spamassassin!
Each rule has a score associated with it. By default a message needs to reach 5.0 to be marked as "spam":
* https://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_Spa...
The threshold is configurable. An header is added post-processing, e.g.:
X-Spam-Status: Yes, score=21.6 required=4.0 […]
One can then choose what do to with this information (via procmail or Sieve). There is another header as well:
> X-Spam-Level: This displays your spam level with asterisks, with one asterisk displayed per point, rounded down. For example, if your overall SpamAssassin score is 4.3, it will display ****. If you score less than 1, for example, 0.5, it will display nothing.
But that's a problem that will resolve itself over time, in a variety of ways. And the spam systems can play the same tricks with only invoking it on a fraction of emails too, of course. It's just at current expense levels, that would be a very small fraction indeed. I'd hazard that trying to use modern AI on spam classification at scale could easily consume 10x-100x of all current AI hardware and still make less of a dent than you'd hope.
https://spamassassin.apache.org/full/3.0.x/dist/doc/sa-learn... https://cwiki.apache.org/confluence/display/spamassassin/Bay...