Spam Quarantines Do Damage

You may have heard us predict the death of email spam before. Briefly, the argument goes like this:

  1. as more people's mailboxes are protected by anti-spam filters,
  2. and as those filters get more accurate,
  3. fewer spam messages get delivered,
  4. so fewer products get bought from spam,
  5. so less commission goes to spammers,
  6. so the economic incentive to spam dries up.

However, there's a wrinkle in this oh-so-neat reasoning... quarantines. Anti-spam products keep most of the spam email in a holding pattern, just in case they accidentally filter out a legitimate message (a "false positive"). Users can browse the quarantine to check that the filter isn't deleting good mail. The problem is that the quarantine will be full of the very solicitations that we need to keep away from users' eyes if we are to defeat spam. (There are other problems too, such as the wasted productivity involved in checking the quarantine.)

What should be done? Anti-spam software should delete messages that are clearly spam. When modern spam filters assess a message, they do so using a battery of tests and criteria. This process usually produces an aggregate score. Some spam messages score so high that they're clearly spam. There's practically zero chance that this might be a legitimate message. Anti-spam software should only present gray-area messages to the user in the quarantine.

Author: Richi Jennings

One Comment

  1. Posted August 9, 2005 at 1:28 AM | Permalink

    It’s a reasonable theory, but it has two flaws in my experience:

    – Users (IT admins) *demand* quarantine; they’re all terrified of any risk of losing mail for the CEO – no matter how much it looks like spam. Eg the CEO’s weekly golf mailing. Sadly these people cannot be persuaded that it is safe to delete *anything*

    – On the positive side, almost all users stop checking their quarantine after a very few days of first having access to it – assuming of course that there is an extremely low false positive rate. Thus the downsides of quarantine that you identify do not actually materialise in practice. In fact because users get used to not looking at it, in the event that they genuinely lose a legitimate email they rarely think to actually look in quarantine for it!

  2. Posted August 12, 2005 at 12:09 PM | Permalink

    I agree that gray zone spam quarantines should be used to reduce the workload for IT staff in reviewing thousands if not millions of quarantined spam. These should be made available to end users to recover into their Inbox or simply be deleted after a time that makes ense to the enterprise (possibly 90 days). For the key executives and the CEO, a simple white list would allow all their email (spam or not) to be let through and a filter to be applied on the ones that are 100% spam content and have the others manually reveiwed – possibly by an assistant or someone trusted by the CEO to view all their email.

  3. Posted November 17, 2008 at 12:32 PM | Permalink

    It is 3 years since you wrote this, and I think it is more relevant than ever. As spam volumes have increased 5X since you wrote it, it is more important than ever to minimize what the end user has to inspect. My goal is to have the quarantine hold only 4% of received spam. For a user who receives 250 spam messages per day, that means there are only 10 messages to inspect. That is a manageable number.

    I wrote a blog about this which confirms your opinion:
    http://blog.maysoft.org/blog.nsf/d6plinks/FPAO-7LANC3

Post a comment

You must be logged in to post a comment. To comment, first join our community.