A Little-Known German Spam Control Regulation

In Germany, the law says that organizations must not delete spam once their mail exchanger (MX) has accepted it from the Internet. In effect, you must either reject the message before SMTP's DATA transaction or quarantine it.

So if you're an international organization and you don't want to quarantine even the most obvious-looking spam, consider not placing any MXs in Germany!

... Richi Jennings

One Comment

  1. Posted July 17, 2006 at 1:45 PM | Permalink

    Richi: Do you know whether the German law forbids traffic shaping of SMTP connections as well? We have found that 90% of spammers abort by the time a connection has been open for 30 seconds — and some of our customers exploit this to reduce their spam traffic a great deal without blacklisting.

  2. Posted July 18, 2006 at 2:02 AM | Permalink

    I hardly think it’s likely that a law could successfully regulate SMTP. Shaping, tarpitting, greetpausing, and the like are currently useful tactics to separate zombie senders from legitimate MTAs. Their behavior is within the protocol specs.

    Emphasis on currently, BTW — there’s evidence that some zombie code is getting more sophisticated at correct MTA behavior.

  3. gino
    Posted July 18, 2006 at 4:42 AM | Permalink

    What system is really able to decide, effectively, what is “most obvious-looking spam”? Difficult to answer… That is why we believe it is better to store every “accepted” message in quarantine (BTW: we are in Germany). The user gets a notification about his SPAM mail stored in the quarantine, and after a while (e.g. 30 days, or whatever the user decides for himself) the quarantined messages are deleted. German law is OK with that because users are able to verify what has been blocked and, if need be, to unblock it.

  4. Posted July 18, 2006 at 5:32 AM | Permalink

    Gino, most anti-spam engines generate a “spamminess score” for each message. Increasingly, installations are discarding messages with a very high score — for example, a SpamAssassin score higher than 15. The idea is to reduce the burden on users of examining the quarantine.

    Our understanding is that this would be illegal in Germany.
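
The greet-pause tactic raised in the comments above acts before any message is accepted, so the sessions it sheds never produce mail that could later be deleted. As an added example (not code from the post or its commenters), this Python sketch classifies sessions from a constructed event log; the log format, the 30-second pause value and all function names are assumptions.

```python
from collections import defaultdict

GREET_PAUSE = 30.0  # assumed delay in seconds before the server sends its 220 banner

# Constructed sample events, hypothetical format: "<seconds> <session> <event>"
SAMPLE_LOG = """\
100.0 a connect
101.2 a client_data
100.0 b connect
112.5 b disconnect
100.0 c connect
130.0 c banner_sent
130.3 c client_data
200.0 d connect
229.9 d client_data
"""

def parse(log_text):
    """Group events by session id, each list ordered by timestamp."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, sid, event = line.split()
            sessions[sid].append((float(ts), event))
    return {sid: sorted(events) for sid, events in sessions.items()}

def classify(events, pause=GREET_PAUSE):
    """Verdict for one session, judged only on what happens before the banner."""
    start = next((ts for ts, ev in events if ev == "connect"), None)
    if start is None:
        return "pending"
    for ts, ev in events:
        during_pause = ts - start < pause
        if ev == "client_data" and during_pause:
            return "early_talker"  # spoke before the greeting: refuse in-session
        if ev == "disconnect" and during_pause:
            return "aborted"       # gave up during the pause: nothing was accepted
        if ev == "banner_sent":
            return "patient"       # waited for the greeting: goes on to normal filtering
    return "pending"

def triage(log_text, pause=GREET_PAUSE):
    return {sid: classify(ev, pause) for sid, ev in parse(log_text).items()}

def pre_acceptance_share(verdicts):
    """Fraction of sessions that ended before any mail could be accepted."""
    gone = sum(v in ("early_talker", "aborted") for v in verdicts.values())
    return gone / len(verdicts) if verdicts else 0.0
```

Only the "patient" sessions reach content filtering, where the reject-or-quarantine choice described in the post applies.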
