Bulk Blocking

From Roaring Penguin
Revision as of 12:12, 18 April 2017 by JohnMertz (talk | contribs)

Roaring Penguin regularly receives requests about being able to make "Block" (formerly "Blacklist") rules for a large chunk of email addresses or domains at once.

In the context of importing rules, this is very easy to do using Rules->Bulk Entry or by using the API. However, most of these requests are made in the context of taking bulk actions on existing Quarantined messages from the Pending Message notifications or the WebUI Quarantine. The following is a discussion of the impact we believe that such an action would have.

Efficacy of Block Rules

Block Rules are often not as useful as you might initially think. Spammers tend to utilize or generate new sender addresses for every message they send (see this article discussing a single spamming operation with 1.4 billion compromised accounts at its disposal). This means that a given recipient will rarely receive two spams from the same sender. You can see this by going to Rules->Sender and Rules->Domain, which maintain a hit counter for all of the rules that currently exist.

At the time of writing, approximately 60% of the Sender rules that currently exist have never been hit. It is noteworthy that this figure includes the false-positives discussed in the next section but does not account for the fact that we automatically expire rules created using the training links or quarantine actions after 30 days if they go unused. Thus the "useless" rules from the last 30 days outnumber the "useful" rules from all time.

Risk of Unintentional Rules

Allowing users to Block all senders or domains within their quarantine would also greatly increase the likelihood that a user would accidentally add a rule blocking a legitimate sender whose false-positive they overlooked. Accidental rejection of trusted senders or domain-level rejection of domains like gmail.com is already one of the most common problems experienced by our users; removing a user's need to discriminate more closely before they create such a rule is very likely to exacerbate that problem.

Our Current Position

As a result of the overwhelming risk and minimal potential positive impact, we have no plans to make this feature available, even to administrators.

Other Approaches

Bulk Rejecting

We DO provide a "Reject all as Spam" option both at the bottom of the Pending Message notifications and at the top of the page in the WebUI. Rather than immediately submitting with "Reject all as Spam", the WebUI also has a button which automatically changes all of the selections in the Action column to "Reject" but does not submit. This allows you to selectively change specific messages to a different action.

Rejecting messages will remove them from the quarantine and will train the Bayesian filter to be more likely to reject similar content in the future, but this will not create any absolute rules.

Creating Rules in Bulk

If the user has the Drop-Down list (Preferences->Preferences->P-500) as their method for selecting actions, they can manually set all messages to "Block Sender" or "Block Domain", given that they have the permissions to do so, which will allow them to make a rule for all entries on the page, but will discourage them from doing so without more scrutiny.

As mentioned at the top, you can create block rules in bulk using the Rules->Bulk Entry tool or the API. If you have a list of block rules from another service or other source that you would like to add, you can enter them there or provide the list to Roaring Penguin support staff who would be happy to help. This is not meant to be a convenient way to react to new quarantined content, but instead to import lists that are proven to be useful for your needs.
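One way to vet a list before entering it in Rules->Bulk Entry, so that a domain-level rule for a shared provider such as gmail.com does not slip in unnoticed. This is an added example, not Roaring Penguin code: the one-entry-per-line input, the SHARED_PROVIDERS set and the vet_block_list name are assumptions, and the sample entries are constructed.

```python
# Added example: vet a block list before bulk import. The one-entry-per-line
# input and the SHARED_PROVIDERS set are assumptions, not CanIt formats or data.
import re

# Constructed, deliberately short list of shared mailbox providers; extend locally.
SHARED_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
LOCAL_RE = re.compile(r"^[a-z0-9.!#$%&'*+/=?^_`{|}~-]{1,64}$")
# Constructed sample input (the .example names are placeholders).
SAMPLE = ["promo@bulk.example", "bulk.example", "Gmail.com", "friend@gmail.com",
          "bulk.example", "not a domain"]


def vet_block_list(lines):
    """Sort entries into sender rules, domain rules and (entry, reason) rejects."""
    result = {"senders": [], "domains": [], "rejected": []}
    seen = set()
    for raw in lines:
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        if entry in seen:
            result["rejected"].append((entry, "duplicate"))
            continue
        seen.add(entry)
        # No "@" means the whole entry is a domain; "@domain" is also a domain rule.
        local, at, domain = entry.rpartition("@")
        if not DOMAIN_RE.match(domain):
            result["rejected"].append((entry, "invalid domain"))
        elif at and local:
            if LOCAL_RE.match(local):
                result["senders"].append(entry)
            else:
                result["rejected"].append((entry, "invalid local part"))
        elif domain in SHARED_PROVIDERS:
            # A domain-level rule here would block every user of that provider.
            result["rejected"].append((domain, "shared provider domain"))
        else:
            result["domains"].append(domain)
    return result


if __name__ == "__main__":
    for kind, entries in vet_block_list(SAMPLE).items():
        print(kind, entries)
```

Entries under "rejected" are meant for manual review rather than silent removal; a single address at a shared provider still passes as a sender rule.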

Other Ways to Automatically Reject Messages

In lieu of an absolute block rule, regular messages from any sender can be automatically rejected such that they do not appear within the notifications or the user's quarantine. Taking this approach is much more helpful as it addresses future mail from unknown senders without the need to constantly create more block rules that are unlikely to help.

The primary way to limit the number of messages included in the reports is by changing the auto-reject threshold (S-100).

Once a reasonable threshold has been selected, many of the troublesome messages will be filtered out automatically. If specific types of messages persist in making it through to the quarantine, you can use a wide variety of other rules, such as those suggested in this article.