
Having the rules public seems to take away most of the benefits...

Any smart spammer will just tweak his spam to not hit these rules... And if he hasn't, it's because the vast majority of people don't use SpamAssassin



The vast majority of operations in these fields are mind-bogglingly simplistic.

Well-known rules will block most spam, some with occasional collateral damage but many with no realistic chance of collateral damage.

Entity-encoding the @ in email addresses in HTML will block the vast majority of email address harvesters, with no collateral damage.

Adding a honeypot field to an HTML form, with the label “If you are human, leave this field blank” and hidden by CSS, will catch practically all spam submissions, with no collateral damage.


> smart spammer

I am sure there are plenty of smart spammers, but it also seems like a lot of spam comes from folks using scripts and email lists they use without fully understanding. It appears SpamAssassin would help with those operations.


I'm starting to think the smart spammers are the ones selling worthless spam tools to the dumb spammers, because so much spam is entirely unactionable.


Part of the smart spammer approach is to condition people to what spam looks like, so you're more likely to let through the ones they really care about.


Spammers seem to be really lazy. The only time I’ve received spam on my own domain was when I changed servers and forgot to enable the Postgrey service. Grey-listing has been around for long enough (a couple of decades) so I would have expected spammers to be resending emails that are rejected with a temporary error.

So I wasn’t expecting Postgrey to provide much benefit. As it happens, in 10 years of running my own mail server, it’s the only anti-spam measure I’ve had to bother with.
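The greylisting behaviour described above (first attempt rejected with a temporary error, retry accepted), as an added example in the spirit of Postgrey; this is not Postgrey's code, and the delay, retention and sender/recipient values are constructed assumptions:

```python
"""Minimal greylisting policy (added example, not Postgrey's code).
Assumed defaults: 300 s retry delay, 35 days before a triplet is forgotten."""
from dataclasses import dataclass, field

DEFER = "450 4.2.0 Greylisted, please try again later"   # temporary error
ACCEPT = "DUNNO"   # Postfix policy-daemon reply meaning "no objection"

@dataclass
class Greylist:
    delay: float = 300.0          # seconds a new triplet must wait
    max_age: float = 35 * 86400   # forget triplets not seen for this long
    first_seen: dict = field(default_factory=dict)   # triplet -> timestamp
    known_good: set = field(default_factory=set)     # triplets that retried

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.known_good:
            return ACCEPT
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.max_age:
            # never seen (or expired): record it and ask the client to retry
            self.first_seen[key] = now
            return DEFER
        if now - seen < self.delay:
            # retried too soon: a real MTA waits out its queue interval
            return DEFER
        # retried after the delay: treat the triplet as legitimate from now on
        del self.first_seen[key]
        self.known_good.add(key)
        return ACCEPT

def simulate():
    """Constructed scenario: a fire-and-forget sender vs a retrying MTA."""
    gl = Greylist()
    # bulk sender that makes one attempt and never retries: stays deferred
    spam = gl.check("203.0.113.7", "promo@example.net", "me@example.org", 0.0)
    # legitimate MTA: deferred, retries after its queue interval (15 min)
    first = gl.check("198.51.100.2", "friend@example.com", "me@example.org", 0.0)
    retry = gl.check("198.51.100.2", "friend@example.com", "me@example.org", 900.0)
    later = gl.check("198.51.100.2", "friend@example.com", "me@example.org", 5000.0)
    return spam, first, retry, later

if __name__ == "__main__":
    print(simulate())
```

The only cost is the delay on the first message from each new sender/recipient pair; once a triplet has retried, later mail from it is accepted immediately.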


Hi, Adrien here, author of this article (and of updown.io). That is true and I actually hesitated to write the article for this reason, because it could make spammers' lives easier. But after seeing some of the legacy and nonsense in here I thought it's still worth it so people at least understand what they are using.


> Any smart spammer will just...

Spam is all about high-volume/~no-cost delivery of crap. Time spent tweaking the spam - to evade $Defense_1, $Defense_2, etc. - is added cost. Especially if $Defense_n is only used by a few of the prospective victims (folks too savvy or paranoid to be suckered do not count), then tweaking to get around $Defense_n is a losing strategy for the spammer.


> it's because the vast majority of people don't use SpamAssassin

Bingo. Not that there aren't a lot of people running SA, but spammers want to be able to deliver to the big players (1) (gmail, o365, etc), not the size folks out there running SA. It's not worth their time to devote effort to optimizing for a rounding error in the deliverability equation.

(1) Unless they're selling 'targeting' services where you're paying to deliver to a specific domain/user which might be behind SA. Plenty do, but that's a little bit farther down the criminality spectrum and vastly less volume than shilling peener pills or warranty extension scams.

edit: formatting


Spam is a minimal effort endeavor. A lead generator for scams. Only 0.1% or 0.01% response rate is good. They only want the unsophisticated, naive recipients. Expending effort to tweak rules is not worth the effort. (Although if they can get AI to do it, then that's back to near zero effort)


It’s effectively no different from a spammer running their spam mails through a local SpamAssassin to see how it goes, and tweaking them until they pass.



