Outbound filtering - Part 1

We are nearing the end of the dev cycle of our next release and the plans naturally start to look forward to our next release.  Don't get me wrong, there's still a ways to go in our current release.  We have to hit code complete on January 31, go through Test and reduce all of our bugs to zero (hitting Zero Bug Bounce, or ZBB) and then we release to Operations.  That's scheduled for April.

However, we need to have the pipeline full for the next big thing.  Normally, I like to plan for things that are my idea, but occasionally we take special requests from other departments.  The current hot issue of the day is outbound spam filtering.

Most big services that I am aware of do not do outbound spam filtering.  Hotmail doesn't do it, Gmail doesn't do it, we don't do it.  The assumption is that all of our customers are sending legitimate mail and none of them are spammers trying to hide behind our outbound mail service.

I believe that this is a reasonable assumption, but the problem now is that many times, customers using us for outbound mail are 0wned.  Thus, they get a system on their network that is infected (turned into a bot) and pumps out tons of spam, and then that spam gets relayed through us.  The result?  We get listed on third-party blacklists.  For big guys like Hotmail or Gmail, that's not that big a problem because they have a lot of clout.  Who'd be foolish enough to block all mail from those guys?  We, by contrast, don't have quite so much leverage.

Plenty of departments keep telling me that we need to do outbound spam filtering.  As I will go into in my next post, this is only the first step in the direction we need to head.  We want to keep our IPs clean, but outbound mail filtering is a complex task.