The BondedSender Program (BSP) con.

I don’t know how this happened, but for some reason the antispam community seem to have walked right into quicksand. Why?   Well, consider this: If you existed to come up with ways to stop spam, you would think that implementing a way to establish trust relationships with sender would guarantee* that they wouldn’t send you spam.

* – No there are no guarantees.

Well recently a configuration option within SpamAssassin caused me alarm since it was occurring more frequently in spams that were getting through to me. Looking into the RCVD_IN_BSP_TRUSTED score I found that spamassassin gave it a -4.3 weighting which unless the email is particularly spammy, it means the net score for that email will result it it being classified as non-spam.  Trouble is – this is spam, so why is spamassassin being so nice to it?

Looking it up, I ended up at The Bonded Sender Program .org (this is the Internet friendly face) which "turns the spam problem upside down by identifying legitimate email traffic".  Oh?  Further reading shows that the BSP has a corporate side that companies pay the BSP (read: IronPort, who also happen to own and run SpamCop) so their emails get positively flagged as non-spam.

Am I the only one spotting the delicious conflict of interest?
1. Spamassassin catches spam
2. Users report spam to SpamCop
3. SpamCop blocks spammer.
4. Spammer has less success because their servers are blacklisted

Now SpamCop, aka IronPort, aka BSP goes to spammer "Pay us a wodge of cash and we can make sure a) you don’t get flagged as spam, and b) your servers can’t get blacklisted". Sounds like a sweet deal.  Why wouldn’t any spammer go for it?

In any other industry this would be blackmail. e.g. Mafia: "Pay us your insurance so you can be sure you or your shop doesn’t meet with an unfortunate accident".

Now the BSP apparently takes abuse of their system very seriously.  I beg to differ.   I reported an instance of abuse, to which the initial reply sounded positive, but that same customer is still spamming away.  I shall post some example spams that BSP claim isn’t spam as comments.

So, anyone reading this.  If you use Spamassassin, add this to your user_prefs:

Companies or Email senders – if you hit this page whilst researching about using the BSP, then please don’t.  It is a dirty way to get your message across – if anything it will make people like myself even more vehemently outspoken against you and your products.

BSP/SpamCop/IronPort – if you want to regain some credibility, perhaps you will take your abuse reports seriously and actually kill off those customers who do use you as a ticket to get spam through.

This is my personal opinion based on my experience of spam emails I have received via the Bonded Sender Program.