Domain: tmda.net
Stories and comments across the archive that link to tmda.net.
Comments · 166
-
GeekISP
I have used the (well named) Geek ISP for years now. All open-source, secure, and the guy really knows what he is doing.
http://www.geekisp.com/prices/plans.php
More info: they have IMAP, POP, at least 2 different webmail suites, SpamAssassin and (for those really into anti-spam) TMDA.
-
Re:Nice
TMDA does everything one needs. It can do whitelisting, blacklisting, time-based email addresses, challenge-response, and even includes a proxy you can use to automatically tag outgoing email for you.
-
Re:TMDA is the answer, maybe.
That is covered in the FAQ. http://wiki.tmda.net/TmdaFaq#head-ee35633e2369946da0d2496b4600b7411ec8be50
-
Zero Spam is easy...
I use qconfirm myself but there's also tmda and others.
*If* you are serious about getting rid of the spam then just do it. The technical part is readily available.
I deployed that almost a year ago and never looked back. I still see the occasional spam in a mailing list folder because those go through unfiltered for obvious reasons but I couldn't care less. My inbox has been spam-free since then and that's what matters.
I don't quite get why people are still bothering with greylisting, spamassassin, razor, dcc, bayes and the ilk. I tried them all and they're more trouble than they're worth. You get false positives, false negatives, it's a stupid game that you can't win.
-
TMDA Catches All My Spam
TMDA catches all my spam. It does not examine content. It sends a request for response to all unknown senders. Since the vast majority of spam has forged return addresses, no responses are sent back and the mail stays in the TMDA pending queue until it expires. Humans, on the other hand, reply, and their mail is removed from the pending queue and gets through. When I set up TMDA, I populated the whitelist with all the email addresses of my correspondents and lists.
Around 75% (150/200 daily) of my email is spam. After a month my false positive rate was around 0.5% (1/200) and most of those were mass mailed offers I would not miss. My false negative rate is around 0.02% (1/6000); every month or so a spam message is validated; I just move the address from validated to blocked so I'll never see it again.
I never have to see the 150 spam messages that come each day. I check the pending queue only when a business that sends email with a non-responding return address is sending me a message, like an online order confirmation.
The user can generate a keyword address when signing up for a list; messages from this address are allowed through without whitelisting. If later compromised, that address can be put on the revoked list.
I use tmda.cgi for configuration.
-
Re:Use IM Techniques + Captcha
TMDA and others have implemented solutions like what you are proposing. The main draw-back is that when the botnets send out mail forged from cucucu@example.com, poor cucucu is buried in requests to verify mail that he didn't send out. The second problem is that people are surprisingly dense about responding to those verification requests.
-
Challenge Response systems...
Yeah, they're annoying, and doubly annoying for anyone joe jobbed, and poorly set up C/R systems annoying mailing lists, but there's one thing that can't be beat about them: You can guarantee a human at the other end (assuming it takes more than just pressing reply) and you can track spammers down that bother to put the effort in. Oh, and you don't need to "upgrade" SMTP or get someone to adjust your DNS server (Here's looking at you, SPF!) to get them to work.
The net cost of getting humans to reply to C/R mails means spam becomes expensive.
Yes, it sucks, and yes, there's the people out there that refuse to work with C/R systems. But I don't care. I don't need to talk to everyone on the internet, and the 1% - 2% that won't deal with C/R can FOAD for all I care.
The issues of C/R systems having infinite loops, etc, have been worked out over the years. That doesn't happen anymore with the latest versions. I would recommend looking at either TMDA for a server side solution, or ASK for a client side solution.
(Of course, there's specific instances where C/R systems are simply too annoying, like trying to get sales leads, etc, but for the average person, that's not an issue.)
The best design would be a SPAM filter with a C/R system for mail that isn't marked SPAM. Joe jobs become much less of an issue, and you still don't get any SPAM.
-
Running mail at home has its advantages...
"Running mail at home is a waste of my time. It can be done, but you get nothing but hassle out of it..."
After you set up your mail server (admittedly a bunch of upfront hassle) there is precious little maintenance to do. And I get lots of features I couldn't get otherwise:
- Mail clients are filtered through my firewall: I blackhole bogons for example, and certain abusive networks.
- RBLs of my choice: There are good RBLs and bad RBLs. I like the ORDB list, DSBL list, the Spamhaus SBL and XBL lists, the SORBS DUL list, and the Spamcop blocking list.
- Greylisting: This is effective for eliminating the remaining spam that makes it through your SMTP-time filters.
- Challenge-response: Yeah, I know... love 'em or hate 'em. TMDA has been useful to me in the past, though I'm not sure I'm going to keep it much longer.
- One-time email addresses: If you maintain your own server and domain, then you can have as many email addresses as you want. Expire them on your schedule, or perform special processing for mail received at those addresses.
- Forget about artificial mail-size limits: My ISP's email accounts cut off attachments at something like 2MB. So much for that camping video my friend wanted to send me. My personal mail server is much more forgiving.
- Flexible and secure access: My mail clients use POP3 and IMAP inside the firewall, and IMAP via SSH port-forwarding from the outside.
-
Whitelists already exist...
It's called TMDA
-
Re:p2p whitelists anyone?
The TMDA (Tagged Message Delivery Agent) page addresses just this issue:
Can't spammers just setup an auto-responder to defeat TMDA?
Unfortunately, TMDA uses messy addresses that my friends, family and vendors have trouble dealing with. (I had one vendor just pitch the email address because in their system they have to retype the address by hand!)
-
No spam for 2.5 years.. Use TMDA
I've been using TMDA (http://www.tmda.net/) for over 2 years. During that time, I've received only 2 spam emails in my inbox, that were due to setup problems. My email addresses collectively receive about 100-200 spams a day, but TMDA does its job, so I never see them.
For those who don't know, TMDA is a challenge-response based server-side system. It's open-source, all written in Python. Works with all client mail readers. Check it out.
-
I Gave up on spam filters...
I have changed to TMDA http://www.tmda.net/ whitelist/blacklist to handle spam blocking. Filters and having to tune them/update them just got too annoying. It keeps the mails where they are viewable (with a CGI utility) so I can look through them if I think I have missed something by blocking it. I can optionally send out confirmation notices to the tune of "This address is not on my whitelist please hit your reply button to send this message back to allow the mail through". I have this turned off; it was a waste of bandwidth really.
I have always wanted to combine this approach with a filter such that incoming mail hits the filter first, then if it makes it past the filter the whitelist/blacklist gets applied. I figure it would cut down on the number of messages I needed to double check from time to time.
-
Re:I love challenge/response!
Challenge/response can be quite irritating, in particular when someone post to a public mailing list and uses C/R.
I post to public mailing lists using C/R. But I've built it so that all of my posts to that list are set up so that replies to me will get through w/out being challenged. There's more than one way to do this using TMDA.
Any C/R request goes to my trash folder.
See this post for how you can automatically filter any TMDA challenges.
-
I love challenge/response!
I know that this is going to start a religious flame war. And I apologize in advance. But since I started using challenge/response (specifically TMDA) I just don't care. I give anyone my email whenever they want. I register on websites with an address that expires. So it works for long enough for them to send whatever it is that I need from them and then stops working after that.
Do I still get spam? Yes. The 419 scammers can get through. I see one of them once every 6 months or so. I just blacklist them. 2 spams a year is much easier to deal with than 12000. Do I see automated spam? Nope. Haven't seen one of those in my mailbox since 2001.
IMHO, C/R is the best tool that I've seen to allow me to not worry about giving out my email address to others. I wish there was a way in which we could create a small experiment on the internet in which everyone used C/R, and see what happened to spam. My prediction: it would disappear. And when that happened, no one would be afraid to give out their email address. No one would be worried about companies leaking their email addresses. This story would not be interesting enough to make the front page of /.
(FWIW, I fully understand the argument that says that C/R is bad. I do not agree with its accuracy nor its validity. I'm happy to argue about the merits of C/R, but recognize that a lot of these arguments have been addressed by TMDA and other well behaved C/R.)
-
Re:Whitelists/Permission based email
TMDA works great for me too. But it's best to combine it with a content-based filter to reduce the number of challenges you send out.
-
From TFA's FAQs
I still say that this is the same thing as Challenge/Response.
Is there any other challenge/response system that allows for the unimpeded receipt of third party emails? Is there any other challenge/response system that avoids challenging every unique correspondent? Yes. TMDA. Bite me. In fact, bite me >here< (but you'll have to be quick, this address expires in three days).
-
Re:Yet another challenge/response system: *yawn*
You might think that this is a major flaw, but most C/R solutions have already anticipated this and come up with a solution. Here's the solution using TMDA.
-
Re:Yet another challenge/response system: *yawn*
If I buy airline tickets online and they don't tell me the source email address, how am I supposed to get the itinerary
This is easily resolved by using a keyword address
if somebody (even a friend) uses them I won't bother unlocking with a response, and I won't use email to contact them again. It's their loss, not mine.
I don't see how this is my (or any other C/R user's) loss. You're the one who sent the email in the first place. Presumably you had some reason for doing so. Whatever that reason was, that's what is lost. If your email wasn't important enough to you to ensure it gets to me, then I don't feel much loss for having ignored it.
And you're a very strange friend, who values a particular email system over your relationship with that person. Good luck with that.
-
Re:Problem though
how do users who challenge get through to users who need to respond if those users won't get the challenge until their challenge is met?
By properly configuring the C/R system.
-
Re:Yet another challenge/response system: *yawn*
One more thing. I don't know if this is true for ALL C/R, but TMDA goes out of its way to announce that the challenge is computer generated.
- It sets the "Precedence: bulk" header.
- It sets the "Auto-Submitted: auto-replied" header.
- In the body of the message, as the first line, it says: "This message was created automatically by mail delivery software (TMDA)."
- The confirmation is actually a MIME attachment with the following MIME header: "Content-Description: Confirmation Request".
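
An added example, not part of the comment above and not TMDA's own code: a receiver-side check that scores a message against the four markers the comment lists, so challenges can be filed automatically. The sample messages are constructed, and the three-of-four threshold and all function names are assumptions.

```python
"""Score a message against the four TMDA challenge markers listed above."""
from email import message_from_string
from email.message import Message

TMDA_FIRST_LINE = ("This message was created automatically by "
                   "mail delivery software (TMDA).")


def _header_token(msg: Message, name: str) -> str:
    """Header value without parameters, lower-cased ('' if absent)."""
    return str(msg.get(name, "")).split(";", 1)[0].strip().lower()


def _first_body_line(msg: Message) -> str:
    """First non-empty line of the first text/plain leaf part."""
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode("utf-8", errors="replace")
        for line in text.splitlines():
            if line.strip():
                return line.strip()
        return ""
    return ""


def challenge_markers(msg: Message) -> dict:
    """Report which of the four markers are present."""
    descriptions = {str(p.get("Content-Description", "")).strip().lower()
                    for p in msg.walk()}
    return {
        "precedence_bulk": _header_token(msg, "Precedence") == "bulk",
        "auto_submitted": _header_token(msg, "Auto-Submitted") == "auto-replied",
        "first_line": _first_body_line(msg) == TMDA_FIRST_LINE,
        "confirmation_part": "confirmation request" in descriptions,
    }


def is_tmda_challenge(raw: str, min_markers: int = 3) -> bool:
    """True when at least min_markers (assumed threshold) markers match."""
    markers = challenge_markers(message_from_string(raw))
    return sum(markers.values()) >= min_markers


# Constructed sample: a challenge carrying all four markers.
CHALLENGE = """\
From: bob-confirm@example.net
To: alice@example.org
Subject: Please confirm your message
Precedence: bulk
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

This message was created automatically by mail delivery software (TMDA).

Your message is being held until you confirm it.

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Description: Confirmation Request

(original message headers would appear here)
--b1--
"""

# Constructed sample: an ordinary vacation auto-reply. It shares the two
# generic headers but not the TMDA-specific body line or MIME part.
VACATION = """\
From: carol@example.com
To: alice@example.org
Subject: Out of office
Precedence: bulk
Auto-Submitted: auto-replied
Content-Type: text/plain; charset="us-ascii"

I am away until Monday.
"""

# Constructed sample: normal person-to-person mail.
ORDINARY = """\
From: dave@example.com
To: alice@example.org
Subject: lunch?

Are you free at noon?
"""

if __name__ == "__main__":
    for name, raw in [("challenge", CHALLENGE), ("vacation", VACATION),
                      ("ordinary", ORDINARY)]:
        print(name, is_tmda_challenge(raw),
              challenge_markers(message_from_string(raw)))
```

Requiring the body line or the MIME description in addition to the two headers keeps generic auto-replies out of the challenge folder, since `Precedence: bulk` and `Auto-Submitted: auto-replied` are not specific to TMDA.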
-
Re:Yet another challenge/response system: *yawn*
Wrong. You assume that all email I challenge comes from legitimate addresses that are forged. While you're right that the number of spams that come in from forged addresses is greater than zero, it's nowhere near 100%.
I used to have a program installed that would delete emails from my pending list that were from invalid addresses. An invalid address was determined by getting a bounce when it failed delivery. The bounce would contain a reference to the file in my pending list and it was pretty easy to just delete that file. This program deleted about 95% of my pending list. Which is to say that 95% of spam comes from invalid addresses. Only 5% of email that I challenge comes from real working addresses. I would *LOVE* if I could prevent the 5% of people who are wrongly getting my challenges from getting them. But, by definition, I don't know who they are. As a consequence I can't possibly know whether they're sending spam or not.
The solution for that 5% of people is to use TMDA. Then they will know, just as I do, which email responses are from email that they legitimately sent and which ones are a result of forged addresses. And then they can just reject bounces from the forged stuff just like I do.
-
Re:Challenge Response Spam
Of course if my MTA signed my messages with a random key, and the challenge message sent the key back, my MTA could filter out anything I didn't actually send. Unfortunately that requires coordination which the various email/spam task groups do not seem to be capable of.
At least one C/R system does this. It does this by being able to determine legitimate email that you sent from illegitimate email. The way it does this is it tags the From address of email that you send with a cryptographic key. All responses (challenges/bounces/etc) to email that I sent will be delivered back to an address with a crypto key in it. Thus I can tell which email I've sent and which email was sent by someone else forging my address.
In my case, I interact with a lot of TMDA users. The ONLY challenges and bounces that I see are from email that I sent. All challenges or bounces sent to my mailbox as a result of someone forging my email address get dumped into the SPAM bucket. TMDA knows that I didn't send that email so it knows exactly what to do with it.
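
An added example, not part of the comment above and not TMDA's code or address format: one way a sender address can carry a keyed tag so that bounces and challenges to forged mail are recognisable. The `-dated-` layout, the truncated HMAC-SHA256 tag, the seven-day lifetime, and the function names are all assumptions made for illustration.

```python
"""Keyed, expiring sender tags for recognising replies to mail you sent."""
import hashlib
import hmac

MAC_HEX_LEN = 12          # assumed truncation of the HMAC-SHA256 hex digest
DEFAULT_LIFETIME = 7 * 86400  # assumed validity window, in seconds


def _mac(key: bytes, local: str, domain: str, expires: int) -> str:
    """MAC binds the base address and the expiry time together."""
    data = f"{local.lower()}@{domain.lower()}|{expires}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:MAC_HEX_LEN]


def tag_address(address: str, key: bytes, now: int,
                lifetime: int = DEFAULT_LIFETIME) -> str:
    """Return the tagged form to use as sender on outgoing mail."""
    local, domain = address.rsplit("@", 1)
    expires = now + lifetime
    tag = _mac(key, local, domain, expires)
    return f"{local}-dated-{expires}.{tag}@{domain}"


def check_recipient(address: str, key: bytes, now: int) -> str:
    """Classify the address an automated reply was delivered to.

    Returns 'valid', 'expired', 'forged' or 'untagged'.
    """
    local_part, _, domain = address.rpartition("@")
    base, sep, tag = local_part.rpartition("-dated-")
    if not sep:
        return "untagged"
    stamp, dot, mac = tag.partition(".")
    if not dot or not (stamp.isascii() and stamp.isdigit()):
        return "forged"
    expected = _mac(key, base, domain, int(stamp))
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), mac.lower().encode()):
        return "forged"
    if now > int(stamp):
        return "expired"
    return "valid"


def route_automated_reply(recipient: str, key: bytes, now: int) -> str:
    """Deliver bounces/challenges only when they answer mail we tagged."""
    return "inbox" if check_recipient(recipient, key, now) == "valid" else "spam"


if __name__ == "__main__":
    key = b"constructed-demo-key"      # constructed; use a random secret
    now = 1_000_000                    # constructed clock value
    tagged = tag_address("carol@example.org", key, now)
    print(tagged)
    print(route_automated_reply(tagged, key, now + 3600))               # inbox
    print(route_automated_reply("carol@example.org", key, now + 3600))  # spam
```

A forger who only knows the plain address cannot produce a tag that verifies, so a bounce or challenge arriving at the untagged address is backscatter by construction.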
-
Re:Yet another challenge/response system: *yawn*
There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them.
I've been using Challenge/Response for nearly 3 years. And I disagree with your critiques. Let's take this point by point:
- Users hate them: There is a kernel of truth to this. Some users do hate them. Those users hate challenge/response so much that they instigate fights. They submit their IP addresses to RBLs for blacklisting. These are a very annoying, and vocal MINORITY. By far most users are agnostic. They deal with the challenge once and then they're done.
- automated systems can't get past them: Again, there's a kernel of truth here. If you have badly configured your C/R you're going to be in trouble. But a properly configured C/R has absolutely no problems.
I use TMDA. I've got it configured so that any email I send to unknown addresses will be allowed to respond for 7 days. After that, they go into C/R. For my bill pay services, I give them a special address that allows them in forever, but that's tied to them so that I'll know if they ever hand it out to someone else.
- they're almost always subverted: Really? In the last month I've had over 4000 pieces of email delivered to me from unknown addresses. Only 10 of those have been confirmed. Of the ones that were confirmed 2 of them were spam. This was easily remedied by removing those 2 addresses from my whitelist and adding them to my blacklist.
- never will gain the acceptance of the user community enough to become effective: While C/R may never gain the acceptance of the user community, I don't think it's for the reasons that you cited. I think the reason is that it's too hard to set up correctly. But that being said, it doesn't need the acceptance of the user community to be effective. It works for me today whether or not you use it.
Personally, I think it'd be better if the entire world started using C/R. It'd be better because then everyone would understand that sending email to an unknown party involves a formal introduction process. This would cut down on the number of people who get confused when they receive a challenge. But if this doesn't happen it's not that big a deal. The number of confused people is already small.
-
Re:Try Challenge/Response... it works!
/Me too!/
TMDA is absolutely great and the best solution so far. Highly recommended!
-
TMDA
I've used SpamAssassin for quite some time now, but I was still getting spam through, mostly because I'm a paranoid freak and figured I'd be missing out on mails that it mistakenly tagged as spam.
What I use now (alongside SpamAssassin) is TMDA. This is basically an "approval queue" for messages. If someone not in your approved list sends you mail, they get a reply telling them they need to send mail to a specifically generated address in order to allow the mail to pass through to me. Eventually mails that don't get approved time-out and get added to a blacklist for the future. I also quickly review the queued items every morning in case someone didn't see the approval mail (it has a tool that allows you to easily peruse the list with just subject and sender info). So far I've gotten NO spam through this method -- NONE. I used to get hundreds a day, and now I have a spam-free INBOX because of TMDA.
While I highly recommend using TMDA, it may not be for people running businesses or waiting for mail from clients. The auto-reply message can perhaps strike some as inconvenient, even though they only have to do it once (once they've sent mail to the approval address, they're added to the whitelist for all future mails). So far spammers haven't found a way around TMDA it seems...so far.
-
Re:Still, though...
Tmda?
-
TMDA?
To me, ASK looks just like TMDA. I already use TMDA as a challenge-response mechanism for my own inbox, however I am (usually) careful about manually whitelisting strangers before emailing them. I also watch TMDA's logs to make sure it's not stopping anybody I know, and I have customized the challenge message to fully explain what's going on. It even apologizes to the sender in advance for the trouble. I have never had a problem with it, and over the last year I've only had one spam message actually get through it.
I have seen several web pages written by people who don't like these challenge-response mechanisms, including one earlier today which went so far as to say that if he receives such a challenge, he will delete it- even if it's from one of his customers asking for help. This seems a bit extreme to me, but I can understand his frustration- it is an extra step which shouldn't really be necessary. It's a pain to have to deal with it, both for the sender (who has to respond to the challenges) and the recipient (who sends out the challenges, and has to deal with people calling on the phone to complain about them.) It's a very touchy situation, having to ask your clients to prove that they are human beings instead of spam-sending robot programs... but if you keep a close eye on the mechanism, manually whitelist as many legitimate people as you can, and watch the log file to catch anybody you know, it can be a workable solution (as it has been for me.)
However, having spent ten years building and running ISPs, I can say that there is no way I would ever force something like this on my clients. I might try to find a way to ALLOW my clients to use it on their mailboxes if they want to, but I certainly wouldn't just turn it on for every single email address- trying to explain it to somebody who receives a challenge is hard enough without having to try and explain the whole mechanism to some old lady who knows nothing about computers and just wants to receive email from her grandkids and her sewing circle. I remember the pain of trying to explain blacklists to these people...
-
Re:Slashdotted
On the subject of whitelist only solutions, I have been using tmda, http://tmda.net/ for about 6 months now. I have received no spam at all and the only messages that get stuck in the "pending" queue are newsletters which I haven't added to my whitelist.
I have been very impressed. In short it works by bouncing mail that is not delivered from an address in the whitelist. The bounce message gives the sender the chance to validate their email, confirming that they are in fact a real person. When they do that, the mail is delivered and they are added to the whitelist so they are not bothered again.
Simple but effective
-
Re:cr
Works very well for me too, using TMDA.
-
Re:There is one solution
A little bit less draconian are challenge-response systems like TMDA. They are whitelist based too, but allow senders to add themselves to a greylist, if they reply to an initial challenge. So if someone has a legitimate interest in contacting you, they can still do so. OTOH, Spammers won't see the bounces and will not reply to the challenge.
And for all those who would object about backscatter, it is a piece of cake to configure your MTA or MUA to filter out TMDA challenges. If you know that you didn't contact someone, you can safely ignore their bounces.
TMDA is a wonderful system that is pretty effective. In many organizations, it reduced the amount of spam by over 99.2%. Unlike content based filtering, it doesn't have problems with false positives.
-
one word
-
Challenge-Response schemes are more effective
Filtering spam generates way too many false positives. Challenge/Response schemes are IMHO much more effective. TMDA and similar programs can be configured with whitelists for your regular mail partners, auto-whitelists for everyone who confirms their e-mail identity, and, if necessary, with blacklists too.
-
Re:Great News!
A success rate of 95% really sucks when (like me) you get just over 2,500 spams a day. That'd still mean around 125 spams a day would be getting through. (I've had the same email address since the early 1990's, back when there was no reason to keep your email address "secret.")
Personally I do use SpamAssassin, but as an intermediate step.
First step: Check a whitelist of known senders. Deliver if the sender is on the list, AND the message originated from an IP subnet that I allow for them personally.
Second step: Scan with SpamAssassin. If the score is really high (above 20) throw it the hell out.
Third step: If the score is less than 20, and the person wasn't whitelisted, run the message through TMDA and politely tell the sender I'm not sure who they are, and I get a lot of spam, and could you please click this link to prove that you're a real person.
I've been using this three-step system for eighteen months now, and out of over one million messages that have come into my mailbox (really), exactly FOUR spam messages have made it all the way through. Apparently the spammers decided to go ahead and click on the little link, or they used a real person's return address, and when that person got the autoreply, they were too stupid to understand what was going on.
Even better, I have not received ANY indication that I've lost any messages; at least, no one has ever mentioned anything about an email that I didn't get.
I've got five other people at my domain using the same system, although for not quite as long (one for fifteen months, three for about a year, and one for just a month now); they have all had similar success.
So based on those numbers I'd estimate a success rate of 99.9997% for eliminating spam (which is, admittedly, COMPLETELY INSANE), and a false-positive (or at least "lost message") rate of 0% so far (fingers crossed). A few people have had to confirm their messages, of course, but I've whitelisted them as that happens.
I actually wrote all the connecting code in PHP, believe it or not, with a MySQL database as a backend. It's invoked using .qmail files. PHP is indeed good for things other than web pages; and was a little bit easier for me to maintain and deal with than Perl. The whole thing is less than 25KB of code. There is also a web backend which I use to configure it; that adds another 40KB.
The whole system took about twelve hours of programming to set up, on one Saturday.
Now, for correspondence to companies (such as Microsoft, or Amazon.com), I use a different scheme (although it's handled by the same PHP code). I create a unique email address for each of them, which ONLY allows mail to or from that domain (for example "rptamazon@mydomain.com" only allows messages from amazon.com). Those addresses are also easily cancellable, individually, if the company starts to annoy me with spam. Basically, each email address can be assigned its own unique whitelist, and can be cancelled individually at any time, through the little web interface.
I also have a number of email addresses for things such as customer support for our company (I write computer software). I'm using the same system for those, also, but instead of checking whitelists based on the sender, I've found a simple way to do it is to check for ANY of our product names anywhere in the message body or subject. If the message doesn't mention any of them, it sends a simple autoreply back similar to that in (3) above, but mentioning that the message didn't seem to be about any of our products, but if it was, please click here, blah blah. We don't have a high volume of support messages (about one or two a day; we're a small company) but in the last year only three or four people have had to click through like that, and, honestly, their support requests were so f*cked up anyways that I'd rather it just dropped them on the floor. ;-)
Then, as a very last ste -
Re:Solution?
Thanks for writing back.
For the last eighteen months, I've actually been using TMDA myself.... I made an initial whitelist of everyone I correspond with, and changed the challenge-response system for unknown senders so it is web-based only ("click here if you are a real person"). It works OK, but it's not perfect; out of nearly 900,000 email messages, seven spam emails have gotten through, all of which where the person sending the spam went through and clicked on the link. I'd like to eliminate those, too, of course, but I don't really know how I'd do that.
In the years before that, I'd tried various filtering methods (SpamBouncer, SpamAssassin, etc.). They were unacceptable to me because there were mislabellings in both directions.
How often do you go through the "spam" you've received to look for legitimate messages? If POPFile has the same accuracy in both directions (I don't see why it shouldn't), around 1/150 legitimate messages should end up being tagged as "spam" as well.
-
Re:That does it!
With TMDA, you can generate time-limited addys. Works pretty well.
-
TMDA
For personal use, I am still a big fan of Tagged Message Delivery Agent which I use mainly for its challenge-response and auto-whitelisting functionality. I don't get any spam, and this on an email address that has been on a popular public website for years.
Of course, TMDA is probably not what you want to use for a business, but for personal use it is great!
-
TMDA
TMDA allows you to specify "keyword" addresses. Simply pick a keyword, and a new e-mail addy is generated. If it gets swamped with spam, put it in your blacklist and get on with life.
-
Re:Inevitable, and other countries are next.
I also use SpamAssassin, but I couple it with TMDA. Messages which fail SpamAssassin are challenged by TMDA. Users can adjust their threshold.
The nice thing is that any given email can only fail once (if they confirm), and it does not delete a legitimate mail, if the sender ever reads his e-mail.
The default SA score is 7, but users can lower it if they want.
-
Re:Wish AIM were next
And if many different companies ran IM servers that were all part of the same system, how long before SPIM became rampant?
With XMPP/Jabber, packets are not domain spoofable like in SMTP. This means that XMPP is already as effective on spam as a basic email challenge/response system like TMDA, but without any of the drawbacks since it is built-in.
And with clients like gaim and trillian, why does this matter to anyone except the competitors?
Since AOL's AIM network has no server-to-server bridge, the only way to talk to AIM users is to actually log in as a client to the AIM network, using an AIM account, which is ridiculous. Logging into multiple services from the same client does not change this. It gives a false sense of bridging between networks. In the meantime, you have to worry that these companies might try to break your IM client.
Also, I don't think "competitors" is the right term. Sure, there might be businesses that want to compete against AOL in the IM space, but I think the majority of those that would run IM servers are _users_. I run a personal Jabber server at andbit.net for about 10 people. Universities and businesses are gradually switching to XMPP/Jabber. We are all users of IM, and we simply want interconnectivity.
-
hashcash comments
I'm the inventor of hashcash. Here are some comments on the article's comments on hashcash, I think the author missed some aspects around how mailing lists work with hashcash, and the economic model. Most of this stuff is covered in the hashcash FAQ
* Mailing lists. [...] if there is a way for legitimate mailing lists to bypass the challenge, then spammers can equally bypass the challenge.
Hashcash is generated for the mailing-list address. The recipient would add the mailing-list to their list of addresses they accept mail as, and a spammer can not send to the list without including hashcash. So the limitation for mailing-lists is that the spammer can send mail to many people (the list subscribers) for the cost of one stamp; if he sends directly he has to send one stamp for each recipient.
* Robot armies [of 0wned machines].
Clearly someone with lots of owned systems can send lots of mail; but still less mail than they could without hashcash.
* Legal robot armies. [...] Large spam groups can afford purchasing hundreds of systems for distributing a computational cost.
They can do this (and doesn't matter whether it's legal or not btw, they'll do it anyway), but it will cost them more per mail which will cost them, so they will send less mails and be economically incentivized to target their mails by buying demographic data etc. (eg. so you would be less likely to receive spams in languages you can't read, or on topics you are not interested in).
Another aspect is that legitimate users do not send mails to lots of new recipients; most email exchanges are conversations over a period of time with sends and receives. Some of the hashcash based systems use hashcash only for introductions, and exempt recipients from hashcash after that based on crypto tokens (or just whitelists) (eg CAMRAM, TMDA do this).
The argument here is that hashcash can be set to higher cost as it is only borne once per new recipient for normal users.
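An added illustration (not part of the comment above, and not the hashcash tool's own code) of the point that a stamp is minted for one address and the recipient lists the addresses it accepts mail as. It follows the hashcash version 1 stamp layout `1:bits:date:resource:ext:rand:counter` with SHA-1; the addresses, the low 12-bit cost and the function names are constructed for the example, and date-expiry checking is omitted.

```python
import base64
import hashlib
import itertools
import os
import time

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits before the first 1 bit of the digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int = 12, date: str = "") -> str:
    """Search for a counter so SHA-1(stamp) starts with `bits` zero bits.
    Expected cost is about 2**bits hashes, paid once per recipient address."""
    date = date or time.strftime("%y%m%d", time.gmtime())
    rand = base64.b64encode(os.urandom(9)).decode()  # makes each stamp unique
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    for counter in itertools.count():
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp: str, accepted: set, min_bits: int, seen: set):
    """Recipient-side check costing a single hash. Returns (ok, reason)."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdecimal():
        return False, "malformed"
    claimed, resource = int(fields[1]), fields[3].lower()
    if resource not in accepted:       # stamp was minted for someone else
        return False, "wrong recipient"
    if claimed < min_bits:             # sender paid less than we require
        return False, "too cheap"
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return False, "invalid work"
    if stamp in seen:                  # same stamp presented twice
        return False, "reused"
    seen.add(stamp)
    return True, "ok"

if __name__ == "__main__":
    # Constructed addresses: the user's own mailbox and a list they subscribe to.
    accepted = {"me@example.org", "list@example.org"}
    seen = set()
    stamp = mint("list@example.org", bits=12)
    print(stamp, verify(stamp, accepted, 12, seen))
    print(verify(stamp, accepted, 12, seen))            # replay of the same stamp
    print(verify(mint("other@example.org"), accepted, 12, seen))
```

One stamp for the list address is accepted by every subscriber who lists that address, which is the one-stamp-per-list cost the comment describes; each subscriber's `seen` set is local, so replay is only caught per recipient.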
-
Re:Good for them
I use TMDA with spamassassin - it works great! TMDA is set to let through anything that SA doesn't think is spam. I then set my filters fairly paranoid.
If someone sends me a message that gets marked as spam, he will get a confirmation message back to make sure the from address is not spoofed.
Also, any replies to messages I send get dated (automatically bypass filters), I can use keyword addresses and sender addresses to make sure people and sites I need to send me mail can reach me (I can always revoke them later), and most (95% or so) never have a challenge at all. It just works.
I blow through over 1800 spam messages per day. Never lost one legit one yet (to the best of my knowledge).
-
I've used grey listing..
Although I'm not sure it's the project you've described: Tagged Message Delivery Agent (TMDA), from their site:
TMDA is an open source software application designed to significantly reduce the amount of spam (Internet junk-mail) you receive. TMDA strives to be more effective, yet less time-consuming than traditional spam filters. TMDA can also be used as a general purpose local mail delivery agent to filter, sort, deliver and dispose of incoming mail.
I currently use bluebottle.com who just recently re-emerged after shutting their service down (citing DDOS attacks by spammers). Their service is basically what the TMDA site describes with a nice setup and a few extra features. It's a free service so if you're thinking about trying something like this out, this is the one. I personally am not a fan of filter and to date this is my favorite option. Stuff that I need gets in.
The technical countermeasures used by TMDA to thwart spam include:
* whitelists: accept mail from known, trusted senders.
* blacklists: refuse mail from undesired senders.
* challenge/response: allows unknown senders which aren't on the whitelist or blacklist the chance to confirm that their message is legitimate (non-spam).
* tagged addresses: special-purpose e-mail addresses such as time-dependent addresses, or addresses which only accept certain kinds of communication. These increase the transparency of TMDA for unknown senders by allowing them to safely circumvent the challenge/response system.
-
Re:One word: WHITELIST.
Yes, that's a poorly configured challenge/response system. With TMDA it's possible to have any address to which you send mail automatically added to your whitelist --- that allows people to reply to mails sent from you.
-
Re:Fool-proof spam method: TMDA
You're right, such a system is extremely efficient. The Tagged Message Delivery Agent implements such a system: TMDA.
With TMDA you can make several neat tricks with your email address, such as making short-lived addresses for one-time only uses and special addresses that only special senders can send mail to.
-
These guys support EXIM..
These guys support Exim, qmail, Postfix, Courier, and Sendmail. And as far as I can tell it IS the next best thing to sliced bread. It might not be a perfect answer, but it's a hell of a lot better than nothing. If you offer hosting let me know, I'd love to move my site over to a service that uses something more effective than Spam Assassin or Bayesian filters.
-
You're right, but..
It hasn't been very serious and I believe the problem is a lot more fucking serious than this. I personally used Bluebottle.com until they got DDOS'ed so much they could no longer AFFORD to run their anti-spam services. Just think about that for a second. They were effective (white/grey lists, I never had a piece of spam) but because the spammers were so brazen and unstoppable they eventually caved in. Here's the notice from their website:
"Important Notice
You see? That's really pretty lame. While we sit around with our proverbial thumbs sticking up our asses spammers are STILL laughing all the way to the bank. The next interesting solution is a variation called TMDA (Tagged Message Delivery Agent). It looks like a great idea, only no one's really using it. Oh and it's hard as hell to setup and configure which might explain at least marginally why it's not being used more. And of course there's Spam Assassin and its Bayesian buddies which is so far from an answer they are the next best thing to doing nothing!
Melbourne, Australia - 1 October 2003
Bluebottle has found itself under constant attack from numerous sources over the past couple of months making it almost impossible to deliver spam free email to your account in a consistent and timely manner. We have therefore decided to cease offering protection for external accounts, and will be removing the verification protection from Bluebottle accounts.
This has not been an easy decision to make but has been necessary in light of the delays currently being experienced in email delivery. Whilst work is still being performed to address these issues, as it currently stands, Bluebottle is unable to ensure the timely delivery of mail for Bluebottle accounts. You are certainly welcome to continue using your Bluebottle account, although no verification protection will be applied to inbound mail.
We have done everything in our power to address these attacks although it has had little effect. We are obviously very disappointed that we cannot continue to provide you our service at this time.
Bluebottle's email verification system is best provided in a distributed manner making it considerably more difficult for these attacks to be effective. We will therefore be making our software available to any service provider or enterprise to protect their end users from unwanted email, and by doing so make it a more secure solution given that it is provided in distributed environment.
Please accept our sincere apologies for the inconvenience our decision will cause.
For further information please contact;
Robert Pickup
Bluebottle Systems Pty Ltd
61 407 528 349
I know I'm ranting, but honestly, hasn't this gone on long enough? I think we need to change the way we look at email. Look at IM services or something else to provide a model. Not everyone should be able to send me their Barnyard Bonanza websites or their Raped 13 Year Olds video offers. It's fucking too much. I want a public address? Fine, let me mark it public. Let me set up a special account that can absolutely swim in pornography and viagra ads. But as a de facto standard? I'd have to be stupid, but oh well.
I'm sorry if I'm stepping on anyone's toes. Honestly. But this has gone on long enough.
-
Re:After training SpamAssassin
1 or 2 a day? Ever since installing TMDA, the only spam which ever gets through is spam from entries on my whitelist (such as mailing lists.) This ends up being more like 1 or 2 a month.
-
done already?