Slashdot Mirror

If the list managers and TMDA users had things configured correctly, this wouldn't happen at all. Next time you get a TMDA auth request from a mailing list subscriber, point them to Tim Legant's Cookbook for using TMDA with mailing lists - also linked from The TMDA FAQ.

tmda. i've been using it for several months and it blocks pretty much all spam i get. currently my tmda pending directory has over 700 files which are all most likely spam. i hold them for a week and then i delete them.

or rather tmda holds them for a week and then cron deletes them.

no one has had trouble reaching me. if you'd like to check out tmda, see here. and if you'd like to see what it's like to email a tmda protected address, mail me at kevin@ie.suberic.net.

btw, i'm not a tmda developer, i just happily use their s/w. it is of course free s/w.

Neither is saying, "Please put me on your do not call list." While they're both effective, the only way to drive annoying commercial marketing into the ground is to make it more expensive than it is profitable.

1. Phone marketing: Feign interest, then ask the telemarketer to please hold for a minute (someone's at the door, etc...). By yourself, you can cut into their profit margin a little and have the satisfaction of getting back at the people that are bothering you so much. If enough people did this, it would be DEVASTATING to the telemarketing industry. Why? When a telemarketer is on the phone with you, their machine stops dialing new numbers. This seems like a smart idea - there's no reason to call someone if the telemarketer is busy talking to someone else. Usually, those machines dial 10 numbers at the same time and the telemarketer clicks over to the one that gets a live person. That's where those hangup calls come from: out of the 10 numbers the machine dialed at once, yours was one of the two that yielded a live person, and the telemarketer decided to go with the other one. What does this tell us about the telemarketing industry? They just hate it when their telemarketers are sitting around waiting to make a sale (i.e. while the machine is dialing). If they're waiting for you to get the door, guess what? They're sitting around waiting to make a sale.

2. Junk mail: This is really easy. I have no idea why nobody has started advocating this so far. Whenever you get junk mail, open it up, find the "postage paid - business reply mail" envelope, stuff everything else into it, seal it, and put it back in the mailbox. You're charging them postage to throw away their garbage. If you want to remain completely anonymous, just tear out the parts that have your name and address and mail the rest back.

3. Spam: Ok coders, this one is for you. Implement selective whitelisting as described here in your favorite open-source SMTP server. Yeah, server-side. Just make it a flag that can be turned on for individual email accounts so that the server will automatically start building a whitelist from confirmation emails. As long as this remains a *nix-only client-side spam-blocker it will never see widespread use. Why? Well, a server-side implementation has many benefits:

* It only has to be installed once. Every time a piece of software is installed on a computer, it's an opportunity for something to go wrong. A client-side program could install itself incorrectly, the user could become frustrated with an interface shortcoming, or it could trash some part of the user's system (possibly turning them off to spam blocking tech forever). If it's installed (carefully and by the ISP's lead tech) on a single mail server, suddenly thousands of people have the ability to block spam with no more effort than a call to the ISP to turn on the feature.

* ISPs would provide it as a competitive service to their customers. Most ISPs (in my limited experience) use open-source *nix mail servers, so implementation in existing systems would be easy. Perfect spam-filtering (that guarantees no false positives - meaning no lost important mail) would definitely influence a consumer's ISP choice now that most are competing based on cost. Considering how easy it would be to implement, it's a no-brainer for another ISP to offer the same service once the ISP across the street does.

* The principles are easy enough to explain to most people. Granted, most ISPs don't explain the details of their spam-blocking tech to new customers, but when they make a claim like, "No false positives, guaranteed!" it will be easy to explain if a customer gets curious.

Eventually, when no spam gets through, or just not enough to pay the bandwidth bills, spam will stop. What if selective whitelisting doesn't work? Well, it does, go read the web site. ;) The worst case scenario would be that spammers would have to buy three times the bandwidth to send the amount of spam they do now, as well as maintain a working and valid From: address.

4. Banners: Go download privoxy right now. Combined with mozilla's popup blocking feature, I've seen maybe 3 ads in the past 3 months, and I spend hours surfing the web every day. It's absolutely amazing. Same deal with selective whitelisting as above, too. If ISPs ran privoxy, they'd be able to offer a service to their customers that, well, once addicted they couldn't live without. It's also the perfect way to implement caching and cut down on ISP backbone bandwidth costs.

Think these are good ideas? Help me spread them around. Think they suck? Tell me why so I can improve my explanation.

I lkie the soun of this one - seems like it should eliminate all false positives sent by real peope and all false negatives. I worry about auto-responders and auto-reminders, though. TMDA (Tagged Message Delivery Agent)

Congratulations, you've just more or less reinvented the Tagged Message Delivery Agent (TMDA).

Since I don't have a company to promote, I'll promote some good free software: TDMA

The system implies that anything not sent by a human being is spam. This is not necessarily the case today. A lot of today's e-mail communications are auto-generated.

The Tagged Message Delivery Agent provides solutions to this problem and more. Basically it's a whitelisting mechanism, if the sender is unknown, the mail is "parked", a confirm request is sent and the mail is delivered upon (human) confirmation.

This leaves problems with auto-generated mails as you describe, but TMDA has more options:
1. you can use a mailadress that is only valid for a certain amount of time
2. you can use a mailadress that is only valid for mail from a specific sender domain/mailadress

So to order something you'd use one of the above and thus avoid sending out a confirmation request. At the same time you can make sure that an adress is valid only for the relationship you intended it for, e.g. if they use it after a transaction is over or sell it to adress harvesters it will not work.

Check it out, it's really a clever concept IMHO. Of course I completely agree that this shouldn't keep us from fighting spam on other fronts, using RBLs and legal means in addition to filters.
I just think whitelisting works far better than content filtering.

An alternative approach is to automatically ask any unrecognized email addresses if they belong to a real person. TMDA does this for all non-whitelisted email addresses. The idea is that spammers do not put real email addresses on their spam, so will not be able to respond to a request for authentication. If the emailer doesn't respond to the authentication request, then TMDA blacklists the address for the future. Result -- no spam.

It already exists.

What you've described is exactly what TMDA does.

Read the FAQ for the reasons WHY they don't support Exchange.

I can't exactly blame them. Unix based MTA's are still the dominant share anyway. Better planning should have been done before deciding to go the Exchange Server path, to consider these kinds of issues. If that planning did occur, then this conflict shouldn't be anything new and was already accepted as a risk. Deal with it. :)

-Alex

Sure, unless I'm also running it. Then, we can't talk to each other because our polite automated replies won't be read. That seems like a nasty Catch-22. I wonder what the solution is?

This is good advice, but it's not the only option.

I put my email address on the web all the time. Here it is:

mark@hornclan.com

I post to USENET.

I don't get spam.

T.M.D.A. It stands for tagged message delivery agent.
Read more here

Thanks for posting the link, I had heard about this product but couldn't recall the name.

After reading over the features, though, I should note that the mail is accepted whether it is spam or not. It just doesn't get delivered to your inbox if it is not "confirmed." To the end user, such as my father or sister, this is great -- they don't get spammed.

However, as a system administrator and bandwidth hoarder, I would hesitate to install TMDA, and only TMDA on a mail server. The problem is that the spammers' mail systems will believe the message was successfully delivered (250 OK - message accepted for delivery, etc at the end of SMTP session). This has two downsides: 1) The spammer knows your address is valid, and 2) Repeated delivery of spams wastes (precious/expensive) bandwidth.

Now, let's consider the outgoing messages... remember that confirmations are sent out to the sender (by the way, is this the header's From: address or the Return-path: address?). As most from addresses are forged, or quickly fill with flames, etc, your messages will simply bounce. And if your mail system (or perhaps TMDA) isn't smart enough, it will repeatedly try to deliver the confirmation request. Again, a waste of bandwidth, and possibly a waste of storage space.

I'm very interested in TMDA, and I will definitely try it out. However, I also believe that some sane Sendmail rules and use of various DNS blacklists will stop the majority of spam. In fact, I don't recall the last time I got spam at my personal account. My email address is easily spiderable on my website...

My Sendmail rules will bounce messages during the SMTP transaction... not after. This way a bounce message is returned immediately to the sender. If spammers are listening to my mail server, they will remove my address from their list, believing it is invalid.

The goal in fighting spam should be to reduce the list of "valid" email addresses. If we accept spam but simply delete it (eg, using client-side MUA filtering or TMDA) then that is just another "miss" on the spammer's mailing list. But if their list starts shrinking due to "invalid" addresses then it will be less and less economical to send out so much spam.

Think about it for a moment. If a spammer sends out a million emails, and 10% are filtered on the client side, that's still 900,000 addresses from which they may get a "hit." Let's say the spammers expect .1% of their targets/victims to respond. That's 1000 responses (remember, this is calculated on the million initial messages). What if the 10%, though, rather than deleting the message after delivery, denied delivery to begin with. Now the spammer's list shrinks by 10%. Now spammers have to expect a .111% hit rate to make the same amount of sales. By continuing this process, at some point their victim list will be too small to "reasonably" generate a profitable response.

Those of you in California may choose to add a "this server located in California" to your SMTP greeting message. It should help if you decide to prosecute a spammer for UCE. SBC/PacBell has some good information on California spam laws.

Obviously, a better solution would be a combination of the two... TMDA and some good Sendmail rules (or whatever MTA you like). But I would hope that TMDA could deliver fake bounce messages to those who do not confirm their messages.

Yes, but see this FAQ entry.

T.M.D.A.

It stands for tagged message delivery agent.

Read more here

Number of spam recieved since I installed it 3 weeks ago: None!

Go ahead, dmarien@dmarien.com spam the hell outta me. It wont get though! Sell my e-mail! Post it on any message board you want. I'm not gonna get any spam.

If any of you /.ers are running qmail and managing your own email server, i wholeheartedly reccommend you investigate tmda. I enjoy checking my mail again.