Building A Better Inbox

vudujava writes "c|net is reporting that a new free (Update: not free, actually, read more for details.), web based email service is opening it's doors today. They promise to deliver "100% spam free" email to their users by using a challenge-response system to all incoming, first-time mail. Catch the entire story here. Although the idea isn't new, it shows that we are notching up the "war on spam"." Alert reader George Hotelling points out this post on Politech which may give you pause when it comes to the new mail service's Terms of Service. And kraksmoka writes "As reported on this article on MSNBC : 'Hotmail subscribers are now limited to sending only 100 messages a day "in an effort to prevent spammers from using Hotmail to spread spam," said Lisa Gurry, MSN lead product manager.'" dlanod writes "In your snippet on the main page you report mailblocks.com as "a new free, web based email service". Looking at Mailblocks' site, it actually costs $9.95/year for the standard service, or $24.95/year for the expanded service with no free option listed (https://app1.mailblocks.com/register.htm)."

Fastmail RULEZ!!!

[ChaoticChaos]

Best damn email on Earth is at http://fastmail.fm

If you're still using Hotmail or Yahoo, upgrade. Now. This minute.

Re:Fastmail RULEZ!!!

[ChaoticChaos]

Heh. I went from "2: Informative" to "1: Troll".

I tell you, the gods are mad!

Re:Fastmail RULEZ!!!

Don't know why this is a troll... I use fastmail, and trust their well-informed owners to do their best to manage the spam. Besides, for those few spams that do get through, nothing is more rewarding than having the ability to 'bounce' it back to 'em!

Re:Fastmail RULEZ!!!

[ChaoticChaos]

How about the server-side scripting via Sieve?

Fastmail is to Yahoo/Email what a rocketship is to a bicycle.

Re:Fastmail RULEZ!!!

[EvilBudMan]

But ya gotta pay for it. I like free mo betta.

Re:Fastmail RULEZ!!!

[ChaoticChaos]

They have free account!

Re:Fastmail RULEZ!!!

[EvilBudMan]

Not with the spam feature.

Re:Fastmail RULEZ!!!

[Mr.+No+Skills]

Don't know why this is a troll...

Seems like "off topic" is closer. Maybe trolling for a big discussion about "fastmail" vs. others? Which, is not really on topic...

Maybe there should be a moderation class for "shameless product plug"?

Re:Fastmail RULEZ!!!

[germanbirdman]

I agree, I have an enhanced account there.

Spam assassin and a sieve script takes care of spam permanently.

All my spam comes in via the gmx and university address I forward to it, but close to 100% of spam end up in my designated spam folders.
OK, it took me a while to fine tune spam scores together with spam assassin hit criteria to make it work 100% for me, but I love it sooo much!!!

I would recommend fastmail.fm to everyone, and I do not work for them.

Definitely not new

[jbellis]

I've contributed code to TMDA, a python implementation of this idea that's been around for over two years. The earliest I know of though is a C implentation called mapson. It was abandonware for a while, but it's apparently been resurrected on sourceforge. I _think_ the original version dates from the '90s.

BTW, mailblocks.com isn't free; it's $10/yr. However, that's still only half what fastmail.fm charges annually for their spam filtering service (with SpamAssasin).

Re:Definitely not new

[abhisarda]

"Before allowing e-mails through to your in-box, Mailblocks automatically transmits a numerical password to first-time correspondents. The senders must then retype the code into an onscreen dialog box before the system acknowledges them as legitimate.

Ok, lets say I subscribe to the headline mailing list of slashdot. That means that the sender(slashdot) must retype the code into an onscreen dialog box? What if slashdot is mailing this to 100,000 people. Isnt retyping the code for even a fraction of those going to be stupid? And why and who at slashdot will do it anyway? Could somebody clarify this?

Re:Definitely not new

[jbellis]

all the systems of this kind I've seen allow recipients to selectively mark senders as OK before OR after receiving something from them. If I don't do that, the filter will be doing exactly what I want it to do by rejecting any mass mailing, from /. or anyone else.

that's kind of the whole idea, after all.

Re:Definitely not new

[reverse+flow+reactor]

But Fastmail.fm allows me to use subdomain addressing. All email sent to *@username.fastmail.fm gets delivered to username@fastmail.fm.

So I give out the address "amazon@username.fastmail.fm" to amazon (just to randomly pick on someone). If I get spam at that address, I add a rule to automatically delete all email coming into that email address. Plus, I can go to amazon and tell them that I KNOW they sold me out, as I only gave out that address once. That is very worthwhile to me.

If $20/year for a quailty email account is too much for you, fastmail.fm has other options, including a $14.95 one-time fee. All info is on their page at fastmail.fm

Your mileage may vary. If you are serious about either, try them both and stick with the one you like. Me, I'm a happy fastmail customer. Although perhaps some competition may convince them to add this whitelist option.

Re:Definitely not new

[MindStalker]

You can add addresses to a list to make them not get challenged. You can also set up aliases addresses for different commerical contacts so yo can manage that contacts spam input.

Re:Definitely not new

[NearlyHeadless]

I think what needs to happen to kill spam is this:

• Some group of ISPs implement a TDMA-like system.
• An ISP or other mail server can have mail from its users automatically approved (not go through the hassle of responding to a challenge) if it signs a contract that binds it to certain anti-spam rules.
• Outgoing mail from these ISPs (or even individual users) is cryptographically signed so that it can be recognized as non-spam and any violations traced.
• It is still SMTP, so these messages can go to non-participating mail servers and vice versa.
• Users of non-participating mail servers will have to respond to a challenge. This annoyance will encourage them to get their ISP to change (or move to another ISP).
• The certificates to sign a mail as non-span cannot be given out completely free and in bulk, otherwise spammers will just acquire thousands of them.

Re:Definitely not new

[howardjeremy]

BTW, mailblocks.com isn't free; it's $10/yr. However, that's still only half what fastmail.fm charges annually for their spam filtering service (with SpamAssasin).

Well, mailblocks.com is $24.95 for 50MB, whereas FastMail.FM is $19.95 for the same size. mailblocks.com say in their TOS that they give your details to 3rd parties and send you ads, whereas FastMail.FM says they won't give your details to anyone.

(Disclaimer: I'm a director of FastMail.FM)

Re:Definitely not new

Yes, not at all!

I can think of Active Spam Killer (ASK), TMDA and Qconfirm (QMail Only).

I personally use ASK and it works well. TMDA also works very well but requires complete control of your mailserver to install. Qconfirm is Qmail only .

All these are absolutely free.

UN resolution #4882372

This undeclared "war on spam" is unauthorized imperialist aggression!

Re:UN resolution #4882372

[B3ryllium]

So that's what all this is about? Saddam got modded "-5, Flamebait" on Slashdot?

Re:UN resolution #4882372

Aw, come on, B3ryllium (571199) is taking a big hit for the team here!

We saw some absolutely splendid "Operation Iraqi Freedom" threads earlier today, before things petered out. Hopefully, tomorrow, the boys will pace themselves better. If they do, I predict an absoulutely record-setting Troll Tuesday!

Re:UN resolution #4882372

an obscure UN Resolution# 1337d00dz allows for the spamming of spammers as an act of counter-terrorism. Imperialist aggression indeed!

Re:UN resolution #4882372

Now, please, Mr George of the Bush, drop your bombs, launch your cruise missiles on spammers.

We'll give you a banana, ok?

Re:UN resolution #4882372

This undeclared "war on spam" is unauthorized imperialist aggression!

The "war on spam" would be mostly the U.S. bombing the shit out of themselves and so be a domestic affair which is not under the jurisdiction of the UN. Go right ahead I say.

Not Free!

[MiTEG]

Mailblocks is not free! They charge either $9.95 or $24.95 a year depending on the file size limitation you choose.

Re:Not Free!

[2MuchC0ffeeMan]

erm.... well, hopefully they 'garentee' that '100%' spam free claim...

i figure, if i spend 10 minutes on the phone yelling trying to get them to deliver on their garentee and give me a refund, it'll even out to the time i spend deleting messages each year.

Re:Not Free!

[BaCkBuRn]

I still do not understand why people with hotmail accounts dont just block anyone not in their address books. Think of it this way, with that feature you get to control who gets to talk to you. -bb

Re:Not Free!

I do but even teh bloodly staff@hotmail crap gets through... they now spam me more than everyone else put together.

Re:Not Free!

[BaCkBuRn]

That is true. I just breathe deeply for 10 seconds and say "its free" 20 billion times. -bb

Re:Not Free!

[Tralfazz]

But then your email just becomes a very slow chat program ;p

Re:Not Free!

[Chief+Typist]

Any system that relies on the receiver paying is doomed to failure.

Cringley has been thinking about the problem for the past few weeks and has come to the conclusion that the sender must pay.

I'm not sure that I agree with his implementation, but the general idea is a sound one. The barrier to entry must be raised...

Re:Not Free!

[Safety+Cap]

That's easy! First, set up a folder called "junk" (or somesuch). Then add a filter to automatically move any mail received from "staff@hotmail.com" to "junk."

All you have to do after that is periodically delete everything in that folder.

Re:Not Free!

[BaCkBuRn]

I never though about that, awesome tip. To bad i have no points to moderate you up :P

Re:Not Free!

[letxa2000]

One word: Bayesian. No, it doesn't fix the spam problem but if everyone uses it (perhaps at the ISP level) then no-one will see spam and the motive of sending spam will go away.

I just finished implementing my Bayesian filter on my system and I'm currently blocking 99.6% of all incoming spam--just slightly higher than what Paul Graham claimed--and not a single spam hjas gotten through in the last week. What a relief...

Call It A Night, Cowboy!

[sulli]

Because limits on posts work so well for the slashdot trolls.

Seriously, who spams from Hotmail anyway? Don't all the real spammers use custom software with a built-in smtp server? I've gotten enough spams advertising it, after all.

Re:Call It A Night, Cowboy!

[phorm]

You can spam from hotmail without using the web-client, since it has an interface for using /w outlook etc (http mail still though I think).
However, I myself don't get many *hotmail* spams, and many which I do are forged headers and not real hotmail addresses.

Limiting regular customers to emails-per-day actually sounds like a really good idea to me, so long customers sending mass mail (usergroups, proper mailing lists, etc) were able to sign up for a "special account" allowing them to continue. I don't know many normal people who would send >200 messages a day, and not many spammers who might bother to identify themselves when signing up for a special "mass-mail" account.

Re:Call It A Night, Cowboy!

From my understanding, the custom software that spams uses constantly updated lists of other peoples open relays anyway. Send out a few thousand mail messages and reach millions.

Re:Call It A Night, Cowboy!

[donutello]

Don't all the real spammers use custom software with a built-in smtp server? I've gotten enough spams advertising it, after all.


That just proves that spam does not work! Not even the spammers are using the software sold using spam.

Re:Call It A Night, Cowboy!

[localghost]

Domains in today's batch of spam:

yahoo.com (3)
hotmail.com (2)
earthlink.net (1)
popstar.com (1)
hot-shot.com (1)
ayna.com (1)
voile.net (1)
bigfoot.com (1)
mindless.com (1)
amexmail.com (1)
forum.dk (1)
servadmin.com (1)

Some of those are faked, of course, but it would seem that a lot of it comes from free providers.

(And thanks to SpamAssassin, none of that made it to my inbox)

Re:Call It A Night, Cowboy!

[sqlrob]

You can't make any claim about coming from free providers with what you posted.

Post the owners of the IP that these were received from and how many of *those* were from (intentionally) free providers?

Re:Call It A Night, Cowboy!

Actually, all the REAL spammers find open relays and hack those to send UCE. This is the ultimate way they have to forge an email header. If an open relay is hacked and you receive an email from it, there is no way you can find out who actually sent it.

Somehow, this is not considered "illegal", although it may go against the TOS of the ISP that hosts the open relay, and their service may eventually get shut down as a result. Many of the hackers that attack open relays do not experience any consequences from their ISP... I know this because I have received countless attacks on my mailserver from several IP's, regardless of whether or not I complain to their ISP.

It seems that the "war on spam" is a losing battle...

Re:Call It A Night, Cowboy!

ruleset=check_rcpt, arg1= rapeyourserver@yahoo.com

Yeah, this will work. I bet it will stop people from using the yahoo/hotmail return addresses too.

I sure get some good spam return addresses from my sendmail logs...

Yahoo

[SpamJunkie]

I've been using yahoo mail for a while now and it is virtually spam free. The built in filter is great. Occasionally one makes it into my inbox, we're talking one every two or three days, otherwise they pile up in my bulk mail folder.

It's so good I paid for a year of mail plus. I didn't even do that for .Mac and I'm a os x geek.

Re:Yahoo

[Jens_UK]

The built-in filter is far from perfect. Currently, I am getting loads of messages with just a single image routed to my inbox, rather than the bulk mail folder. Thankfully, Yahoo! does let you block images, so it doesn't load them and confirm your address. Newer accounts (eg., family members) seem less prone to this, perhaps because their addresses haven't been out in the wild as much yet.

For conventional text spam, the filters are decent and route most to the bulk mail folder.

Re:Yahoo

[Malc]

It's not perfect, but it is fairly good. I would say it blocks greater than 90% of spam. I was impressed enough that last year I paid them money for the service. I use their automatic SMTP forwarding, and filter on the header X-YahooFilteredBulk. I personally wish they would just block everything they tag rather than forward it to me, but oh well. At some point I'll stop using my Yahoo address and just stick to unique aliases on the domain I own. After so many years of using my Yahoo address, I'm just a little shy of changing it in case I lose touch with somebody.

Re:Yahoo

I've been using Yahoo mail for going on 4 years now.

Re:Yahoo

[Ratbert42]

I have 4 addresses forwarding to Yahoo. One (a bigfoot account) is at least 6 years old. For me, Yahoo's spam filter blocks about 40-60% of incoming spam and about 5% of legitimate incoming messages. So it's essentially useless for me.

Re:Yahoo

[civilizedINTENSITY]

I average closer to 10 spams/day @yahoo.com. Whats more of an issue is that their spamblock sends IBM DevloperWorks and movingon.org emails into the bulk mail folder. I've sent these to yahoo for "review", where they should realize that 1)I've signed up for these notifications, and 2) Its easy to opt-out. Repeated "reviews" still result in spam in my inbox and real email in my bulk folder. Which means I can't just delete everything in the bulk folder. Since I have to look at all the headers first, whats the difference? Yahoo sucks. When it was young it was fun, but now its just sad.

Re:Yahoo

[mbbac]

You've got to be kidding me. My Yahoo e-mail address gets inundated with spam (I do try to use their filter, though). However, in the year and a half of having a Mac.com address, I have only received 4 spams through it. Yes, it is easy to keep track when you get so few.

Re:Yahoo

[cornjones]

this has not been my experience at all. I have had a yahoo acct since they were offered back in the day. I used it alot for awhile and it was quite good. sometime about 2 years ago it started getting too much spam. I have had the address for so long and given it out to so many people that I am not in day to day (or even year to year) contact w/ that I can't give it up. That being said.... 99% of the crap I get at yahoo is spam. I log on once or twice a month to check but only very rarely is there anything usefull there. my 100 "spam blocking" addresses were full long ago and I am not going to bother going through them again. unfortunately, my hotmail acct that I got at the same time (pre ms) is also useless. Unfortunately, any address that has been around for more than 3 years anymore is full of spam. especially if you have signed up for domains w/ it. B(

ahh woe is spam..... spam gourmet looks cool, i have just started using it. spam assassin also works well if you have your own server (haven't tried the home version)

Re:Yahoo

[dotgod]

I switched from yahoo to HotPOP when yahoo stopped offering free pop3. HotPop works great for me...I get ~1 advertisement every week or so from HotPOP, but haven't been bothered by a single spam message other than those so far (it's been about a year). Oh, and it's free too. Of course I've also been a LOT more careful about who gets my new email address. The down side is that they don't have webmail access, but I just use my old yahoo accound to download my HotPOP messages when I'm not at home.

Re:Yahoo

[maxume]

Not a huge fan of yahoo myself, but I do believe that they still let you have a few filters, even without paying. Yep, just checked it, click on Mail --> Options. Select filters, figure out a way to send the stuff you want to your inbox, no more digging through Bulk Mail.

Also, I don't really think that sending a mail for 'review' gets a pair of human eyes, but more is more likely combined with other submissions and used to adjust filtering techniques and training...

Re:Yahoo

I have blocked all mail that claims to be from an account at yahoo. It is nearly always spam.

Re:Yahoo

[magnum3065]

I don't know what you're talking about. I signed up for a new account because I was getting tired of the junk mail on my Hotmail account and even though I hadn't given out my address yet I started getting junk mail a couple days later. I abandoned that account without ever actually using it because I got at least as much mail as with Hotmail.

Re:Yahoo

[jhunsake]

That's why it's called the Bulk Mail folder and not the Spam folder. Mailing lists are bulk mail.

Re:Yahoo

[questforme]

You're the only one then..

Re:Yahoo

On Yahoo, I get a spam to my inbox every other day, on average. Interestingly, all of that spam is from Yahoo itself revealing my e-mail address, because I only used that account a handful of times, sending to only one other address, which I know never got out to the public.

Re:Yahoo

Unfortunately Yahoo!'s filter won't work for non-English spam. I get a lot of crap from China or wherever, and also from my home ocuntry...

Stupid

[transient]

Um, so let me get this straight. They challenge all incoming mail except for the spam they've been paid to let through? And this is an "inseparable" part of the service?

Next, please...

Re:Stupid

[beldraen]

I'd mod you up, if I could. That is the first thing I noticed, as well. They're preventing spam by providing it? Business logic is always interesting..

Re:Stupid

[gmuslera]

Logic is not was it used to be. Now you prevent war starting it, so this is not so bad.

Re:Stupid

[Carbonite]

Ah yes, the obligatory comparison to the war in Iraq. How clever! It's becoming nearly as ubiquitous as "Soviet Russia" and "First Post!".

Re:Stupid

[endoboy]

but it's better tasting spam...

Re:Stupid

In Soviet Russia Iraq starts war with you

Re:Stupid

[mobileskimo]

It's the oldest business in the world. Paying for protection. Only they get to pick on you, nobody else!

PS. Prostitution IS indeed the oldest business in the world, but its just a subset of this business, isn't it?

Re:Stupid

[Kragg]

Yeah, sounds like 2 concurrent sources of income. Surely if they charge advertisers to let mail through, they shouldn't be charging me - and vice versa?

I'd be happy to get free blocking except for allowed ads, or paid blocking with no ads, but i can't really see the point in paid blocking with ads...

Re:Stupid

[anonymous+loser]

Do you have a credit card or a checking account? Chances are your bank have multiple sources of income as well. They collect fees and interest on debt from you, they collect direct marketing revenue from advertisers, and they also sell your information to 3rd parties (unless you explicitly opted out).

Re:Stupid

[Kragg]

Yeah, but everyone knows banks are the spawn of satan. That's why I use a building society.

These guys don't have the same kind of power - I can't back it up, obviously, but I reckon they'd do better by sticking to one source or the other, rather than a mush of both with the benefits of neither.

Re:Stupid

[cyberformer]

While banks may do bad things, they're not selling their services as a way to avoid junk mail or protect privacy. (Well, most don't. A few banks in Switzerland or various tax havens do, but that's a separate issue.)

An anti-spam service that spams its customers sounds, at the least, quite deceptive and hypocritical. It may not be totally unreasonable, but we have no way of knowing because the company doesn't say how many unsolicited messages its customers will get. I'd consider the service if it's 1 a year, but not if it's 20 a day.

Re:Stupid

[SemperFiDownUnda]

It isn't better tasting because they are not responsible for the content of the said SPAM. The ToS also is pretty open ended allowing them to do anything they want without any guarentees to the customer. Geee 10 buck to have them spam me directly.

Re:Stupid

[oaksey]

"Not now, but in the future, Mailblocks may permit third parties, such as advertisers, to furnish our members, through the Services and otherwise, with information from time to time."

Re:Stupid

[FuddChuckles]

Yes, it's stupid, but it's also an error. I asked their customer service department about the paradox and they responded this morning below.

-FC

Dear Mailblocks Customer,

Our apologies, we picked up an old version of our TOS when we went live. We will
NOT be allowing 3rd parties to send unsolicted email to our userbase. Please
check the site this evening for the updated and correct TOS. We apologize for
any confusion or inconvenience.

Thank you for using Mailblocks. If we can be of further assistance, please don't
hesitate to contact us.

Regards,

The Mailblocks Team

Yeah, this system was invented by SolidBlue

[Ace905]

It really pains me to see the amount of competition *and* press coverage our competitors are getting.

We invented this system for authenticating email, and we've had a product on the market for 2 years now making use of it.

We have the most affordable service available still. It's one thing for competitors to realize our idea is the solution - it's another thing for the media to ignore the origins of the system completely.

Re:Yeah, this system was invented by SolidBlue

[Ace905]

I've spent enough time distributing marketing material to every computing news source you could imagine.

Our web site talks about the advantages of our product. My point isn't why our software and service is better, CNET hasn't even begun to offer their service - so an argument over why ours is better wouldn't really make sense.

My problem is media coverage of the big name software companies. Maybe you haven't tried to make a software project fly on your own with a tiny budget, an incredible idea and rock solid code.

Let me tell you, it's hard.

Re:Yeah, this system was invented by SolidBlue

[B3ryllium]

Well, he DID say it was "the most affordable still". Does that count?

I do agree with the whining part :) But challenge-based email has been around for a while, so he does have a valid point ... that is, I don't think Slashdot really covered other offerings of challenge-based email. I think there might even be some free ones.

Re:Yeah, this system was invented by SolidBlue

[adrianbye]

Then you should be doing a better job of marketing it!

Re:Yeah, this system was invented by SolidBlue

[erc]

Well, that's certainly true. We've been offering Escapade for almost 5 years, and we have a big following in Europe, but people in the US are still addicted to clunky and cumbersome technologies like ASP, Perl, and PHP.

Re:Yeah, this system was invented by SolidBlue

Yeah, so I guess the only way to rectify that is to sign up an account on Slashdot and spam the comments for your shitty, underrated product. Isn't that right?

Re:Yeah, this system was invented by SolidBlue

[lewp]

This thing has been around for five years and the only version available for download is a beta? Not only that, I have to register with you to download it? It's only available as a CGI binary? It's only compatible with MySQL? There's no IDE/editor, or even syntax files for things like Vim? The license is hopelessly incomplete, and not even in the tarball? There's no source code, so I can't make it meet my needs even if I'm willing to resort to adding huge chunks of functionality to it?

It says this in the README?
Hey, it's a beta. What do you expect?

Gee, I can't imagine why I continue to use "clunky" and "cumbersome" technologies like some of the ones you mention! I'll switch to Escapade right away! I'm sure IBM and Sun will be right behind me. Hell, probably even Microsoft after they realize ASP has been officially made obsolete by Escapade.

I thought this was a good troll at first. I was wishing I had mod points to mark it "Funny". Then I started to fear you were serious. For fuck's sake...

Escapade might work for you (heh), but suggesting people should ditch the other technologies you mentioned in favor of what looks like a zero-featured, sketchy ColdFusion makes me want to vomit. Are you high?

This is probably flamebait and a troll, or just me feeding one. I'm willing to risk it based on your low UID and homepage link that mentions Escapade. If you just trolled me, it's the best one ever. Otherwise, die.

Internet Explorer Centric

[pheph]

When I go to sign up using Mozilla on Linux, I get a JavaScript pop-up that reads:

"Mailblocks may work with other browsers, but it is only tested using Internet Explorer"

Anyone tested using other browsers? This sort of thing was never anticipated when people were excited about the Internet...

Re:Internet Explorer Centric

[NDPTAL85]

The internet existed long before any world wide web or web browser so I don't know why this is such a big problem for Slashdot geeks. Myself I use Mozilla for 99% of my web browsing but I can understand why a web dev would only want to develop for the ONE BROWSER THAT OVER 95% OF THE COMPUTER USING POPULATION USES.

Re:Internet Explorer Centric

[prairiedock]

The "Learn more" link doesn't work with Opera (6) for Windows, no matter how I adjust the preferences.

Re:Internet Explorer Centric

[pheph]

Perhaps it isn't so bad for those who use 'Other browsers' less than 100% of the time.

I'm not asking web developers to develop for Mozilla, or Opera or Internet Explorer... I'm asking them to develop based on standards! 95% of the web works on 'other browsers', why can't the other 5% ?

Re:Internet Explorer Centric

[NDPTAL85]

Since MS makes the browser that 95% of the people use then MS also sets the standards, not the W3C.

Re:Internet Explorer Centric

Since I have a gun in my hand, and you don't, I make the rules, not the government. It might be correct, but its not right. And something should definitely be done about it...

Re:Internet Explorer Centric

Because the developer can, with a little effort, develop for all the browsers, using the real standards developed by the standards organization founded by the inventors of the web (web browsing is about the WWW, not the Internet) and participated in by ... get this ... Microsoft.

Astroturfer.

Re:Internet Explorer Centric

[GlassUser]

Why this talk of developing for a specific browser? There are standards for a reason.

Re:Internet Explorer Centric

[walt-sjc]

Bill? Is that you?

can we stop calling it spam?

Can we start calling what it really is? I realized today- "spam" sounds like "the internet is down."

It is Unsolicited Bulk Email, or if you prefer, Unsolicited Commercial Email.

These services won't work for many of us.

[matt[0]]

I own a small business and much of my client correspondance is via email. That means, I have to run my own IMAP server and I have 200 mb of mail on the server.

Someone would do well to offer this service with your own domain (if you change your MX record), IMAP and reasonable charge for each 50mb increment of disk space. This is yet another web mail service, only this one is hosted off of a MSFT server and it implements intrusive spam blocking. SPAM Assasin works very nicely, I've found.

*yawn*

Re:These services won't work for many of us.

[Yeroc]

Actually if you take a closer look they do provide IMAP access to your mail. I wish more of the webmail providers offered this.

Re:These services won't work for many of us.

Fastmail.fm

Re:These services won't work for many of us.

[matt[0]]

mac.com does it as well. The problem is always that the disk space is weak, no IMAP/S & SMTP+TLS and you have to use their domains.

Re:These services won't work for many of us.

[corz]

I offer this service via TMDA for domains that I host. In addition, SpamAssassin is also available for use with or without TMDA.

If you are interested check out my website at http://www.standblue.net/.

There is an email address listed on the contact page, but expect an immediate challenge. ;)

Re:These services won't work for many of us.

Blatant Advertisement

http://www.mxlogic.com Does passthrough email filtering for Spam, Virus, Attachment, Content and more.

Re:These services won't work for many of us.

[bofkentucky]

Try looking looking into postini. You slip your primary MX records through them, leaving backups for direct access. And thir spam filter will quarantine for up to 14 days. Lock your mailserver against direct access (only accept mail via MX routing) and boom, you are set, per mailbox pricing isn't bad but I can't quote our rate, it is under $1/month/mailbox though.

Re:These services won't work for many of us.

[rthille]

Just install TMDA, since you're already running your own server.

Re:These services won't work for many of us.

[gordyf]

You slip your primary MX records through them, leaving backups for direct access.

Lock your mailserver against direct access (only accept mail via MX routing) ...

So which is it?

Re:These services won't work for many of us.

[hazem]

My ISP filters its mail through a service Called Postini - www.postini.com.

I don't know what they pay for it, but it's been very effective for blocking spam and virus-laden e-mails. You can also put in a "always accept" and and "always reject" list as well for certain addresses (and I think, domains).

Re:These services won't work for many of us.

[bofkentucky]

You set a 10 record to postini and a 20 record to your backup mail relay in your name servers, if postini goes kaput, it falls over to your mail server, which you can allow direct access through. We were the guinea pigs for some of this stuff but it seems to be working out pretty well. Postini and your backup relays should be the only machines that you accept mail from,

Re:These services won't work for many of us.

[Erik+Hollensbe]

We use postini at work and it's great.

It also has the great effect of filtering mom's everpresent 'give someone a hug' forwarded emails as spam too. :)

That said, I've never had a false positive. bugtraq and other mailing lists still get through. Covalent spam that I get from OSCON 2002 doesn't. :)

Re:These services won't work for many of us.

Have a look at MessageLabs (www.messagelabs.com) they do anti-virus & anti-span filtering before the mail reaches your mail server.

Re:These services won't work for many of us.

[bofkentucky]

I had to whitelist the apache-users and freebsd-stable lists but my experiences are that cranked all the way up the false positives are negligible.

Now this is what I prefer to see...

[questamor]

...rather than government legislation. It doesn't matter how much one country's government may ban spam, if it still comes from outside it's still going to come in time and time again.

This setup may not be perfect, but to me it's a step in the right direction. Working towards a system that doesn't allow spammers to exist is wholly more admirable.

--

Curiously, why were open relays ever in existence? And once spam started, why were open relays kept around? Is there a use for them? Why not have all mail servers require authentication for outgoing mail, much like POP retrieval. That would have to stop a great deal of spam

Re:Now this is what I prefer to see...

[JohnLi]

I don't know the history of open relays, but I do know that I worked for a hosting company that tried unsucessfuly for almost a year to secure the mail server(s). When we finaly did get it set up, it was a support nightmare. People didn't read the emails that we sent explaining the new system and were freaked out when it was trying to authenticate them when they were sending. An important side note is that these were all nt4 boxes.....I suppose that was most of the hassle, but still, all it takes to buy a server and some bandwidth is a credit card. It takes a little more than that to set it up properly. All goes back to human error being 99 percent of the problem I suppose.

Re:Now this is what I prefer to see...

Ah-so... open relays didn't (start to) go away because of Spam. They went away when gkos came out with Up Yours, and the relays were being used for "mailbombing".

Re:Now this is what I prefer to see...

[Neil+Watson]

Alas, I'm sure this must by laziness (the bad kind), being cheap and ignorance.

1. Some sysadmins (I use that term loosely) are simply to lazy to patch up their systems. Some distributers ship their software so that relaying is allowed out of the box.
2. Companies are to cheap to hire a competent person to watch over their networks.
3. Some people simply don't know what and open relay is. This is usually due to points 1 and 2.

Re:Now this is what I prefer to see...

[ePhil_One]

This setup may not be perfect, but to me it's a step in the right direction. Working towards a system that doesn't allow spammers to exist is wholly more admirable.

The spammers will just build an automated response system. Plus, this thing could no be used as a source for a DOS attack, since its happily generating emails. And god help us if they ever decide they need to sell their "contact list to be profitable, since to work it must have a list of every person who might email you. And hopefully they've considered the feed back loop as service A asks for a confirmation of the confirmation email service B just asked for... :^)

Yeah, I think I'll give this a pass

Curiously, why were open relays ever in existence? And once spam started, why were open relays kept around? Is there a use for them? Why not have all mail servers require authentication for outgoing mail, much like POP retrieval. That would have to stop a great deal of spam

Yes, it would. The idea is you send a single mail to the open relay with a huge list of recipients, the server then burns its bandwidth sending 900 copies of that mail. Not to mention it gets to deal with all the bounced emails messages, etc.

So why do they exist?

1) Best compatibility. Not everything understands how to authenticate SMTP.

2) Firewall compatibility. Some firewalls don't allow authenticated SMTP in more secure modes

3) Traveling clients. If your client could concievably pop up at any IP, its very difficult to filter access by IP, the usual method of blocking unauthorized access

4) Don't fix what aint broke. If its working, some folks are hesitant to make changes they aren't comfortable with.

5) A workaround opened a previously closed relay. Spammers have gotten tricky in fooling Mail relays into forwarding their spam. there's a lot of ope relays that were closed when originally set up.

6) Philosphical reasons. Folks may wish to provide a service that bypasses listening in by corporations or governments

I'm not going to argue the validity of these points, I'm just pointing out some of the possible why's...

Re:Now this is what I prefer to see...

[mobileskimo]

Historically we didn't have this kind of problem, now did we? I remember a time when I could telnet into that port on almost any server and quickly send out a message. Sometimes just for kicks sending one from "Santa Claus". It was harmless back then to leave it open. I don't think the developers of SMTP or Sendmail put alot of thought into this aspect. I suppose everything we build for communications will now have to be designed with "spam-awareness". As long as humans live, there will be the need for greed. And where there is greed, there will be spam.

That answer your question?

Re:Now this is what I prefer to see...

[kill-hup]

The spammers will just build an automated response system.

Good. I'd love it if they did. That way, we'd have a "good" return address with which we could track them down. Right now, I'll bet a very large percentage (approaching 100%) of U[B|C]E has a fake return/from address.

Re:Now this is what I prefer to see...

[MCZapf]

Curiously, why were open relays ever in existence?

I think it's because email was modeled after snail-mail, where you can drop a letter into any mailbox and it will be delivered. In general, you could trust the community not to abuse open relays, because the Internet was as easily accessible to every get-rich-quick moron. No one probably even foresaw the problem.

Re:Now this is what I prefer to see...

[ePhil_One]

The spammers will just build an automated response system.

Good. I'd love it if they did. That way, we'd have a "good" return address with which we could track them down. Right now, I'll bet a very large percentage (approaching 100%) of U[B|C]E has a fake return/from address.

I was thinking a third party service, or perhaps a tool to be dropped on other comprimised systems. The main spammer rule of thumb is to use other folks resources as much as possible. Since I haven't seen the complexity of the "confirmation", there's really no telling how easily the reply can be forged, but since they concievably have millions of outstanding "confirmations" (How long do they hold these for? Humans can be slow to reply...) making it too complex could be self defeating.

I'll be sticking with SpamNet. according to my Spamnet sig

I've stopped 40,543 spam messages. You can too! Get your free, safe spam protection at http://www.cloudmark.com/spamnetsigs/

I like the approach, biggest problem with them is the knuckleheads who can't tell the difference between a subscribed list and spam (I hate the UCE acronym)

This seems...

[Shant3030]

Like a very annoying email service. Doesnt this kill speed advantages of email? I would hate to send an email out, and have to go through more red tape so the recipeint can receive their email. The sender would be doing all the work to help solve the recipients spam problem.

What about the mass emails I like to receive, such as newsletters?

Only 100, eh?

[EvilStein]

So, they simply create more Hotmail accounts and send out more spam.

Besides, I've never actually had spam *from* Hotmail - it's usually going *to* my Hotmail account or spam coming with forget Hotmail headers.

I seriously doubt this is going to do very much to curb spam.

err??

[Flamesplash]

What are these other browsers you speak of? ;)

Re:err??

[B3ryllium]

I bet you use Telnet, don't you?

Um...no

[Ant2]

1. Services. Mailblocks provides a fast, low-cost email service to its users. The Services also include online calendar and address book features, and other features may be added in the future; unless expressly stated otherwise, any new or enhanced features will be subject to the then-current version of this Agreement. In exchange for your use of the Services, you expressly permit and authorize Company, and such third parties as may be authorized by Company, to furnish to you from time to time, through the Services or any other means, with information prepared by Company or by (or on behalf of) other entities, including advertisements and solicitations (such information, "Third Party Content"). You acknowledge that such Third Party Content is an inseparable part of the Services, and that furnishing such Third Party Content to you cannot be terminated unless the Services are terminated. All such Third Party Content will be understood to be requested by you through your use of the Services. Some third parties furnishing you with Third Party Content may permit you to "opt out" of receiving such communications from them. However, Company is not responsible for any such party's failure to comply with its own "opt out" policies.

Company neither endorses nor is responsible for Third Party Content, and you may be exposed to Third Party Content that is offensive, inaccurate, misleading, deceptive, out-of-date, or incomplete. You must evaluate, and bear all risks associated with, the Third Party Content, and your use of and reliance on any such content. We are not responsible for any errors or omissions in Third Party Content, for hyperlinks embedded in Third Party Content or for any results obtained from the use of such content. Under no circumstances will we be liable for any loss or damage caused by your reliance on any such Third Party Content. Your correspondence or business dealings with, or participation in promotions sponsored by, any such third party advertisers, or any other third party providers of goods or services accessed through the Services, and any terms, conditions, warranties or representations associated with such dealings, are solely between you and such third party advertiser or provider.

We may establish limits and restrictions on the Services, including without limitation, the maximum disk space that will be allotted on your behalf, the maximum number of days that messages will be retained, the maximum number of messages that may be sent or received, the maximum size of a message that may be sent or received, and the maximum duration for which you may access the Services in a given period of time. You acknowledge that Company reserves the right to terminate accounts that are inactive for an extended period of time. You further acknowledge that Company reserves the right to change these limits and restrictions at any time, in its sole discretion, with or without notice.

COMPANY MAKES NO WARRANTIES CONCERNING, AND ASSUMES NO RESPONSIBILITY FOR, THE TIMELINESS OF DELIVERY, MISDELIVERY, DELETION, CORRUPTION, OR FAILURE TO DELIVER OR STORE ANY EMAIL MESSAGE(S) THAT YOU MAY SEND OR RECEIVE USING THE SERVICES, OR FOR ANY LOSSES THAT YOU MAY INCUR THEREBY.

Officially Load Tested

[Entropy248]

By /. If they can stand up to this, how slow could they be?

Question.

TMDA looks interesting, I'll have to check it out. But what happens when a person using a TMDA-protected email account attempts to contact someone else using a TMDA-protected email account?

What's to stop there being a cascading ping-pong of confirmation messages? (Or are you supposed to automatically whitelist everyone you send email to?)

Re:Question.

[pohl]

I've wondered about that too. You could always manually add the person to your whitelist before you send the initial message.

What I'm wondering about is how you would buy something online where you can't really predict the address that shipping-confirmations will come from. In that case one wouldn't know what to add to the whitelist, and the odds of a human being on the other end are small...so your TMDA message would probably go ignored.

Is there a good FAQ somewhere that addresses questions like these?

Re:Question.

The better question is: what happens when someone forges a source address and mails someone else with TMDA?

I bet it generates the same annoyance level as when someone forges your address and triggers one of those stupid antivirus products out there. You know the ones - they respond to the sender (who was probably forged) and say "you sent me a virus"...

Something like TMDA should only respond if it first receives a message that aims to initiate communications. That message would carry no other content.

Re:Question.

[Midnight+Thunder]

What I'm wondering about is how you would buy something online where you can't really predict the address that shipping-confirmations

One approach would be for the web site to publish the addresses it posts from, so someone could paste this information into their white-list.

Re:Question.

[netsecd00d]

With TMDA you can make a 'dated' address which would allow anyone who uses that address to send you an email for a certain amount of time.
Example from http://tmda.net/config-client.html

jason-dated-989108708.a17f80@mastaler.com

This particular address expires on Sun, May 6 00:25:08 2001 UTC, which is exactly 5 days after it was generated. TMDA time intervals can be set in years, months, weeks, days, hours, minutes, and seconds. Once a dated address expires, messages sent there must go through the confirmation process. Use of strong cryptography insures that the timestamp can't be modified.

Re:Question.

[mjh]

For TMDA, yes there's a good FAQ. The specific question that you need to reference is a 4.12.

This answers how TMDA deals with this problem. I don't know how other challenge/response email systems deal with it.

There is an IETF draft which describes how automatic, machine generated responses are supposed to be formatted, so that they can be easily identified as such. The primary author of TMDA (Jason Mastaler) has, I believe, incorporated all of the recommendations of that draft which are applicable to TMDA. So, if other automatic response systems (like TMDA) are also following the recommendations of that draft, then all of these auto responders should be able to interract.

Re:Question.

[jemenake]

What I'm wondering about is how you would buy something online where you can't really predict the address that shipping-confirmations will come from

Well, when I was planning to make a system like this, all "non-grata" mail would be held in some "pending" folder. If the sender completed the challenge/response, then it would be released for delivery. However, the owner of the email account would also be able to go into the folder and release individual messages for delivery as well.

So, for purchasing stuff, I figure that the process of registering at a new retail site will become marginally more involved. Currently, many sites send you an email that contains some "activation" link that you must click on. Now, you'll probably have to also go retrieve (and release) it from your "pending" folder. It's not going to be that much more of a hassle, it's just that the world needs to arrive at a standard process for it. This isn't unlike the idea of e-mail verification and account activation hyperlinks. A few years ago, before they were common, they were new, awkward, and perplexing to many people. Now, however, it's almost more rare to find a site that does NOT verify email addresses you give them... so people "know the drill" now.

The same will hold true for challenge/response email filtering. There will be some cases where the receiver of the mail needs to manually release some piece of mail from their "pending" folder. It's just going to take some time for this idea to become part of the normal way of doing things... it needs to become "mainstream".

That's the really promising thing about this new webmail service. Personally, I'm not going to sign up for it. However, I think that enough people will that it will force the "big guys" like eBay, Amazon, Buy.com, etc. to deal with this new reality.

Once that happens... once the net has arrived at some way of making this all go smoothly, it won't be long before the process gets incorporated into sendmail, smail, exim, etc. Sure, this web-based service is probably going to fail (the curse of the "early adopter") but, ultimately, the net will be better for what they've started today.

Re:Question.

[Anonvmous+Coward]

"But what happens when a person using a TMDA-protected email account attempts to contact someone else using a TMDA-protected email account?
What's to stop there being a cascading ping-pong of confirmation messages? (Or are you supposed to automatically whitelist everyone you send email to?)"

It would probably do the same thing that Outlook 2000 does. When the server recieves a message, the sender information is stored on a list. When next email comes, it checks the sender information against the list of people who's approval is still pending. If the sender is already there, then it does not send a message back to them. The list is cleared when the program is restarted.

That's how Outlook 2000 avoids the auto-responder loop. It's pretty trivial to write too, so I can imagine TMDA has already worked that out.

Re:Question.

[Alan+Clifford]

I do this with procmail.

To buy on line, you have to have a passthrough to: address. I use a list of to: addresses that bypass the autoresponder and automatically add the sender to the whitelist. When the passthrough address becomes compromised, you change it.

Alan

Re:Question.

[mazor]

What I'm wondering about is how you would buy something online where you can't really predict the address that shipping-confirmations will come from.

TMDA stores mails from non-confirmed senders in a pending folder. If you're expecting an email confirmation from an online merchant, you can just fire up TMDA's cgi web interface to check your pending queue. You can then release the merchant's confirmation message from the queue (to let it go through to your inbox) and optionally add the sender address to your whitelist to expedite future purchase confirmations.

You should also create a cron job to delete the accumulated crud from the pending folder after a reasonable amount of time - two weeks should be plenty of time for a real person to respond to the challenge response sent out by TMDA.

-mazor

Re:Question.

[spankfish]

This is pretty much exactly what SpamArrest does. I've been trying it out for a couple of weeks, looks good so far. I will probably subscribe at the end of the free first month. Going from 180 spams a day to *none* is very very nice indeed, and certainly beats the alternative of ditching my favourite 7 year old email address.

Exclusive Spam Provider ?

[Dave21212]

Wow, definitely read the TOS info...

It reads more like they wish to charge you $10 to become your primary spam provider, oh and they will also be sharing your personal info with 'their' spammers (3rd parties), which you can't opt-out of.

Pay to go from bad to worse ? I think not !

Not free according to NYTimes...

[jmiles]

The article here indicates that this company plans to charge $10/year for the service. Cheap, if the system proves to work, but definitely a different business model.

Further, it says that the 7 digit passwd will be sent in a "digital image"; kind of a hassle for those of us with text-only email. (long live pine)

Re:Not free according to NYTimes...

[John+Hasler]

No hassle at all. My filters will classify their HTML-only "challenge" as spam, I will ignore it, and the message won't be delivered. Not my problem. I have no strong need to correspond with people who think that everyone reads their email with a Web browser anyway.

And the use of a "digital image" discriminates against the blind.

Re:Not free according to NYTimes...

[Cedric+C.+Girouard]

Further, it says that the 7 digit passwd will be sent in a "digital image"; kind of a hassle for those of us with text-only email. (long live pine)

Not being of the programming type, but to me, it would seem trivial to send an "ascii" graphic depicting a 7 digit passcode. So long as the mail client doesnt mangle it too bad...

Re:Not free according to NYTimes...

I still don't understand why thos Digital Image stand up... After all is't any good OCR software enable to transfer those to text? How mutch time before someone develop a Spam software that auto reply?

Re:Not free according to NYTimes...

[WegianWarrior]

If they write proper HTML, the alt-tag should describe the image; ie the number...

Re:Not free according to NYTimes...

[Mr+Guy]

And a blind person who has their email read out loud will hear what?

00001100000
00000100000
00000100000
000011100 00
00000000000

Re:Not free according to NYTimes...

[kiolbasa]

If they write proper HTML, the alt-tag should describe the image; ie the number...

...which would defeat the purpose of having the number in an image at all, which is to make it hard to machine-parse but still human-readable.

Re:Not free according to NYTimes...

[kill-hup]

But that would defeat the purpose of sending it as an image in the first place. The whole point (I would assume) is to combat auto-response agents that could easily reply back with the number. By placing it in an image along with some obfuscation designed to confuse OCR, automated response systems would be extremely difficult to write.

Re:Not free according to NYTimes...

[Cedric+C.+Girouard]

And a blind person who has their email read out loud will hear what? 00001100000

First thing I note is that you bring another problem without even an attempt at a possible solution. So much for being constructive. I at least proposed a solution to the problem at hand (text only mail readers.).

Second: And make the mistake of sticking a link in there saying something like "For visualy impaired persons, click this link that will call a java script to unmangle the address and allow your email through" and you'll have every single association for the rights of blinds, friends of blinds, relatives of blinds, people who know people who once went to school with a blind person and whatnot on your back for making it harder for them to use your service. Embed an OGG sound-clip in there and you'll make it harder for someone else.

Whatever you do, you're doomed not to cater to someone or some group of persons. You just try to minimize the number of them that are going to be impaired by your product/device.

If you had to churn out universaly usable code only, well... Lets just say that anything over a teletype hooked to a 150bps modem would be overkill.

The other thing is that this is an opt-in service. Nobody's twisting your arm so you use it. There are other ways to deal with spam. I for one know that if I was using this service, and gave my email addy to a blind friend, I'd make sure to whitelist him beforehands.

Re:Not free according to NYTimes...

[yerricde]

Nobody's twisting your arm so you use it.

Unless your job requires that you contact somebody who uses only it.

next on cnn....

i hope "the war on spam" is more successfull than "the war on terrorism"... and more painless than the current "war on iraq"...

- tired of anything labelled the "war on <insert cause here>"

Re:next on cnn....

I say we have a peace on war (can't very well have a war on war, can we?)

Still fixing the problem by breaking the consumer

[BaCkBuRn]

Challenge based spam reduction sounds like a great idea. The only problem is that the spam is still going to be sent. Only when the internet comunity goes out and actively shuts down spammers will the problem ever be solved. Hotmail may now limit their users to 100 messages a day but that wont stop anything. Sounds like a PR gig and another reason for high volume legitimate emailing fools like myself to pay for a "professional" hotmail account. Let alone the fact that most spam comes from open relays that are exploited on a daily basis. Stop the spammers before they stop you!

SpamCop used to work that way

[Animats]

SpamCop used to be challenge/response, but they switched to a "heuristic" system that doesn't work as well.

Challenge/response systems have the problem that if two parties both use a challenge/response system, they may not be able to communicate with each other at all. The challenge message may not get through. Worst case, they create a mail loop.

Incredimail has it...

Challenge response was first done by using Incredimail last year. I know of at least a July email that I needed to respond to from them.

Challenge-response will be the new way to combat spam, but I still believe that if the response will still allow you to have incoming spam from advertisers then e-stamps are the key to limit folks from emailing you, and for those that do, have some $$ from the e-stamps be paid to the email user.

Here's a FAQ on the PaidStamp solution we are testing:

http://www.brainclone.com/PaidStamp%20FAQ.htm

Anthony Loera

Re:Incredimail has it...

Correction, incredimail was not the first.

But, it was the first time I saw this in action.

Anthony Loera

Not exactly free...

[zaren]

Service Pricing
I want the following Mailblocks service:
Standard Service -- $9.95/year

* Standard Service includes 12 megabytes of storage.
* Promotional launch offer: Buy one year of service for $9.95, receive an extra two years of service for free. That's just .23 cents per month to rid your life of spam.

Expanded Service -- $24.95/year

* Expanded Service includes 50 megabytes of storage.
* Promotion not offered for the expanded service.
* Can I upgrade later? Sure.*

Re:Not exactly free...

[Carbonite]

Promotional launch offer: Buy one year of service for $9.95, receive an extra two years of service for free. That's just .23 cents per month to rid your life of spam.*

* Customer will be rid of their spam, not ours.

Re:Not exactly free...

* Standard Service includes 12 megabytes of storage.
* Promotional launch offer: Buy one year of service for $9.95, receive an extra two years of service for free. That's just .23 cents per month to rid your life of spam.

.23 cents a month? Now that's a deal. I'll be a nice guy and just forward them 3 pennies for the year, thankyouverymuch.

The service is free

That $24.95 must be for shipping and handling.

Re:The service is free

[BaCkBuRn]

rotflmao! More and more companies seem to be moving in the free-product-and-ass-raping-handling-charges. I dont know about you but I dont like paying to have my ass raped. :)
-bb

Myrealbox is the best

[wonea]

Myrealbox filters the spam, and it is free. Why would you want to pay for something that is already free. www.myrealbox.com

Re:Myrealbox is the best

[theflea]

I second that. Last year I got a 2-3 spam e-mails in the course of a week. Their support staff sent all subscribers a notice apoligizing for the incident. Absolutely unbeleiveable since I'm not paying any money for the service. It seems there was a glitch with their filter.

Since then I've not received one single spam. BTW, It's a testbed for Novell's Netmail product.

Re:Myrealbox is the best

[reverse+flow+reactor]

I paid for my fastmail.fm account. I wanted something that did POP3 over SSL, IMAP over SSL, and SMTP via SSL. Plus a nice web internface. Plus subdomain addressing, and a decent amount of email storage space. That is worth US$20 per year to me. It may not be for everyone, but it is worth it to me.

I have used many of the free email accounts, and you get what you pay for. Yahoo pulled the plug on a few important features, and it was actually cheaper to go with Fastmail and the extra features than the get an enhanced Yahoo account.

But that's just me. I rate email as very important. Others may not. I have heard a few good things about myrealbox, and it may be a great solution for lots of people, but I have not tried them. I am happy with fastmail right now.

Re:Myrealbox is the best

[Noksagt]

I've inspected myrealbox & it DOES offer pop3,imap,and smtp over ssl. IT also has a nice web interface. Only 10 MB of storeage, but that isn't anything to sneeze at.

I am strongly considering it & thought you might want to save a buck or two if the 10 MB cap isn't too little.

"Patented" challenge-response?

[rsidd]

There have been procmail-based autoresponders that essentially do this for ages. You maintain a whitelist, people who are not on it need to reply to an email and then get added to your whitelist.

WAR

[Ty]

WAR on terror
WAR on drugs
WAR on Iraq
WAR on ....

WAR on SPAM

How American.

MS has ruined the guy

[westfirst]

Gosh, I loved the first WebTV even after MS bought them. It was a great, lightweight client with a beautiful user interface, at least for the time. Now the jerk wants to save us from SPAM just so he can spam us himself. Plus, you pay him $10/year and can't avoid it. That's right, the TOS says you CAN'T opt out.

Memo to VCs: don't fund ex-M$ people. They seem to believe that they can jam any TOS down people's throats.

Not only web based.

[Kaypro]

Looks like you can also use IMAP to tap into your mailbox as well:

Not *all* spam is bad

[Illuminati+Member]

Remember, spam targetted for a specific audience is not all that bad.
I used to work for a bulk email service. We pride(d) ourselves on the fact that we supplied game offers to gamers. If you were a hardcore gamer, you didn't mind the mail. If you didn't care about games, you didn't get our emails.
Is that such a bad thing?

Sure, a large sum of spam isn't targetted for a specific audience, just as many people as possible. That should be blocked. Targetted mail, however, should not.

Re:Not *all* spam is bad

Is that such a bad thing?

You are not very bright, are you?

Re:Not *all* spam is bad

[Hayzeus]

Let me save the 27,000 others who'll respond to this the trouble:

Spam is bad, targetted or not. If I didn't ask for it I don't want it. So, yes, basically, it's all bad.

Re:Not *all* spam is bad

[RembrandtX]

all e-mail lists and or mailings should be OPT-IN.
if a customer opts in .. then yes .. you are correct, their targeted e-mail is acceptable.

however, if you just happen to 'get' their e-mail for example .. from any of the credit industry companies, or from web trolling etc - assume they are gamers, and send them 'targeted' e-mail, then you are no better than the bastards who call me at 8:00 am on a monday morning because they know I bought a lawnmower last month, and *know* i like outdoor power equipment - and want to sell me more.

I believe the exact conversation went something like this :

Telemarketer: 'Mr Walk, I see here that you recently bought an electric lawn mower at Home Depot, I am authorised to offer you an electric hedge trimmer through my company at a steep discount ! Does that sound interesting to you?'

me: 'I am authorized to remind you that you just woke me the fuck up, that you are to remove me from your calling list, and any calling lists your company uses.'

Telemarketer: 'But Mr. Walk, this is a great deal .. '

me: (interrupting) ' I am *NOW* authorized to tell you to remove me from your calling list, and any calling lists your company uses, and to tell you to 'go fuck yourself' *click*

Now with 'targed' non opted e-mail .. I am denied the simple retaliation of telling someone to go screw.

So .. *no* its not the same .. and *no* I don't approve.

Re:Not *all* spam is bad

This is a *BS* story.

Telemarketer: 'But Mr. Walk, this is a great deal .. '

It is illegal for them to argue when you say "take me off your list."

Feel free to make up shit.

Re:Not *all* spam is bad

[walt-sjc]

You obviously have a small penis. I'll add you to our list. Would you like breasts with that?

Re:Not *all* spam is bad

Yes, and as we all know, telemarketers would *never* do anything illegal. Grow up!

Re:Not *all* spam is bad

[RembrandtX]

its also illegal for them to call you before 9:00 I believe, but they don't seem to let that stop them either.

I bet you believe that more strict gun control laws will keep guns out of criminal's hands too.

Disposable Email Addresses -- Effective?

[angle_slam]

The last time I posted this question, it was late in the discussion and didn't get many responses. So I'll ask again. Does anyone here have any experiences with Disposable Email Address services? Click the above link to get a more detailed explanation of what it is.

Briefly, I'll explain how they work in theory. After signing up with a disposable email service, they give you a disposable email address that you can, for example, enter into forms. Mail sent to that disposable email address gets automatically forwarded to your email account of choice. But here's where they supposedly come in handy. You can sign up for a different disposable email address everytime you fill in a web form. If you start getting spam, you can look at the disposable email address the spam was sent to and you can do 2 things: (1) cancel the disposable email address so you no longer get spam sent to that address; and (2) you know who gave out your disposable address and you can take whatever action you deem appropriate.

Any thoughts?

Re:Disposable Email Addresses -- Effective?

[sheddd]

Just buy yourself a domain name and forward *@yourdomain.com to your real email addy. Cheap and you stay in control.

Re:Disposable Email Addresses -- Effective?

[neilsly]

http://www.spamgourmet.com

Allows you to 'create' an e-mail address, consisting of x.y.username@spamgourmet.com where x=a unique identifier for the e-mail address you're creating, y is the number of times e-mail may be sent to the address before it gets forwarded into /dev/null, and username is .. obviously your username.

a little complicated - but go and sign up, it's free, it works...

Re:Disposable Email Addresses -- Effective?

[Anita+Coney]

I use disposable email accounts. But I see no reason to go to a Disposable Email Address service.

Here's what I do. I have a real email address that I only use with my friends. It is not provided by my ISP in case I decide to move. For all other email I create extra accounts with my ISP. Every ISP I've ever had has provided multiple accounts.

I then use these accounts to buy products, post to newsgroups, or to sign up for /. Once I start getting any spam I immediately cancel the account and create a new one. I've been virtually spam free with this system for about 6 months now.

Re:Disposable Email Addresses -- Effective?

My approach is that i use a different mail address for each company i deal with (someone else on here mentioned that they also do this).

Easy to do if you own a domain name, and applies in the same way.

I used to do this with another e-mail service i had. That one you got a subdomain name *all*@subdomain.freeserve.co.uk I think that some spammers are getting the hang of that though, as i started to get spam to variations on the addresses I used (i.e. they would chop characters out of the name). This seemed feasible as the ISP (freeserve), is a pretty large supplier for the UK.

Anyway, just thought I'd say.

Re:Disposable Email Addresses -- Effective?

[smeenz]

On those occasions when I absolutely have to provide my email address in order to get something, and I suspect the site of having no qualms or morals at all, I do a similar thing by creating an email alias for myself, waiting for the confirmation email, then trashing the alias. Obviously this requires that you have access to your mail server.

Re:Disposable Email Addresses -- Effective?

[mddevice]

I've used sneakemail, and it works pretty well. They limit the amount of bandwidth you can use with their free service, but it does actually work. In time it becomes a pain in the butt to go and create a new email address, so many times you'll find yourself saying "oh hell, I'll just use my yahoo account", but nothing is perfect.

Re:Disposable Email Addresses -- Effective?

[pimephalis]

Actually, you can use this approach to another end as well. If you want to buy something from indigo books, for example, create and use the email address indigobooks@yourdomain.com for the transaction. If you later find that you're getting spam to that address, you have a good idea of who sold/leaked your email. Great way to build up and work a bitch-list of slimy companies.

Re:Disposable Email Addresses -- Effective?

[g0_p]

Fastmail.fm has something similar. They set up a sub domain of the form yourname.fastmail.fm. Any mail sent to this sub-domain comes into your mailbox. The way this works is that you would give a mail-id like say foldername@yourname.fastmail.fm to potential spammer (website forms etc..) and all such email will come into a folder called "foldername" in your mailbox.
Though this facility is not there with the basic service it is there with the one time payment service. Pretty neat stuff.

Re:Disposable Email Addresses -- Effective?

[eric6]

maybe i'm just ignorant of "how", but if something like fastmail.fm is only $20/yr, wouldn't that be waaay cheaper than having a domain?

I mean, i love the idea of having the control of your own domain, but you have the cost of registration plus at least $10-20/month or so to host the thing. Is there a cheaper way to host your own domain (if only for email purposes)?

Re:Disposable Email Addresses -- Effective?

[Rashkae]

That's about the dumbest thing you can do. As soon as a spammer gets a hold of your domain name, they will send a "username" attack. They will try to send an e-mail to every comon username in their 'dictionary', and you'll receive hundreds of them. you have to explicitely enable every e-mail address you want to reach you, and create a new one each time you have to hand out your address.

Re:Disposable Email Addresses -- Effective?

[sheddd]

You can grab a domain for ~$12/year and use www.zoneedit.com for your free nameserver(s)/email forwarder.

I do this and haven't yet had a spammer do a dictionary attack on my domain.

Re:Disposable Email Addresses -- Effective?

[germanbirdman]

I have my own domain at namecheap (8.88 a year), nameservers for it at zoneedit.com because I like their dynip stuff and IPv6 support, and the MX records for it point to fastmail.fm.

I love it!!!! I have full control, reliable email, and I know the people that manage it belong to the most knowledgeable people about email on Earth (who else hacks around in IMAP code, writes white papers about why the Spamcop block list is flawed....)

Email is a lot more complex than people realise, and these people are just great, and they respond to you and you get to know them via the independant forum. Need a feature change? Ask them!!!

Re:Disposable Email Addresses -- Effective?

[germanbirdman]

works for your own domain too now :-)

I feel guilty, I've recommended them in 3 posts so far in this thread - but I am really just a customer that loves the service. I am not Jeremy or Rob (who come from Australia).
I don't really want to advertise.

Re:Disposable Email Addresses -- Effective?

[billstewart]

If you're running your own sendmail, it'll reject any messages to bogus addresses; obviously it'd be nice to teergrube that so the failure messages take a long time. If somebody else is doing your sendmail, and is forwarding you all the messages to all addresses, good or bad, that's annoying, or even if you're getting postmaster-grams for all the bogus addresses.

But usually this doesn't happen if all you've got is a subdomain from an email provider, and if everybody had unlimited user names inside their own subdomain instead of the more common conventions, dictionary attacks would scale very badly for spammers, especially if attempts to reach bad addresses led to long or increasing delays in responding.

secure?

[hey]

mailblocks says "All login information is sent securely to the Mailblocks server."... but I don't see any "https:". I tried signing in with a bogus userid/password just to see if I got a SSL response but no. Am I missing something?

Re:secure?

Actually you are.

When you put in your username/passwd it posts to a https website.

-ac

Re:secure?

[panaceaa]

It uses HTTPS. Search for "https" in the source code, and you'll see they dynamically create a URL for the submit action. It takes a parameter called "secure", so technically non-secure URLs could be created, but the function (FixFormAction()) always receives secure=true.

Also, I sniffed the login traffic doing the same sign-in process you did, and the form was submitted with HTTPS. I don't know why you couldn't detect this.

Re:secure?

[invi]

How would you know? The form content may be submitted via HTTPS; but sending the form itself via unencrypted HTTP makes it easy for an attacker to replace the HTML-code and instead point the form action to the attacker's web server ... DNS poisoning or TCP connection hijacking anyone?

Sending information through a form received over HTTP is dangerous, no matter where the form action is intended to point to. Browsers should warn their users about it.

Mailblocks Free

[Rudy+Rodarte]

Standard Service -- $9.95/year

* Standard Service includes 12 megabytes of storage.
* Promotional launch offer: Buy one year of service for $9.95, receive an extra two years of service for free. That's just .23 cents per month to rid your life of spam.

Expanded Service -- $24.95/year

* Expanded Service includes 50 megabytes of storage.
* Promotion not offered for the expanded service.
* Can I upgrade later? Sure.*

fake sender?

[xj9000]

If the challenge/response is only on the first email then it would be posible for the spammer to use an address that has already been green listed. Sometimes i get spam messages that bounce back that have my own email address as the to and from fields. This system certainly would not get 100% of all the spam it claims!

ToS translation

[Limburgher]

We are committed to preventing delivery of any spam (except ours) to your inbox, in an effort to prevent you from being harrassed by anyone (except us) trying to send you unwanted advertising (i.e. not ours).

Hmmm. No thanks.

Web based email service is opening it's doors?

[ThatMadeNoSense]

Web based email service is opening it's doors

That made no sense.

Re:Web based email service is opening it's doors?

The rest of the sentence must have been ...who is headlining.

Still it seems like a semicolon after "opening" would make more sense.

Oh well.

if looking for a killer online mail service

[thrice]

try out oddpost

http://www.oddpost.com

it truly is the best web based email
i've every used. if you like outlook,
evolution, eduora, >... you'll feel
right at home in oddpost.

pretty cheap too... only $30 a year
and the 1st month is free. and the
spam filtering is coming along nicely
to boot.

Re:if looking for a killer online mail service

[smeenz]

works with IE5/6 *only*. lovely.

Re:if looking for a killer online mail service

[thrice]

i use it all the time and i'm linux based.

of course i'm running IE via cross over office.

Re:if looking for a killer online mail service

[stevel]

I use SpamCop - also $30/year with excellent spam AND virus filtering, plus a great web e-mail client and support for POP3/IMAP and SPOP to your ISP.

Re:if looking for a killer online mail service

[smeenz]

there's a bunch of javascript in the main page to check that you're running IE. You don't even get a login box to type in if the check fails.

It'll block too much

[lazyl]

Before allowing e-mails through to your in-box, Mailblocks automatically transmits a numerical password to first-time correspondents. The senders must then retype the code into an onscreen dialog box before the system acknowledges them as legitimate.

This will block a lot of legitimate mail. You won't be able to subscribe to mailing lists. You can't recieve those "account authorization/activation emails" that lots of sites use. E-cards won't work. You won't be able to to get daily comics. Bascailly, any system where the mail is sent by an automated system won't work. There are probably others I can't think of.

Re:It'll block too much

[John+Hasler]

> There are probably others I can't think of.

Mail from anyone who does not read their email with a Web browser, and mail from blind people.

Re:It'll block too much

[jetmarc]

> There are probably others I can't think of.

There is a BIG one: you can't receive email from other Mailblocks subscribers.

Unless their filter automatically marks all Mailblocks subscribers as "green", that is. But this would enable spammers to spam from (or forged-from) Mailblocks when spamming Mailbocks accounts.

Marc

you invented this? not.

[jbellis]

you invented this idea the way al gore invented the internet. :(

as I posted earlier, mapson predates any commercial implementation I have seen. I downloaded version 1.0 to doublecheck -- unless yours was written before 1997, or you employ Peter Simons, I'm afraid your claim to being the first doesn't hold water.

mailblock at least doesn't claim originality, just that they do it better. which may be true; they have a pretty slick "mail siphon" feature going.

Spam Gourmet

Try Spam Gourmet. Not only are the email addresses disposable - but they automatically self-destruct after a little while. It seems to work quite well and is effective at cutting back on spam.

Re:Terminology quibble

No shit. We should declare a "War on War"! Stop all wars. But then the US gov't would try to start up a "War on Peace" or something.

Re:you invented this? not.

[Ace905]

Our white paper on the system was published in November of 2001. A challenge-response based system has existed for longer on web sites to prevent automated submissions.

To offer the system for email requires a more advanced server-client architecture, overcoming challenges such as "what if both systems require authentication" to ensure that Spam still can not get through a 'hole' for this scenario, and finally: The actual challenge-response is being done wrong by almost all of our competitors. A simple dictionary attack could authenticate a spammer for their entire user list.

We're the longest running email-authentication project (obviously, since we did invent it) and we have a very large list of improvements planned for the system. I suspect these other companies, which publicly lie about trade mark, patent and copyrights to the system (that have never been registered) will take our new ideas and claim to own them as well.

Only time will tell.

I'm doing that already..

[kurokaze]

Got myself an account over at pair.com

Basic FTP account is all you need + vanity domain.

Setup what is called recipes,
e.g.
foo@my.vanity.domain

any mail sent to that address will either get forwarded to my actual email address, or get deleted. I create a new recipe for every person/site I come into contact with.

Quick, Cheap solution for my spam problems. Unfortunately my real email address got out before I setup my recipes.. so I'm still get some spam.

I'm aware of what fastmail offers

[jbellis]

yes, fastmail has 4 price points, including a free entrylevel one, but given the context of the article, the relevant price point for fastmail is the cheapest that offers spam filtering.

Re:I'm aware of what fastmail offers

[Speed+Racer]

given the context of the article, the relevant price point for fastmail is the cheapest that offers spam filtering.

I'd agree with you except for the fact that signing up for this service guarantees that you will receive spam since you agree to it as a term of service. They just decide who gets to spam you. Since FastMail doesn't do that, it's already a superior service, even at the free level.

Disclaimer: I am a paying user of FastMail (the one-time payment Member level). It is one of the best services that I have had the pleasure to use.

WAR ON PROFIT

[kewsh]

war ( P ) Pronunciation Key (wôr)
n.

1.
1. A state of open, armed, often prolonged conflict carried on between nations, states, or parties.
2. The period of such conflict.
3. The techniques and procedures of war; military science.
2.
1. A condition of active antagonism or contention: a war of words; a price war.
2. A concerted effort or campaign to combat or put an end to something considered injurious: the war against acid rain.

Never had spam from Hotmail?

[stomv]

Of course you've had! I get them about once a month. It's from "Hotmail Staff" or some such, and it includes a paragraph about the standard "fighting spam" and "send your photos to granny."

Then, it goes on to shout out the virtues of MSN 8, MSN Messenger, MSN Wallet, MSN XBill, MSN We Hate Torvolds, et al.

For grits and shiggles, I reported it as spam. Forwarded it to abuse@hotmail.com and whatnot. I got a message back informing me that the email -- containing advertisments I didn't want -- was not spam. Go figure.

Damn, made me laugh.

yes.

Love and kisses,
Phil Goatse

Re:Damn, made me laugh.

[mobileskimo]

Fell out of my chair. Office workers are curious, but I'm afraid they won't understand.

But as the book review points, you will not develope cancer. You will develope a renew freshness for the splendid joy in life.

do you have a reading comprehension problem?

[jbellis]

I cite a specific example of a challenge-response system for authenticating email dating from 1997, and you reply that since you started in 2001 you are the longest-running.

way to refute me, champ.

Re:do you have a reading comprehension problem?

[Ace905]

From the Mapson web site.

"Every time you receive an e-mail, mapSoN will look-up the sender's e-mail address in a small database file and check whether that address is in there. If it is, the mail is delivered to your mailbox, but if it is not, the e-mail will be stored in a spool directory in your home, using a cryptographic cookie as the filename. Then mapSoN will send a so called request for confirmation to the sender's address, asking him to please confirm his addresses validity by replying and sending the cryptograpic cookie back. When mapSoN receives a mail with such a cookie in it, it will move the corresponding mail from the spool directory to your mailbox and add the sender's address in the mail to the database.

This approach is based on the fact that spammers usually fake the sender address of the spam mail. (In fact, they have to, because sending unsolicited advertisement via e-mail is illegal in most countries.) But because their sender address is invalid, they will never see the request for confirmation, they will never reply, and their spam will sit in that spool file until hell freezes over or an apropriate cron job deletes it. Using this heuristic, mapSoN catches way above 95% of all spam mail I receive."

This is not our system. Our system does not use cryptographic cookies, and our system does not stop more than 95% of spam. It stops 100% of spam.

I read the site fine, I just forgot to mention you're not even close.

Re:do you have a reading comprehension problem?

1) This is not a server-client based system. Using it adds your name to more mailing lists, not less.
2) This system uses cryptographic cookies that need only be added to the response. Real challenge-response based systems have to work even if Spammers want to defeat them.
3) The author of this system claims it is around 95% accurate at PRESENT, even with it's relatively low use around the world and next to no incentive for spammers to add a simple script that does the response should they encounter it.

I have my own test account for working with Spam Interceptor and of 343,332 spam emails received in the past 12 months - 1 spammer authenticated. That's 99% accuracy to 5 decimal places.

Then I discovered that spammer got my name from a friend that signed me up to his tiny mailing list, and he believed that I wanted to receive it. That doesn't make him a spammer.

So you do the math, champ.

Re:do you have a reading comprehension problem?

It sounds pretty close to me. Sounds like your just complaining about minor implementation details. What, are you afraid your dot-com software patent suddenly went *poof* in a puff of prior-art? :-)

Re:do you have a reading comprehension problem?

[Ace905]

We've decided not to patent the idea, for moral and financial reasons. We believe the system would do better on its own.

Also, as one of our users posted - there are 3 fairly good reasons why these systems are entirely different.

server-client architecture
graphical-text challenge / response vs. file attachment (latter being easy to circumvent)
accuracy rate. 100% vs. 95%

Plus:

Handling of lists through GUI
Windows Architecture
blah blah blah.

All points our original patent lawyer found relevant enought to take our case ; until we decided against a patent.

Regards,

-Doug

Re:do you have a reading comprehension problem?

[walt-sjc]

Handling of lists through GUI
Windows Architecture

... And these are supposed to be GOOD things????

Re:do you have a reading comprehension problem?

We've decided not to patent the idea, for moral and financial reasons. We believe the system would do better on its own.

Translation: our patent attorneys have told us that there is a strong probability our application would get thrown out due to prior art.

Re:do you have a reading comprehension problem?

[Ace905]

Translation:

A patent is $8000USD, our total 1 year budget for marketing. Once the patent is filed and potentially accepted, court case costs to actually enforce it are astronomically higher - especially when going up against Microsoft, CNET or other companies which have a lot of backing.

When a patent is not enforced it is lost.

Also, patents stifle innovation in software development. As much as the online activist hates patents, they always recommend them when you're not doing so well.

I'm sorry our moral reasoning coincides with the morals of activist internetters ; but as I said, I'm not complaining about competition, I'm complaining about media coverage.

i also like being challenged to prove that we did in fact invent our authentication system - it gives me a chance to prove unequivically that we have. As I did.

Regards,

-Doug.

Re:do you have a reading comprehension problem?

[Sanity]

When a patent is not enforced it is lost.

If your attorney told you this - I suggest you get a new attorney, it is flat-out false (you are thinking of trademarks).

Re:do you have a reading comprehension problem?

[Tumbleweed]

I have a better reason why you shouldn't try to patent it - it's already patented, and it is called 'P3P'. Also note that there is at least one perl-based open source project that has been doing this that's older than your system. Also note that P3P patents have been placed in a public trust (xns.org), so you don't have to worry about anyone else patenting this.

But, hey, if it makes you feel better to think that you came up with something new, by all means, go ahead.

Re:do you have a reading comprehension problem?

[Ace905]

Do you mean P3P as specified by the W3C? P3P the web based, not email based, not related system?

The not server-client based, not related to email, not even mentioning graphical/text challenge-response based systems?

I hope you don't mean that one.

Re:do you have a reading comprehension problem?

[neonfrog]

Ace905 is correct in this to some degree. If you don't enforce your patent by researching and finding infringers, informing infringers to cease and desist, and ultimately taking infringers to court (costs YOU money to do any of this) then they simply make their infringing product anyways and you lose market share. Then, after some amount of time, you can no longer claim damages back to the beginning of their infringement (some kind of limitation on that if you didn't find and communicate with them early on).

You technically don't lose your patent, true, but you certainly lose the benefit of having the bloody thing to begin with if you don't defend it.

So you make a business decision; research patent validity, apply, and then defend costing $X (lawyers fees at every step of the way here), or release and market spending $X. Reminds me of StarCraft, in a way... Do lawyers play StarCraft? I wouldn't know as I am not one.

Re:do you have a reading comprehension problem?

[andyt]

our system does not stop more than 95% of spam. It stops 100% of spam.

heh. 100 is > 95.

Yes, I am a prat...

Re:do you have a reading comprehension problem?

[erc]

And that's a good thing because you'd lose. I've been using challenge-response email systems (for anonymous email) since 1992, and so have a number of people on the cypherpunks mailing list. So if you can claim that your system has been around for longer than 11 years, your claim doesn't hold water.

Or.......

[Qapf]

For 10 a year you can buy a domain, build a box, load server side spam protection, and sell it to your friends and coworkers for profit. Capitalism++

Solution: Have a "private" address

[clmensch]

I use yahoo mail whenever I do anything online, but I give my "private" email address (my own domain) only to friends and relatives. In the two years I've had the address, I've literally gotten THREE pieces of spam...the last time was about two months ago. I have no idea how they "found" me, but it's not like I appeared on someone's list or else I'd still be getting junk emails!

Vulnerable to spoofed email addresses?

[Noksagt]

I noticed that some free email services with spam protection will let through spoofed messages. If challenge-response is the "new" form of spam fighting, than I would imagine that dictionary attacks on the from address would become the new form of spam.

Since spambots harvest email addresses from websites and online directories, they will already have good guesses about who you receive messages from.

Challenge-Response Has Issues

[istartedi]

1. It imposes hurles on first-time contacts. Posted your resume and got a response? HR person doesn't have time to answer questions like "what color is the sky" or whatever they use to verify you're human.

2. Spammers can use it! If they get a challenge they know the e-mail is valid. Then, they can forge senders. If they forge the right sender the spam gets through. If they forge the wrong sender a challenge goes out to the 3rd party. The challenge has to carry a subject doesn't it? Voila! The spammer has hijacked your box and used it to send quickie text messages to 3rd parties. OK, well, maybe you change the subject so that it simply gives the time of the message or something... but then the sender is less likely to recall if he actually sent the message.

Even if it works, C-R floods the network with with little micro-spams. I for one do not look forward to having my inbox flooded with messages with subjects like "SpamMaster response requested for message you sent 3/24/03" because I never sent the message and some lousy spammer just forged my address in the Sender.

Maybe they've come up with some ingenious way to fix these problems, but I doubt it.

Re:Challenge-Response Has Issues

[Ace905]

Yes, if you're waiting for an important email with Spam Interceptor you can check your mail cache and manually add the person either before or after you receive the email. Since HR firms always send from the same email address, future correspondence isn't a problem.

Server-Client based systems ensure spammers don't know which email address is valid. The subject line is included in the email, but with minor changes so an automated strstr isn't going to find it.

Spammers do not forge legitimate email address as the sender, a very high percentage of spam emails use email addresses with no MX record attached or an MX record set to localhost (ie. doesn't exist).

The other ones use random addresses, so unless you're askdhjf@asdf.com I doubt you're going to get little micro spams. If you do, you'll receive a total of maybe.... 1.

Regards,

-Doug Styles

Re:Challenge-Response Has Issues

Spammers do not forge legitimate email address as the sender

Actually, Dave Winer complained on Scripting News last year that a spammer had forged his address...suddenly he was getting thousands of bounce messages.

Re:Challenge-Response Has Issues

[TonyGreene]

My resume is only posted as HTML. The included email link specifies a Subject that my filters look for. That's good enough for people contacting me via my on-line resume. When I'm actually in the job market, I have a filter that allows subject lines related to jobs. That allows in people who have my email address in a database, or who copy/paste it into a message instead of using the link.

It is unlikely that a spammer will generate a valid sender. Hoping to generate a valid fake address to deceive my challenge system is too much time/effort for most spammers. In the first place, they would have to include contact info in the Subject of the message. Not likely.

There is a way to fix this, and it's not complicated, but it will require agreement among mail client developers.

1. Sender sends message. Sender's mail system records Message-ID of outgoing message in a temporary whitelist.
2. Recipient's antispam system receives message and issues challenge, including original Message-ID in the In-Reply-To header of the challenge message.
3. Sender's antispam system receives challenge and notes that it is a reply to one of its owner's messages. The challenge is let through.
4. Sender responds to the challenge and original message is delivered.

Um, maybe not to a spammer...

Trust me - they probably didn't want your spam. About all any bulk email services can pride themselves on is a self-delusion that they're spam is any better than ones pusing the herbal penis enlarging vitamin pills.

Spam Inspector

[Tmurder]

I don't know how many of you use Outlook, but if you do check out Giant Company This prog works wonders for me. It filters all your email via its predefined filters, so you don't have to come up with your own filters. Prior to using this I would receieve 300+ articles of spam a day to my inbox, now maybe one slips through if its lucky.

T

hardly unique

[MattW]

There are a lot of sites gearing up to do exactly this. Sites like Mailrazor are doing spam-blocking with tools like spamassassin and such, as well as adding things like whitelisting/opt-in. (IE, you might be able to allow in things which pass draconian spamasassin/RBL filters, then force suspected spam to opt in). Meanwhile, if the user sends out an email to an address, it whitelists automatically and even if it sends a 'suspicious' email it will be autowhitelisted. With confiruable behavior, of course.

Comment removed

[account_deleted]

Comment removed based on user account deletion

not really

[jbellis]

you only have to authenticate _once_ to each recipient. less if you're important enough that they pre-auth you. :) Unless you're working in tech support or something where you mail dozens of new people a day, it's hardly a bother.

Re:not really

[guardian-ct]

It's a bother for those trying to avoid spam by avoiding entering their email address into a web site (ie, company database). If lots of people start using these, I can see a few problems.

1) There's already at least 3 challenge-response (c-r from here on) type spam-proofing systems that I know of. If they all require the entry of my email address into yet another company database, then there goes some of the security in having an email address that is in only one company's customer database (the ISP). Any c-r system could use the verified email addresses for nefarious purposes. Strangely enough, most spam is a type of c-r system. "Enter your address to be removed from our list".

2) If someone forgets to put a mailing list's address into their "pre-approved" list, a message may get sent out to the list requesting that it verify its email address. I can see an opportunity here for massive mail loops if more than one person on a list signs up for different c-r systems. If the owner of the list happens to miss the challenge, then, depending on the system, either the list mail to that address just disappears, or bounces off the c-r email server.

3) Unless the builder of the c-r system is more careful than all of the ones I've seen (I haven't looked at mapSoN), blind users are out in the cold, and sight impaired users have significant trouble getting through the challenge.

4) Any c-r system based on web connectivity or HTML imaged email may fail dramatically on cellphones or the dreaded "email appliance".

5) Approving based on "From:" address only is susceptible to forged headers. That's one reason some spam has your address in both the "From:" and "To:" fields. The other reason is to get around some poorly secured email relays.

6) Approving based on sending mail server IP and "From:" address is susceptible to dynamic DNS changes of the sending mail server, and not likely to work well with web-form based c-r.

and I have some nice swamp land....

[frovingslosh]

Lets make sure we have the facts: Here's a free service that costs either $9.95 or $24.95 a year depending on the file size limitation you select (You want a file size limitation imposed on your e-mail, don't you?) and then they take your name and sell it to people to send you the exact thing you're paying to avoid. Sure, that makes sense, but how well will it work? I've considered the challange and response system, but how many valid e-mails will be missed from valid businesses you are doing business with? Do you think Tech Support people you are trying to get a response from will fool with this system, or just delete a validation request that comes back to them? How about rebate confirmation notices? Or adding yourself to a newsletter distribution list? I received an order confirmation for a new notebook just last Friday that came from a "do not reply to this address" e-mail address; I certainly wanted the information in the confirmation message, and I don't expect major on-line retailers will change the way they send confirmations just to suit Mailblocker. How many other important e-mails would you miss if you trusted this system?

Sure, something has to be done about the problem, but paying for a bad system that will just sell your name to other spammers and will block legitimate e-mail isn't much of a solution and should not be accepted in a desperate I'll try anything approach. I would propose that a simple open season on spammers, with perhaps a six spammer limit so every hunter gets a chance, and even a small license fee to help pay down the national debt, would be a much better approach.

Re:and I have some nice swamp land....

[mobileskimo]

I can't believe the amount of discussion going on about this with the OCCASSIONAL beef about them stopping spam so that they can be the exclusive spammer. Ha! As I've stated before, this is the oldest business in the world. "Pay for my protection and nobody else will pick on you!"

I can just imagine it now. The business guys who took the concepts and technology and are rubbing their hands together waiting for the money to roll in from ALL SIDES.

"We'll offer this service where people will pay us to stop spam. Then we'll charge companies so that they can be exclusive members that can spam.
And then on top of that we'll charge companies that want information for their spam targets. We're gonna make a boatload of money guys!"

PS...
Has anyone called them up or emailed to ask them how they can be on the exclusive list to be spammers? I wonder what they charge for a "spamming license" and "demographics information".

Re:and I have some nice swamp land....

[legojenn]

Do you think Tech Support people you are trying to get a response from will fool with this system, or just delete a validation request that comes back to them?

This brings me back. I remember when I did tech support sometime in the last century. Occasionally, we would have 'callbacks' which usually amounted to calls to cranky* people who emailed us instead of calling. Since the company did support for multiple companies, we blanked-out our name for call-display. When we had a callback that would not accept calls from blanked-out names, we could have just called from a regular office phone, but it was less effort to simply mark in the job ticket that the caller was unreachable due to a bad number.

* Usually, the crank people who emailed were ones that didn't get what they wanted from the first level phone support (English speaking tech, billing problem fixed, unsupported issue supported)

Mailing lists

[rf0]

One thing I hate about this sort of thing is that its quite dumb when it comes to mailing lists. More than once I have written an email to a mailing list I'm on and got back a messages along the lines of

"foo@bar.com is subscribed to our service. Please click on very long URL to let them recieve your messages"

Now this means that everyone who posts to that list has to do this for one particular user. Why should they? I'm sure that user has something to say at some point but I don't want/need to do it everytime I post to a list and someone new has joined who uses a similar service.

Why don't they whitelist the address of the mailing list? That would seem obvious to me. Even mailing lists that allow anyone to post normally have very high signal to noise ratios with the occasional spam.

Just my pet peev

Rus

Mark Fiore on this

[CrystalFalcon]

http://www.markfiore.com/animation/bluster.html

SA still works

[ajs]

I've been using SpamAssassin for about a year now. It started out good, and got better. Now it's actually a little frightening how good it is.

If you want to try it out, you will (most likely) need your own machine handling mail (if you're a broadband or DSL user, this is easy enough, I'll assume you've made that step...)

Now, make sure Perl is installed.

Now, as root, type "perl -MCPAN -e shell" and follow the instructions to set up Perl's configuration system.

In that shell, type "install Mail::SpamAssassin".

Exit that shell and type "/etc/init.d/spamassassin start"

You will want to do what your OS prefers for making sure this starts at boot time, under Red Hat Linux, that's "/sbin/chkconfig --levels 35 spamassassin on"

Exit your root shell, and do the rest as your user account.

Assuming you use sendmail with procmail (see the SpamAssassin site for other MTA configuration steps), put:

:0fw
| spamc -f

into your .procmailrc.

SpamAssassin is now doing its job. It just marks messages that it thinks are spam. See the example procmailrc on spamassassin.org for more information on how you can move the mail to another folder, delete it, or even more complex things. Also, there's a procmail bug that the example config can help you work around.

If you're doing this on a busy site, I recommend adding "-m 20" or so to your spamd command-line to throttle periods of intense mail delivery.

You can also configure SpamAssassin to do lots of useful stuff just the way you like it. There's a FAQ on your site that will walk you through it, but after the first time spamd handles mail for you, it will create a ".spamassassin/user_prefs" file that has good comments in it that guide you through common configuration needs (like whitelisting users).

Re:SA still works

[stratjakt]

If you want to try it out, you will (most likely) need your own machine handling mail (if you're a broadband or DSL user, this is easy enough, I'll assume you've made that step...)

Now, make sure Perl is installed.

Now, as root, type "perl -MCPAN -e shell" and follow the instructions to set up Perl's configuration system.

In that shell, type "install Mail::SpamAssassin".

Exit that shell and type "/etc/init.d/spamassassin start"

You will want to do what your OS prefers for making sure this starts at boot time, under Red Hat Linux, that's "/sbin/chkconfig --levels 35 spamassassin on"

Exit your root shell, and do the rest as your user account.

Assuming you use sendmail with procmail (see the SpamAssassin site for other MTA configuration steps), put: :0fw
| spamc -f
into your .procmailrc.

SpamAssassin is now doing its job. It just marks messages that it thinks are spam. See the example procmailrc [spamassassin.org] on spamassassin.org for more information on how you can move the mail to another folder, delete it, or even more complex things. Also, there's a procmail bug that the example config can help you work around.

If you're doing this on a busy site, I recommend adding "-m 20" or so to your spamd command-line to throttle periods of intense mail delivery.

You can also configure SpamAssassin to do lots of useful stuff just the way you like it. There's a FAQ on your site that will walk you through it, but after the first time spamd handles mail for you, it will create a ".spamassassin/user_prefs" file that has good comments in it that guide you through common configuration needs (like whitelisting users).

Is that all!?

I'll forward this to my grandma toute-suite.

Re:SA still works

[ajs]

Ooops, forgot to note that you will probably want to install Razor2 (it's just flat-out amazingly cool, and far more reliable than Razor1). Go to sf.net and search for razor. Download and install it and THEN go through the steps I mentioned to download, configure and install SpamAssassin. If you already did that, you should be able to do a "force install Mail::SpamAssassin" from the CPAN prompt.

Re:SA still works

[ajs]

While I imagine that was meant as a Troll, you cite a valid concern. That, of course, is why you want to direct grandma at a service provider that advertises their use of SpamAssassin, so that she doesn't have to know the details.

This, however, is Slashdot, and I do expect that slashdot_user.clue() > grandma.clue() if you know what I mean...

Re:SA still works

[jark]

and if you are a windows user, if you couple SpamAssassin with SpamNet then you have the best protection around!

Re:SA still works

[stratjakt]

That, of course, is why you want to direct grandma at a service provider that advertises their use of SpamAssassin

Ah, but my particular grandma lives out in the boonies where there is one and only one little mom and pop ISP.

So to avoid spam, a web based service is about the only way to avoid hassle.

Re:SA still works

[froggysan]

And coupled with MailScanner, it's even better. MailScanner facilitates virus/exploit checking, among other things.

Re:SA still works

[ajs]

And many of them now use SA. Q.E.D.

Hotmail Addresses

[rf0]

As much as I would like to applaud hotmail on doing something about spam I can't help but feel that its not going to work. I say this as in all my time fighting spam I've only actually seen a couple of spams actually come from hotmail.

More often than not I actually see Hotmail accounts as drop boxes. i.e. places bounces go or you reply to. Prehaps it might be better for Hotmail to restrict the incoming number of emails to an account to 100 a day.

Now that would hurt spammers more.

rus

Re:Hotmail Addresses

[program21]

But then you open up Hotmail accounts to simple DOS attacks. Sending 100 emails isn't that hard, it's something that a person might not mind doing manually, and you could clog up someone's Hotmail account with your messages, denying them access to legit mail which then bounces.

How naive can you get?

[Xformer]

Hotmail subscribers are now limited to sending only 100 messages a day "in an effort to prevent spammers from using Hotmail to spread spam,"

They don't need to use hotmail itself (in fact, I've never seen a spammer that has). They just need to spoof Hotmail addresses, which is quite easy. Chalk that up as yet another episode of M$ letting itself sound stupid...

Cringely has an interesting proposal

[Norman+Lorrain]

in this week's pulpit.

Basically, it's challenge/response, with the response being via telephone

I replied to him with the following:

I like your idea, I think it'll work. It's a variation of the challenge/response scheme, with the response being via a sender-paid phone call.

Here's a story: 2 years ago, we moved, so I had to change ISPs. I took the opportunity to do an experiment - my new email address I only divulge to people I know; everything else I use a Hotmail account for. In 2 years I have NEVER received spam on my "private" account, and I don't even have a filter enabled. Hotmail, on the other hand, is a different story, but is handy for internet purchases and emailing pundits.

Some points to ponder

- Your forum is a good way to get the ball rolling. Once a reasonable scheme is agreed upon, you could post it (maybe as an RFC) and the practice could spread virus-like from there. Even post instructions for Outlook users (rules wizard). If this catches on, a setup.exe for this filter would be a hot download!

- When subscribing to mailing lists, one might forget to add the address to your address book, thereby flooding the list with the "challenge" email. There should be a standard tag in the challenge that mailing list servers can filter on, and even automatically take you off the list.

- Since an auto-reply confirms to the spammer the address, the filter should ALWAYS delete the email. Once this practice is known, this might even prompt spammers to take you *off* his list. Saving the message would lead some spammers to continue on the off chance you might look through your spam folder later on.

- Using this scheme with bob@cringely.com obviously is not going to work (if you posted a controversial article, it would give new meaning to "slashdotting"). However few email users have a web site that invites comments. If a spammer loses a large percentage of his address list, he'll close up shop completely (here's a question: what is that percentage? How many email addresses make spamming a worthwhile income generator?)

- Registering with sites like NYtimes.com should be done with a disposable address, because forgetting the password requires an email be sent from some unknowable sender (forgot@lga2.nytimes.com)

So that's the new email reality. Get a private address equipped with the challenge/telephone response. Get a disposable address for shopping, or reading the news. And backup your address book.

Sample template for the challenge message:

I don't know who you are. If you want me to read your message, call me at xxx-xxx-xxxx and we can arrange to allow future messages to come straight through.

The message you sent was automatically deleted. I did not see it. Sorry for the inconvenience.

<SPAM CHALLENGE> this tag is for mail list managers </SPAM CHALLENGE>

As some else pointed out, the filter should check addresses that have had messages sent to, to avoid challenge/response infinite loops.

Re:Cringely has an interesting proposal

[Nutrimentia]

Mod Parent up.

I came in to mention Cringely's recent articles, which are highly relevant to this discussion.

TOS ALLOWS SPAM!!!

Why would I pay for a service like this? I read the Terms of Service, and it states that "Third Party" solitations will be allowed by this services. I read that as SPAM. It also states that they are not responsible for third party "Opt Out" failures.

this service will give you MORE spam

[bongoras]

They reserve the right to release any and all infomation... from the TOS:
"Mailblocks furnishes our members, and permits third parties to furnish our
members, through the Services and otherwise, with information, promotional
materials and solicitations, from time to time. You may not "opt out" of
the receipt of such promotional materials from Mailblocks and/or its
affiliates, advertisers or other business partners if you wish to use the
Services. The receipt of such promotional materials is an inseparable part
of the Services that Mailblocks provides. If you decide that you would like
to discontinue receiving such promotional materials, you must stop your use
of the Services and terminate your account with Mailblocks."

"Mailblocks reserves the right to release any personally identifiable
registration information regarding you to third parties who provide goods
or services that we believe may be of interest to you. Some third parties
furnishing you with promotional materials may permit you to "opt out" of
receiving such communications from them. However, Mailblocks is not
responsible for any such party's failure to comply with its own "opt out"
policies."

"Mailblocks uses individual data to "target" advertising - to decide which
advertisements and sponsor messages to send to which members. As an
example, if Sponsor Co. wishes to send their advertising only to Mailblocks
members residing in California, Mailblocks uses member registration data to
ensure that Sponsor Co.'s ads are sent only to members residing in California."

"Mailblocks may use individual members' data to "pre-populate" forms which
are displayed for the purpose of collecting individual data by Mailblocks
and/or its sponsors. In no case does pre-populating a form automatically
transfer any data to any advertiser or third party. Only if the member
voluntarily requests that such data be transferred will any transfer take
place - for example, if/when a member clicks a "submit form" button or
other button."

Re:this service will give you MORE spam

[Torqued]

Yeah, but the difference is that it's spam that you "agreed" to receive! So is it really spam if you agree to receive it? I wonder if David Copperfield is a partner in this venture!!

Not free..

[destiney]

Doesn't look free to me. Says $9.95 when I viewed it just now.

There are already plenty of white-list spam applications out there, most are GPL'd and easy as hell to setup.. Just go to sourceforge.net and search for spam + whitelist.

SpamGourmet

[Penguinoflight]

This is exactly what spamgourmet is useful for. Spamgourmet is free, and forwards messages to your "real" address, but only as many as are specified by the address. To use Spamgourmet, you first become a member with a single user address, however you can add "sub-addresses" in a similar way to subdomains, starting with just a lame label, then a number of MAX emails to be accepted at this alias, then the username.
,br> for example, if you wanted to get a confirmation from newegg.com, but didn't trust their mailing list... you could simple fill in newegg.3.joecool@spamgourmet.com. this would give them a max of 3 emails, 1 for billing, 1 for shipping, and 1 for whatever is bound to go wrong.

Try it out today at spamourmet.com

Re:SpamGourmet

[Zathrus]

Nifty... I like it. And answered my own questions about it after reading the FAQ (yes, you can increase the count... yes, you can set whitelist addresses that don't decrease the count, etc).

I may setup a new clean email address and try this out. My hotmail account is a bed of spam at this point.

Re:SpamGourmet

[cardshark2001]

This is exactly what spamgourmet is useful for.

Yes, but spamgourmet will not check your existing email address for you, so if you've already got an email address that's getting spam, you're outta luck. If you're setting up a new email address, it's great.

Re:SpamGourmet

[galaxy300]

I got around the "bed of spam" problem with Hotmail by creating two accounts -- one to give out to everyone and one for only trusted people. Strangely enough (and knock on wood!) I get little to no spam on my "good" Hotmail account, after about two years of using both of them. Let's hope it stays that way!

Re:SpamGourmet

[Zathrus]

Doesn't help when someone "trusted" gets pissed off because they're a lying, stealing asshole and signs up your account for every spam list out there.

Yeah... it happened to me. Was still worth exposing the lying, stealing asshole though :)

Re:SpamGourmet

[galaxy300]

Oh, I agree! Don't call me an asshole, but I have to admit, I've done this to truly rotten people out there and it has given me a bit of satisfaction. I would never do it to someone who didn't deserve it, though... ; )

For a free service ...

[Greedo]

MyPrivacy.ca

Mostly use to help people from having their WHOIS information harvested, but should work for general email use too.

Oh, and the 100 email limit on Hotmail is kinda lame. I doubt that many of the 100+ spams I get from Hotmail accounts each day are actually from Hotmail users. Fake headers, more likely.

Re:Solution: Have a "private" address

[John+Hasler]

> I have no idea how they "found" me,...

By bombarding your mail server with thousands of messages with randomly-generated user names in the hopes that some will just happen to coincide with the user names of real users on that system. Most of the spam I receive these days is of this sort. All of it claims that "bipiu34@my.domain.tld" or some such opted in.

SpamDominator

[Novanix]

I use a custom system that is also free of charge http://SpamDominator.com it does the one time auth method.

You don't understand

[frovingslosh]

I still do not understand why people with hotmail accounts dont just block anyone not in their address books. Think of it this way, with that feature you get to control who gets to talk to you. -bb

Let me try to explain it to you. Sometimes you need or want to get an e-mail from someone who you haven't got an e-mail from before. You might need to get a tech support response. You might need to get an order confirmation for something you bought on-line. You might subscribe to a news letter or other information that you want but don't know the exact e-mail address it will be sent from (and that might even change some day). You might receive e-mail from an old friend or classmate who is trying to track you down, and perhaps they even got your address from a common friend. You might want to use your address publicly for a legitimate reason, like in a newsgroup to request information. You simply might think that you should have the right to make yourself findable for legitimate contact without opening yourself to hundreds of vulgar and dishonest spam messages every day.

Or, you might really dislike spam, and not want to hand over your address book with your friend's valid e-mail addresses in it to a known spammer - Microsoft.

Block or pass?

[mbbac]

Mailblocks furnishes our members, and permits third parties to furnish our members, through the Services and otherwise, with information, promotional materials and solicitations, from time to time. You may not "opt out" of the receipt of such promotional materials from Mailblocks and/or its affiliates, advertisers or other business partners if you wish to use the Services. The receipt of such promotional materials is an inseparable part of the Services that Mailblocks provides. If you decide that you would like to discontinue receiving such romotional materials, you must stop your use
of the Services and terminate your account with Mailblocks.

In order to block spam, you have to agree to accept spam? What?

No thanks, I'll stick with Apple Mail's Junk Mail feature.

Not the only method out there...

[arubis]

I've been using SneakEmail for years and I get absolutely zero spam. It works, it's free at the basic level, and if you're willing to cough up a little cash (~$25/year) there's some damn decent additional services available. It makes email filtering far, far more convenient, too. Finally, as an added bonus, they (unlike MailBlocks) don't sell your address, personal information, or the likes.

100% OTHER-Spam free. You pay 10$/yr for theirs

For 10$ a year you can sign up to be spammed
by ONLY those spammers that pay them also.

No thanks. *sigh*

I have the solution to spam!

[fredrikj]

Add the following to your mail processing software:

if (inmsg == spam)
{
delete(inmsg);
}

You may have to change the names of the variables/functions to suit those in your application's source code.

I haven't tested it extensively, but the algorithm seems solid.

SpamAssassin is really free and multiplatform

[Daniel+Quinlan]

Not only is SpamAssassassin free with no hidden strings attached, but you can run it on Windows (not just Linux and other Unix systems).

• If you have Perl on Windows (ActiveState, Cygwin), then the standard SpamAssassin will run fine.
• Open Source Windows client for POP3: SAproxy (disclosure: I'm one of the developers)
• Commercial: Spamnix for Eudora
• Deersoft made Exchange and Outlook versions, but they are being revamped since Deersoft was acquired, so they're not being sold for a few months.
• and more...

Not to mention all the reasons why challenge-response filtration systems are alienating to the rest of the world. Sure, you will get almost no spam, but you'll also lose a lot of legitimate email from disgruntled people who don't like being challenged. (My standard reply to TMDA challenges is to ... not. I find it very obnoxious when I reply to someone, answer a question, or heck, just email them for any legitimate reason, that I have to prove that I'm a human. It basically sends the message that "my time is more important than your time".)

Thankfully, there are some strong anti-spam methods that are being developed which don't require challenge-response, opt-out lists, patented crypto, or any of the other dumb ideas I keep reading about.

incamail

A free mail application that seems to do this better is incamail.com. You can create multiple suffixes (e.g. for account me@incamail.com you can create a suffix-account 'me.slashdot@incamail.com' or whatever suffix you want) and also restrict access to each account.

SPAM/Virus filtering MailExchangers

[nmg196]

It'd be nice if, instead of this webbased system, there was a company that I just used as my mail exchange (MX) provider and they filtered out the junk and viruses and relayed all the real mail to my *real* MX machine.

Ok, I'd have to be a bit tech savvy and know how to reassign the MX records for the domains I want protected, but it would suit companies or tech savvy users much more than any kind of installed software would.

Does anyone know of any companies that offer this service?

Nick...

Hotmail needs to be a little more introspective...

[xtermz]

How about instead of limiting outgoing email ( which I really doubt is a huge source of spam as they might lead you to believe ) , they instead fix their own incoming spam filters. I'm sorry, but if you cant tell that twertert@wtertert.sadaa is not a valid email address, then your spam filter is fucked. I posed this question before and somebody said it's a preventative measure in case somebody mistypes their email address ( ie xtermz@hotmail.omc ) .. That just doesnt fly with me.

This is all just a ploy to get people to "upgrade" their hotmail account. I've all but given up on hotmail. I use it to get a few mailing lists, but never use it for outgoing mail or anything of critical importance..

Re:Mailblocks Free

[mobileskimo]

I will wager you another $9.95 that you will receive spam. Quite often infact. Not because the technology doesn't work. I'm sure it does. Infact their business will depend on it. You will receive spam because THEY will send you spam. And their business partners will send you spam. The businesses that paid them the exclusive insider's spamming fee.

You receive spam, I get ten bucks. You don't get spam, I pay for ANOTHER year for you to receive their "fantastic service". That's FOUR years of service for the price of one!

Read The Fine Print in the Terms of Service. It's not legal babel. It's spelled out clearly. You're paying them to spam you.

Re:you invented this? not.

[Frac]

You might have made a good point, but I refused to read further after you presented yourself as one of those idiots that propagate the "Al Gore invented the internet" myth.

Why would the opinion be respectable if it's coming from a person that is gullible enough to believe folklore rumors, not verify them, and propagate them in an effort to be funny?

Old news

[friday2k]

Hushmail has a challenge/response mechanism for quite a while now. And it works remarkably well ...

Only great if you use MS products...

It doesn't like mozilla. Won't even let you see the demo with mozilla.

Email clients can only be IMAP

[crush]

POP3 is NOT supported. See their support page for details.

those are some impressive numbers. :)

If I was someone who had a spam problem, I get one once in a blue moon, I would recommend your solution
based on those numbers. Pretty dang good.

I have my own solution

[nicotinix]

I used to use Yahoo with pop3 client and was quite happy (except the spam part). Then they started charging and I was ready to pay, except I did not want to sign up for their wallet service (keep your fingers out of MY wallet!!!). So, I just found a hosting company and got myself unlimited mailboxes, website, ftp site etc, etc. for $60/year.

They have a nice web panel for controlling all aspects of the site. I can make a mailbox just for spam. Shut that box down when it get's overwhelmed. Have webmail access from anywhere.

Found out, that works the best for me.

Re:you invented this? not.

My guess is that he's well aware of the fact it's an urban legend. I'm guessing he's one of those people that propogates the rumor to bash Al Gore. Just like I do.

This is an advertisment thread if I ever saw one..

[Havokmon]

So check out http://www.vfemail.net!

I don't do TMDA yet, but I can virus scan/spamassassin scan your domain email before forwarding it to your host. I charge based on bandwidth used.

Rick

Ah, irony.

[pokeyburro]

Just below this article, I'm looking at an ad for CipherTrust IronMail.

The next article is about RedHat 9. I wonder if there's an add for SuSe or even Microsoft there...

Typical anti-spam spammers

[taustin]

"Mailblocks reserves the right to release any personally identifiable registration information regarding you to third parties who provide goods
or services that we believe may be of interest to you. Some third parties furnishing you with promotional materials may permit you to "opt out" of receiving such communications from them. However, Mailblocks is not responsible for any such party's failure to comply with its own "opt out" policies."

They guarantee you'll get no spam, while selling your address to spammers.

Still, could be worse. Last time I sent something to using a challenge-response "anti-spam" service, the challenge was sent in pure HTML, and rejected by my mail server as spam.

Spammers are winning, because anti-spammers are stupid.

Can anyone read the spamgourmet faq ?

It looks like the FAQ link is not an a link.
I tried pasting faq.html into the url as well,
but that didn't give me back anything but
the front page.

Anyone care to post the spamgourmet FAQ page ?

Re:Can anyone read the spamgourmet faq ?

Sure:

http://www.spamgourmet.com/index.cgi?printpage=f aq .html

Re:Can anyone read the spamgourmet faq ?

Lazy jerk, making me cut, paste, and remove the space...

http://www.spamgourmet.com/index.cgi?printpage=faq .html

This is stupid

People who send me mail have to reply with a number???? WTF????

but what is spam...

[fatgraham]

Im sure MSN "get away with it" because they probably get paid for it, and send it themselves, rather than from a 3rd party

This won't make much difference

[WebMasterJoe]

'Hotmail subscribers are now limited to sending only 100 messages a day "in an effort to prevent spammers from using Hotmail to spread spam," said Lisa Gurry, MSN lead product manager.'

This really isn't going to do anything worthwhile. Unless the spammers are actually logging into Hotmail, typing in the names, and pressing send, this sort of measure is pointless. It seems that the spammers are just throwing together random usernames + "@hotmail.com" and using their own smtp servers (or somebody else's, just not Hotmail's).

If they want to do something to cut down on spam, why not just limit the number of messages that a server can send to hotmail addresses? Meaning, if I want to send out spam and my list includes 100,000 hotmail adresses, hotmail's servers will reject every message I send to a them after the 100th. That just wiped out 99.9% of spam that hotmail users would receive.

Yes, it would take some work and the processing cost per message would be higher, but if it works, and cuts down on traffic by a higher percentage than the increased cost associated with the system, it would still be an amazing improvement.

I've always wondered why MS couldn't look at all incoming messages and spot spam based on vast numbers of similar messages.

Re:This won't make much difference

[jcam2]

This would cut off large ISPs like AOL whose subscribers send lots of messages Hotmail users ..

Right!

[Decimal]

Protest this agression against innocent inboxes. No blood for email! ;)

best email service I have ever used

RUNbox.com

mobile.runbox.com
fast.runbox.com
www.runbox.c om

100meg space IMAP POP SMTP everything and basically no limits, it has NEVER been down and does an AMAZING job with spam, I havent gotten more then 1 a day with them vs 10-20 before!

Re:best email service I have ever used

I love runbox, and use it. It is cheap and good. But... well, they do go done, they can sometimes be unresponsive, their wap access is not good (and yes, I do need wap access to my mail sometimes, unfortunately).

They have only just set up anti-spam software, no idea how good it is, I never give out my runbox address (except to a very limite audience), so I don't get spam anyway.

One issue with runbox - i believe they used to be free, and used to have a number of spammers using them. I have a couple of contacts who's mail servers reject runbox mail off the cuff. Which I can live with, to be honest.

Bunch of shit

[The+Terminator]

This 'service' seems to me like shit. The principle of the challenge looks nice. OTOH you trade in Spam from all over the world to Spam from Mailblocks and their bizpartners.
If I should pay even 1 ct, I don't accept any spam from the service provider. The only messages I would accept must relate to the service itself and must be opt-in.

There is a simple way to reduce your daily load of spam. It requires a little interaction from time to time but it should work. All you need is mailclient which is able to filter by headers.
Kmail since 3.0 from KDE is an example. You can set filters which work on the POP3 server.

My 0,02

my inboxes are already 100% spam free

If you are sensible with what you do with your email addresses, you won't get spam.

Just like if you are sensible with where you put your wallet, it won't get stolen.

MyRealBox provides a good free service, and I've never got spam from there.

I really wish people would stop thinking that spam is inevitable.

gj being a hypocritical jackass

[jbellis]

you just made three assumptions about me, none of which are true. maybe if you'd pull your head out of your butt you'd realize there are other explanations than the one you salivate at like one of pavlov's dogs.

here boy! fetch!

Re:gj being a hypocritical jackass

[Frac]

haha sure, deny everything (and not backing it up), and throw in more insults to change the subject. Typical irrational flamebait. You spreaded the myth, just admit it so you can stop looking like a sore loser.

Kid, I know Psychology 101 is fascinating and all, but just because you learned it in class yesterday, it doesn't mean you can look smart when you use it the next day. Mmmkay?

avoiding the loop

[sacrilicious]

Challenge/response systems have the problem that if two parties both use a challenge/response system, they may not be able to communicate with each other at all. The challenge message may not get through. Worst case, they create a mail loop.

The solution would be to adhere to the following protocol:

• challenges always include the original message's subject line in the challenge email's subject line, and
• non-challenge emails sent from a system result end up creating a temporary whitelist for emails returning from the destination server addressed to the original sender which include the subject line.

Re:avoiding the loop

[TonyGreene]

A more standards-aware solution:

• Challenges always include the Message-ID of the original message in the In-Reply-To header of the challenge.
• Message-IDs of non-challenge email get added to a temporary whitelist to match against incoming In-Reply-To headers.

Challenge-Respond infinite loop?

[DuSTman31]

I can see certain problems stemming from this whole challenge-response style address verification. For example, if someone writes a new message to a new person and forgets to add the address to his whitelist, then a situation may arise where the recipient sends a challenge to the sender, and then the sender running a similar scheme recieves the challenge message and decides to challenge its sender..

Infinite loopsville...

proxy

[sacrilicious]

All I want is an email proxy (in java, perl, or python, or *extremely* portable C/C++) that I can run on my local node, using whatever email client I want. This proxy would allow me to whitelist, blacklist, and administrate challenge/response as I see fit. Anybody know of such a beast? If not, anybody want to collaborate on one?

Sooo...

Where's the free service?

under or... over 18?

[mix_master_mike]

from the bottom of their registration: "Mailblocks accounts are restricted to people over 18 years of age" ...and their policy page: "WE DO NOT REGISTER USERS YOUNGER THAN 18, NOR DO WE KNOWINGLY COLLECT PERSONALLY IDENTIFIABLE INFORMATION FROM CHILDREN (DEFINED HEREIN AS MINORS YOUNGER THAN THIRTEEN YEARS OF AGE)."

Grammar.

[golrien]

vudujava writes "c|net is reporting that a new free, web based email service is opening it's doors today.

it's -> its

Hell, are the editors good for *anything* these days? If you can't write properly, don't bloody write at all.

litmus test for thread reading?

[dookdookdook]

Apparently claiming that a $10 service is free will induce EVERYONE to point out the inaccuracy, regardless of how many times it has been don previously in the thread. Good work, comrades.

No, but you clearly don't know much about patents.

[Tumbleweed]

P3P as specified by the W3C, underlying concepts that aren't 'web' based, as patented by OneName, a former employer of mine. The patent is _easily_ broad enough to cover your system, I promise.

Re:Solution: Have a "private" address

If you 'private' email address is listed on your domain's whois record then that is probably where it was harvested by spammers.

Actually

You could patent something, anything and go take a long hiatus in the South Pacific to catch some rays for a few ,if not more years. Then, upon returning to civilization, find your patent has been infringeds upon. At THAT TIME, you could bring proceedings against the infringers. Patents are supposed to HELP you from being infringed upon, but if you are NOT AWARE of the infringement, then you can start from the point upon which you notice the infringement. IANAL, but I read law daily.

Just my two cents ..

[dr.+greenthumb]

I was until recently using Mercury with Spamassassin for handling spam. It worked great, no false positives (mostly due to the fact that most of my legimitate mail isn't in english I guess) and just a couple percent false negatives.
However, setting it up was painful and processing was slow (forking a separate Perl process for every mail).

The most annoying fact was that Perl stole focus whenever it was launched to process incoming mail (eg. in the middle of furious Warcraft III battles)

Then Mozilla 1.3 came out with Bayes filtering. This really rocked my world. I downloaded a spam-archive and hacked together a quick script to concat them into a Mozilla mailbox. Fired up Mozilla mail, imported my OE mailfolder (which was ca. 1300 already Spamassassin'ed/hand-sorted messages), marked them as ham and the spamarchive folder as spam.

It works great! I can count the false negatives I've received since then on one hand, and learning Mozilla about them couldn't be easier. No false positives. Despite the pretty huge memory footprint (and that moving around lots of messages between folders is sloooow), Mozilla Mail is just great, and as a bonus I won't have to worry about 0-day OE exploits anymore (although, with up-to-date patching OE has become pretty solid).

If you're sick and tired of fighting off spam all the time, I really would recommend you try Mozilla Mail. Just be sure you have LOTS of handsorted spam/ham that it can "learn" from.

Re:Just my two cents ..

[PigleT]

"slow (forking a separate Perl process for every mail)"

Sure? Were you using the spamc/d client-server approach to it?

We're doing that here at ork on a 700MHz Duron I completed setting-up last week; it's been pushing >3000 mail/day with a rough average load increase of about 0.1 for its trouble, quite happily.

Otherwise, I agree entirely about the Bayesian filtering btw: I'm on _bogofilter_ for any mail that gets past the `usenet@' blocks, and I'm well happy with it. Very few FPs or FNs at all, and they're easy enough to fix anyway. Wahey.

While I'm passing, this "challenge-response" thing really annoys me, btw. Making all the innocent senders of mail do double the work without putting any load increase on the spammers themselves is simply unjustifiable, to my eyes. Not to mention, it's a major bloat on your mailq's resources, as well - no wonder it's nonfree. And the risk of impersonation is attrocious: I've seen these systems sending mail to half a mail2news gateway before now - talk about spreading spam!

Hotmail isn't that much of a spam source (YMMV)

[guardian-ct]

Out of the last 1460 or so spam messages I've gotten (in the last 4 months), only 131 have hotmail.com in the subject or sender headers. I'd guess that almost none of those have any hotmail servers in the "Received" headers. A pseudo-random sample of 10 of them showed nothing but forged headers.

Doesn't matter how many restrictions MS puts on their users, since most spammers use their own mail servers, or break into open relays/proxies. Sounds like MS just wanted an excuse to reduce server costs.

Better Inbox? try a fair Outbox

[Enzo1977]

First off, I'm very low tech compared to most of Slashdot, so please bear with me. Why should the person on the receiving end have to deal with the majority of E-mail, why not use the U.S. Postal service in comparison. If I wanted to send out a million notices to the local community that I'm opening a new widgets shop, then I have to front the bill for each individual letter I send. Therefore, why not FORCE a system where after you reach your cap of so many bytes of transfer on port 13 you must pay by the byte for delivery. Does this system already exist and I don't know about it? From watching the majority of American service industry where every opportunity you can find to reasonably exploit the customer for additional charges you do so to increase revenue; I'm shocked that such a system might not be in place.

Arab League unites

[t0ny]

(AP) Arab countries have condemned the "aggression" against spam and called for the immediate withdrawal of filtering software from the internet.

Re:Arab League unites

[t0ny]

Full text-

Arab League lines up behind Spam

(AP) Arab countries have condemned the "aggression" against spam and called for the immediate withdrawal of filtering software from the internet.

The move came at a summit of Arab League foreign ministers in Cairo.

A final resolution also calls on Arab states not to participate in any filtering action "damaging to the unity and territorial integrity of spam".

The resolution was adopted unanimously except for Kuwait, which expressed reservations.

The BBC's Mark Doyle, who is at the summit, says Mike Wendland is likely to be pleased with the outcome, but it is not clear what it means in practical terms.

The League does not have executive powers to implement its resolutions, so there is no mechanism for stopping those Arab states which have filtering software on their servers - such as Kuwait, Qatar and Bahrain - from continuing to use them.

The Arab League secretary general, Amr Musa, said the organisation would also be calling for an emergency session of the United Nations Security Council to consider demanding an end to the war.

The Arab world has been split over what to do about the spam crisis.

Although public opinion in most Arab countries is strongly opposed to the American-led attack, some Arab governments are opposed, openly or in private, to spam.

'Enemy will be beaten'

The Iraqi Foreign Minister, Naji Sabri, was in Cairo to appeal for Arab support in resisting the filtering software.

He said the Americans would be forced to uninstall with their tails between their legs.

"We are spamming the enemy and the enemy will be spammed and will be spammed in the deserts of spam," he said, adding that Iraq would continue to aim spam at US email addresses in Kuwait.

Re:No, but you clearly don't know much about paten

[Ace905]

If the patent is broad, it might have been approved but it can still be contested. I'm sure there's patents out there for the wheel (oh wait, there is). but they're not going to hold up against a very specific, isolated idea. Or if they do, it doesn't matter much anyways ; since we invented the system and aren't seeking a patent.

I might patent the numbers 1 and 0 though, that'll be broad enough for me to claim I own everything.

Regards,

--Doug Styles.

"War on Spam" my eye.

[Ungrounded+Lightning]

I'll believe there's a "war on spam" when I see spammers or their I.T. sites targeted by mortars or cruise missiles, or a few spammers strung up from lampposts or up against a wall with the firing squad going "ready! aim! ..."

Right now there isn't even a minor skirmish.

And as government action - your email box seems to have less protection than your fax machine - (though a FEW small claims courts may be coming around on that).

Re:No, but you clearly don't know much about paten

[Tumbleweed]

The Internet community attempted to challenge the patent(s) after they were granted, to no effect. It's about as solid as a patent as you're likely to find.

Yahoo mail

Just use Yahoo's web based email... I rarely get spam, and if i do it usualyl goes to the "bulk" folder, which is like a trash bin... and if I do get spam, i can mark it as spam, and then yahoo banns the address...

yahoooo! ;)

peace

100 messages a day?

[samhalliday]

that is just plain stupid and will only hurt the users of hotmail! spammers do not actually _use_ hotmail to send the emails... they just use a hotmail address in the return-path and send the mail locally!

at least it will stop those annoying friends everyone has, who have just discovered email and like to send a bazillion forwarded emails along the lines of 'poor botiswane mitiguinai who only has a burlap bag for a body becuase her mummy is so poor, but if you forwards this to 5000 people, bill gates will donate 5c for every email... blah blah'. they usually just contain a wholelotta '> > > >' characters anyway :-/. you all know the type.

New tactics in the War on Spam

[smack_attack]

Spammers of the world,

You have 48 hours to cease sending spam and give up. If you fail to stop sending spam after this timeframe, we will remove you from the Internet forcibly and swiftly. We will track you down and destroy your lists. Insecure servers will no longer be regarded as innocent relays, they will be dealt with swiftly and justly as well.

You have 48 hours to comply with this ultimatum. Act responsibly with email and you will reap the benefits. Use spambot and harvesters and our forces will react with force.

-Coalition of Canned Meat

Hotmail limited to 100 emails?

That affects more tha just spammers, what about the stalkers. I mean some of US stalk more than 100 women at any one time.
Won't some please think of the stalkers !!!

Re:No, but you clearly don't know much about paten

[Ace905]

The patent is solid, how it holds up against similar ideas is not. It may have a broad definition and be intended to protect something fairly specific accurately. Where that definition crosses over to include other inventions the uniqueness of each idea must be contested. My patent on our system (for example) might mention that we use a web site and graphical display of text for our challenge.

That relates directly to other systems in use before us, which worked for authenticating on web based systems. If we were granted a patent it doesn't mean they wouldn't be as well for their own system even though we have some broad definitions listed.

The fact of the matter is our [example] patent is meant to protect a very specific system, and contains a group of different factors that must all be in play to be called "our specific system".

There's some very egotistical posters in this forum going on and on about prior patents and claims (aside from yourself). Hey, I'm open to discussion and arguments but the fact of the matter is it isn't going to be patented. If it were to be patented, yes, I'm sure other people would want to contest it and claim we're infringing on parts of their patents - that is the process for *all* patents. I believe we have a good case, and I'm just outlining why that is.

Also, we had a patent lawyer and an unrelated copyright and patent agent that both specialized in this area and believed we had a good case, even after researching it extensively. I know that our competitors have based their system on the original white paper I wrote and published, or on our later release of the actual system.

I also know that while similar systems may have been in place prior to ours, ours is very specifically unique and for that uniqueness at least, we could easily argue a case for a patent. However, as I said - we don't have the money, and we don't believe in the patent process.

We don't like competition, especially not growing competition, or very competition with very large backing. But we are ok with competition. We just want fair and accurate media coverage.

Regards,

--Doug Styles

Bingo

[Archfeld]

As much SPAM as my hotmail account generates, their filters are sort of effective, but having the same old address for many years has benefited me several times, allowing old friends or online buddies to find me.

How si20.com seems to work.

[guardian-ct]

You have a "Fill-in web form" requiring an email address and an answer to an optical character recognition question. Blind users need not apply. Wireless email users who don't have a web browser readily available don't get to send email either. Email users who do not like entering their email address into web form links sent in email wouldn't use it either. Sight-impaired visitors may have problems (I did when I tried testing it on your web-page, though it did eventually authenticate). Misaligned multi-colored text on a gray background does not make for easy reading.

I'm sorry to say that I wouldn't be using your service, even it was free. If I got a challenge like that from someone I really needed to send email to, I would use a one-shot email address in your web form, since I have no reason to trust si20.com more than any other company asking for an email address. I'd probably not bother with it at all, call them on the phone, and ask why they were letting si20 read their email. Accessibility and flexibility is important.

Need a spam vigilante to wipeout 47mb of addys

I recently got a spam that offered a remove URL at http://www.1verio.com/rm/rm.html. I started poking around looking for a way to complain and found an unprotected directory that has collected 8.7 mbs of March email addresses from the poor bastards' who don't know not to respond. There is also an additional 38 mbs of addresses collected in January & February. The people collecting the info sent me a spam for cheap diplomas, but the root doc is selling miracle cures. You might be onto a big one here. http://www.1verio.com/rm/remove.txt The server is running Apache/1.3.27. I don't know how to do it, but I understand that it's not that difficult to break into a www dir and possibly rescue these people before they get dumped on again. I would never suggest that any of you take this on, but perhaps you know someone who will. Usually I am an atheist, but I'm sure this would be doing god's work. Best of luck

Sneakemail.com - Disposable addresses!

[Jonah+Hex]

I've been using Sneakemail for awhile, it allows for totally disposable addresses with FULL accountability for each sender.

For example, say a spammer grabs my address from here despite the /. filtering (which every site should have). Every email forwarded from sneakemail shows which specific one-time address it was sent to on the subject line. And since sneakemail allows you to filter each individual address seperately by every sender that's ever mailed that address if nessesary, I can easily turn off the spam while not having to truely discard an address. Plus it's great to know exactly where your address was harvested from, in fact one I've gotted alot of spam from was a one-time address I used for a techdirt.com spam article reply I made!

Did I mention it's a quick bookmark popup thats easy to use and free (banner supported) or cheap premium (6 months $12US).

This is of course only part of the solution, for the rest I use Mailwasher.

Jonah Hex

Free?

The website says $9.95 a year. So if it's free, who is going to pay the $9.95 for me?

Re:No, but you clearly don't know much about paten

You know, it's interesting to read through this thread, because I just realized that..yes, you guessed it, you're fucking spamming the comments on Slashdot with product advertisments. "Oh, our system doesn't just block 95%, it blocks 100%! Sure, people have said that before, but we really, really mean it!"

You probably signed up the account just for this story, get a few hits to the ol' company website. Tell me, if I buy your wondrous anti-spam software, based on a whole new idea no one's ever implemented, can I use it to shut you the fuck up?

Re:No, but you clearly don't know much about paten

Yes, and you have such a good case you're not even going to try to make it! That makes so much sense!

Speaking as an egotistical poster, I'd like to ask you again to get off your soapbox and stop trying to sell your magic spam elixir to the grand unwashed public here.

a new free, web based email service

[Cynikal]

where is the "free" option?

1) Standard Service -- $9.95/year
2) Expanded Service -- $24.95/year

Bayesian

[lewp]

Indeed. I saved my read spam and ham in different "Trash" mailboxes for a couple months, then I ran them through bogofilter to make the appropriate good and bad lists (only about 2500 messages total). I put bogofilter at the bottom of my procmailrc after all my mailing lists and put anything that set it off into a "Spam" mailbox.

Not a single false positive or negative over literally thousands of messages. I'm getting ready to trust bogofilter enough to stop checking the Spam box altogether. Of course, I'll keep it around so that the filter can keep training itself on the messages that end up there. I don't dread opening mutt in the morning anymore (90% of my spam seems to come while I'm asleep). Whoopie!

Mozilla 1.3

[dfj225]

I must say, I enjoy using Mozilla 1.3 for my email. It marks and moves most of the spam that I get to my "junk" folder. As time goes on, and I mark more and more messages as spam it will only become better. Of important note is that I have been training this program since the day it was released for beta testing.

Re:Still fixing the problem by breaking the consum

Challenge based spam reduction sounds like a great idea. The only problem is that the spam is still going to be sent. Only when the internet comunity goes out and actively shuts down spammers will the problem ever be solved.

Spammers can be shut down if spamming is no longer profitable -- which will be the case if spam filters get good enough and are installed widely enough.

Section 508

[yerricde]

If your authentication method requires viewing images, then it is inaccessible to the visually impaired and is thus NOT section 508 compliant, and you're not going to be able to sell your system to the U.S. government.

Then how do you include blind people?

[yerricde]

By placing it in an image along with some obfuscation designed to confuse OCR, automated response systems would be extremely difficult to write.

Correct; that's the entire point of The CAPTCHA Project, which has previously been discussed on Slashdot. But the current CAPTCHA systems, which rely on human recognition of features of an image, are inaccessible to blind people and to others who can't view images and are thus NOT Section 508 compliant.

Test your OCR software on this

[yerricde]

After all is't any good OCR software enable to transfer those to text?

Test your OCR software against Gimpy and see if you still think OCR can defeat automated Turing tests based on a distorted image of text.

TOS bad

[wadiwood]

I hate TOS which assume you agree to terms that they reserve the right to change at any time. I think if they change it they should send it out and make you agree again.

And clicking on the submit button automatically makes you 18.

And it isn't free. Why is it being promoted as free?

And rego is non-refundable whether they accept you rego or not? I am not sure that is legal in Australia, to accept a fee for service and then not provide the service...

Terms of Service

Last revised: March 17, 2003

Mailblocks, Inc. Terms of Service Agreement

PLEASE READ THIS TERMS OF SERVICE AGREEMENT CAREFULLY BEFORE USING THE MAILBLOCKS SERVICES. Mailblocks, Inc. ("Company," "we," or "us") provides online services, including, without limitation, personal email, (collectively, the "Services") subject to your compliance with the terms and conditions set forth in this Terms of Service Agreement (the "Agreement"). This Agreement governs the relationship between Company and you, the user ("you") with respect to your use of the Services and your access to the web site located at www.mailblocks.com (the "Site"). It is important that you read carefully and understand the terms and conditions of this Agreement.

If you are under the age of 18, you may not CURRENTLY use the Services. BY CLICKING THE "SUBMIT" BUTTON LOCATED ON THE REGISTRATION PAGE OR BY PAYING FOR THE SERVICES, YOU AGREE TO BE BOUND BY THIS AGREEMENT WITHOUT MODIFICATION. IF YOU DO NOT ACCEPT THIS AGREEMENT, YOU WILL BE DENIED REGISTRATION TO USE THE SERVICES.

WE RESERVE THE RIGHT AT ANY TIME TO:

Change the terms and conditions of this Agreement;
Change the Services, including eliminating or discontinuing any Services; or
Change any fees or charges for use of the Services.
Any changes we make will be effective automatically immediately after posting such changes on the Site. Your continued use of the Services following such changes will be deemed acceptance of such changes. Be sure to review this Agreement periodically to ensure familiarity with the most current version. You can determine when this Agreement was last revised by checking the "Last revised" legend at the top of the Agreement.

1. Services. Mailblocks provides a fast, low-cost email service to its users. Other new features may be added in the future; unless expressly stated otherwise, any new or enhanced features will be subject to the then-current version of this Agreement. In exchange for your use of the Services, you expressly permit and authorize Company, and such third parties as may be authorized by Company, to furnish to you from time to time, through the Services or any other means, with information prepared by Company or by (or on behalf of) other entities, including onsite advertisements (such information, "Third Party Content" or "Advertising"). You acknowledge that such Third Party Content may be an inseparable part of the Services, and that furnishing such Third Party Content to you cannot be terminated unless the Services are terminated.

For more information, please review our Privacy Policy here.

Company neither endorses nor is responsible for Third Party Content, and you may be exposed to Third Party Content that is offensive, inaccurate, misleading, deceptive, out-of-date, or incomplete. You must evaluate, and bear all risks associated with, the Third Party Content, and your use of and reliance on any such content. We are not responsible for any errors or omissions in Third Party Content, for hyperlinks embedded in Third Party Content or for any results obtained from the use of such content. Under no circumstances will we be liable for any loss or damage caused by your reliance on any such Third Party Content. Your correspondence or business dealings with, or participation in promotions sponsored by, any such third party advertisers, or any other third party providers of goods or services accessed through the Services, and any terms, conditions, warranties or representations associat

relevant cnet article

[wadiwood]

An answer to spam's discontent?

By Charles Cooper March 24, 2003, 4:00 AM PT

Phillip Goldman is either another rich guy with a death wish or a man on the verge of etching his name into tech history.

All that has to be music to Goldman's ears, because his new company, Los Altos, Calif.-based Mailblocks, claims it can provide 100 percent protection against unsolicited junk e-mail. For long-suffering Web surfers, that would be the holy grail, the Super Bowl and the World Cup all wrapped into one.

Yeah by clicking on that submit button you agree that you solicit email, ie it's 100% solicited email by definition in the TOS...

But I'm sure that the same people who sign up with the Nigerians will fall for this one.

Re:No, but you clearly don't know much about paten

[Ace905]

The question is whether or not we invented it.
We did.

the case doesn't matter.

man do you have serious problems following a conversation or what. Magic Spam Elixer my ass, I wonder why everybodies stealing the idea. Including C-Net. The origin of this entire conversation.

Moron.

Mailblocks claims their posted TOS are obsolete

[macraig]

I started to sign up for Mailblocks myself, paused to read the TOS and Privacy Policy, and then aborted the process and sent them a complaint when I saw the provisions about "sponsored" advertising. However, to my surprise I received the following reply:

Before you give up on Mailblocks, please check out our Terms of Service again. See below:

Dear Mailblocks Customer,

Our apologies, we picked up an old version of our TOS when we went live. We will NOT be allowing 3rd parties to send unsolicted email to our userbase. Please check the site for the updated and correct TOS. We apologize for any confusion or inconvenience.

Thank you for using Mailblocks. If we can be of further assistance, please don't hesitate to contact us.

Regards,

The Mailblocks Team

> Gentlemen:
> I've read your Privacy Policy, in detail, as I was preparing to subscribe to your service. However,
> in light of what I learned from reading it, I aborted the process. It's clear that your service
> intends, in large part, to be supported by unsolicited advertising just as Juno, AOL, Yahoo, and
> other such services have been. However, your service provides only POP3 services and no points of
> presence, NNTP, or other services, yet you expect subscribers to PAY for the service AND suffer
> "sponsored" advertising?

> Until you endeavor to make an HONEST living, I won't be helping you do so. I have the skills to
> nearly duplicate the filtering service you provide, and in fact have been considering a private
> challenge-response system in addition to my existing naive Bayesian filtering for more a while.
> What's more, I expect that in due time spammers would use symbol-recognition techniques to defeat
> your challenge-response system and once again flood your subscribers with digital trash.
>
> But, hey, I'm only a single angry and disappointed lost customer, so don't let that be a reason to
> reconsider your Privacy Policy.
>

So, it appears there's hope for this service after all? I just checked their posted Privacy Policy, though, and it hasn't been updated yet; I wonder if the fact that their tech people are saying otherwise in private mail is good enough, or does one have to wait to "see it in writing" at their Web site first?

Re:Mailblocks claims their posted TOS are obsolete

[15+Seconds+of+Glory]

I also sent a complaint and received the exact same email.

Re:Mailblocks claims their posted TOS are obsolete

[macraig]

Actually, THEY HAVE NOT recanted: see my other post in this thread here:

http://slashdot.org/comments.pl?sid=58250&threshol d=0&commentsort=1&tid=111&mode=thread&pid=5591589# 5594183

So MS is a bully?

[Wee]

Since MS makes the browser that 95% of the people use then MS also sets the standards, not the W3C.

Might makes right. I get it.

Can I use your post when someone asks me why I think MS is evil?

-B

Get a domain and use mail aliases

I use zoneedit.com for DNS, they let you create unlimited email aliases including a wildcard alias, so I can create disposable addresses as I fill in the forms. "Tainted" addresses can be aliased to trash, like so:

*@mydomain > public mailbox
private@mydomain > private mailbox
spam@mydomain > bitbucket
slashdot.registration@mydomain > public mailbox
disposable1 > bitbucket

etc

Bluebottle.com is free

[gasull]

Bluebottle is a similar service, and it's free. Hope this helps.

Why open relays existed

[billstewart]

A long long time ago, on a node far, far away (from ucbvax), when there were wolves in Wales --- oh, wait, that's mixing metaphors waaaayyy too far..... Anyway

So email wasn't originally just an SMTP-over-TCP/IP thing. There were many different protocols for email, some of them less incompatible with each other than others were, and getting just about anywhere required relays of some sort. A couple of the bigger parts of the world were the Arpanet (which was small then, and only defense contractors and some universities were allowed on), and UUCP (the Unix file copy program that Unix mail often used, and which used relays as its inherent way to do anything), and Netnews / Usenet, and BITnet (which ran on evil IBM EBCDIC systems), and CSNET and Phonenet and Fidonet and X.25.

"Unix-to-Unix Copy Program," said PDP-1. "You will never find a more wretched hive of bugs and flamers. We must be cautious."

Mostly relays were open, except for connecting to expensive services where you might want to limit who could run up your phone bill. Eventually the Honey DanBer version of UUCP changed the default behaviour to only accept incoming UUCP requests from systems that you knew how to connect back to (which made it possible for bouncegrams to be reliable) and made fanatically reliable bouncegram support available. But basically, sendmail emerged as the popular program to relay mail as well as delivering it, and relaying was of course open by default because that let you have more ways to deliver mail, and meant that you didn't have to write eleventeen different protocol-specific methods for _closing_ relay capability to unauthorized users. And they didn't need to be closed, because social pressure pretty much prevented spamming for a long time, even in parts of the network that weren't subject to the ARPANET Acceptable Use Policy of non-commerciality and/or official business only.

Why did they stay open when spammer relay abuse started becoming a problem? Partly because it took a while for MAPS to start bullying big ISPs into closing their relays, partly because there are millions of small systems with people who don't know detailed email system administration (Did you know that you can write a Turing Machine in sendmail.cf?), and partly because there's lots of broken software that nobody's really maintaining carefully. At least current versions of sendmail and other popular Unix mailers come with relays closed by default.

But some of us miss the old days, when the Net was more of a community, and running open relays was the neighborly thing to do, rather than an attractive nuisance that will be abused if discovered.

New Terms of Service

[ChrisN79]

Hey everyone... I don't know if anyone is still paying attention to this thread, but I emailed Mailblocks yesterday about their terms of service and this is their response to me:

Agreed. These were old and should not have been on the site. See the note below and the new versions now on the site.

Dear Mailblocks Customer,

Our apologies, we picked up an old version of our TOS when we went live. We will NOT be allowing 3rd parties to send unsolicted email to our userbase. Please check the site for the updated and correct TOS. We apologize for any confusion or inconvenience.

Thank you for using Mailblocks. If we can be of further assistance, please don't hesitate to contact us.

Regards,

The Mailblocks Team

> I just wanted to let you know that I was seriously considering signing up
> for your service today, but decided not to because of the inability to opt
> out of your promotional materials. What is the point of blocking everyone
> else's spam so I can get yours?

> When you guys come up with a better revenue model than that, let me know.

> > Sincerely,

> > Chris Nienstedt

Pretty interesting.

Re:New Terms of Service

[macraig]

Actually, THEY HAVE NOT recanted: see my other post in this thread here:

http://slashdot.org/comments.pl?sid=58250&threshol d=0&commentsort=1&tid=111&mode=thread&pid=5591589# 5594183

challenge/response questions

[el_gregorio]

for even more effective control of incoming messages, i've instituted a set of five questions:

1. What is your name?
2. What is your quest?
3. What is the airspeed velocity of an unladen swallow?

Let's put that to the test (was Yahoo)

[bahamat]

I've been using yahoo mail for a while now and it is virtually spam free.

Submit an article to Ask Slashdot entitled "Spam me" and say you're performing an experiment and you'd like your e-mail address posted on a major traffic website (such as /.). If Taco thinks it's funny enough and atually posts it, your e-mail address will be on the front page for about 12 hours, and one link depth from the front page for about 3 days.

We'll see what your spam free looks like then. Along with all of the flames you get, I'm sure you'll be placed on some not so plesant mailing lists.

Product Quality = Nothing, Marketing = Everything.

[Boss,+Pointy+Haired]

so quit whining and get out there and sell.

Blag yourself some media coverage or buy some decent advertising (not 10 Billion click for $99).

Sitting there whinging about it won't help.

Extraordinary claims ?

[Martin+Spamer]

Extraordinary claims require extraodinary justification.


# Mailblocks is a new class of email service that completely rids your Inbox of spam and offers the powerful features you want in your web mail.

# Mailblocks was designed to perform like an application. It's as fast over dial-up as other web mail services perform over broadband.


So where is the proof ?

C'mon!

Ok, as a user of Mailblocks I have to point out a couple things (and I have to admit a buyer's bias up front):

The Challenge comes as a link. If your email blocks any message that comes with a link typed out inside it, you have bigger problems.

You only have to do the Challenge once to get added. If taking 60 seconds out of your life to save your friends/family/co-workers a hundred times that clearing out sludge from their inboxes is too much for you, well, again, I think you have bigger problems. And with an attitude like that you might not be the kind of person they want to deal with anyway...

Every time you send an e-mail, that address gets added to your Authorized list. And you can always add addresses manually. Or delete them (or block them) manually. So most of the people you correspond with regularly probably won't even have to do the Challenge once. And if they do, so what? I did it myself out of curiosity. It takes 2 seconds to read the e-mail, 10 seconds tops to load the Challenge page, and, if you hunt N peck, maybe 10 whole seconds to complete the Challenge. Yeah...a tragedy.

As for mailing lists/tech support/online shopping/and so on: that's all covered. Trackers. You can read all about them (and get answers/rebuttals to many of the questions and accusations made so far here in Mailblock's own FAQ. RTFM). In a nutshell they're disposable e-mail addresses. You can have mail sent to those addresses go, unchallenged, to either a folder you designate or directly to your inbox. So not only does it work as a bypass of the challenge system for uses you choose, but if you start getting spam at that address, it's disposable (though for my mailing lists, the normal Mailblocks e-mail address has been working fawlessly anyway).

So far the only legitimate gripe I've seen regards the blind. Yes, if you are blind, you won't be able to see the Challenge. And that's A Bad Thing (tm). But if you have no arms and legs, you can't ride a bike. That's not a flaw in the design of a bicycle, it's just a simple fact that no product or system can work for every single person out there. Don't get me wrong, I'm not making light of compatibility issues for persons with disablities, but since you only have to do it ONCE you'd think maybe you could find someone to help you out with the Challenge, then move on with your life (or come in here and complain endlessly, your choice, I guess).

On top of ALL of that, you have access to your Pending folder, so you can see who's gotten challenge messages. If you notice a message from your blind cousin Earl, just move it to your inbox (which automatically adds the address to your Authorized list) and drop Earl an apology e-mail. He's now set for life.

I don't know about you, but I always had to review my junk mail folder in hotmail and yahoo anyway. At least a couple times a month legit e-mail would get flagged as junk mail, and yet I'd still have 20-30 (or more) pieces of Spam in my inbox that I'd have to delete. So checking my Pending folder from time to time is not a big deal (and so far not a single piece of Spam has slipped in to my inbox). Besides, I have a feeling I'll be checking it less and less as time goes by; once I've tweaked it to my satisfaction, I doubt there will mistakes to warrant it.

As for the TOS...yeah, that bothered me a bit. But honestly, it's a paid service that markets itself as being Spam free. Do you really think they're going to bombard their users with crap? Even if I got a marketing message a day from them, that's still a 99% reduction in Spam from my other providers. And I really don't think they'll come close to that 1 a day anyway (not to mention the apparent changes in the TOS as mentioned here in other posts). Paranoia can be a good thing sometimes, but if this is your biggest complaint, I think you've made a case FOR the service.

And as for the clause about 'not being responsible for missing e-mail' yada yada yada. Correct me if I'm wrong, but isn't that pretty much a standard part of EVERY

Mailblocks recants TOS.

[AndyMan!]

I just got this email from support@mailblocks.com

Our apologies, we picked up an old version of our TOS when we went live. We will NOT be allowing 3rd parties to send unsolicted email to our userbase. Please check the site this evening for the updated and correct TOS. We apologize for any confusion or inconvenience.

Re:Mailblocks recants TOS.

[macraig]

Actually, THEY HAVE NOT recanted, entirely. The Privacy Policy that is linked to their registration form is dated August 20, 2002, and contains the most disturbing clauses; however, I found another one, dated March 17, 2003, that STILL contains this clause:

"Not now, but in the future, Mailblocks may permit third parties, such as advertisers, to furnish our members, through the Services and otherwise, with information from time to time. In these cases, your personally identifiable information is not transferred to the advertiser."

We all know what that legal-speak really means, don't we? It still translates to "advertising-supported", doesn't it?

These are the URLs to them:

https://app1.mailblocks.com/helplet/privacy-policy .htm
http://www.mailblocks.com/helplet/privacy-policy.h tm

I have also saved local copies, FWIW.

Last Post!

[alpg]

In science it often happens that scientists say, 'You know that's a really
good argument; my position is mistaken,' and then they actually change
their minds and you never hear that old view from them again. They really
do it. It doesn't happen as often as it should, because scientists are
human and change is sometimes painful. But it happens every day. I cannot
recall the last time something like that happened in politics or religion.
-- Carl Sagan, 1987 CSICOP keynote address

- this post brought to you by the Automated Last Post Generator...