Slashdot Mirror
Are People Using TMDA to Kill Spam?
NewtonsLaw writes "With spam becoming an increasingly frustrating part of life in the Net, I have to ask why more ISPs aren't implementing systems such as the excellent Open Source Tagged Mail Delivery Agent (TMDA) strategy? Using this system would mean that only those spammers who used bonafide email addresses in their headers would get through -- and means virtually all the penis enlargement, weight-loss and other scams would be blocked. Even the those habbitual "brand name" spammers (like Real, PayPal, etc) could still be blocked by adding them to the blacklist. With TMDA, email to and from regular correspondents is passed transparently and there's no risk of genuine messages being accidentally discarded by over-active filters. If enough ISPs at least offered TMDA as an option to their users, the effectiveness of spamming could be shattered almost overnight -- oh, wouldn't that be lovely?"
Wouldn't a spoofed email address get through? I see that particular method used quite often.
spammers don't care too much about effectiveness, they already deal with less than half-a-percent response rates anyway, and they don't give a darn if they're blocked... the fact of the matter is that spam is so freaking cheap to send, it will never go away. the way to kill it altogether is to raise the cost so much that it no longer becomes an attractive option. i hate to say it (being somewhat libertarian), but the only way to do that is to have anti-spam laws with some teeth that include some time in a state "correctional" facility. that would send the message.
dum spiro, spero
Okay, so a lot of spam comes from forged email address, and having a whitelist+confirm would stop mail from those addresses, but what is to stop spammers using valid addresses (free ones maybe), and a script that automatically replies to any confirmation requests?
When confirming the test email address noted int he article, I just hit reply and send the email as is, and I'm sure a script could be written to automatically send a blank message to the Reply-To: address if this became widespread.
The spammers task would become harder, but far from impossble.
Yes, there is a risk of a legitimate messages being blocked, if the sender does not understand the "confirmation request" mail sent by TDMA, is not willing to answer it (think mailing lists)
Yeah, if I ever thought about using TMDA, having to deal with other people using it has completely turned me off it.
A number of times somebody has posted to a mailing list asking for help. I've answered them privately, only to get a "please jump through the following hoops" message. Fuck that.
There's no way I'd use it, as email is often how clients first make contact with me. I'm unwilling to risk offending or irritating my correspondents, especially when it could mean many dollars lost.
I believe though that if you make the confirmation process more complicated, it will prove too troublesome for users to reply to.
:)
I'm talking widespread use of TDMA now, with non computer literate users who probably havent ever come across mailing lists and having to confirm subscriptions. And for the more technical users, there are a great many who use text based clients over SSH, with which viewing a jpeg would be troublesome to say the least. Other methods could be used as you mentioned, but I doubt there are that many that would cause minimum trouble for legitimate users while preventing spammers from being able to write some sort of heuristic algorithm to be able to get at least some confirmation replies correct (remember, they wont be bothered about getting every one through).
As to the reason spammers havent yet resorted to using valid email addresses is that they dont have to! Email confirmation currently isnt widespread for the spammers to go through the extra hassle. When it does get so widespread as to hinder spammers, then they will start using valid email addresses and autoresponders (or perhaps deliberately setting up email bounce replies to save them the hassle of writing replies).
Dont get me wrong, its a great idea, and I especially like the idea of being able to just create time delayed email addresses with nothing more than a program to work out the cryptographic hash (i.e. nothing needed server side). However, I think that if TDMA does become widespread enough for spammers, they will find some way around it, and combating what they do will become increasingly complex and time consuming for users. If I am proved wrong hoever, all the better. No more spam
There's a really good reason why TMDA is designed to run on mail servers as opposed to running on your local mail client machine. You can reasonably expect the mail server to be running up and available close to 24x7 whereas a personal machine might not have a permanent network connection, and even if it did, might be switched off for long periods of time.
With TMDA running on the mail server, new messages are processed as they are recieved and confirmation messages (if any) are generated as close to the time of the original messages as possible. On the other hand if TMDA were to run on your mail client machine (for example as a plugin to outlook) confirmation messages would only be generated when the client checks for new mail. In a best case scenario the average turn around time for a confirmation message to be generated (assuming a 10 interval between POPs) would be about 5 minutes on average, whereas the worst case could range anywhere from overnight to several days depending on how often you login to check email. This is definitely not ideal for getting email delivered in a timely fashion, and is the root reason why TMDA is designed to run on a mail server rather than a clients local machine.
That this will only create a sense of accomplishment. Eventually spammers will provide throw away addresses that simply reply to get on the white list anyways. The reason they don't do it now is because this challange-authenticate is not widely accepted.
I still think, and am quite happy with, a Bayesian Filtering application that Mozilla Mail currently offers. Very little spam leaks through and I have only had one false positive in almost 3 months of using it.
D.O.U.O.S.V.A.V.V.M.