Slashdot Mirror

← Back to Stories (view on slashdot.org)

Are People Using TMDA to Kill Spam?

Posted by Cliff on from the driving-down-the-noise-in-your-email-signal dept.

NewtonsLaw writes "With spam becoming an increasingly frustrating part of life in the Net, I have to ask why more ISPs aren't implementing systems such as the excellent Open Source Tagged Mail Delivery Agent (TMDA) strategy? Using this system would mean that only those spammers who used bonafide email addresses in their headers would get through -- and means virtually all the penis enlargement, weight-loss and other scams would be blocked. Even the those habbitual "brand name" spammers (like Real, PayPal, etc) could still be blocked by adding them to the blacklist. With TMDA, email to and from regular correspondents is passed transparently and there's no risk of genuine messages being accidentally discarded by over-active filters. If enough ISPs at least offered TMDA as an option to their users, the effectiveness of spamming could be shattered almost overnight -- oh, wouldn't that be lovely?"

9 of 87 comments (clear)

  1. No spam blocker is perfect... by Anonymous Coward · · Score: 5, Interesting

    Yes, there is a risk of a legitimate messages being blocked, if the sender does not understand the "confirmation request" mail sent by TDMA, is not willing to answer it (think mailing lists), or blocks it as spam.

    A second reason is false positives. Users have really quite different view on them. Some people hate spam so much that to avoid it, they are willing to block a real message every once in a while, and spend lot of time configuring and tuning their filters. For others, hitting "Delete" 30 times a day is less trouble than the nuisance in losing real legitimate messages.

    1. Re:No spam blocker is perfect... by dubl-u · · Score: 4, Insightful

      Yes, there is a risk of a legitimate messages being blocked, if the sender does not understand the "confirmation request" mail sent by TDMA, is not willing to answer it (think mailing lists)

      Yeah, if I ever thought about using TMDA, having to deal with other people using it has completely turned me off it.

      A number of times somebody has posted to a mailing list asking for help. I've answered them privately, only to get a "please jump through the following hoops" message. Fuck that.

      There's no way I'd use it, as email is often how clients first make contact with me. I'm unwilling to risk offending or irritating my correspondents, especially when it could mean many dollars lost.

    2. Re:No spam blocker is perfect... by mivok · · Score: 4, Insightful

      I believe though that if you make the confirmation process more complicated, it will prove too troublesome for users to reply to.
      I'm talking widespread use of TDMA now, with non computer literate users who probably havent ever come across mailing lists and having to confirm subscriptions. And for the more technical users, there are a great many who use text based clients over SSH, with which viewing a jpeg would be troublesome to say the least. Other methods could be used as you mentioned, but I doubt there are that many that would cause minimum trouble for legitimate users while preventing spammers from being able to write some sort of heuristic algorithm to be able to get at least some confirmation replies correct (remember, they wont be bothered about getting every one through).

      As to the reason spammers havent yet resorted to using valid email addresses is that they dont have to! Email confirmation currently isnt widespread for the spammers to go through the extra hassle. When it does get so widespread as to hinder spammers, then they will start using valid email addresses and autoresponders (or perhaps deliberately setting up email bounce replies to save them the hassle of writing replies).

      Dont get me wrong, its a great idea, and I especially like the idea of being able to just create time delayed email addresses with nothing more than a program to work out the cryptographic hash (i.e. nothing needed server side). However, I think that if TDMA does become widespread enough for spammers, they will find some way around it, and combating what they do will become increasingly complex and time consuming for users. If I am proved wrong hoever, all the better. No more spam :)

  2. Discussed ad nauseum.... by kawika · · Score: 4, Interesting

    Every time /. does a story on spam we have the debate about address verification. There are plenty of existing "challenge-response" spam control services and the reason they're not widely used is because they still require a lot of manual work to control spam.

    Mailing lists are a simple example. For every mailing list you legitimately want to be on, you will need to manually set up the address on the whitelist because the mailing list software won't repond to the challenge message.

    Now lets say that the mailing list programs make some mods to automatically respond to the message, assuming it has a standard format. Now a spammer can use the mailing list's address as their return address and take advantage of its response to a challenge! Of course, the challenge could contain other validation data such as a reciept number and/or a digital signature but now we're talking about major mods to the Internet's mail infrastructure and mail clients.

  3. effectiveness? by universalcurb · · Score: 5, Insightful

    spammers don't care too much about effectiveness, they already deal with less than half-a-percent response rates anyway, and they don't give a darn if they're blocked... the fact of the matter is that spam is so freaking cheap to send, it will never go away. the way to kill it altogether is to raise the cost so much that it no longer becomes an attractive option. i hate to say it (being somewhat libertarian), but the only way to do that is to have anti-spam laws with some teeth that include some time in a state "correctional" facility. that would send the message.

    --
    dum spiro, spero
  4. Didn't work for me by Anonymous Coward · · Score: 4, Interesting

    I tried TMDA, and I really like it. However, there are some drawbacks that make it impractical for me.

    First of all, I've had trouble white-listing my friends. I could just give them the address ac@mydomain.com and white-list them, but sometimes they will change email addresses or send me mail through a third-party source (like sending a news item from a web page or sending a greeting card). The alternative is to give each friend an tagged address that will go through, but it is hard for them to remember ac-friend-a751af@mydomain.com

    Second, some of my friends can't handle the concept of replying to a message to let their first message through. (Obviously this happens when they use an address that I haven't white-listed.) I've tried to customize the message to make it easy to understand, but I guess I have dumb or stubborn friends. In particular, if a relative sends a joke to me and a long list of other people, and one of those people replies to everyone ("ha, that was really funny!!"), the sender gets really confused about getting a confirmation request from someone they haven't heard of before.

    I've had one on-line store refuse to use my tagged email address because it was too hard to type. (Apparently their brain-dead system had them manually retype the address into another system.) They processed the order, but I didn't get any status from them.

    The killer was my ISP changed the rules on me and doesn't allow having a mail server on my local system. Further more, the provider I was using for out-going mail now blocks mail from my Linux box because they detect it going through exim and declare that it is relaying through their system. (It works for a simple mail client, just not for a MTA!)
    Another provider I could use has their MTA configured such that it doesn't work with the tagged addresses. Of course, many ISPs now block in and outgoing port 25. The anti-spam efforts of ISPs keep breaking my attempts to avoid spam and TMDA is the latest victim.

    Again, I like the concept of TMDA. Jason Mastaler and company did a lot of things right, but it just didn't work out for me. When the general public becomes educated on the concepts and it is easier to find an ISP that will work smoothly with TMDA, I'd be happy to use it again.

  5. Learning Spam Filters by tdemark · · Score: 3, Interesting

    I think many clients are heading in the right direction with spam filters that learn based upon a user saying "This is spam" and "This is not spam".

    Personally, I use SpamAssassin which was primed with 1200 spams and 6000 hams. Since that point, it has captured 200 spams with 0 false positives and 2 false negatives.

    The hard part is priming the databases. Maybe it would be worth it to have a database that can be downloaded and used as an initial point for new users - combined with "Spam", "Not Spam", "Whitelist" buttons in their client to automatically tweak the db to their usage patterns.

    - Tony

  6. Why haven't they been adopted? by crapulent · · Score: 3, Informative

    Because they're a terrible solution. All you wind up doing is pissing off the poor people whose email address the spammer used in the forged From: line, and not to mention the quagmire that is making these things play nicely with mailing lists.

    But, I think John Levine does a much more eloquent job of explaining why C-R systems are not the answer:


    Date: 11 May 2003 21:41:35 -0400
    Message-ID: <Pine.BSI.4.40.0305111408240.28246-100000@tom.iecc .com>
    From: "John R Levine" <johnl@iecc.com>
    To: "Declan McCullagh" <declan@well.com>
    Subject: Re: FC: MailFrontier.net, poor anti-spamware, and future of mailing lists
    In-Reply-To: <5.2.1.1.0.20030511122149.00b1a710@mail.well.co m >

    > My reluctant conclusion is that C-R systems with flawed implementations
    > have the potential to end legitimate mailing lists as we know them today.

    No, it's worse than that. The collateral damage from widely used C/R
    systems, even with implementations that avoid the stupid bugs, will
    destroy usable e-mail.

    Challenge systems have effects a lot like spam. In both cases, if only a
    few people use them they're annoying because they unfairly offload the
    perpetrator's costs on other people, but in small quantities it's not a
    big hassle to deal with. As the amount of each goes up, the hassle factor
    rapidly escalates and it becomes harder and harder for everyone else to
    use e-mail at all.

    A relatively easy to solve problem with challenge systems is that most of
    them are written by dimwits who don't understand the way that e-mail
    really works. In 1983 the 4.3BSD Berkeley Unix "vacation" program
    correctly dealt with mail from lists and other mechanical sources, yet 20
    years later I still see out-of-office replies from Lotus Notes and MS
    Exchange to list mail every day. (Is there really nobody at IBM or
    Microsoft who used 4.3BSD or knows the rules of thumb to recognize
    non-personal but legit mail?) Challenge systems have the same bugs, and
    list managers are now routinely kicking people off lists whose broken
    challenge systems spam out stupid challenges to everyone who posts to the
    list, and ignoring challenges to signup confirmation messages. These
    particular problems are soluble; the few challenge systems used by
    experienced mail users like Brad and Dan Bernstein avoid them.

    But the real damage from challenge systems will come when spammers start
    attacking them. Challenge systems all have user whitelists so that each
    correspondent only gets one challenge, then mail goes through directly. So
    spammers will start trying to send spam with forged sender addresses that
    are on the recipients' whitelists. That's not so hard, sign up for a
    mailing list, scrape addresses from the list traffic, then send NxN copies
    of spam, to each list address from each list address. Similarly with
    addresses scraped in groups from web pages, usenet groups, and anywhere
    else scrapage happens.

    So what will the effect of this be? You won't be able to trust that mail
    from your friends is actually from your friends, since an increasing
    fraction will be spam leaking through your challenge system. What will
    people do? Given the basic principle of challenge systems, which is that
    it's someone else's job to solve your spam problem, people will dump their
    whitelists and start challenging every message. At this point, it's
    possible to automate much of the work, most challenge systems are
    scriptable, so that for example I have a few lines in my mail sorting
    filters that catch the per-message challenges from submissions to Dan
    Bernstein's mailing lists and automatically send confirmations. But of
    course, if I can send responses from scripts, spammers can and will too,
    so challenge systems will increasingly include "prove you're human"
    features like showing you a picture and asking you how many kittens are in

  7. My gut feelings is... by Kr3m3Puff · · Score: 3, Insightful

    That this will only create a sense of accomplishment. Eventually spammers will provide throw away addresses that simply reply to get on the white list anyways. The reason they don't do it now is because this challange-authenticate is not widely accepted.

    I still think, and am quite happy with, a Bayesian Filtering application that Mozilla Mail currently offers. Very little spam leaks through and I have only had one false positive in almost 3 months of using it.

    --
    D.O.U.O.S.V.A.V.V.M.