FairUCE - the Smart Email Proxy
Jestrzcap writes "This just posted on Freshmeat: FairUCE (which stands for 'Fair use of Unsolicited Commercial Email') is an SMTP proxy, running between multiple instances of Postfix, that verifies email by attempting to verify the sender through lookups (a user customized challenge/response). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'."
No way will the spammers ever find a way around this. It's solid!
I've already had problems getting email from my government coworkers with spam validators like this. The military really doesn't like broadcasting who their email servers are... So they regularly get sent to Junk Mail.
I still think that someone should make a cross-platform language similar to Java that can be compiled and call it Bawls.
You might want to close the italics tag in the post so that the rest of the page doesn't become italic...
If MTAs on the Internet required the forward and reverse DNS lookups to match, ~70% of spam (and viruses) would disappear. This requires ISPs to correctly configure their DNS, which unfortunately doesn't happen because people are lazy.
FairUCE looks interesting but I'd be curious if it'd do a better job than milter-sender. About a year ago, before I installed milter-sender, I was receiving about 200-300 spams per day. Since installing milter-sender in March 2004 and adding the spamhaus SBL-XBL checks to sendmail, I've received (checking spam mbox) 1568 spam messages.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
But, spammers will find a way around this. Also, I'd like to know, how much bandwidth does this use? It sounds to me like it'd take a lot.
Electrons are free; it is moving them that becomes expensive.
Doesn't this just create more traffic?
Jaysyn
There is a war going on for your mind.
Even though this is an interesting new tool, most e-mail users are tied to whatever backend their ISP supplies, which is a shame... Someone should whip up an end-user desktop version.
Can't wait to get my hands on a copy of the server version though...
One problem with challenge response is that Spammers not only send me spam, but send spam purportedly sent by me. I regularly get error messages about mail that could not be delivered. Now I'll get loads of challenge messages instead.
Of course if my MTA signed my messages with a random key, and the challenge message sent the key back, my MTA could filter out anything I didn't actually send. Unfortunately that requires coordination which the various email/spam task groups do not seem to be capable of.
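The idea in the comment above (the MTA signs what it sends, so a returned challenge or bounce can be checked against that signature) can be sketched as follows. This is an added example, not code from the thread or from FairUCE; the `sig=` address format, the key, the seven-day lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-site secret, rotated in practice
TAG_LIFETIME_DAYS = 7             # assumption: how long a reply may take to come back


def _mac(day: int, local: str, domain: str) -> str:
    """Keyed MAC over the issue day and the real address, truncated for brevity."""
    msg = f"{day}:{local.lower()}@{domain.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]


def tag_sender(address: str, today: int) -> str:
    """Outbound: rewrite user@example.org to sig=<day>-<mac>=user@example.org."""
    local, domain = address.rsplit("@", 1)
    return f"sig={today}-{_mac(today, local, domain)}={local}@{domain}"


def verify_return_address(rcpt: str, today: int) -> bool:
    """Inbound: True only if rcpt carries a tag this MTA issued recently."""
    local_part, _, domain = rcpt.rpartition("@")
    if not local_part.startswith("sig="):
        return False
    try:
        stamp, local = local_part[4:].split("=", 1)
        day_text, mac = stamp.split("-", 1)
        day = int(day_text)
    except ValueError:
        return False  # malformed tag
    if not 0 <= today - day <= TAG_LIFETIME_DAYS:
        return False  # expired, or dated in the future
    return hmac.compare_digest(mac, _mac(day, local, domain))


def classify_inbound(mail_from: str, rcpt: str, today: int) -> str:
    """Decide what to do with a message from its envelope alone.

    Bounces use the null sender (""), and both bounces and challenges are
    addressed to the envelope sender of the message they answer. If this MTA
    tags every outbound envelope sender, anything answering an untagged
    address answers mail it never sent.
    """
    local_part = rcpt.rpartition("@")[0]
    if local_part.startswith("sig="):
        return "deliver" if verify_return_address(rcpt, today) else "reject"
    if mail_from == "":
        return "reject"  # bounce for a message that never carried our tag
    return "normal"      # ordinary mail to the plain address: filter as usual


if __name__ == "__main__":
    day = 12750  # constructed day number (days since the epoch)
    tagged = tag_sender("alice@example.org", day)
    print(tagged)
    print(classify_inbound("", tagged, day + 2))               # deliver
    print(classify_inbound("", "alice@example.org", day + 2))  # reject
```

The tag only helps against forgeries if every outbound message uses it and the receiving side replies to the envelope sender rather than to the header From address.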
I liked the Puffy one better.
Guess I'm asking at the wrong place, but does this mean if I send email using my uni's SMTP server with my Yahoo! E-mail address in the "from" field, I will receive a challenge? A challenge being an email to the sender's address so they know the address is active, I'm guessing..
And I read of a whitelist/blacklist. Does this mean the user having to manage this list? It looks like it's being done so that the user can reactively work about it though (instead of actively), maybe an email that says "You got email from xyz, Do you want this email?" Heh an email about an email, that'd be annoying.
I tried sending email using Yahoo!'s web interface with 3 addresses in the "To" field today, and when I clicked "Send" it asked me to answer a Captcha, interesting..
What time is it/will be over there? Check with my iPhone app!
...that this is being pushed by a little fly-by-night company in Armonk.
With a few cached DNS look-ups and a couple of if/then statements.
This is great news! Why didn't someone think of this sooner?
Anus cheeses. Yummy.
1) Mobile user sets up notebook at new location and sends mail via the local mail relay.
2) FairUCE on recipient end bounces the mail because it can't find a relationship between the sender and the mail relay.
If the ISP blocks outbound port 25 access, you get a real catch 22. Can't use remote relay because of the port block. Can't use local relay because FairUCE will see that there is no relationship to the sender and block the mail.
This is an old idea. It can be implemented with procmail and a little perl. Few people do this, not for lack of tools, but simply because it is a bad idea.
It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'.
Oh, yeah, and completely stop mailing lists from being usable. That, too.
I've had this working with Exim for a long time now. It's actually just a tickbox in cPanel. I actually think it's on by default for any host using cPanel, which are quite a few.
Tim Dorr
Owner/Manager
A Small Orange
My server receives over 140,000 spam messages a day over 300 domains. So, will this system be running this process several times a second, then sending undeliverable bounce back messages just as often? Great, even more server problems, brilliant idea guys. My favorite solution is a client side filter. Thunderbird is amazing. I'd rather see the world go that way.
FYI, any time (which is every time) I get a challenge for an email I didn't send, I immediately block the server because that kind of "solution" is nothing short of dropping their spam problem in my lap. Fair warning to anyone who thinks FairUCE is in any way a "Smart" answer to spam.
The only effective spam solution I've currently found is to have expiring email addresses. One easy way to set that up is to use subdomains that don't even resolve after a certain point. So you might have me@2004.example.com good for only three more weeks, or me@amazon.example.com good for as long as Amazon (or your "healthy" girlfriend) doesn't sell you out. You can get tricky, of course, and use subdomains that are not so easily subject to a dictionary attack or guessing.
- Connecting IP (immediate relay) - do a reverse lookup on it. Does the domain name match the domain name as the envelope sender?
- Take the domain name of the envelope sender and find all mail exchangers for the domain. Do a reverse lookup on the connecting IP too. Do any of these domains overlap?
- Compare by network - is the connecting relay on the same network as the domain it claims to originate from (sender address)
Etc. As you can see this will definitely catch spam "forged" to come from domains like AOL, but the trouble point is that very often it's legitimate for mail to arrive from an unrelated network. Nothing about SMTP says it's wrong to put in the return address you want, despite the immediate relay delivering the mail.
Have we not established a few basic tenets of the spamademic?
1. Spammers make money by using a disproportionate amount of bandwidth than what they pay for. Stopping spam from entering peoples' inboxes is less than half the problem. 70% or more of all SMTP traffic is UCE and everyone pays for that in higher costs and slower performance regardless of whether they have spam filters in place.
2. The majority of the anti-spam solutions (with the exception of RBLs) including the one related to this article, require extra time, bandwidth and resources on the part of innocent networks to deal with the spam problem. This is a step backwards.
If you want to stop spammers you have to stop them from stealing bandwidth. To date, the ONLY effective solution thus far has been relay blacklisting. This has several added benefits including: stopping propagating of worms/viruses, and forcing ISPs to police the illegal activities of their users and shut down nodes which are spamming through their network.
As an ISP, I have no interest in yet another costly anti-spam solution that I have to install that doesn't address the larger issue of the tons of bandwidth spammers waste on my network and every one in between. This system wastes even more resources by attempting to verify the source of every e-mail in an even more detailed manner than before, so the end result is: more computing resources needed, more bandwidth needed and slower mail service.
No thanks.
I'll patiently wait until the *inevitable* SMTP whitelist scheme that is the only true solution to stopping spam (unless the authorities decide to actually start prosecuting spammers for their crimes).
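The relay-to-sender checks listed earlier in the thread (forward-confirmed reverse lookup of the connecting IP, overlap with the sender domain's mail exchangers, same-network comparison) are shown below against constructed DNS data, including the roaming-user case that fails all three. This is an added example, not FairUCE's code; the lookup tables, the /24 prefix, the "last two labels" domain comparison and the function names are assumptions.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (reserved example names
# and documentation address ranges only).
PTR = {
    "192.0.2.10": "mail.example.com",
    "192.0.2.25": "out.example.com",
    "198.51.100.7": "relay.example.net",
}
A = {
    "mail.example.com": ["192.0.2.10"],
    "out.example.com": ["192.0.2.25"],
    "relay.example.net": ["198.51.100.7"],
}
MX = {
    "example.com": ["mail.example.com"],
    "example.org": ["mail.example.com"],  # example.org is hosted by example.com
}
PREFIX = 24  # assumption: what counts as "the same network"


def org_domain(host: str) -> str:
    """Assumption: compare on the last two labels (no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def confirmed_ptr(ip: str):
    """Forward-confirmed reverse DNS: PTR name whose A records include ip."""
    name = PTR.get(ip)
    if name and ip in A.get(name, []):
        return name
    return None


def relationship(ip: str, mail_from: str) -> list:
    """Return the names of the checks that tie the connecting IP to the sender."""
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    mx_hosts = MX.get(sender_domain, [])
    name = confirmed_ptr(ip)
    passed = []

    # 1. Reverse lookup of the relay lands in the envelope sender's domain.
    if name and org_domain(name) == org_domain(sender_domain):
        passed.append("ptr-domain")

    # 2. The relay's domain overlaps with the sender domain's mail exchangers.
    if name and any(org_domain(mx) == org_domain(name) for mx in mx_hosts):
        passed.append("mx-domain")

    # 3. The relay sits on the same network as one of those mail exchangers.
    addr = ipaddress.ip_address(ip)
    mx_ips = [mx_ip for mx in mx_hosts for mx_ip in A.get(mx, [])]
    if any(addr in ipaddress.ip_network(f"{mx_ip}/{PREFIX}", strict=False)
           for mx_ip in mx_ips):
        passed.append("same-network")

    return passed


def verdict(ip: str, mail_from: str) -> str:
    """No passing check means the sender is unverified and would be challenged."""
    return "related" if relationship(ip, mail_from) else "unverified"


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "bob@example.com"),     # domain's own mail server
        ("192.0.2.25", "carol@example.org"),   # hosted domain, provider's relay
        ("192.0.2.77", "bob@example.com"),     # no PTR, but same /24 as the MX
        ("198.51.100.7", "alice@example.com"), # roaming user on a local relay
    ]
    for ip, sender in cases:
        print(ip, sender, relationship(ip, sender), verdict(ip, sender))
```

The last case is legitimate mail by SMTP's rules, yet it is indistinguishable here from a forged sender, which is the objection raised in the thread.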
If/Then statements? I sure hope this proxy is not written in BASIC. There could be some serious speed issues.
This message brought to you by Jack Schitt's Previously Shat Shit
BLASPHEMER!!!
He's probably a genie. Unfortunately, we don't know what kind. He may be the kind that only gives you one wish, in which case your wish was for him to be happy. Good karma for the afterlife, but it'll be a while before you find out for sure.
It could also be the kind of genie that only helps when you really need it. In that case, just wait until some disaster befalls you, and then summon the genie to save you. Have you wished for anything out loud since he disappeared? If it's a multiple wish non-emergency genie, that might do the trick. But be careful what you wish for, since you don't know how many chances you'll get. Of course, it could also be the kind of genie that picks the wish itself instead of taking requests, if that's it then something good will happen to you eventually, but we won't know until it does.
As for what to do with the cheese, you may want to consult a psychic. Get several opinions from unrelated ones, there's a lot of fake psychics out there. Take good care of the cheese, but don't seal it airtight or freeze it or anything that would harm a toddler if one were trapped inside it.
Gather as much information as possible before taking action, but don't let the cheese get moldy or dirty.
When seeking further advice, you should figure out the approximate apparent age of the guy (does it match his story, or does he look younger than expected?), and unusual features (such as damage that may have been caused by a fatal injury), or writing or symbols on his clothes. What kind of clothing was he wearing, is it what you'd expect to see here, today or from some past time and place? Did you feel any unusual warm or cold gusts of wind in his presence? Where exactly did you meet him, does the location have any interesting history? If something like this happens again, pick up a video camera while you're out and collect photographic evidence of the visitor, but ask permission first.
I can give anyone a realistic outlook on the problem, from Ground Zero...
Picture Massive Hosting Corporation X, leading entrepreneurialship throughout the company, with an order of X machines, all of which host dozens (hundreds? yes, get over it) of domains each. Everyone is promised X email, usually unlimited, until someone like AOL blocks them, (us - ouch, my foot...)............
Stupid people register their stupid little domains and we get stupidly stupid passwords like *password* on our mail boxen, supplemented with canned email scripts for the user to choose from, depending on level of stupidity. Ergo, we are left with an effectively massive amount of technically legitimate, open, hax0rable mail relays that get abused as soon as the MX record propagates...
So now what? "Educate the General Public"? Yeah! Hahahahahaa... Until the price of broadband falls into finite pockets, we WILL NOT see an end to SPAM. Really though, for $9.95 a month, any idiot can open a domain up with mail on it and get a good share of the international mail scene...
Now you know...
You are about to give someone a piece of your mind, something which you can ill afford...
there already is one, it's called ANSI-C
Surely you jest. C is about as much like Java as Jack Daniels is to Odouls.
But won't challenges look like spam servers probing your system.
And the license sucks, too. It is restricted to non-commercial use.
now we need to go OSS in diesel cars
if(sender.domain = spam.com){
:)
Move to spam folder
}
I think using Thunderbird to filter your shit is a lot better than using this
Have you metamoderated recently?
This package just isn't going to get very popular. It is restricted to non-commercial use (perhaps you can buy a license for commercial use). And you have to sign up with IBM to get a download just to see if it's any good. And then there's a lot of extra stuff you have to have to run it. Maybe I should work on my own GPL open source version of this and do it as a pure TCP proxy front end so it works on any mail server (even for Exchange on Windows if on a different machine or under some emulator).
now we need to go OSS in diesel cars
Here in the Netherlands the government wants providers to keep a log of all mail (http, ftp, whatever) traffic that goes over their lines. The providers are complaining, but in the end they will simply raise prices to compensate. Effectively I will be paying to be spied upon. And in the case of email, I will be paying to receive spam and then store it for five or ten years.
[...] verifies email by attempting to verify the sender through lookups (a user customized challenge/response)
Okay, so either (a) a user has to do a challenge/response simulation each time he or she wants to send/receive an email, or (b) it's automated... and a spammer could simply brute force/crack/automate themselves the challenge/response. I don't see how this would really work.
- dshaw
%choice = (
'type' => [ 'technical', 'legislative', 'market-based', 'vigilante' ],
'reason' => [
'Spammers can easily use it to harvest email addresses',
'Mailing lists and other legitimate email uses would be affected',
'No one will be able to find the guy or collect the money',
'It is defenseless against brute force attacks',
'It will stop spam for two weeks and then we\'ll be stuck with it',
'Users of email will not put up with it',
'Microsoft will not put up with it',
'The police will not put up with it',
'Requires too much cooperation from spammers',
'Requires immediate total cooperation from everybody at once',
'Many email users cannot afford to lose business or alienate potential employers',
'Spammers don\'t care about invalid addresses in their lists',
'Anyone could anonymously destroy anyone else\'s career or business', ],
'fail' => [
'Laws expressly prohibiting it',
'Lack of centrally controlling authority for email',
'Open relays in foreign countries',
'Ease of searching tiny alphanumeric address space of all email addresses',
'Asshats',
'Jurisdictional problems',
'Unpopularity of weird new taxes',
'Public reluctance to accept weird new forms of money',
'Huge existing software investment in SMTP',
'Susceptibility of protocols other than SMTP to attack',
'Willingness of users to install OS patches received by email',
'Armies of worm riddled broadband-connected Windows boxes',
'Eternal arms race involved in all filtering approaches',
'Extreme profitability of spam',
'Joe jobs and/or identity theft',
'Technically illiterate politicians',
'Extreme stupidity on the part of people who do business with spammers',
'Dishonesty on the part of spammers themselves',
'Bandwidth costs that are unaffected by client filtering', 'Outlook', ],
'objections' => [
'Ideas similar to yours are easy to come up with, yet none have ever been shown practical',
'Any scheme based on opt-out is unacceptable',
'SMTP headers should not be the subject of legislation',
'Blacklists suck', 'Whitelists suck',
'We should be able to talk about Viagra without being censored',
'Countermeasures should not involve wire fraud or credit card fraud',
'Countermeasures should not involve sabotage of public networks',
'Countermeasures must work if phased in gradually',
'Sending email should be free',
'Why should we have to trust you and your servers?',
'Incompatibility with open source or open source licenses',
'Feel-good measures do nothing to solve the problem',
'Temporary/one-time email addresses are cumbersome',
'I don\'t want the government reading my email',
'Killing them that way is not slow and painful enough', ],
'about' => [
'Sorry dude, but I don\'t think it would work.',
'This is a stupid idea, and you\'re a stupid person for suggesting it.',
'Nice try, assh0le! I\'m going to find out where you live and burn your house down!' ]);
srand(time);
# Argument is the last index ($#array); return a random index from 0 to that value.
sub getIndex { return int rand( shift() + 1 ); }
$post = "Your post advocates a "
.$choice{'type' }[ getIndex($#{$choice{'type'}}) ]
." approach to fighting spam.\nYour idea will not work. Here is why it won't work.\n"
.$choice{'reason' }[ getIndex($#{$choice{'reason'}}) ]
."\n\n"
."Specifically, your plan fails to account for "
.lcfirst( $choice{'fail' }[ getIndex($#{$choice{'fail'}}) ] )
."\nand moreover I have the following philosophical objection, \nmainly "
.lcfirst( $choice{'objections' }[ getIndex($#{$choice{'objections' }}) ] )
."\n\n"
.$choice{'about' }[ getIndex($#{$choice{'about'}}) ]
."\n\nSincerely yours,\nSlashdot anonymous random perl bot\n\n";
# Put each sentence on its own line.
$post =~ s/ *\. */.\n/g;
print $post;
We all know that any automated solution will fail... spammers will find a way to beat the system. However, a human can always tell. Especially me.
Give me some time to whip up a pseudo anonymous system where all of your email is forwarded to my machine and I will read the subject line and the beginning of the message. From this, I will determine if it is spam or not. If I approve it, it goes to your inbox, otherwise it goes to your spam box. Headers from spam-marked messages will get automatically passed on to select spam-fighting associations. Whitelisted addresses will bypass me completely.
You may be trading off some privacy, but think of the benefits of a clean inbox. Don't worry... you can trust me with all of your email. And besides... it's not different than sending your email through an automated scanner like postini... any admin there can read your mail anyways. For that matter, your email can be read by any mail server administrator anywhere along the way to your inbox. In postfix, I could just add a line "always_bcc" and receive a copy of any email coming or going through my server. At least this way, you KNOW your mail is getting read... no questions about it.
If you need any more persuasion, try this: "C'mon! Just do it already! You know you like the idea!".
Please refer to RFC 2606 and use example.com, example.org, or example.net instead of things like "mydomainname.com"... and to foresee a funny followup... replace the final bit to "instead of things like "example.com""
"If we could just rewrite everybody's mailers with my new widget in illegible Perl or badly written C that breaks several RFCs I've never bothered to read, we will surely stop spam!" I've heard this sort of thing before, every few months for the past 10 years.
There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them. Coupled with "sender pays" systems, they're almost always subverted within short periods and never can or will gain the acceptance of the user community enough to become effective.
Yeah, that's right. For 3 (three) months, I haven't got a single SPAM that got through to my inbox.
Most of it gets blocked by a combination of Blacklists and firewall-rules, the rest gets flushed down the drain by a combination of Bayes- and other mailfilters.
From my Serverlogs I can see that only about 0.5-1% gets through firewall and the HELO-command of my server at all (out of about 200-500 Spams a day, varying with weekday). So I even reduced my mail-traffic quite a bit.
Look, this thing is totally safe! Built it myself, you know. You just press that button like this and then turn that lev
Oh, no. It looks like some high school freshmen accidentally plugged in his nifty-keen-gonna-make-millions-from-spammers generator of vaguely random text to confuse email filters.
"With over 150 public blocklists out there"
This is a sad state of affairs when a "do-gooder" claims that spoofed e-mail has come from my website. So I have to go to 150 different lists, argue with each of them that my site is not a spam sender?
I've had to deal with "do-gooder" situations too often. Blacklists are a cop-out ("A failure to fulfill a commitment or responsibility or to face a difficulty squarely") by ISPs. They are passing their cost of providing e-mail to their customers onto me.
An Analytical Look at Spam
You, sir, are a fucking dumbass.
I don't want to have any spam, even if it's verified one.
If I want some Information about a product I'd like to use, I go and search for it. If there's no need for it based on my intentions, there's no need for it based on the offer.
btw, why doesn't the acute-html-tag work?
Actually, it gives all the records as a response, it's just that most PTR lookups only look at the first one, so since the order does the round-robin, the correct one will at best be the first response only 50% of the time (and that's if you have only 1 PTR record).
This begs the question: why would someone have more than 1 PTR record for a single ip? Because they are stupid, that's why.
So it seems to me that I'm already doing as much work as I would have to do using this software, but the whitelisting I'm doing in Thunderbird is already 100% effective at filling my inbox with email I care to see. Anything suspect goes to a suspect folder (after my ISP has already had a go with their spam filters, certain ones don't even reach Thunderbird) so I can double-check if there's something important I'm watching for from an as yet unknown address. It's kind of a pain, but it works. I can't see a benefit from switching to FairUCE.
It would be a lot better if you rewrote the verse lyrics, too. As it's written, it's just a waste of space. No creativity is displayed at all.
Something like:
I've got the hacktitude of a Redmond pro
I've got the legacy devices of a billion sold
I got My Rights Online back, but I don't seem to care
I got the compressed jay-pegs of sex with a mare!
TFP. HAND.
far too readable. please try again.
Most objections seem to be to the challenge/response mechanism. I'm persuaded that that would only be used in a tiny minority of cases by this system.
:-)
A bigger problem is the wide range of prerequisites: Java 1.4, JavaMail, Apache with modssl and mod-auth-external, Postfix 2.1. If you're not running x86 or x86-64, forget it. (Or Solaris, but who runs that?)
Disinfect the GNU General Public Virus!
Also, wouldn't this just create a rash of false challenges that lead to spamming type material or websites?
Luck favors the prepared, darling.
But really, no creativity at all? The song is a damn troll without me making it so, do I really need to alter the lyrics? I hate filter, I hate the Crystal Method, yet somehow together it works.
So I'm supposed to send all my mail through my ISP's mailserver, for no good reason? Never mind that for example this will break any ESMTP connections between my - perfectly legitimate - SMTP server and my recipients.
I run a business SMTP server on the end of a DSL connection, and have for many years. The server in question is likely firewalled _better_ than my ISP's.
So tell me again why I can't use port 25 outbound?
Note that my ISP will _not_ give me reverse DNS control, nor make any changes on my behalf, despite my having a static IP.
If you're not living on the edge, you're just taking up space!
LANG=C doesn't work for me. I usually need LC_ALL=C.
It's curious that I never heard of C/R before ... and I consider myself an advanced user!
...
From what you wrote, the thing is clearly complex 'just' to send an email
It's clear that not everybody has the technical understanding of email as to set up easily such a system.
- If someone else has a different challenge/response system then the automated systems will ping e-mail back and forth to each other and humans will never see it. If the systems are sufficiently dumb, you'll get a nasty mailing loop and fill up both users' quota/hard disk.
- Most spam has a forged address. If someone sends e-mail to 10,000 users with a c/r system with *your* e-mail address in the from header, you get 10,000 e-mails that day. Your only solution to this obvious problem would be to blacklist anything that looked like a c/r e-mail, thus breaking the system entirely.
- It increases the amount of traffic on the 'net. This is bad.
- About five million other reasons to do with netiquette and common sense. Will people never learn?
I run a small web board, and already the e-mail address I use as the admin of that board gets flooded daily with crap like "I haven't actually received your message, click here to verify you are real". I finally got fed up with it and posted this response.
If you implement these, remember you get e-mail from more than just friends you know. Let's see, last week alone, I got 5 messages from companies like Dell from working on issues with them, and none of them are in my address book.
The proper solution is to ensure the outside world sees no difference unless it is spam. I never give my full address to a company, instead I use the postfix feature where anything after _ is ignored. Then I create a one letter alias for me to keep them short. If I get a lot of e-mail, it makes server side filtering into my IMap folders easy. And if one address gets hit by spam, I then block it on the server. It works well, and doesn't inconvenience the people e-mailing me.
"Thank you for ringing my doorbell. I am currently home, but did not hear the doorbell. To properly ring it, please run around my house, braving the dogs in back, and use the doorbell located next to the cat door on the deck. Then I might care enough to see who you are and let you in."
I haven't seen anyone post the BIG REASON why C/R systems won't work, so here it is again.
C/R relies on users being willing to respond to challenge messages, either by clicking a URL or by replying by e-mail.
As soon as C/R systems become commonplace enough, and users become accustomed to responding to the messages, spammers will simply craft their spam to look like challenge messages. Replying to e-mail will confirm the address (a win for the spammer), clicking the URL will deliver the reader to a web site full of pop-up ads and spyware (a win for the spammer).
Shortly after this, user willingness to respond to challenges will drop to zero, and challenge messages will be filtered out automatically by bayesian spam filters.
So, if there are any spammers reading this, PLEASE PLEASE start your next major spamming campaign by disguising it as a challenge message from one of these stupid C/R systems. That way we'll kill off the idea once and for all, people won't waste any more time building new (and mutually incompatible) C/R systems, and people with a clue won't have to put up with any more C/R advocacy from well-meaning idiots.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
We all know about how MS wants to change things by certifying email to cut down on spam. But what are the open source/free solutions to this? Wouldn't it be nice to have a peer certification network to certify servers running this FairUCE software? Better yet, to reduce the load of these servers, couldn't individual users run a certified version of FairUCE on their desktop to send out mail? I haven't thought this through long enough, so I'm certain my assumptions have lots of flaws, but isn't it an enticing option?
Linux at home
http://shit.slashdot.org/article.pl?sid=04/12/04/2047246
with their companion product, SpamBUS.
Hey man, no need for profanities. It was meant as humor. If email proxies are your life's passion and making light of them causes you great discomfort, you might simply turn away.
To the couple of slashdotters that modded me as troll, sorry my post wasn't up to your standards, but hey, it was an attempt at humor of some kind.
Have a nice day.
This message brought to you by Jack Schitt's Previously Shat Shit
That I almost never see any. (Maybe 2-3 per month)
I highly recommend cashette.com's E-mail service.
(Gross, vulgar plug by happy customer over)
The U.S. really needs an English to Wisdom dictionary.
This is an automated reply to your Slashdot post. Since your id was not found on my list of Slashdot friends, your post has been put on hold pending your confirmation. To confirm that the above post was indeed sent by a human, please quote the number "7006-533-7006" (and nothing else) in a reply to this confirmation request, after which your current post and any future ones by you will be immediately delivered to me for reading. You only need to do this once.
I'm sorry for the inconvenience, but this is a necessary step to prevent trolls and bots from ruining my Slashdot experience. If you find yourself bothered by the same, I encourage you to try this automated challenge/response system out yourself. Everybody on Slashdot should use it. Best of all, it's free!
In the case that you didn't send the aforementioned post, but you still received this confirmation request, please disregard it. If no valid response to the challenge is received within seven days, your id will be placed on my list of Slashdot foes, and you will not hear from me again. Thank you!
What is so special about it?
Oh well, what the hell...
Well, I had a more obscure version,
but just for that script it took everything to get it past the Slashdot lame filter,
saying it had "too many junk characters"!!!
Well, everyone knows that Perl5 has lots of punctuation,
not mentioning Perl6 "nightmare" Unicode punctuation!!!
Enjoy! =)
I only drilled on this article because I knew this post would be in here. It's faster/funnier to read the checklist than TFA.
keep it up!
You have sent some one at this domain a whitelisting email.
All such emails are blocked at this domain.
If you want to communicate with this domain via email, Do
not use white listing software or html email.
Please do not respond to this email. Please add this domain
to your blacklists. We do not want to communicate with you until
you remove your whitelisting requirement.
Whitelisting is a victory for spammers.
Why White listing is harmful to the good users of the internet
and not harmful to spammers:
Please read the following discussions on the problems with whitelisting:
Quote: http://gnosis.cx/publish/programming/filtering-spam.html
"Although I have not used any of these tools more than experimentally
myself, I would expect whitelist/verification filters to be very nearly
100% effective in blocking spam messages. It is conceivable that spammers
will start adding challenge responses to their systems, but this could be
countered by making challenges slightly more sophisticated (e.g. requiring
small human modification to a code). Spammers who respond, moreover,
make themselves more easily traceable for people seeking legal remedies
against them.
The problem with whitelist/verification filters is the extra burden
they place on legitimate senders. Inasmuch as some correspondents may
fail to respond to challenges--for any reason--this makes for a type
of false positive. In the best case, a slight extra effort is required
for legitimate senders. But senders who have unreliable ISPs, picky
firewalls, multiple email addresses, non-native understanding of English
(or whatever language the challenge is written in), or who simply overlook
or cannot be bothered with challenges, may not have their legitimate
messages delivered. Moreover, sometimes legitimate "correspondents" are
not people at all, but automated response systems with no capability of
challenge response. Whitelist/verification filters are likely to require
extra efforts to deal with mailing-list signups, online purchases,
website registrations, and other "robot correspondences.""
ENDQUOTE
QUOTE: http://tardigrade.net/tmda.html
"TMDA will prevent you from getting a wide variety of real mail. Some
varieties prevent the disabled from completing the verification
process. TMDA will prevent you from registering at many web sites,
buying software when they email you the registration key, or receiving
receipts and shipping notices. I'm far from the only real human who
absolutely refuses to jump through hoops such as this. Ah, you say,
you can periodically check the rejected mail to make sure you aren't
missing anything good! At which point, why bother with it at all? Use a
simple set of mail client filters and you're better off--same number of
spam subject lines to scan for false positives, and you'll never confuse
or irritate any real people.
TMDA is guaranteed to keep you off of a lot of mailing lists, and
you may never know why, because no one can tell you without jumping
through hoops. The list server won't be able to send you a confirmation
request. If you do manage to subscribe to a list somehow, it's downright
rude to send such messages to the people who post to the list, and
just as bad to direct them to the listowner. You've already explicitly
agreed to accept list mail by subscribing at all. As a listowner, I'd
never allow a member to punish contributors that way. TMDA has come
up on several lists for listowners recently, and the opinion has been
unanimous against the technique.
The 'jump through hoops' message sent out to legitimate correspondents
is even more annoying than spam is. Dealing with incoming spam directly
is a nuisance, but missing out on real mail can be the pits. Prospective
employers aren't going to jump through hoops to send you a job offer. If
your great-uncle gets confused about the process, you'll mi
I'm getting beat up on slashdot.... shocking! :)
:-)
Ok, so I wrote this lil' thing when I got really tired of getting hundreds of spams a day. After finishing Robocode I decided to try a new game - spam. Believe it or not - and to my own surprise - it actually works. I'd just like to clear up a few misconceptions here and say a couple things:
1. It is not a C/R system. I hate them too (especially Earthlink's, as my wife is so fond of harping on). FairUCE only reverts to C/R when it believes the mail is spoofed. And C/R is only used to establish identity, not prove you're human, so the challenges - I call them inquiries - are extremely polite and easy to respond to. The responses are digitally signed so difficult to spoof.
2. The determination of whether the mail is spoofed is not as simple as reverse DNS. Basically FairUCE wants the SMTP client to be in the same class B as any server in an MX, NS, or A record for any domain or parent domain of the bounce email address provided... or matching reverse DNS. You might be surprised how many senders fit this. In my experience it's very rare for a legitimate email to be challenged. FairUCE would find relationships for many of the examples posted in other comments here; have you actually tried it?
3. It's designed to be a fallback for SPF or other identity systems. If, as AOL and Microsoft (and I, now) believe, sender identity is the antispam wave of the future, then we'll need a fallback for what to do when those records don't exist. FairUCE is just one example; it happens to work today.
4. Yes, it may be a hassle to install it due to requirements. Sorry; first iteration, I wrote it to run on my own server. If you like it I'll make it better, or maybe you'll make a better one. The license is the one I had to choose to get it out there to you; all I'd like to do is show that sender identity works.
5. Here are my stats from yesterday:
Total incoming messages: 442
Messages accepted: 39
Messages rejected: 10
Inquiries sent to confirm sender's identity: 303
Inquiries sent to check sender's reputation: 87
Inquiries responded to: 0
--NEW-- senders: 3
- accepted: 0
- rejected: 0
- ignored: 3
Percentage of your incoming email that is spam: 90.5-91.18%
Percentage of spam blocked by FairUCE: 99.26-100%
6. To those concerned about the bandwidth taken up by the challenges: They go to a dedicated queue with a 1 hour (configurable, of course) lifetime, and they're tiny. IMHO I'd rather my server do a tiny bit of extra work to save me time, because I don't want to have a "spam" folder anymore. If you want, though, you can configure it so you have a spam folder and don't send challenges. Up to you.
I'm getting, uh, beat up a lot by people who insist that it can't work, and not just at slashdot. But for me it is working. YMMV, but I'm getting bulk email I want, mailing lists I want - neither of which were sent a challenge - and I'm pretty happy with a 99%+ success rate without looking at message content.
In summary, I don't think you've seen technology like this before; if you had, then I'd be running it. It IS different. It's not perfect. But maybe it's something to build on... I hope so anyway.
Thanks
-Mat
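The relationship test described in point 2 of the comment above, sketched as an added example; this is not FairUCE's code and not part of the comment. The DNS data is constructed (documentation address ranges), all function names are hypothetical, only IPv4 is handled, and "matching reverse DNS" is assumed to mean a forward-confirmed PTR name inside the bounce domain or one of its parents.

```python
import ipaddress

# Constructed DNS data standing in for live (cached) lookups.
ZONE = {
    ("example.org", "MX"): ["mx.example.org"],
    ("example.org", "NS"): ["ns1.dns-host.example"],
    ("example.org", "A"): ["198.51.100.80"],
    ("mx.example.org", "A"): ["198.51.100.25"],
    ("ns1.dns-host.example", "A"): ["203.0.113.53"],
    ("out9.example.org", "A"): ["192.0.2.9"],
}
PTR = {"192.0.2.9": "out9.example.org", "192.0.2.44": "dsl-44.isp.example"}

def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

def candidate_domains(bounce_addr):
    """Bounce domain plus each parent domain, stopping before the bare TLD."""
    labels = bounce_addr.rsplit("@", 1)[1].lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def related_ips(domain):
    """A records of the domain itself and of every MX and NS host it names."""
    ips = set(lookup(domain, "A"))
    for rtype in ("MX", "NS"):
        for host in lookup(domain, rtype):
            ips.update(lookup(host, "A"))
    return ips

def same_class_b(ip_a, ip_b):
    """True when both IPv4 addresses share the same /16 (old 'class B')."""
    net = ipaddress.ip_network(f"{ip_a}/16", strict=False)
    return ipaddress.ip_address(ip_b) in net

def classify(client_ip, bounce_addr):
    """Return 'related', or 'inquire' when an identity inquiry would be sent."""
    domains = candidate_domains(bounce_addr)
    for domain in domains:
        if any(same_class_b(client_ip, ip) for ip in related_ips(domain)):
            return "related"
    ptr = PTR.get(client_ip, "")
    # Assumption: the PTR name must lie inside a candidate domain and
    # resolve back to the client (forward-confirmed reverse DNS).
    in_domain = any(ptr == d or ptr.endswith("." + d) for d in domains)
    if in_domain and client_ip in lookup(ptr, "A"):
        return "related"
    return "inquire"
```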
Setting "Precedence: Bulk" would seem to discourage reading, but at least it seems to be a common convention that vacation-mailers don't respond to it.
The real problem you've got is that of the 4000 unknown addresses that you received email from, as many as 1000 might have been from real people rather than spammers, but most of them didn't bother replying. It's possible that only 10 of them were real people, so maybe only a couple of the real people who'd sent you email you might have cared about didn't bother replying to your TMDA, but it's also possible that 992 of them didn't, i.e. 99% of the real senders. You can't easily tell, except of course for the undeliverable addresses which were probably forged (or else are on email systems that don't let strangers verify addresses any more because spammers abuse them.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Secondly, SMTP supports tagged addresses of the form username+tag@example.com, and your email client can filter on the tags. Unfortunately, that's not foolproof - many web forms choke on the "+", because it has syntactic value to CGI and they're not always bright enough to escape the character. (But almost everything can handle subdomain-format tags.) Also unfortunately, Pobox's forwarding service and .forward files and other mail forwarders generally don't know how to preserve the tags while forwarding mail, though sometimes they can at least forward the mail.
The biggest problem with tagged emails is that to use them effectively, your email client needs to keep track of them, so if you get mail addressed to tag-for-alice@username.example.com, your reply to it will come From: tag-for-alice@username.example.com and not From: somedefaultvalue@username.example.com, and if you're sending mail to alice@alice.com, your mail client will know to send mail from tag-for-alice@username.example.com or whatever the last tag was that you used to send it to that address. Also, your email client should keep track of all the addresses you've sent out, because you might want to handle mail from unknown tags differently.
Bill Stewart
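The bookkeeping a mail client would need for tagged addresses, as described in the comment above, sketched as an added example that is not part of the comment. The `TagBook` class and its method names are hypothetical; the addresses are the ones used in the comment plus constructed ones.

```python
class TagBook:
    """Tracks which tagged address was given to which correspondent."""

    def __init__(self, user, domain, default_tag="somedefaultvalue"):
        self.user, self.domain = user.lower(), domain.lower()
        self.default_tag = default_tag
        self.issued = set()    # every tag ever handed out
        self.last_tag = {}     # correspondent address -> last tag used

    def parse_tag(self, rcpt):
        """Return the tag in rcpt, '' if untagged, None if not our address."""
        local, _, dom = rcpt.lower().rpartition("@")
        if dom == f"{self.user}.{self.domain}":    # tag@username.example.com
            return local
        if dom == self.domain:
            name, _, tag = local.partition("+")    # username+tag@example.com
            if name == self.user:
                return tag
        return None

    def address(self, tag):
        """Subdomain-format address, which survives web forms that choke on '+'."""
        return f"{tag}@{self.user}.{self.domain}"

    def issue(self, tag, correspondent=None):
        """Record a tag as handed out, optionally bound to one correspondent."""
        self.issued.add(tag)
        if correspondent:
            self.last_tag[correspondent.lower()] = tag
        return self.address(tag)

    def on_receive(self, sender, rcpt):
        """Classify inbound mail and remember the tag for the reply."""
        tag = self.parse_tag(rcpt)
        if tag is None:
            return "not-ours"
        if tag and tag not in self.issued:
            return "unknown-tag"    # handle differently from known tags
        if tag:
            self.last_tag[sender.lower()] = tag
        return "known-tag" if tag else "untagged"

    def from_for(self, correspondent):
        """From: address to use when writing to this correspondent."""
        tag = self.last_tag.get(correspondent.lower(), self.default_tag)
        return self.address(tag)
```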
But it isn't designed to block spammers, just forgers, and spammers are already starting to adopt SPF - so you can tell that mail you received really did originate at bigspammer.com. This means that you can't use "SPF says it's plausible" to mean "it's not spam", so you'll still need to send them your TMDA if you want to prove they're a human.
Bill Stewart