FairUCE - the Smart Email Proxy
Jestrzcap writes "This just posted on Freshmeat: FairUCE (which stands for 'Fair use of Unsolicited Commercial Email') is an SMTP proxy, running between multiple instances of Postfix, that verifies email by attempting to verify the sender through lookups (a user customized challenge/response). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'."
No way will the spammers ever find a way around this. It's solid!
I've already had problems getting email from my government coworkers with spam validators like this. The military really doesn't like broadcasting who their email servers are... So they regularly get sent to Junk Mail.
If MTA's on the Internet required the forward and reverse DNS lookups to match ~70% of spam (and viruses) would disappear. This requires ISP's to correcty configure their DNS, which unfortunately doesn't happen because people are lazy.
FairUCE looks interesting but I'd be curious if it'd do a better job than milter-sender. About a year ago, before I installed milter-sender, I was receiving about 200-300 spams per day. Since installing milter-sender in March 2004 and adding the spamhaus SBL-XBL checks to sendmail, I've received (checking spam mbox) 1568 spam messages.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
No kidding, I hate people with slanted views.
But, spammers will find a way around this. Also, I'd like to know, how much bandwidth does this use? It sounds to me like it'd take a lot.
Electrons are free; it is moving them that becomes expensive.
Doesn't this just create more traffic?
Jaysyn
There is a war going on for your mind.
Even though this is an interesting new tool, most e-mail users are tied to whatever backend their ISP supplies, which is a shame... Someone should whip up an end-user desktop version.
Can't wait to get my hands on a copy of the server version though...
One problem with challenge response is that Spammers not only send me spam, but send spam purportedly sent by me. I regularly get error messages about mail that could not be delivered. Now I'll get loads of challenge messages instead.
Of course if my MTA signed my messages with a random key, and the challenge message sent the key back, my MTA could filter out anything I didn't actually send. Unfortunately that requires coordination which the various email/spam task groups do not seem to be capable of.
Guess I'm asking at the wrong place, but does this mean if I send email using my uni's SMTP server with my Yahoo! E-mail address in the "from" field, I will receive a challenge? A challenge being an email to the sender's address so they know the address is active, I'm guessing..
And I read of a whitelist/blacklist. Does this mean the user having to manage this list? It looks like it's being done so that the user can reactively work about it though (instead of actively), maybe an email that says "You got email from xyz, Do you want this email?" Heh an email about an email, that'd be annoying.
I tried sending email using Yahoo!'s web interface with 3 addresses in the "To" field today, and when I clicked "Send" it asked me to answer a Captcha, interesting..
What time is it/will be over there? Check with my iPhone app!
...that this is being pushed by a little fly-by-night company in Armonk.
1) Mobile user sets up notebook at new location and sends mail via the local mail relay.
2) FairUCE on recipient end bounces the mail because it can't find a relationship between the sender and the mail relay.
If the ISP blocks outbound port 25 access, you get a real catch 22. Can't use remote relay becuase of the port block. Can't use local relay because FireUCE will see that there is no relationship to the sender and block the mail.
This is an old idea. It can be implimented with procmail and a little perl. Few people do this, not for lack of tools, but simply because it is a bad idea.
). It claims to be able to 'stop a vast majority of spam' without the need for content filters, and 'virtually eliminates spoofed addresses, phishing, and even many viruses with a few cached DNS look-ups and a couple of if/then statements'.
Oh, yeah, and completely stop mailing lists from being usable. That, too.
I've had this working with Exim for a long time now. It's actually just a tickbox in cPanel. I actually think it's on by default for any host using cPanel, which are quite a few.
Tim Dorr
Owner/Manger
A Small Orange
My server receives over 140,000 spam messages a day over 300 domains. So, will this system be running this process several times a second, then sending undeliverable bounce back messages just as often? Great, even more server problems, brilliant idea guys. My favorite solution is a client side filter. Thunderbird is amazing. I'd rather see the world go that way.
Sorry. Won't work until all the if/thens are replaced by GOTOs. :P
FYI, any time (which is every time) I get a challenge for an email I didn't send, I immediately block the server because that kind of "solution" is nothing short of dropping their spam problem in my lap. Fair warning to anyone who thinks FairUCE is in any way a "Smart" answer to spam.
The only effective spam solution I've currently found is to have expiring email addresses. One easy way to set that up is to use subdomains that don't even resolve after a certain point. So you might have me@2004.example.com good for only three more weeks, or me@amazon.example.com good for as long as Amazon (or your "healthy" girlfriend) doesn't sell you out. You can get tricky, of course, and use subdomains that are not so easily subject to a dictionary attack or guessing.
- Connecting IP (immediate relay) - do a reverse lookup on it. Does the domain name match the domain name as the envelop sender?
- Take the domain name of the envelop sender and find alll mail exchangers for the domain. Do a reverse lookup on the connecting IP too. Do any of these domains overlap?
- Compare by network - is the connecting relay on the same network as the domain it claims to originate from (sender address)
Etc. As you can see this will definitely catch spam "forged" to come from domains like AOL, but the trouble point is that very often it's legitimate for mail to arrive from an unrelated network. Nothing about SMTP says it's wrong to put in the return address you want, despite the immediate relay delivering the mail.Have we not established a few basic tenets of the spamademic?
1. Spammers make money by using a disproportionate amount of bandwidth than what they pay for. Stopping spam from entering peoples' inboxes is less than half the problem. 70% or more of all SMTP traffic is UCE and everyone pays for that in higher costs and slower performance regardless of whether they have spam filters in place.
2. The majority of the anti-spam solutions (with the exception of RBLs) including the one related to this article, require extra time, bandwidth and resources on the part of innocent networks to deal with the spam problem. This is a step backwards.
If you want to stop spammers you have to stop them from stealing bandwidth. To date, the ONLY effective solution thus far has been relay blacklisting. This has several added benefits including: stopping propagating of worms/viruses, and forcing ISPs to police the illegal activities of their users and shut down nodes which are spamming through their network.
As an ISP, I have no interest in yet another costly anti-spam solution that I have to install that doesn't address the larger issue of the tons of bandwidth spammers waste on my network and every one in between. This system wastes even more resources by attempting to verify the source of every e-mail in an even more detailed manner than before, so the end result is: more computing resources needed, more bandwidth needed and slower mail service.
No thanks.
I'll patiently wait until the *inevitable* SMTP whitelist scheme that is the only true solution to stopping spam (unless the authorities decide to actually start prosecuting spammers for their crimes).
if/then statements automatically mean BASIC? Am I missing something?
How about this:
What is your penile percentile?
I uh hate to burst your bubble, but that is an if/else statement and not an in/then statement. And yes, there is a tremendous difference.
an example of an if/then in visual basic (I know, I know...but I NEVER program in it!!!!!)
If parent_knows_what_he_or_she_is_talking_about() Then
congratulate_him_or_her()
End If
an example of an if/then/else in VB (again, I apologize)
If parent_knows_what_he_or_she_is_talking_about() Then
congratulate_him_or_her()
ElseIf parent_has_no_clue() Then
ridicule_him_or_her_in_slashdot_fashion()
End If
get it?
But won't challenges look like spam servers probing your system.
And the license sucks, too. It is restricted to non-commercial use.
now we need to go OSS in diesel cars
if(sender.domain = spam.com){
:)
Move to spam folder
}
I think using Thunderbird to filter your shit is a lot better than using this
Have you metaroderated recently?
This package just isn't going to get very popular. It is restricted to non-commercial use (perhaps you can buy a license for commercial use). And you have to sign up with IBM to get a download just to see if it's any good. And then there's a lot of extra stuff you have to have to run it. Maybe I should work on my own GPL open source version of this and do it as a pure TCP proxy front end so it works on any mail server (even for Exchange on Windows if on a different machine or under some emulator).
now we need to go OSS in diesel cars
Here in the Netherlands the government wants providers to keep a log of all mail (http, ftp, whatever) traffic that goes over their lines. The providers are complaining, but in the end they will simply raise prices to compensate. Effectively I will be paying to be spied upon. And in the case of email, I will be paying to receive spam and then store it for five or ten years.
[...] verifies email by attempting to verify the sender through lookups (a user customized challenge/response)
Okay, so either (a) a user has to do a challenge/response simulation each time he or she wants to send/receive and email, or (b) it's automated... and a spammer could simply brute force/crack/automate themselves the challenge/response. I don't see how this would really work.
- dshaw
%choice = (
."\n\n" ."\n\n"
'type' => [ 'technical', 'legislative', 'market-based', 'vigilante' ],
'reason' => [
'Spammers can easily use it to harvest email addresses',
'Mailing lists and other legitimate email uses would be affected',
'No one will be able to find the guy or collect the money',
'It is defenseless against brute force attacks',
'It will stop spam for two weeks and then we\'ll be stuck with it',
'Users of email will not put up with it',
'Microsoft will not put up with it',
'The police will not put up with it',
'Requires too much cooperation from spammers',
'Requires immediate total cooperation from everybody at once',
'Many email users cannot afford to lose business or alienate potential employers',
'Spammers don\'t care about invalid addresses in their lists',
'Anyone could anonymously destroy anyone else\'s career or business', ],
'fail' => [
'Laws expressly prohibiting it',
'Lack of centrally controlling authority for email',
'Open relays in foreign countries',
'Ease of searching tiny alphanumeric address space of all email addresses',
'Asshats',
'Jurisdictional problems',
'Unpopularity of weird new taxes',
'Public reluctance to accept weird new forms of money',
'Huge existing software investment in SMTP',
'Susceptibility of protocols other than SMTP to attack',
'Willingness of users to install OS patches received by email',
'Armies of worm riddled broadband-connected Windows boxes',
'Eternal arms race involved in all filtering approaches',
'Extreme profitability of spam',
'Joe jobs and/or identity theft',
'Technically illiterate politicians',
'Extreme stupidity on the part of people who do business with spammers',
'Dishonesty on the part of spammers themselves',
'Bandwidth costs that are unaffected by client filtering', 'Outlook', ],
'objections' => [
'Ideas similar to yours are easy to come up with, yet none have ever been shown practical',
'Any scheme based on opt-out is unacceptable',
'SMTP headers should not be the subject of legislation',
'Blacklists suck', 'Whitelists suck',
'We should be able to talk about Viagra without being censored',
'Countermeasures should not involve wire fraud or credit card fraud',
'Countermeasures should not involve sabotage of public networks',
'Countermeasures must work if phased in gradually',
'Sending email should be free',
'Why should we have to trust you and your servers?',
'Incompatiblity with open source or open source licenses',
'Feel-good measures do nothing to solve the problem',
'Temporary/one-time email addresses are cumbersome',
'I don\'t want the government reading my email',
'Killing them that way is not slow and painful enough', ],
'about' => [
'Sorry dude, but I don\'t think it would work.',
'This is a stupid idea, and you\'re a stupid person for suggesting it.',
'Nice try, assh0le! I\'m going to find out where you live and burn your house down!' ]);
srand(time);
sub getIndex { return rand( shift() - 1 ); }
$post = "Your post advocates a"
.$choice{'type' }[ getIndex($#{$choice{'type'}}) ]
." approach to fighting spam.\nYour idea will not work. Here is why it won't work.\n"
.$choice{'reason' }[ getIndex($#{$choice{'reason'}}) ]
."Specifically, your plan fails to account for "
.lcfirst $choice{'fail' }[ getIndex($#{$choice{'fail'}}) ]
."\nand moreover I have the following philosophical objection, \nmainly "
.lcfirst $choice{'objections' }[ getIndex($#{$choice{'objections' }}) ]
.$choice{'about' }[ getIndex($#{$choice{'about'}}) ]
."\n\nSincerely yours,\nSlashdot anonymous random perl bot\n\n";
$post =~ s/ *\. */.\n/g;
print $post;
We all know that any automated solution will fail... spammers will find a way to beat the system. However, a human can always tell. Especially me.
Give me some time to whip up a psuedo anonymous system where all of your email is forwarded to my machine and I will read the subject line and the beginning of the message. From this, I will determine if it is spam or not. If I approve it, it goes to your inbox, otherwise it goes to your spam box. Headers from spam-marked messages will get automatically passed on to select spam-fighting associations. Whitelisted addresses will bypass me completely.
You may be trading off some privacy, but think of the benefits of a clean inbox. Don't worry... you can trust me with all of your email. And besides... it's not different than sending your email through an automated scanner like postini... any admin there can read your mail anyways. For that matter, your email can be read by any mail server administrator anywhere along the way to your inbox. In postfix, I could just add a line "always_bcc" and receive a copy of any email coming or going through my server. At least this way, you KNOW your mail is getting read... no questions about it.
If you need any more persuasion, try this: "C'mon! Just do it already! You know you like the idea!".
Please refer to RFC 2606 and use example.com, example.org, or example.net instead of things like "mydomainname.com"... and to foresee a funny followup... replace the final bit to "instead of things like "example.com""
"If we could just rewrite everybody mailer's with my new widget in illegible Perl or badly written C that breaks several RFC's I've never bothered to read, we will surely stop spam!" I've heard this sort of thing before, every few months for the past 10 years.
There have been dozens of these wildly espoused challenge/response systems over the years. They don't work because users hate them, because vital automated systems such as bill payment and delivery verifications can't get past them. Coupled with "sender pays" systems, they're almost always subverted within short periods and never can or will gain the acceptance of the user community enough to become effective.
A void method that returns a value? Oh dear oh dear :)
Simon
Yeah, thats right. For 3 (three) months, i havn't got a single SPAM that got through to my inbox.
Most of it gets blocked by a combination of Blacklists and firewall-rules, the rest gets flushed down the drain by a combination of Bayes- and other mailfilters.
From my Serverlogs i can see that only 'about 0.5-1% gets through firewall and the HELO-command of my server at all (out of about 200-500 Spams a day, varying with weekday). So i even reduced my mail-traffic quite a bit.
Look, this thing is totally safe! Built it myself, you know. You just press that button like this and then turn that lev
Oh, no. It looks like some high school freshmen accidentally plugged in his nifty-keen-gonna-make-millions-from-spammers generator of vaguely random text to confuse email filters.
You must be new here. Slashdot doesn't have editors that are capable of that.
I dont want to have any spam, even if its verified one.
If I want some Information about a product Id like to use, I go and search for it. If theres no need for it based on my intentions, theres no need for it based on the offer.
btw, why doesen't the acute-html-tag work?
Actually, it gives all the records as a response, its just that most PTR lookups only look at the first one, so since the order does the round-robin, the correct one will at best be the first response only 50% of the time (and that's if you have only 1 PTR record).
This begs the question: why would someone have more than 1 PTR record for a single ip? Because they are stupid, that's why.
could also be algol/pascal/modula/oberon
Conservatism: The fear that somewhere, somehow, someone you think is your inferior is being treated as your equal.
So it seems to me that I'm already doing as much work as I would have to do using this software, but the whitelisting I'm doing in Thunderbird is already 100% effective at filling my inbox with email I care to see. Anything suspect goes to a suspect folder (after my ISP has already had a go with their spam filters, certain ones don't even reach Thunderbird) so I can double-check if there's something important I'm watching for from an as yet unknown address. It's kind of a pain, but it works. I can't see a benefit from switching to FairUCE.
Similarly, responsible blacklists will demand credible evidence before listing a domain as a spam source.
Could you name names, i.e. the blacklists that you have encountered that are not being responsible?
Female Prison Rape in NY
Compiled BASIC is (about) as fast as compiled C -- for equally well-written code.
The notable exception is garbage collection. But, with the advent of decent garbage collection research over the last N-years, that really isn't much of a problem any more.
Do daemons dream of electric sleep()?
This usually happens when a normal user has an open relay on their computer - which forwards all email to the ISP's mail server. This causes the ISP's mail server to appear in the headers of all the spam and can get the ISP's server blocked - which obviously stops everyone else using it from sending email as well.
This definitely used to be a problem - I don't know if the blacklists have somehow sorted this problem though - maybe they only blacklist the first server now? I know my old ISP (Demon) had a few problems with that happening though.
It would be a lot better if you rewrote the verse lyrics, too. As it's written, it's just a waste of space. No creativity is displayed at all.
Something like:
I've got the hacktitude of a Redmond pro
I've got the legacy devices of a billion sold
I got My Rights Online back, but I don't seem to care
I got the compressed jay-pegs of sex with a mare!
TFP. HAND.
far too readable. please try again.
Most objections seem to be to the challenge/response mechanism. I'm persuaded that that would only be use in a tiny minority of cases by this system.
:-)
A bigger problem is the wide range of prerequisites: Java 1.4, JavaMail, Apache with modssl and mod-auth-external, Postfix 2.1. If you're not running x86 or x86-64, forget it. (Or Solaris, but who runs that?
Disinfect the GNU General Public Virus!
Also, wouldn't this just create a rash of false challenges that lead to spamming type material or websites?
Luck favors the prepared, darling.
So I'm supposed to send all my mail through my ISP's mailserver, for no good reason? Never mind that for example this will break any ESMTP connections between my - perfectly legitimate - SMTP server and my recipients.
I run a business SMTP server on the end of a DSL connection, and have for many years. The server in question is likely firewalled _better_ than my ISP's.
So tell me again why I can't use port 25 outbound?
Note that my ISP will _not_ give me reverse DNS control, nor make any changes on my behalf, despite my having a static IP.
If you're not living on the edge, you're just taking up space!
Some blacklists list known spammer domains, but these are fairly well confirmed via the ownership of the domain. Many lists skip the actual 'sending spam' part and just list all domains owned by certain spammers.
What you are describing sounds like what people who have IPs near spammers go through. Can you point to one of these hundreds of domain blocklists that has listed you incorrect at some point?
The only thing I can think of is that you're running an affiliate system and can't keep your affiliates under control.
If corporations are people, aren't stockholders guilty of slavery?
LANG=C doesn't work for me. I usually need LC_ALL=C.
- If someone else has a different challenge/response system then the automated systems will ping e-mail back and forth to each other and humans will never see it. If the systems are sufficiently dumb, you'll get a nasty mailing loop and fill up both users' quota/hard disk.
- Most spam has a forged address. If someone sends e-mail to 10,000 users with a c/r system with *your* e-mail address in the from header, you get 10,000 e-mails that day. Your only solution to this obvious problem would be to blacklist anything that looked like a c/r e-mail, thus breaking the system entirely.
- It increases the amount of traffic on the 'net. This is bad.
- About five million other reasons to do with netiquette and common sense. Will people never learn?
Oh? Then why does garbage collection *still* interact very badly with swapping?
When the active thread needs to access a piece of memory that has been swapped to disk, the thread will block. If the machine is otherwise idle, the garbage collector will run. The garbage collector starts bringing in several pages of useless memory, forcing out pages from the active set. The result: background garbage collection slows down the process by a factor of ten (experimental results).
I run a small web board, and already the e-mail address I use as the admin of that board gets flooded daily with crap like "I haven't actually received your message, click here to verify you are real". I finally got fed up with it and posted this response.
If you implement these, remember you get e-mail from more then just friends you know. Lets see, last week alone, I got 5 messages from companies like Dell from working on issues with them, and none of them are in my address book.
The proper solution is to ensure the outside world sees no difference unless it is spam. I never give my full address to a company, instead I use the postfix feature where anything after _ is ignored. Then I create a one letter alias for me to keep them short. If I get a lot of e-mail, it makes server side filtering into my IMap folders easy. And if one address gets hit by spam, I then block it on the server. It works well, and doesn't inconvenience the people e-mailing me.
"Thank you or ringing my doorbell. I am currently home, but did not hear the doorbell. To properly ring it, please run around my house, braving the dogs in back, and use the doorbell located next to the cat door on the deck. Then I might care enough to see who you are and let you in."
I haven't seen anyone post the BIG REASON why C/R systems won't work, so here it is again.
C/R relies on users being willing to respond to challenge messages, either by clicking a URL or by replying by e-mail.
As soon as C/R systems become commonplace enough, and users become accustomed to responding to the messages, spammers will simply craft their spam to look like challenge messages. Replying to e-mail will confirm the address (a win for the spammer), clicking the URL will deliver the reader to a web site full of pop-up ads and spyware (a win for the spammer).
Shortly after this, user willingness to respond to challenges will drop to zero, and challenge messages will be filtered out automatically by bayesian spam filters.
So, if there are any spammers reading this, PLEASE PLEASE start your next major spamming campaign by disguising it as a challenge message from one of these stupid C/R systems. That way we'll kill off the idea once and for all, people won't waste any more time building new (and mutually incompatible) C/R systems, and people with a clue won't have to put up with any more C/R advocacy from well-meaning idiots.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
We all know about how MS wants to change things by certifying email to cut down on spam. But what are the open source/free solutions to this? Wouldn't it be nice to have a peer certification network to certify servers running this FairUCE software? Better yet, to reduce the load of these servers, couldn't individual users run a certified version of FairUCE on their desktop to send out mail? I haven't thought this through long enough, so I'm certain my assumptions have lots of flaws, but isn't it an enticing option?
Linux at home
Hey man, no need for profanities. It was meant as humor. If email proxies are your life's passion and making light of them causes you great discomfort, you might simply turn away.
To the couple of slashdotters that modded me as troll, sorry my post wasn't up to your standars, but hey, it was an attempt at humor of some kind.
Have a nice day.
This message brought to you by Jack Schitt's Previously Shat Shit
That I almost never see any. (Maybe 2-3 per month)
I highly recommend cashette.com's E-mail service.
(Gross, vulgar plug by happy customer over)
The U.S. really needs an English to Wisdom dictionary.
This is an automated reply to your Slashdot post. Since your id was not found on my list of Slashdot friends, your post has been put on hold pending your confirmation. To confirm that the above post was indeed sent by a human, please quote the number "7006-533-7006" (and nothing else) in a reply to this confirmation request, after which your current post and any future ones by you will be immediately delivered to me for reading. You only need to do this once.
I'm sorry for the inconvenience, but this is a necessary step to prevent trolls and bots from ruining my Slashdot experience. If you find yourself bothered by the same, I encourage you to try this automated challenge/response system out yourself. Everybody on Slashdot should use it. Best of all, it's free!
In the case that you didn't send the aforementioned post, but you still received this confirmation request, please disregard it. If no valid response to the challenge is received within seven days, your id will be placed on my list of Slashdot foes, and you will not hear from me again. Thank you!
for some reason, I typed BASIC while thinking of Visual Basic... my bad. Compiled Visual Basic is always slow. (They may have fixed that in .net, but I'm not sure yet)
This message brought to you by Jack Schitt's Previously Shat Shit
What is so special about it?
Oh well, what the hell...
I'm getting beat up on slashdot.... shocking! :)
:-)
Ok, so I wrote this lil' thing when I got really tired of getting hundreds of spams a day. After finishing Robocode I decided to try a new game - spam. Believe it or not - and to my own surprise - it actually works. I'd just like to clear up a few misconceptions here and say a couple things:
1 - It is not a C/R system. I hate them too (especially Earthlink's, as my wife is so fond of harping on). FairUCE only reverts to C/R when it believes the mail is spoofed. And C/R is only used to establish identity, not prove you're human, so the challenges - I call them inqiries - are extremely polite and easy to respond to. The responses are digitally signed so difficult to spoof.
2. The determination of whether the mail is spoofed is not as simple as reverse DNS. Basically FairUCE wants the the smtp client to be in the same class B as any server in an MX, NS, or A record for any domain or parent domain of the bounce email address provided... or matching reverse DNS. You might be surprised how many senders fit this. In my experience it's very rare for a legitimate email to be challenged. FairUCE would find relationships for many of the examples posted in other comments here; have you actually tried it?
3. It's designed to be a fallback for SPF or other identity systems. If, as AOL and Microsoft (and I, now) believe, sender identity is the antispam wave of the future, then we'll need a fallback for what to do when those records don't exist. FairUCE is just one example; it happens to work today.
4. Yes, it may be a hassle to install it due to requirements. Sorry; first iteration, I wrote it to run on my own server. If you like it I'll make it better, or maybe you'll make a better one. The license is the one I had to choose to get it out there to you; all I'd like to do is show that sender identity works.
5. Here are my stats from yesterday:
Total incoming messages: 442
Messages accepted: 39
Messages rejected: 10
Inquiries sent to confirm sender's identity: 303
Inquiries sent to check sender's reputation: 87
Inquiries responded to: 0
--NEW-- senders: 3
- accepted: 0
- rejected: 0
- ignored: 3
Percentage of your incoming email that is spam: 90.5-91.18%
Percentage of spam blocked by FairUCE: 99.26-100%
6. To those concerned about the bandwidth taken up by the challenges: They go to a dedicated queue with a 1 hour (configurable, of course) lifetime, and they're tiny. IMHO I'd rather my server do a tiny bit of extra work to save me time, because I don't want to have a "spam" folder anymore. If you want, though, you can configure it so you have a spam folder and don't send challenges. Up to you.
I'm getting, uh, beat up a lot by people who insist that it can't work, and not just at slashdot. But for me it is working. YMMV, but I'm getting bulk email I want, mailing lists I want - neither of which were sent a challenge - and I'm pretty happy with a 99%+ success rate without looking at message content.
In summary, I don't think you've seen technology like this before; if you had, then I'd be running it. It IS different. It's not perfect. But maybe it's something to build on... I hope so anyway.
Thanks
-Mat
Setting "Precedence: Bulk" would seem to discourage reading, but at least it seems to be a common convention that vacation-mailers don't respond to it.
The real problem you've got is that of the 4000 unknown addresses that you received email from, as many as 1000 might have been from real people rather than spammers, but most of them didn't bother replying. It's possible that only 10 of them were real people, so maybe only a couple of the real people who'd sent you email you might have cared about didn't bother replying to your TMDA, but it's also possible that 992 of them didn't, i.e. 99% of the real senders. You can't easily tell, except of course for the undeliverable addresses which were probably forged (or else are on email systems that don't let strangers verify addresses any more because spammers abuse them.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Secondly, SMTP supports tagged addresses of the form username+tag@example.com, and your email client can filter on the tags. Unfortunately, that's not foolproof - many web forms choke on the "+", because it has syntactic value to CGI and they're not always bright enough to escape the character. (But almost everything can handle subdomain-format tags.) Also unfortunately, Pobox's forwarding service and .forward files and other mail forwarders generally don't know how to preserve the tags while forwarding mail, though sometimes they can at least forward the mail.
The biggest problem with tagged emails is that to use them effectively, your email client needs to keep track of them, so if you get mail addressed to tag-for-alice@username.example.com, your reply to it will come From: tag-for-alice@username.example.com and not From: somedefaultvalue@username.example.com, and if you're sending mail to alice@alice.com, your mail client will know to send mail from tag-for-alice@username.example.com or whatever the last tag was that you used to send it to that address. Also, your email client should keep track of all the addresses you've sent out, because you might want to handle mail from unknown tags differently.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But it isn't designed to block spammers, just forgers, and spammers are already starting to adopt SPF - so you can tell that mail you received really did orginate at bigspammer.com. This means that you can't use "SPF says it's plausible" to mean "it's not spam", so you'll still need to send them your TMDA if you want to prove they're a human.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks