Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Keeping Spambots Out: A New Anti-Spam System

By mb in Internet
Sun Apr 21, 2002 at 10:10:45 PM EST
Tags: Internet (all tags)
Internet

Day by day, millions of spam mails get dropped in our mailboxes - numbers steadily rising. There exist several techniques against spam, some of them have turned out to be quite successful. But in this article I will outline an anti-spam system which could be easier to use and more effective than the existing ones.


What is wrong with the filtering approach?

If you start to block unsolicited mail from your accounts there will always be false positives and negatives. As to false negatives, they will not cause much pain, since one or two spam mails a month is more entertaining than disturbing. But false positives - legitimate mails which get trapped in your filter - can be a real problem. Can you run the risk of not getting important messages from your friends, family, boss or customers?

Of course, there are sophisticated systems like Spamcop with which one has the option to move suspicious mails to special folders. Yet it is not much fun to review hundreds of mails to be sure not to lose an important message. And without having done that, you can never be sure.

The hiding approach

Spammers get their address lists through various channels. One of them is by tricking people into giving them their address voluntarily, e.g. when filling out the web form to subscribe to that hot new site. Or they buy customer data from companies which filed a petition in bankruptcy. There may be some other ways but the most important source for them is the WWW.
There, millions of addresses can be harvested for free, by searching web sites for all those telltale mailto: links.

If you keep your address off the web you are very likely to enjoy clean mailboxes, containing only birthday wishes from your little sister and confirmations of your last Amazon order.

There are already solutions for this:
On one hand, users can publish forward addresses which expire after a certain time or after a certain number of messages being sent (for example with Spamgourmet), on the other hand, web site operators do not publish email addresses directly but provide certain alternatives (as outlined in Stopping Spambots).

The first technique requires a lot of discipline on behalf of the user - one time being lazy and typing in your real e-mail address could give you of a lifelong supply with "Increase your investments/penis size"-like love letters.
The second one works better, because it puts the responsibility on the administrators. But, unfortunately, it is not - and will never be - implemented by all sites.


The new system: A centralised anti-spambot addressbook

The new system is nothing other than a centralised approach to the above-mentioned technique of not publishing the e-mail address directly.

Instead, it will provide registered users with an alias for their real e-mail address. But what is really new to this: the alias will not be a forward address to the real one. It is a key to obtain the real address of the user. The system will make sure that only human beings will be able to use that key.

To give an example first:

User A with email-address A@example.com registers with the anti-spam service, located at http://www.serviceXYZ.com. He will get the following aliases:
A-4082238@serviceXYZ.com to be used in mail clients and whenever only an e-mail address can be used.
http://www.serviceXYZ.com/users/A-4082238 to be used instead of mailto: links in web pages.

User B visits A's homepage and wants to write him a mail telling how great it is. She clicks on the Mail link (to http://www.serviceXYZ.com/users/A-4082238) and is presented with a web form which is asking to retype the letters and numbers displayed in the picture above (technology as used by Altavista). After she did that and submitted the form, she is given the real address of A (conveniently as a hyperlink).

User C reads an interesting mail by A in his biking mailing list and wants to contact A privately. So he clicks the reply button in his mail client and writes his mail to A-4082238@serviceXYZ.com. After a short time, he gets an automated reply which is telling him to go to http://www.serviceXYZ.com/users/A-4082238 to obtain the A's real address. (if A had been smart, he would have included a link to this URI directly in his mail signature)

So, what the system basically does is requiring everyone to prove that he is not a spambot before he gets the real e-mail address. Testing image recognition abilites is only one example of doing that, natural language questions could be another one (e.g. Which colour is the sky of?). The latter could also present an alternative to users without GUIs or blind people.

Ideally, this service should be backed by a renowned, non-profit organisation, thus users are more willing to give away their precious e-mail addresses and to become widely accepted.

And, contrary to filter systems, which depend on multiple users to report possible spammers, it will even work for one user. And once registered with the service, no further interaction on behalf of the subscriber is required.

Disadvantages

Of course, it will be a little disturbing for the others to go through these web forms when they want to know your e-mail address. But they have to do it only one time (and then save it in their book) and if they think it is not worth the hassle, their message would not have been important anyway, would it?

And, with increased acceptance of this service, it could be standardized and supported by the mail clients themselves.
(think of X-Real-Address: http://www.serviceXYZ.com/users/A-4082238.xml in the mail header) Whenever you want to add someone with this protection turned on to your addressbook, KMail will then display a picture/natural language question first.

Another problem is, that robots (by definition) cannot use these alias addresses. But the service could be combined with the existing technique of (expiring) forward aliases, in case you have to give your address to untrusted robots.
Of course, if you consider even the bugtraq mailing list manager to be an untrusted robot, this system will not make your anti-spam strategy much easier.

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o several techniques against spam
o Spamcop
o Spamgourme t
o Stopping Spambots
o technology as used by Altavista
o Also by mb


Display: Sort:
Keeping Spambots Out: A New Anti-Spam System | 83 comments (74 topical, 9 editorial, 0 hidden)
not _that_ new (4.50 / 4) (#2)
by Arkady on Sun Apr 21, 2002 at 02:30:27 PM EST

You've never sent an email to someone's public address and received an automatic response stating that you aren't on the approved list and requiring that you confirm your humanity through one of several ways before the bot will pass your message on? These are not commonly used but they've existing for a while.

They're better than a central system, as you're proposing for two significant reasons:

1) there's no central database of real email addresses to crack into and fiddle, for which there would be many motivations

and

2) since the user installs this on their own email account, it continues to protect them even if a spammer _does_ get their real address.

-robin

Turning and turning in the widening gyre
The falcon cannot hear the falconer;
Things fall apart; the centre cannot hold;
Mere Anarchy is loosed upon the world.


"Centralised" (1.00 / 1) (#20)
by mb on Sun Apr 21, 2002 at 04:49:28 PM EST

1)
This service could be provided by several organisations, ideally, every provider would set up such a service for his own customers. (one could define an open protocol, etc.)
With "centralised" in the article, I meant: not the user's duty.
2)
If he implements this on client side, he will still have to download the spam. And most users won't have a shell account.

[ Parent ]
How would you do this? (none / 0) (#26)
by John Milton on Sun Apr 21, 2002 at 05:39:08 PM EST

How would you go about setting up a whitelist system like that. I'm thinking about setting up an email domain for my family and friends, and I have been interested in setting it up with whitelists. Particularly, do you know of any way to achieve this with squirrelmail.


"When we consider that woman are treated as property, it is degrading to women that we should Treat our children as property to be disposed of as we see fit." -Elizabeth Cady Stanton


[ Parent ]
Oops (5.00 / 1) (#35)
by John Milton on Sun Apr 21, 2002 at 07:19:42 PM EST

Now I feel silly. I must have missed that plug-in on the squirrelmail page.


"When we consider that woman are treated as property, it is degrading to women that we should Treat our children as property to be disposed of as we see fit." -Elizabeth Cady Stanton


[ Parent ]
Simple and effective: whitelists (4.76 / 17) (#4)
by tmoertel on Sun Apr 21, 2002 at 02:44:02 PM EST

The most effective and painless technique that I know of (and presently use) is the "whitelist" method: You keep a list of people that you allow to send you email, and everybody not on the list must authenticate themselves (typically by replying to a challenge email) before their email will be released from a holding bin and delivered. Spammers almost always use bogus sender addresses, and so challenge requests for spams bounce and aren't authenticated.

I've been using TMDA, a Python-based whitelist system, for about a year now, and it works beautifully. I have had only a handful of spammers authenticate their spams, and they were are easy to weed out. The vast bulk of the spam I have received, probably 30 emails a day, was automatically routed to the holding bin, never authenticated, and eventually deleted -- all without any effort on my part.

If there is a downside to whitelist systems, it is that they sometimes hold legitimate email sent by automated agents until you notice them and add them to your whitelist. In practice, this isn't a big deal. I scan my holding bin once a week or so, and legitimate emails jump right out at you.

Whitelists work. I can't imagine an easier, more effective system.

--
My blog | LectroTest

[ Disagree? Reply. ]


Pushing out the burden (4.25 / 4) (#30)
by Aquarius on Sun Apr 21, 2002 at 06:20:20 PM EST

I can't stand systems that require me to prove that I have the right to send you mail. Essentially, what you're doing is making everyone who mails you for the first time go through a process because *you* don't want to get spam. Fine, you don't want spam. Why is this *my* problem? Why should I have to jump through your hoop when I'm already mailing you out of the blue for some reason? Pushing out the responsibility for keeping your mailbox clean onto other people rather than sorting it yourself seems like the height of bad manners to me.
"The grand plan that is Aquarius proceeds apace" -- Ronin, Frank Miller
[ Parent ]
eh? (4.80 / 5) (#44)
by PresJPolk on Sun Apr 21, 2002 at 10:24:53 PM EST

By sending me a mail, you're the one making a demand on my time and my mail server.

You're a guest. The least you can do is knock and wipe your feet before you enter.

[ Parent ]
You have no right to send me mail (5.00 / 2) (#45)
by Skapare on Mon Apr 22, 2002 at 02:33:55 AM EST

You have no right to send me mail, so you can't prove that you have any such right. Your mail is accepted at my pleasure, if you send it to me. I can choose to reject it because I don't like to receive mail from mail servers who's IP address modulo 13 is equal to 7, if that's my choice. In reality, I block a lot of servers from access to my mail servers simply because of the lack of ability to distinguish between junk mail and normal mail before it is delivered. If you're using one of those servers and you want to send me normal mail, choose a different server where spammers are not known to be present. If your ISP is run my a bunch of nimwits that run an open mail relay, change ISP. If that's the only one in town, move or start one of your own.

The whitelist method is merely what most people do with their mail, made automated so they can spend their time doing other things instead of sorting through all the junk mail, or switching to the mail client when it chimes just to read some story about being kidnapped in Nigeria. You CAN send me mail, but I don't have to accept it. If I don't know who you are, I might not accept it. What the humanity test does is tells me a little bit about you ... that you are a human being (OK, well, maybe you're a dog and nobody really knows on the internet). That might change my mind about accepting your mail. In fact, it probably will. The whitelist implementation just automates all this process.

Think of it this way. The whitelist is really a mechanism to keep out all mail from anyone I don't know. The HOOP you refer to is NOT the whitelist ... it's what lets me add you to the whilelist so you don't have to go through the hoop the next time.



[ Parent ]
OK, fair enough, I have no right (none / 0) (#78)
by Aquarius on Mon Apr 29, 2002 at 10:46:16 AM EST

But, if I have no right to send you mail, then don't ever post to Usenet. Or make your mail address available on K5, like you do. What's the point? Anyone who already mails you already knows your address, and no-one else has the right to send you mail. I'm not sure I understand your distinction here. I can understand hoop-jump whitelisting on the part of someone who keeps their email address secret (imagine if you were, say, Tom Clancy, or someone else who would get a mountain of mail). But if you publish your address, surely you're implicitly saying to people, look, here is my email address, mail me if there's something that you think I might find interesting. If I drop a bit of time out of my day to, say, let you know that your webpage doesn't render properly in the latest version of Mozilla (which I've done for a few people recently because I thought that they might find it useful), and your response is, well, you have no right to send me mail, so prove that you should be granted that right and maybe I'll listen, then I'm less inclined to be helpful.
"The grand plan that is Aquarius proceeds apace" -- Ronin, Frank Miller
[ Parent ]
A handful of spammers? (5.00 / 1) (#48)
by Skapare on Mon Apr 22, 2002 at 02:51:39 AM EST

A handful of spammers have authenticated their spams? Could you post their email addresses? Maybe we should as ask for CC numbers :-)

One thing I have found that cuts out a lot of spam is (and obviously you need control of your MX directed server to do this) is reject everything from any SMTP connection IP address which has no PTR record (reverse DNS), or the name in its PTR record does not resolve to a set of IP addresses which includes the connecting address. In the last 9 months of doing this, My server has rejected over 80,000 messages, and of these, only 4 were found to be legitimate messages. Of those 4, all of the administrators were notified to fix their DNS, and 3 did, and 1 did not. The sender whose mail was rejected from that 1 that did not fix their DNS switched to another ISP.

I also have a big list of subdomains that represent dynamic IP pools, which I do not accept SMTP directly from (anyone running their own mail server on these needs to forward through their ISP's mail server, or get a static IP with either a distinctive domain name that validates reverse to forward correctly, or tell me your IP which I can add to an IP whitelist). I also block China, Korea, Hong Kong, and Taiwan (based on addresses from APNIC, TWNIC, and KRNIC). And I use a few DNS based blacklist services. Even with all that, I still got 2 spams today. But my logs also show about 50 blocked.



[ Parent ]
Approach I'd like to see (4.14 / 7) (#7)
by tombuck on Sun Apr 21, 2002 at 03:13:33 PM EST

(this may exist, but I've only done the most cursory searches, and I really don't have the time myself, yet)

I want to set up rules based filtering system. Nothing new, you might say. However, unless the from address is from someone I know, it'll go to the filter which'll have as many rules in it as I can muster. This will catch a lot of legitimate mail as well. The solution? Well...

An email is sent back to the from: address with an reply-to address of something like [MD5 hash]-check@mydomain.com

The MD5 hash is only valid for one message and a new one is generated for each and every possible spam mail received.

So, the user can then re-send their mail to that address and it'll get through. However, once that one mail has been received, the email address given is no longer valid, and all mail directed there once again goes through the filtering process.

One day I'll get around to it.

--
Give me yer cash!

Problem (3.66 / 3) (#19)
by leviramsey on Sun Apr 21, 2002 at 04:40:37 PM EST

That approach has more than a few issues associated with it, at least as I see it. Number one is the hassle you're imposing on people wishing to communicate with you. Many people do not keep the emails they send out (I, for instance, do not). These people may not be willing to retype their email to you.

Maybe a better idea is to send the text of their email back, at least allowing them to cut and paste.



[ Parent ]
Remember (none / 0) (#74)
by aspartame on Tue Apr 23, 2002 at 03:16:41 AM EST

Remember that only the emails that trip the spam-finding regexs get bounced. The hoopjump system is only for the occasional false positive.

--
180 times sweeter than sugar
[ Parent ]
Personally (none / 0) (#75)
by tombuck on Tue Apr 23, 2002 at 06:32:55 AM EST

I felt that quoting the original email went without saying... evidently not.

--
Give me yer cash!
[ Parent ]

Ugh (4.41 / 12) (#8)
by rusty on Sun Apr 21, 2002 at 03:16:45 PM EST

I loathe hoop-jumping systems. I refuse to participate in them. There are already systems like this, where you have to reply to an auto-response to prove your non-spamhood. In my view, systems that generate automatic replies to emails are just as bad as spammers to begin with. Anyone using one of these "prove your worth" systems should be aware that they will never ever receive email from me, at least.

There was an extraodinarily long thread about this on l-e recently. See "ruben's stupid filter."

____
Not the real rusty

You mean... (5.00 / 5) (#9)
by pwhysall on Sun Apr 21, 2002 at 03:29:43 PM EST

...like the K5 user sign up process?

/me runs away
--
Peter
K5 Editors
I'm going to wager that the story keeps getting dumped because it is a steaming pile of badly formatted fool-meme.
CheeseBurgerBrown
[ Parent ]

That's different. :-) (NT) (5.00 / 1) (#14)
by rusty on Sun Apr 21, 2002 at 04:23:02 PM EST



____
Not the real rusty
[ Parent ]
Not very different (4.00 / 3) (#21)
by Mysidia on Sun Apr 21, 2002 at 04:51:29 PM EST

Prove your address works to send e-mail versus prove your address works to post a comment?

The issue I have with these things is that they often involve too much work for the sender. Particularly when I get those things when posting to a mailing list, I usually either ignore them or forward a message to the list owner asking them to remove the person I got it from.

If they only involved replying to the message, they would be barely tolerable, but they don't -- usually they involve going to some URL, sending the message again to a new address, or doing something resulting in it being too much an inconvenience to bother with



-Mysidia the insane @k5
[ Parent ]
Our system (5.00 / 1) (#46)
by rusty on Mon Apr 22, 2002 at 02:42:04 AM EST

The reason I feel like I can justify the "prove you're not a script" step here is because someone using a script to generate and control a lot of accounts could seriously screw up the site. Basically, the hoops are not for my protection, they're for everyone else here.

On an individual basis, I don't see why I should jump through hoops just for your convenience (er, not you in particular, but "you" in general). I mean, people are totally free to use those things if they want. Just like I'm totally free to say "Well, guess they didn't want to hear from me after all" when I get a bounce back from one of them. :-)

____
Not the real rusty
[ Parent ]

Bots send important messages too (2.50 / 2) (#27)
by BlowCat on Sun Apr 21, 2002 at 05:44:29 PM EST

I would hardly find it annoying to prove that I'm a human. However, one could miss an important message from a bot.

[ Parent ]
Ugh (5.00 / 1) (#49)
by Skapare on Mon Apr 22, 2002 at 03:13:22 AM EST

The hoop-jumping is only ONE TIME, and only for mail going to people you haven't sent mail to me before. Of course these things do have some technical problems, such as when you sign up for a web site account which wants to validate you by email (don't you hate those, too?) ... how will the validation mail get to you?

I don't actually have such a thing set up, yet. But I plan to. My solution to the web signup problem is to use distinctive email addresses for each account, which won't be affected by the whitelist initially. Also, I'm looking into a combination of content testing using a very liberal spam check (potentially many false positives) in conjunction with the reply-response. If mail fails the whitelist AND fails the spam content test, THEN the sender has to respond to get on the whitelist. Hopefully that will reduce the number of times people have to do that. If your mail is clean, it won't do that to you. If you talk about your new penis enlarger, or talk about printer toner, or relate your experiences being kidnapped in Nigeria, then expect to the HOOP the first time.

While I don't specifically agree with you regarding the hoop-jumping issue, I can certainly see that we have many different kinds of things going on to deal with a problem we really never should have. It's not unlike terrorists making us have to endure long lines at airports (I don't fly commercial anymore, not from fear of being hijacked, but just from all the hassle at the airport). So in a sense, spammers are like terrorists, making us have to do unpleasant things online.



[ Parent ]
Social contract (5.00 / 2) (#61)
by dennis on Mon Apr 22, 2002 at 12:40:35 PM EST

You're making several presumptions:

1) That you're doing me a favor by emailing me. This is not necessarily the case - you're asking for my attention, and I may be sufficiently rewarded for giving it to you, or I may not;

2) That your email is in fact so rewarding that it's worth the effort on my part to wade through a bunch of spam to see it; and

3) That you've so finely calculated the cost of your time that it's worthwhile to send me the first email, but not worthwhile to spend an additional ten seconds to reply to my auto-challenge, which you only get if neither of us has emailed the other before.

The reason we have a spam problem is that we have a faulty social contract, which says I should read any email that anyone sends me. This is a good contract, as long as everyone abides by the implied corollary: that everyone will try not to send me email that wastes my time. You, I'm sure, make every attempt to abide by that corollary, but unfortunately many people do not.

We can fix the problem simply by amending the contract: I'll try to read all the emails I get, if senders who've never emailed my before will do me the slight courtesy of proving they're not spambots. If this had been the agreement from the beginning, no one would think twice about it, and instead of complaining endlessly about spam and proposing legislation and blocking all the IPs in China, we'd spend a few extra seconds introducing ourselves to new recipients. Heck, we could start using open relays again.

There are various ways it could work, and it wouldn't necessarily need a centralized system. It needs to be very easy for the sender - see a question, type a response, that's it. And we'd need to be able to give individual forwarding addresses to businesses, from whom we want to get email sent by machine. Those businesses don't need to know our public email addresses.

Sooner or later, I'd bet, we'll all be doing this, and the very idea of manually sifting through piles of machine-generated crapmail will seem laughably unnecessary. Using automated filters to detect spam will be an endless arms race; blocking open relays or IP ranges interferes with legitimate email; but a simple ten-second challenge knocks out the problem completely and permanently.

[ Parent ]

Limited use emails (2.00 / 3) (#12)
by gnovos on Sun Apr 21, 2002 at 03:52:54 PM EST

My favorite these days is the limited use emails. You use them once or twice and they automatically expire.

A Haiku: "fuck you fuck you fuck/you fuck you fuck you fuck you/fuck you fuck you snow" - JChen
That isn't where spam comes from (3.00 / 3) (#13)
by Hopfrog on Sun Apr 21, 2002 at 04:07:14 PM EST

My pop registered recently with hotmail, having just got internet. 2 weeks later, he phoned me breathless, telling me he was receiving hundreds of emails from people he didn't know. I logged into his account, and he had gotten about 1000 spam emails.

It turns out he had registered at some joke sites, some quote-of-the-day sites, and some other things he thought would be entertaining.

And of course, those people must have given out his address to the Spam Factory (c).

Hop.

My mail server gets lots of those (5.00 / 1) (#50)
by Skapare on Mon Apr 22, 2002 at 03:21:53 AM EST

My mail server gets lots of those. And they are addressed to userids that never even existed. And they keep coming despite the clear 5XX SMTP rejection for invalid address (or in some cases because they are listed on an anti-spam blacklist I use). The fun part is tracking down someone (like the CEO) at those places, getting their email address, and setting up a forwarding of those email addreses to that person. Trouble is, there are too many of them to deal with.



[ Parent ]
Handy hint (4.00 / 2) (#56)
by gazbo on Mon Apr 22, 2002 at 04:57:14 AM EST

When talking about email, it's best not to refer to your 'father' as 'pop'.

Those of us who can no longer function in the real world thought you meant something else by 'My pop registered recently with hotmail'.


-----
Topless, revealing, nude pics and vids of Zora Suleman! Upskirt and down blouse! Cleavage!
Hardcore ZORA SULEMAN pics!

[ Parent ]

SpamAssassin (3.85 / 7) (#15)
by leviramsey on Sun Apr 21, 2002 at 04:30:45 PM EST

I've used SpamAssassin for a few months and it works beautifully. It's a collection of Perl regexps which have weightings. Mails with a score greater than a configurable threshold get an X-Spam-Status: header and their subjects mangled. It can query OR databases, Vipul's Razor and other means of spam detection.

The problem with your proposal is that it wrecks the Internet (arguably as badly as spammers, but at least not as badly as the RBL implemented by AboveNet).



Amen, brother (none / 0) (#58)
by tzanger on Mon Apr 22, 2002 at 09:43:26 AM EST

SpamAssassin rox muh sox.

I have set it up on our modest 4000-user ISP and have been getting rave reviews about it. I've had to do some score tweaking and added some rules (mainly to subtract score for "Fw:" and messages with valid MSN and Hotmail footers) but the amount of SPAM we trap is unfathomable. We're talking on the order of 5-7kspam/day.

I had to nursemaid the system for about a week to finetune the scores (going through all that spam by hand isn't fun, but sorting by subject really helps) but now it works great. We don't delete spam directly; we file it into an IMAP folder for 30 days and then erase it from there (in case someone calls about missing email). Users have a nice little CGI they can use to turn it on and off, and since we use Postgres to store all the customized scores we could theoretically let them tune their own scores.

Something I want to add in the future is the ability to plain-out erase emails with scores > 10.0 and keep everything else for 30 days, and write a SquirrelMail plugin which gives them access to the spam folder, filtered on email scored as spam but destined for them. All in time, I suppose. :-)



[ Parent ]
Am I the only one? (3.00 / 4) (#18)
by codespace on Sun Apr 21, 2002 at 04:38:44 PM EST

I don't use any spam filtering 'service', I don't have rulesets designed to filter my spam, nothin like that. I just delete what little spam comes my way manually.

_____
today on how it's made: kitchen knives, mannequins, socks and hypodermic needles.
you're normal (4.00 / 1) (#22)
by damiam on Sun Apr 21, 2002 at 04:53:49 PM EST

Most people I know do nothing to stop spam. I have a few filters (basic stuff, filtering out "get rich quick", etc), but they haven't been triggered for a while.

[ Parent ]
What if (3.66 / 3) (#23)
by mb on Sun Apr 21, 2002 at 04:54:12 PM EST

it won't remain "little spam"?

[ Parent ]
A simple method (3.60 / 5) (#24)
by damiam on Sun Apr 21, 2002 at 04:56:32 PM EST

One of the easiest ways to avoid spam is to filter everything which doesn't have your email address under the "To:", "CC:", or "BCC:" headers. That's pretty much the only filter I use, and it catches more than 90% of the spam I get.

Huh? (4.66 / 3) (#25)
by pschap on Sun Apr 21, 2002 at 05:14:29 PM EST

If you can see the Bcc header in a message that you're a recipient of, then something is horribly wrong. B stands for blind, no?

--
"I have always believed that the true mark of success is when you make it into some complete loser's sig." -- Parent ]
well (3.66 / 3) (#31)
by damiam on Sun Apr 21, 2002 at 06:41:45 PM EST

I don't get many bcc'd messages, so I'm not sure. But IIRC, I've always been able to see my own name, but no one else's.

[ Parent ]
And it turns out... (4.75 / 4) (#33)
by pschap on Sun Apr 21, 2002 at 07:15:19 PM EST

...that you are right. I looked at the latest rfc for email (rfc 2822). Apparently Bcc fields can be done in one of a number of ways. The first way is to just send the message to everyone (including Bcc recipients) but without the Bcc header at all. This is what I'm used to. The other ways are variations on removing the Bcc header to the visible recipients and leaving it in for the invisible recipients. This is what you're used to. It must depend on how your MUA (or possibly your MTA, I don't know what level this work gets done on) is configured.

Hey, live and learn :)

--
"I have always believed that the true mark of success is when you make it into some complete loser's sig." -- Parent ]

Where it happens (5.00 / 1) (#51)
by Skapare on Mon Apr 22, 2002 at 03:28:22 AM EST

It would be done at the first point where a message gets an SMTP envelope on it. Once the envelope is present, the addresses in the RFC822 layer are not processed (lest other MTAs end up duplicating the email to everyone in the RFC822 layer again ... and I've seen this happen with Lotus Notes in it's early days of SMTP capability). So it is generally going to happen at the sending MUA as it delivers to the first MTA.



[ Parent ]
Relying on your recipient jumping through a hoop (5.00 / 4) (#28)
by pw201 on Sun Apr 21, 2002 at 05:49:49 PM EST

is bad. If you actually want people to email you, you should make it as easy as possible. Also, things like TMDA won't scale (and it's not clear what happens when one TMDA user sends mail to another for the first time, unless they've sorted that out now).

One thing which doesn't seem to get much publicity is the Distributed Checksum Clearinghouse (DCC). A server-side solution. The server takes a hash of the text of all incoming mail. The hash is made a little "fuzzy" (currently by ad-hoc methods) so that similar messages with some oft-used hashbusters in ash to the same value. Co-operating servers share their hash counts. Bulk email is caught by this system. Solicited bulk email (that is, mailing lists) is allowed through by whitelists.

The difference between this system and the more often mentioned Vipul's Razor is that the DCC takes humans out of the loop as regards detecting bulkiness (since Razor relies on people reporting spam to its servers). It is possible to argue that the DCC is more complicated because it requires a whitelist, but a little thought will show that sensible people will be using a whitelist for Razor too.

Another solution relying on the fact that spam is sent in bulk is proposed by the Campaign for Real Mail. In this system, all new senders "pay" to send email by using hashcash (that is, spending time computing hash collisions) as a stamp. This is easy for someone mailing to a few recipients, but hard for someone mailing to many millions.

Alas, since this isn't part of the current mail system, there will be bounces with postage due before everyone adopts it. So I'm not sure it'll go anywhere until spam gets much much worse. Still, nice idea.



Hoop jumping, and a simpler solution. (3.50 / 2) (#29)
by piman on Sun Apr 21, 2002 at 06:15:35 PM EST

I have to reiterate all the comments others have made about this being unnecessarily complex. While the idea is sound, it's not going to fly, because no one wants to wait to get the real address, let alone deal with going to a web page and filling out some information.

I've left my (real, linked to) email address on the bottom of my site for as long as I can remember (at least 2 years). I get somewhere between 5-10 spam emails a day on average. However, they're almost all filtered out by something that looks at To: and Cc: - if the strings "piman" or "wres0003" aren't in them (and they're not dealt with by a mailing list filter I have which runs first), they go to a "Spam" folder. I scan Spam about once a month to check for false positives.

So far, I've found one false positive in about 7 months of doing this, and I get 1-2 false negatives a month. Which I consider pretty good for someone whose email address is plastered all over the Internet.

(Oh, and these filters aren't some deep procmail magic; they're made in Evolution's GUI filter editor, so anyone can do it. :)

Hotmail (4.00 / 2) (#32)
by delmoi on Sun Apr 21, 2002 at 06:52:06 PM EST

I'm supprised that still works. Hotmail added that filter capability, and now it seems like half the spam I get is directly addressed to me
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
Another possible solution (none / 0) (#43)
by piman on Sun Apr 21, 2002 at 09:35:26 PM EST

That probably explains why I've been seeing 1-2 a week rather than the 0 a week I saw a few months ago.

Another (relatively simple) filter I have is a whitelist for HTML email; anyone not on my "approved" list (which is a whole two people long :P) gets their HTML email moved to Spam.

[ Parent ]
Simple filter - (3.80 / 5) (#34)
by gordonjcp on Sun Apr 21, 2002 at 07:19:20 PM EST

just search any mail for the phrase "This is not spam!" and delete it, safe in the knowledge that it is, most certainly, spam.

Give a man a fish, and he'll eat for a day. Teach a man to fish, and he'll bore you rigid with fishing stories for the rest of your life.


Good point (3.66 / 3) (#38)
by John Thompson on Sun Apr 21, 2002 at 08:03:42 PM EST

gordonjcp wrote:

just search any mail for the phrase "This is not spam!" and delete it, safe in the knowledge that it is, most certainly, spam.

You may also want to filter out any message with more than three exclamation marks ("!!!") or dollar signs ("$$$") in a row because no sentient being would do such a thing in a legitimate message.



[ Parent ]
Ah but you forgot the best one (5.00 / 3) (#55)
by Quixato on Mon Apr 22, 2002 at 04:36:17 AM EST

Honestly, if Hotmail would allow me to search the subject body for this phrase, I probably would get 99% less spam then I do currently:

"Click Here"

I don't think a single legit email has come through with those words.

"People are like smarties - all different colours on the outside, but exactly the same on the inside." - Me
"Learn to question, question to learn." - Sl8r
[ Parent ]

Ahh... (none / 0) (#64)
by John Thompson on Mon Apr 22, 2002 at 05:26:04 PM EST

Quixato wrote:

Honestly, if Hotmail would allow me to search the subject body for this phrase, I probably would get 99% less spam then I do currently:

"Click Here"

I don't think a single legit email has come through with those words.

I already filter out all html email so I don't see those anyway... :-)



[ Parent ]
bullet -> foot (none / 0) (#72)
by k2r on Mon Apr 22, 2002 at 10:37:21 PM EST

Hotmail tends to add signature-lines like

"MSN Photos is the easiest way to share and print your photos: Click Here"

I agree that hotmail sucks but filtering by the signature looks somewhat - er - indirect to me :-)


[ Parent ]
My procmail filter (none / 0) (#60)
by KWillets on Mon Apr 22, 2002 at 11:30:59 AM EST

Used to have that and a bunch of other catchphrases. It worked pretty well.

[ Parent ]
Keywords (5.00 / 1) (#68)
by Majromax on Mon Apr 22, 2002 at 06:46:04 PM EST

Since most of this spam likes to pretend it's a legitimate list, take any mail with "remove" (as in "remove me from this list") in the body as suspicious.

You get an annoying level of false positives (5% or so), but used in combination it would certainly work well.

[ Parent ]

That was one of them (5.00 / 1) (#73)
by KWillets on Tue Apr 23, 2002 at 02:33:32 AM EST

I think it was:

[Cc]lick( here)? to remove

I think I gave an automatic boost to the word "herbal". It was pretty fun to think of new rules. I used to collect spam to test the filter.

[ Parent ]

False premis: spam filters are not effective (5.00 / 4) (#37)
by kmself on Sun Apr 21, 2002 at 07:58:29 PM EST

Your premise that spam filtering cannot reach accceptable values of both sensitivity and specificity are mooted by the fact that current systems do. And with far less bother than the hoop-jumping you propose.

I sit as the default email address for over 600 domains. I get get about 40 spam items daily (you'd expect more, but, hey, I'm not complaining).

Since February, I've been running spamassassin on all mail I receive.

The results:

  • Total mail: 40,000 items.
  • Spam: ~3200 items.
  • False positives: ~50 items.
  • False negatives: ~150 items

My overall rates are ~96% true positive, ~4% fales negative, < 1% false positive, and > 99% true negative.

Used in conjunction with other filtering rules, and spamassassin's own whitelists, you can eliminate the possibility of reporting your boss, clients, and cow-orkers.

Spamassassin itself uses something similar in regards to what you propose -- a collectivized ruleset. However, that ruleset is more generalized than what you propose. It's also not a hoop-jumping excercise, discussed in the linux-elitists thread Rusty pointed out. Rusty's own intentional Spamassassin triggering aside, chances of someone I know generating a positive response from SA are slight, though non-negative. I do deal with people who discuss SSNs and statistics, which seem to produce triggers.

Finally, SA itself can be merely a filtering/tagging tool. I've heard from several people who are violently opposed to any mechanistic processing of mail (what then of my standard procmail filters?). To them: this is merely a tool, and like others. It can be misapplied. But in user control, or as an advisory to users, it is tremendously useful.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

People are lazy (4.50 / 4) (#39)
by BloodmoonACK on Sun Apr 21, 2002 at 08:32:12 PM EST

From personal experience I can tell you why this wouldn't work: People are lazy. They wouldn't want to go through this hassle to get an E-Mail address.

I don't know if this has already been tried, but wouldn't it be easier to just have a lot of honey pots out on the net with fake e-mail addresses? Then, whenever you get 100+ e-mails from the same source, you could filter it...I dunno.

"It's like declaring a 'war on crime' and then claiming every (accused) thief is an 'enemy combatant'." - Hizonner

Ach (3.33 / 3) (#40)
by axxeman on Sun Apr 21, 2002 at 08:38:38 PM EST

But what happens when your "trusted", "non-profit" organisation goes bankrupt and sells all the real emails to spammers, hmmm?

Trust no-one ;p

Not yet. Don't come before we have finished humping...

Foolproof filters (4.50 / 4) (#41)
by J'raxis on Sun Apr 21, 2002 at 08:41:00 PM EST

I’ve set up my filters to only allow mail from known senders, or sent to specific J'raxis.com-administration addresses like webmaster@, postmaster@, etc. Mail from anyone else is bounced and stored in a quarantine box that I only check once in a while. The bounce is a message telling them how to resend manually (usually by including specific text in the subject header), and explaining that they do not have permission to send certain kinds of mail (spam, HTML, etc.). The bounce message itself is sent from procmail-bounce@ so any bounces it generates go to a third mailbox.

Everyone I know, and few whole domains (such as work and college) are on the OK list, everyone else gets the bounces. If they’re too lazy to resend properly, I don’t care to see their message.

— The .procmailrc Raxis

[ J’raxis·Com | Liberty in your lifetime ]

work distribution (3.00 / 1) (#57)
by PigleT on Mon Apr 22, 2002 at 06:29:47 AM EST

There's one reason I won't adopt your approach. It's selfish. It makes everyone else do the work for you, so that the spammer is identified. Let me guess, do you like removing munging from email addresses? Do you like resending mails up to 3x over in order to get one through? Now why do you inflict that on other folks?

As for the article at hand, I think the business of clicking on links to go via some intermediate anonymiser site is a useless waste of time; if you use this "service" site to post to a mailing list, what's to stop someone running a bot across the list archives and submitting all the addresses, so *you still get to see the spam*??
And exactly *how* does the indirection make it any easier to see that the Lovely Lucy at the other end is a real live humanoid, that I couldn't have worked this out myself by watching the poster's behaviour over a little time?

Personally, I go for the tracking system; I've got a couple of whole domains to myself, and can fabricate "k5@some.domain.tld" on demand if I really want to sign up here.
I've also found that filtering by the RBL and using Spamassassin has been the best thing since sliced bread as well.
~Tim -- We stood in the moonlight and the river flowed
[ Parent ]
Mine, mine, mine... (4.50 / 2) (#66)
by J'raxis on Mon Apr 22, 2002 at 06:39:13 PM EST

Sorry, but it’s my mailbox, residing under my quota at my hosting provider, then I download it taking up my time and my hard drive space. If someone wants to send me something uninvited the least they can do is follow my instructions.

If we were talking about putting these kinds of limits on some hypothetical public forum I might be in control of, you’d be right; but again, this is my private mailbox. You don’t have the right to stuff anything you want in there however or whenever you want. (Since I have a 5 MiB quota, I also have a filter deleting all messages greater than 2 MiB. It notifies the sender of the deletion, but doesn’t move the message to a quarantine box like the spam mails.)

— The Raxis

[ J’raxis·Com | Liberty in your lifetime ]
[ Parent ]

Wrong (none / 0) (#69)
by PigleT on Mon Apr 22, 2002 at 07:03:56 PM EST

Actually, I have every right to read any posting of yours in a public forum (Usenet was the first that springs to mind, followed by this august weblog) and take a conversation offline to email. So does everyone else. You'd be very hard pushed to classify this as "spam" or somehow "unauthorized".
In the process, I do *not* expect to have to work around your arbitrary restrictions.
(I've seen a few such systems before - business of "I've not seen you before, please reply with magic-word in the Subject:" or whatever, and have almost invariably abandoned it as a lost cause.)

As I said before, it's placing a ludicrously unfair burden of workload in the wrong place. Consider why we don't -generally- believe in a "just press delete and have done" approach to spam. The cost of you pressing the magic DELETE button for some legitimate mail is far less than you telling *everyone* who might want to email you to go through some hoops - for stuff that isn't even their fault!!

To me, that really stinks.

Do something useful - direct your venom where it belongs, invest some time in the existing rather good "technologies" such as spamassassin and Vipul's Razor, and improve those for the rest of us. In the process, you'll find them incredibly efficient at stopping real spam as well.
~Tim -- We stood in the moonlight and the river flowed
[ Parent ]
You do? (5.00 / 1) (#71)
by J'raxis on Mon Apr 22, 2002 at 09:27:15 PM EST

First off, you should notice that neither Kuro5hin, nor Slashdot, nor Fark, nor any of the other minor weblogs I visit even allow other readers to see my email address. You cannot contact me through email from these weblogs unless I let you by clicking the appropriate box in my preferences. So that was irrelevant. I don’t post to Usenet anymore, so that was also irrelevant, in respect to me at least.

Secondly: again, you can contact me directly by following the simple directions of putting a specific piece of text in the message subject. My email signature explains this. If I were to mail someone I didn’t know, but I wanted a reply forthwith, I would put the text in my subject so it is automatically included when they reply. And if I were to begin posting to Usenet again or publicising my address here or anywhere else, I would of course explain the need for the special subject. If I wrote a mailto: link, I could even include it (mailto:foobar@xyzzy.org?subject=SPECIALTEXT).

This tactic is only for people who may try to contact me out of nowhere, with no prior knowledge of how to contact me correctly. i.e., spammers, stalkers (pinheads from my IRC hangouts), people who may somehow guess my email address, random accidents, etc.

— The Raxis

[ J’raxis·Com | Liberty in your lifetime ]
[ Parent ]

Riiiight. (5.00 / 1) (#76)
by NFW on Fri Apr 26, 2002 at 06:18:28 PM EST

Actually, I have every right to read any posting of yours in a public forum (Usenet was the first that springs to mind, followed by this august weblog) and take a conversation offline to email. So does everyone else. You'd be very hard pushed to classify this as "spam" or somehow "unauthorized".

You have the right to attempt to take the conversation to email. However, the person you attempt to contact has no obligation to read whatever it is you have to say. If you want to convince me to read something, you must first convince me that you are not a spammer. If that's too much trouble, then whatever you have to say probably isn't worth my time anyhow. So it's not just a spam filter, it filters uninteresting non-spam messages as well. So much the better.

Actually, I advocate a slightly different system, in which the person in your position gets a message back that says something like "In order to prove that you're not a spammer [or dullard, come to think of it], please reply to this message with the subject intact." Not hard to do. Take that step and you're added to my whitelist, so you won't have to use any silly tricks again unless you change email addresses.

My approach is not as challenging for the spammers as the mechanisms proposed above, but I prefer this particular convenience/security tradeoff. If it ceasees to be sufficient, the mechanisms proposed above will start to look more interesting.


--
Got birds?


[ Parent ]

Still wrong (none / 0) (#77)
by PigleT on Sat Apr 27, 2002 at 05:30:06 PM EST

If you think I'm going to spend time knocking up a response and then bother sending it all over again pasting the mail in from sent-mail or whatever, you've got another think coming.
There are plenty enough of us that think email-address munging for "anti-spam" purposes is an antisocial way to give in to spammers, don't expect to make us to do extra work for the dubious privilege of mailing you.
~Tim -- We stood in the moonlight and the river flowed
[ Parent ]
So be it. (none / 0) (#80)
by NFW on Wed May 01, 2002 at 02:22:29 PM EST

First, you don't have to paste the mail in or anything like that, just hit reply (as with a [decent] mailing list subscription confirmation) or click on a link. I realize that for you it's probably still not worth the trouble, I just wanted to clear that up.

Second, and more importantly: I don't care any more than you do about whether or not your message makes it to my inbox. Think about that. If it's not worth the trouble to you, it's not worth the trouble to me. If you don't care, I don't care.

I get the impression that you don't see it this way, but the fact is, getting my attention IS a privilege. You have no right to my attention. There was a time when all a person had to do to get my attention was send me email. That got way out of hand. Now you have to take an extra step if you want my attention. And again, if your message means so little to you that you won't take that extra step (click), then the whitelist is doing its job very well. From the 'anti-spam' perspective, that would be considered a false positive... but in the larger scheme of things, it's the desired behavior.

I acknowledge that this is, in a sense, 'giving in to the spammers.' Sort of like putting a lock on my front door is 'giving in to the burglars' and locking up my snowboard at the lodge (or paying $2 to check it) are 'giving in to the theives' and so on. In all cases, I wish I didn't have to, but in all cases, it beats the alternative.

You seem to think that I am eager to read email from anyone who comes across my address, and that I will be disappointed if I don't hear from every single person who has something to say that (they think) I might be remotely interested in. That is not the case. Life's too short to bother with email from every single person who happens to find my address on the net somewhere.


--
Got birds?


[ Parent ]

A better way -- Shoot all SPAMMERS! (2.60 / 5) (#42)
by www.sorehands.com on Sun Apr 21, 2002 at 08:46:23 PM EST

Lets make it legal to shoot spammers on site. That is one way to cut down on spam.

Actually, I have put together a complex license agreement/terms of use on my sites to try to attack this. Spammers that gather addresses from my site violate my terms of use and agree to a $10k/copy payment. There are 2 addresses on my site, one is uniquely generated based on time and date, the other is a auto-forward to uce@ftc.gov.

If I can track down a couple of these spammers and bankrupt them, other spammers will realize spamming costs.



------------------------------------------------------------------------------
http://www.barbieslapp.com
Mattel, SLAPP terrorists intent on destroying free speech.
-----------------------------------------------------------

Not new. (3.00 / 1) (#47)
by i on Mon Apr 22, 2002 at 02:46:20 AM EST

A company whose name escapes me used (is using?) such method, only better :) There are two differences.

Human verification: instead of being asked to re-type something, user is asked to click certain word in a pucture.

Address management: after successful verification, the user doesn't get your real address. Instead, the system starts forwarding (instead of holding) his mail to you.

So the entire process for your correspondent is one or two mouse clicks plus some brain activity :) Unfortunately, blind people are out of luck with a picture-based system. One can devise something similar with sounds ("press a key when you hear the word 'omnipresence'") but what about people who are both blind and deaf? Ask them to solve a simple math problem, in Braille?

and we have a contradicton according to our assumptions and the factor theorem

Other solution : distributed filtering (3.00 / 1) (#52)
by Betcour on Mon Apr 22, 2002 at 03:40:45 AM EST

Let's do something better : add a "this is spam" to email programs menu. Whenever a user receive an email that he think is spam, he marks it as "spam", the email is forwarded to a central server. After several report as spam from different peoples, the email is listed as official spam : all other Outlook client or SMTP/POP daemon who connect to the server are informed that this is spam, and can delete the email immediatly if they happen to have it.

Vipul's Razor (4.00 / 1) (#53)
by mbrubeck on Mon Apr 22, 2002 at 03:51:13 AM EST

Vipul's Razor is a fairly popular implementation of this exact idea. SpamAssassin uses it as one available filtering method.

The obvious step for spammers is to randomly modify each message in some small way, and in fact this countermeasure is becoming fairly common (you may notice strings of random characters showing up in your spam messages recently).

[ Parent ]

Well (4.00 / 1) (#54)
by Betcour on Mon Apr 22, 2002 at 04:12:48 AM EST

Didn't know about these.

As for changing the message slightly, it is fine if the antispam recognition system is a simple checksum (CRC32, MD5, whatever) but it is easy to have 100% recognition using keyword matching (supposedly the text is identical at 99%), originating IP, etc.

[ Parent ]
sounds like DCC (none / 0) (#63)
by boy programmer on Mon Apr 22, 2002 at 04:12:14 PM EST

check out dcc rhyolite.com/dcc it makes a md5 hash of the message (after attempting to remove any personalization or hashbusting strings) and sends the md5 to the nearest dcc server- the dcc server increments the count for that message, and returns the count to the client.

users can also manually specify that the count is 'many'. One problem is the system can not tell the difference between spam and legit mailing lists- but most people only subscribe to a few mailing lists, so they can whitelist those.

[ Parent ]

spamgourmet feature pending (4.50 / 2) (#59)
by jqh1 on Mon Apr 22, 2002 at 10:46:21 AM EST

A user suggested adding a similar feature to spamgourmet, and it'll probably be the next one implemented. His suggestion: there should be a reserved keyword (like "secure") that, when prefixed to a published address, would result in the sender having to click on a link to confirm non-bot-ness. The implementation will probably make use of the MD5 hash approach that is currently used to keep folks from sending unsolicited mail through the system -- this way, there won't need to be new tables or records in the database. The hash approach would generate a unique "to" address for each confirmed sender that contains a hash made from the sender's address and a private key stored in the database with each sg address. It would then be up to the sender to use that address from then on.

I agree, increasing burden on senders is bound to turn some people off, but then spammers have been abusing the sender-friendly system we have for way too long.

Anyone remember the Greg Egan story... (3.00 / 1) (#62)
by SIGFPE on Mon Apr 22, 2002 at 02:30:43 PM EST

Testing image recognition abilites is only one example of doing that, natural language questions could be another one
...that preëmpts this discussion? At one point he discusses software to filter junk mail. So the junk mail needs to get past the filters by pretending to be something innocent. Only when it knows that there's a real human reading it does it do its stuff. So of course the mail filter has to fake being the human reading it to trigger the spam into doing its stuff and we end up in an arms race. Anyway...it was pretty insightful.
SIGFPE
Most spammers don't care (none / 0) (#65)
by hackerhue on Mon Apr 22, 2002 at 05:32:05 PM EST

Most spammers won't bother to authenticate. Why would you send a message to someone who has made it clear that he/she doesn't want to receive it? And authenticating is more effort than it's worth for a spammer. On the other hand, some spammers are dolts who won't realize this, and they may decide to authenticate. But there will probably be very few of these.

[ Parent ]
Er... (none / 0) (#67)
by SIGFPE on Mon Apr 22, 2002 at 06:43:22 PM EST

Why would you send a message to someone who has made it clear that he/she doesn't want to receive it?
That's practically the definition of a spammer isn't it?
SIGFPE
[ Parent ]
Um, no. (IMHO) (none / 0) (#70)
by hackerhue on Mon Apr 22, 2002 at 08:46:08 PM EST

Spam is unsolicited commercial/bulk email -- i.e. email that you didn't specifically ask for. Not email that you specifically requested to not receive. Uh, I should have also noted in my last reply that most people don't use anti-spam technologies where the sender needs to authenticate (I don't -- I just use spamassassin), so authenticating with the few users who do -- just to send one email before they get blacklisted, to someone who is less likely than average to want to read your message -- is more trouble than it's worth.

[ Parent ]
A different approach (4.00 / 1) (#79)
by truemajik on Wed May 01, 2002 at 01:43:11 PM EST

Currently, the way things work with e-mail is as follows (in basic steps):

1) Someone (preferably a human) e-mails you.
2) The email message goes though and arrives at your e-mail service's (or ISP's) mail server.
3) The message resides there, taking up YOUR quota.
4) When you check your mail, the message is RETRIEVED from YOUR e-mail service's mail server.

This puts the burden of storing e-mail messages on the receiver of the message.

A different approach to the the concept of e-mail is to put the burden on the SENDER. Meaning, when you send a piece of e-mail, it is stored on YOUR e-mail service's mail server box. The intended receiver of the e-mail receives your e-mail, but the actual message is retrieved from the SENDER'S mail server system, rather than the receiver's.

This way, the spammer would not find it worthwhile to store terabytes of e-mail messages waiting to be picked up.

I think this is a great approach, but it means that the whole infrastructure of e-mailing would need to be upgraded dramatically. A few months ago I cam across where this concept was explained. I was looking through my bookmarks but I could not find it.

Terabytes? (none / 0) (#82)
by bunnytricks on Tue May 14, 2002 at 03:57:44 PM EST

Kilobytes is more like it. What makes you think that a package for efficiently storing mass mail on their server wouldn't be written by the spammers? The emails wouldn't have to be customized for each recipient. Even in the case where that was desired to get past some new species of filter then they could dynamically generate each message from a template.

[ Parent ]
SpamAssassin (4.50 / 2) (#81)
by hry on Wed May 01, 2002 at 09:15:43 PM EST

There is a program, called SpamAssassin which IMHO takes a mixed approach. It filters mail based on:
  1. text analysys based on several criteria including a dinamic one where senders which did not sent you spam in the past get better chance to pass trough.
  2. white/black specific lists set up by the user
  3. checks with a centralized black list.
This kind of "multi-dimensional" approach have IMHO the best chance.

You can see it at http://spamassassin.taint.org/

My anti-spam technique (3.00 / 1) (#83)
by jobeus on Tue May 21, 2002 at 03:49:02 PM EST

Unfortunately, it was only after 5 months of using my real email address everywhere that I realised this idea, so I still do get spam, but at least I'm protected(ish) from getting much more.

Though it will only work if you run your own mail server, I'm sure there's a few of you out there who are reading this. All I do is make up various forwarding aliases to my real address on the box. jobe-www@jobeus.net is my alias which is listed on my webpage. jobe-someservice@jobeus.net is my address according to somewhere else, etc etc. If I get spam at that address, I know two things: who sold me out, and how to stop it. All I have to do it remove the alias, and the spam stops.


Keeping Spambots Out: A New Anti-Spam System | 83 comments (74 topical, 9 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!