What is wrong with the filtering approach?
If you start to block unsolicited mail from your accounts there will always be
false positives and negatives. As to false negatives, they will not cause much
pain, since one or two spam mails a month is more entertaining than disturbing.
But false positives - legitimate mails which get trapped in your filter - can
be a real problem. Can you run the risk of not getting important messages from
your friends, family, boss or customers?
Of course, there are sophisticated systems like Spamcop
with which one has the option to move suspicious mails to special folders. Yet it is not much fun
to review hundreds of mails to be sure not to lose an important message. And
without having done that, you can never be sure.
The hiding approach
Spammers get their address lists through various channels. One of them is by
tricking people into giving them their address voluntarily, e.g. when filling
out the web form to subscribe to that hot new site. Or they buy customer data
from companies which filed a petition in bankruptcy. There may be some other
ways but the most important source for them is the WWW.
There, millions of addresses can be harvested for free, by searching web
sites for all those telltale mailto: links.
If you keep your address off the web you are very likely to enjoy clean
mailboxes, containing only birthday wishes from your little sister and
confirmations of your last Amazon order.
There are already solutions for this:
On one hand, users can publish forward addresses which expire after a certain
time or after a certain number of messages being sent (for example with
Spamgourmet), on the other hand, web site
operators do not publish email addresses directly
but provide certain alternatives (as outlined in
The first technique requires a lot of discipline on the part of the user - one
time being lazy and typing in your real e-mail address could give you a
lifelong supply of "Increase your investments/penis size"-like love letters.
The second one works better, because it puts the responsibility on the
administrators. But, unfortunately, it is not - and will never be - implemented
by all sites.
The new system: A centralised anti-spambot addressbook
The new system is nothing other than a centralised approach to the
above-mentioned technique of not publishing the e-mail address directly.
Instead, it will provide registered users with an alias for their real e-mail
address. But what is really new to this: the alias will not be a forward
address to the real one. It is a key to obtain the real address of the user.
The system will make sure that only human beings will be able to use that key.
To give an example first:
User A with email-address A@example.com registers with the anti-spam
service, located at http://www.serviceXYZ.com. He will get the following:
A-4082238@serviceXYZ.com to be used in mail clients and whenever only an
e-mail address can be used.
http://www.serviceXYZ.com/users/A-4082238 to be used instead of mailto:
links in web pages.
User B visits A's homepage and wants to write him a mail telling how great it
is. She clicks on the Mail link (to
http://www.serviceXYZ.com/users/A-4082238) and is presented with a
web form which is asking to retype the letters and numbers displayed in the
picture above (technology as used by Altavista).
After she has done that and submitted
the form, she is given the real address of A (conveniently as a hyperlink).
User C reads an interesting mail by A in his biking mailing list and wants to
contact A privately. So he clicks the reply button in his mail client and
writes his mail to A-4082238@serviceXYZ.com. After a short time, he gets an
automated reply which tells him to go to
http://www.serviceXYZ.com/users/A-4082238 to obtain A's real address. (if A
had been smart, he would have included a link to this URI directly in his mail
So, what the system basically does is require everyone to prove that he
is not a spambot before he gets the real e-mail address. Testing image
recognition abilities is only one example of doing that; natural language
questions could be another one (e.g. What colour is the sky?). The latter
could also present an alternative for users without GUIs or blind people.
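The flow described above (alias, challenge, release of the real address, and the automated reply to mail sent to the alias), as an added example that is not part of the original proposal. The class and method names, the constructed question bank, the five-minute challenge lifetime and the single-use tokens are assumptions of this example.

```python
import hmac
import secrets
import time

BASE = "http://www.serviceXYZ.com/users/"  # service URL from the page's example
TTL = 300  # assumed challenge lifetime in seconds
# Constructed stand-in for the picture / natural-language test.
QUESTIONS = {"What colour is the sky?": "blue", "How many legs has a cat?": "four"}

class AliasService:
    def __init__(self):
        self.users = {}    # alias -> real address
        self.pending = {}  # token -> (alias, expected answer, expiry)

    def register(self, name, real_address):
        while True:  # random suffix, retried on collision
            alias = f"{name}-{secrets.randbelow(10**7):07d}"
            if alias not in self.users:
                self.users[alias] = real_address
                return alias

    def challenge(self, alias, now=None):
        """Return (token, question) for a known alias, else None."""
        if alias not in self.users:
            return None
        now = time.time() if now is None else now
        question = secrets.choice(list(QUESTIONS))
        token = secrets.token_urlsafe(16)
        self.pending[token] = (alias, QUESTIONS[question], now + TTL)
        return token, question

    def reveal(self, token, answer, now=None):
        """Real address only for a correct answer on an unexpired, unused token."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # single use: a wrong guess burns it
        if entry is None:
            return None
        alias, expected, expiry = entry
        given = answer.strip().lower().encode()
        if now > expiry or not hmac.compare_digest(given, expected.encode()):
            return None
        return self.users[alias]

    def auto_reply(self, rcpt):
        """Reply for mail sent to <alias>@serviceXYZ.com; never holds the real address."""
        alias = rcpt.split("@", 1)[0]
        if alias not in self.users:
            return None
        return f"To obtain this user's address, visit {BASE}{alias}"
```

Because a wrong answer consumes the token, a client has to fetch a fresh challenge for every guess, which gives the service one place to rate-limit attempts per alias.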
Ideally, this service should be backed by a renowned, non-profit organisation,
so that users are more willing to give away their precious e-mail addresses and
the service becomes widely accepted.
And, contrary to filter systems, which depend on multiple users to report
possible spammers, it will even work for one user. And once registered with the
service, no further interaction on the part of the subscriber is required.
Of course, it will be a little disturbing for the others to go through these
web forms when they want to know your e-mail address. But they have to do
it only one time (and then save it in their book) and if they think it is not
worth the hassle, their message would not have been important anyway, would it?
And, with increased acceptance of this service, it could be standardized and
supported by the mail clients themselves.
(think of X-Real-Address: http://www.serviceXYZ.com/users/A-4082238.xml in the
mail header) Whenever you want to add someone with this protection turned on to
your addressbook, KMail will then display a picture/natural language question
Another problem is that robots (by definition) cannot use these alias
addresses. But the service could be combined with the existing technique of
(expiring) forward aliases, in case you have to give your address to untrusted
Of course, if you consider even the bugtraq mailing list manager to be an
untrusted robot, this system will not make your anti-spam strategy much easier.