Putting up Barriers to my Inbox: Active Spam Killer

by Steve Mallett

Related link: http://www.paganini.net/ask/



My Inbox. The final frontier.

There is no perfect solution for spam, yet. That is the simple truth. You can bang your head against that simple truth as much as you want. It will not stop it from being true.

SpamAssassin is nice and has done its duty for me for over a year. Message filtering with Mail.app/Mozilla/Thunderbird has helped me out a bit as well. Thank you.

But, the time has come to implement what some others claim may be the most drastic measure short of cutting myself off from the internet itself. You must now be a real person to contact me and you must 'hit reply' when I check to see that you are.

What's that, you ask? I installed Active Spam Killer.

Yup. I did it. When you email me henceforth, if you're not already on my 'whitelist' of real people, you'll get an email response back from my mail server asking you to reply to a short msg so it can confirm you are a real person who actually wants to email me. You do that once and you never have to do it again.

Drastic isn't it? The internet is supposed to be open and free. Well that's ok for the internet, but not for my inbox.

I have work to do! I have people with whom I have to and want to communicate. I don't want to waste any more time with message filters, tweaking SpamAssassin day and night (not that I'd bother), losing the odd good email among the spam, deleting spam that gets through the filters, etc etc etc.

The world is an imperfect place and so is my inbox. Until now.

This morning, after 10 hours of having ASK installed I had one email in my inbox*. One!!!!!!

Let that sink in.

Did someone email me and get cheesed off that I asked them to confirm they're real? Probably. If they can't be bothered to do that once I really don't care if I ever hear from them. Did someone try to spam me and a confirmation email went out into the ether to an email address that doesn't exist? You betcha!

What's the downside to this? There is one, but I can live with it to offset not getting spammed to death. It puts a bit of an onus back on the legit emailer to prove they're real.

That does suck a bit, but really... who doesn't understand that you're trying to take back your inbox from the scumbag viagra/penis-enlargement/pr0n/mortgage/Nigerian princes of the internet? Idealistic blunderheads and the above mentioned spammers.

So ends today's sermon from the mount.

*Be careful setting up ASK if you do so. There are a lot of folks who you talk to now that you don't want ASK to ping. Or maybe you do???
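
The whitelist-and-confirm flow described above, sketched as an added example (not ASK's own code and not part of the original post): the HMAC token, the `confirm:` subject tag and every address are assumptions made up for illustration. It also holds automated mail without answering it, so bounces and auto-replies never trigger a challenge.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"  # assumption: per-user secret held on the mail host
TOKEN_RE = re.compile(r"confirm:([0-9a-f]{16})")  # hypothetical subject tag format


class ChallengeFilter:
    def __init__(self, whitelist):
        # Pre-seed with the people you already talk to, so they are never challenged.
        self.whitelist = {addr.lower() for addr in whitelist}

    def token_for(self, sender):
        # The token is bound to the sender address, so another address cannot reuse it.
        return hmac.new(SECRET, sender.encode(), hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def is_automated(msg):
        # Software-generated mail is never challenged; otherwise two
        # challenge-response systems can keep answering each other.
        auto = msg.get("Auto-Submitted", "no").strip().lower()
        bulk = msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}
        null_path = msg.get("Return-Path", "").strip() == "<>"
        return auto != "no" or bulk or null_path

    def handle(self, raw):
        """Return 'deliver', 'confirmed', 'hold' or 'challenge' for one message."""
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.whitelist:
            return "deliver"
        if not sender or self.is_automated(msg):
            return "hold"  # queue quietly; send nothing back
        found = TOKEN_RE.search(msg.get("Subject", ""))
        if found and hmac.compare_digest(found.group(1), self.token_for(sender)):
            self.whitelist.add(sender)  # one confirmation whitelists for good
            return "confirmed"
        return "challenge"  # queue the mail and send the one-time challenge


# Constructed sample messages (not real traffic).
NEW = "From: Alice <alice@example.org>\nSubject: hello\n\nhi"
BOUNCE = "From: MAILER-DAEMON@example.net\nReturn-Path: <>\nSubject: failure\n\n"
AUTO = "From: bot@example.com\nAuto-Submitted: auto-replied\nSubject: confirm?\n\n"
```

The filter trusts the `From` header as given: a message that forges a whitelisted address is still delivered, and a challenge goes to whatever address the header names.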


28 Comments

gerhardt
2004-03-30 06:07:12
What about the folks without their own server?
Great idea. I wish there would be something like ASK to use with just my mail client alone. Any hints?
spaceman
2004-03-30 06:18:30
What about the folks without their own server?
I think you could do this, but let's see if anyone chimes in knowing for sure. I envision fetchmail, ASK, and procmail on an OSX or *nix box.


Anyone doing this???

guet
2004-03-30 06:45:56
faked 'from' headers
This does have the unfortunate consequence of spamming people who are unfortunate enough to have their existing email address used by a spammer as the 'from' of a message with your challenge. I guess they could always set up a filter to filter out ASK messages...


Until ISPs agree to disallow non-authenticated email servers there doesn't seem much choice though.

macrat
2004-03-30 07:52:57
Steve becomes a Spammer


So what you are saying is that you are sending out an e-mail for every spam message you get?



Basically doubling the spam load on mail servers.


spaceman
2004-03-30 07:56:13
Steve becomes a Spammer
Well, let's see I get an email from a spammer, I send one back which 99% of the time actually goes nowhere (buyviagra@buysomeviagranowyouvarmit.com)


How does that double mail server load other than my own? It doesn't.

kavka
2004-03-30 08:18:00
faked 'from' headers
Yes, this is a big problem. One of my domains is used as a fake 'from' address. So every day I get tons of bounced-back e-mails about stuff I never sent. I could envision ALSO getting these 'verify' e-mails to add to my load. At some point, I begin to get charged for the excess over what my host allows in traffic. All the while, I have done nothing. I think there should be identity theft laws associated with sending out false 'from' addresses with fines for the victims. I don't like people pretending to be me, and the potential of someone associating the spammer's actions with me.
aristotle
2004-03-30 10:55:22
You have cut yourself off from me and possibly a large number of other netizens
My policy is to never, ever reply to a challenge I get from such a system. Why?


Read Challenge-Response Anti-Spam Systems Considered Harmful (server seems down at the moment, unfortunately; but it's in Google's cache if you search for the title).

aristotle
2004-03-30 10:56:06
You have cut yourself off from me and possibly a large number of other netizens
Heh, and now it loads. Oh well.
mariuss
2004-03-30 11:14:44
what about real notification messages
What if you want to register on a web site that asks for your email address and then sends an activation message to that address?


There is no real person behind the notification and you don't know in advance from what address the message is arriving.


Also subscribing to mailing lists (either announcement type or discussion) is much harder now.

spaceman
2004-03-30 11:28:51
what about real notification messages
You can open the flood gate for a particular domain in advance.
spaceman
2004-03-30 11:33:12
You have cut yourself off from me and possibly a large number of other netizens
Yeah, I'm familiar with that, but let's put it this way: You emailed me a minute ago, then get a confirmation msg from me five mins after that. You know it's me.


If people still balk at that, I really don't care.


There are all kinds of little nits to pick here, but the main thing for me is that I'm quite content with them balanced against having my inbox back.


Again just for clarification: A person only need respond to the challenge -once- ever (most people set it up that way).

aristotle
2004-03-30 11:44:49
You have cut yourself off from me and possibly a large number of other netizens
That doesn't sound like you've read the page all the way down.


Also: if I ever get a challenge from someone because my address is spoofed as a From by a spammer or virus, you betcha I'll report it as spam.


You have chosen to inconvenience not the spammer, not even yourself, but the people trying to communicate with you. Fine, have it your way. If someone doesn't want me talking to them, I can take a hint.

spaceman
2004-03-30 12:43:55
You have cut yourself off from me and possibly a large number of other netizens
"That doesn't sound like you've read the page all the way down." Which part did you have in mind then??


That said, who said the system was perfect???? I prefer this imperfection over the imperfection I had yesterday. Again, it's a trade-off I can live with. Can't live with it? Don't do it.


"If someone doesn't want me talking to them, I can take a hint." You really have to be a nit picker to come to that conclusion.


my quote: "Did someone email me and get cheesed off that I asked them to confirm they're real? Probably. If they can't be bothered to do that once I really don't care if I ever hear from them." I'd now put you in this category and we'd both be happy.

chromatic
2004-03-30 13:59:52
You have cut yourself off from me and possibly a large number of other netizens

Agreed; this is a bad idea because it completely fails the One Question Certification Test for E-Mail Filter Authors.

spaceman
2004-03-30 14:06:05
You have cut yourself off from me and possibly a large number of other netizens
Hi chromatic,


If you just sent me an email & my system replies to you five minutes later what are the chances that it's a forgery?

chromatic
2004-03-30 21:53:27
Rule #1: Spammers (and viruses) Lie

What you say is true, but it's not what I'm talking about.


How can a whitelist block spam or viruses that have forged addresses already in your whitelist?


How can you ensure that your whitelist doesn't respond to forged addresses on spam or viruses? At best, they'll merely bounce. At worst, they'll reach an innocent person.


I'm not sure that the solution to receiving unwanted e-mail from people you don't know is to send unwanted e-mail to people who don't know you.

jwenting
2004-03-30 22:37:26
Steve becomes a Spammer
Most spammers use real domain names now (albeit often with fake destination addresses on those domains) to get around blacklists, so you ARE sending traffic to innocent 3rd parties.
And virus emails (and ever more spam) use existing addresses harvested from people's address books, websites and usenet groups as from: addresses causing you to send a lot of email to people who never sent you anything thus causing THEM to receive even more unwanted email.


Next step, they install the same software you did and you get the situation in which two instances of that software start sending confirmation requests back and forth...
You send a request to some person, that person's computer sends one back asking for confirmation from you which leads your software... etc etc into eternity or until someone shuts it off.


Whitelisting isn't the way forward, except insofar as a manual whitelist can be used to punch holes in a blacklist (say you communicate with someone whose ISP you've blocked because they serve as a relay for some large spammers).

jwenting
2004-03-30 22:40:53
faked 'from' headers
fines for the victims? That would mean you want to be fined for someone abusing your email address?


I guess you mean fines for the perpetrators :)


Of course they're kinda hard to track down as they didn't leave their real address.
With spammers it's a bit easier as they want to be reached some way but you'd never catch the virus authors that way, the persons that would be fined are the ones who got infected as they're the ones sending on the virus emails (without knowing but that's no defense).

spaceman
2004-03-31 04:15:24
Rule #1: Spammers (and viruses) Lie
"How can a whitelist block spam or viruses that have forged addresses already in your whitelist?"


It certainly can't. I'm still not insisting this is perfect. However, using spamassassin as well would certainly help this a bit.


"How can you ensure that your whitelist doesn't respond to forged addresses on spam or viruses? At best, they'll merely bounce. At worst, they'll reach an innocent person."


Now this does concern me. I don't mind the barrier to starting a new conversation, but don't want to bury someone else in spam.


Let me look into this with the ASK community to see how they deal with this. I'll write back to let y'all know what the consensus is on this issue. Off the top of my head I'd think that this would end up not being a huge problem since the use of challenge response systems isn't widespread and the chances of a spam being sent to a lot of challenge-response users that has the same forged address would be slim. Again, no one said this was perfect.

aristotle
2004-03-31 07:16:46
Rule #1: Spammers (and viruses) Lie
Yes, exactly: it's just another one of those "solutions" to spam that "work" because it has such low penetration. If it were to become ubiquitous, we'd have far more problems than we already do.


And that's the part in that article I was talking about. Karsten doesn't really warm up until the middle of it, when the real arguments start flying.


The question is not so much how it affects you; the question is how it would affect spamming at large assuming widespread adoption. And that's a world I'd rather not live in, so I have decided to do what is in my power to avoid that reality: being a disincentive for the use of challenge-response filters by refusing to play their game.


Sorry if I sound harsh and vociferous about this topic, but C-R is a meme that should be struck down as soon as possible before it can do as much damage as those "your computer is infected" virus scanner notification mails have already done.

spaceman
2004-04-01 07:01:14
Clarification for SpamArrest users:
Ummm that's not how these work. When someone emails you there is a catchphrase in the email so when you respond the system sees that it is a response & it goes straight through.
spaceman
2004-04-01 07:06:57
Rule #1: Spammers (and viruses) Lie
As promised...


The most logical response I received from my query was pretty simple, but again not perfect.


If someone's email has been hijacked by a spammer for use in faking the From field that person is highly likely to be barraged in "user not found" msgs and to such a degree that with the statistically minuscule amount of challenge-response systems out there the "please reply" msgs would be less than a needle in the haystack. By this logic "user not found" msgs should be turned off long before challenge-response.


Again, not perfect.

chromatic
2004-04-01 09:47:46
Rule #1: Spammers (and viruses) Lie

In other words, it's a good solution because nobody's using it so it's not as annoying as it could be?


At what point does CR spam (and yes, if you're sending unsolicited messages advertising your CR system to people you don't know who've never contacted you, it's spam) become a problem? When it's one percent of messages? Ten percent? Fifty percent?


If there's a tipping point -- and I don't believe it exists, but I'll humor you -- surely CR providers should stop advertising, lest their popularity suddenly turn "harmless" CR messages into spam.


Then again, I don't think spamming non-spammers does anything to reduce spam. Shouldn't that be the goal of any anti-spam system?

spaceman
2004-04-01 10:01:00
Rule #1: Spammers (and viruses) Lie
"In other words, it's a good solution because nobody's using it so it's not as annoying as it could be?"


I would rephrase that as it works for me because the downside at this point is negligible. If everyone started using C-R it probably would suck, but that's not the case.


"At what point does CR spam (and yes, if you're sending unsolicited messages advertising your CR system to people you don't know who've never contacted you, it's spam) become a problem? When it's one percent of messages? Ten percent? Fifty percent?"


I dunno.


"If there's a tipping point -- and I don't believe it exists, but I'll humor you -- surely CR providers should stop advertising, lest their popularity suddenly turn "harmless" CR messages into spam." I'd agree with that.


"Then again, I don't think spamming non-spammers does anything to reduce spam. Shouldn't that be the goal of any anti-spam system?" Totally, but since one doesn't exist yet, and I'll change again when one does, I'll go for the less than perfect option.


At this point in time I think the benefit outweighs the cost. I don't want to live in a manure filled barn while I wait for the perfect shovel. I'll use this one until SPF (or other) is widespread.

chromatic
2004-04-01 11:30:13
Rule #1: Spammers (and viruses) Lie

The downside for you is negligible, because you've shifted it to other people!


That's your choice -- but as someone affected by unsolicited challenges, I believe I have the right to say it's a socially irresponsible choice.


That, to me, is the crux of the matter. I don't know how to explain it in clearer terms. Since this is your weblog, I'll let you have the last word if you want it. :)

spaceman
2004-04-02 05:31:05
Rule #1: Spammers (and viruses) Lie
"I believe I have the right to say it's a socially irresponsible choice."


I sat on replying to this yesterday. I must admit I was feeling a twinge of guilt. "socially irresponsible". That hurt.


However; again this morning my inbox is devoid of any mention of penis, pedophilia, pharmacology, perversion, pr0n, loan sharks, online betting, and other dumpster-diving material.


While I was a bit uncomfortable with how your comment sat on my shoulders yesterday I feel pretty good about it today. Among this insanity, this is a liberty I feel ok in taking. I will step up my efforts to make sure SpamAssassin does as much filtering as possible before handing mail over to ASK to minimize the chances of an innocent getting a challenge.


2007-10-17 03:11:53
write a rb program that goes to your email account and gets all the email headers from your inbox and puts it in a file - then send me the code.
ramila
2008-04-20 20:02:47
Please my inbox my account.