All the Perl that's Practical to Extract and Report

SPMA

TorgoX on 2002-03-07T20:32:50

As spam gets worse and worse, my craziest anti-spam idea starts to look less and less crazy all the time. The idea is:

No email to me gets thru unless it's "authenticated". That means some combination of:

  • A message gets thru if it has headers indicating that it's a message from a listserv list that I'm on. (Like many people, almost all the traffic to my account is list mail.)
  • If the sender is on the list of people I correspond with regularly, it gets thru. (That and the above, catch the vast majority of non-spam traffic to my mailbox.
  • Otherwise you get a "confirmation email" saying that the mail won't get thru unless you either reply with some confirmation code, or hit some HTTP URL that, when hit, approves the message.

The only problem I see is with automated email that's not spam. Stuff like Amazon Alerts, or messages like "you went to our web site just now and requested that your password be emailed to you, so here it is: 123BZORCH."

Antispam

ziggy on 2002-03-07T20:46:24

I've seen a system just like this before. I forget who was using it, but the automagic reply (with confirmation via email or the web) was quite obnoxious. Shunting unvalidated email into a holding tank has the advantage that you don't blindly send email to people or things that are trying to correspond with you (and repeat the problems we saw last week).

The more I think about it, the more I'm warming up to some sort of bot managing my incoming email. (I remember one night pointing out the most obvious of flaws on the Bill Gates Personal Wealth clock; so I sent mail to Philip Greenspun at 2am, and got an immediate and quite terse response. That was almost certainly emacs replying, not Philip.)

One of the advantages of a bot manager is that I'd get all sorts of interesting stats about my inbox -- like the amount of SPAM per month, list traffic per list, etc.

Why?

Matts on 2002-03-07T21:31:08

Why are you ignoring SpamAssassin? It has auto-whitelists and auto-blacklists, and very smart people working on it *cough*.

The problem with your scheme is you lose the spams sent through lists, like all the people attacking perlbug recently. SpamAssassin won't miss that.

Re:Why?

TorgoX on 2002-03-07T23:22:56

I'm "ignoring" it because I didn't know about it!
Oh no, did I FAIL A TEST?!

Re:Why?

Matts on 2002-03-07T23:38:30

Fair enough - I figured everyone knew about it ;-)

ACM solution

jdavidb on 2002-03-08T07:01:27

Saw the following solution in a communications of the ACM a few years back. (Keep plugging SpamAssassin, Matt; I'm sure I'll try it before I try this.)

You set up multiple valid email addresses of the form userid-\d\d\d\d\d\d@example.com . You can set up an alias for your friends, an alias for each mailing list your on, and so on. When you need to sign up for something and have a password mailed to you, you temporarily activate an alias. When one account gets discovered and you start getting hammered with spam, you deactivate it and set up a new one.

Having just completed migrating from one account to another, that sure seems like an attractive option. (I'm sure I'd be doing even better now if I'd migrated suddenly instead of taking two months.)

Of course, this means your friends have to remember annoying digits. I started life on the net as jxb9451@omega.uta.SPAMMEDTODEATH.edu, so I'm used to having digits in my identity. The rest of you may not like that, and your family and friends might not either. It's like having to know a password to email you, with all the advantages and disadvantages that would entail.

What happens if an address gets compromised?

pne on 2002-03-25T13:32:07

What happens if, say, one of your friends sends a message both to you and a mailing list that's archived on the web somewhere, causing a spamtrawler to pick up your "friends" address.

Are you going to dump that address as well and replace it by one with a different number? Because that would entail informing all your friends to "please send to jxb-2001 instead of jxb-1701 from now on".

Or if your mailing list address is compromised -- you'll have to keep track of which lists you were subscribed to *with that address* so that you can unsubscribe from all of them and re-subscribe with the replacement address. Won't you?

Re:What happens if an address gets compromised?

jdavidb on 2002-03-25T13:56:47

Are you going to dump that address as well and replace it by one with a different number? Because that would entail informing all your friends to "please send to jxb-2001 instead of jxb-1701 from now on".

Yeah, that's the general idea. I didn't say it was the best of options, just an interesting one.

What if your correspondent also has this scheme?

pne on 2002-03-25T13:29:15

A fairly obvious disadvantage would be if someone sends you email who also has such an authentication scheme going on: your request that the sender authenticate himself first is going to bounce off his filter with a request that *you* authenticate yourself first, which results in your filter sending back an email... you get the point.

How would you avoid that? You probably can't really. I think this sort of thing only works if you think you are (no offense intended now) so important that people will voluntarily jump through hoops to send you email, and will keep trying if they think their message is important enough.