This is freakin' stupid.

First of all, I never respond to anti-spam e-mail "challenges" whether they are from TMDA, SpamArrest, or anyone else. Ever. On my personal e-mail account, I have a procmail rule that ensures I almost never see them (unless they're heavily customized and my rule misses, of course).

A reader (of the book) just e-mailed me (at my work address for some reason) to ask a question. I spent the time to answer his question only to be rewarded with a message (via his TMDA install) that he's not going to read my message unless I jump through another fucking hoop.

Screw that!

You know why?

HE CONTACTED ME FIRST!

If these systems are so brain-dead as to not bother adding my address to the whitelist when the user sends me e-mail, I have serious trouble understanding why anyone is using them.

Is it just me? Is this too hard to figure out?

Anyway, there's another 5 minutes I'll never get back. It's too bad there's no mail header to warn me that "this message is from a TMDA user", because then I'd be able to procmail 'em right to /dev/null where they belong.

Ugh.

This bullshit is not going to "solve" the spam problem, people. If that's your solution, please let me opt out. Forever.

</rant>

Posted by jzawodn at April 27, 2004 02:40 PM

Reader Comments
# Marc said:

Heh. At first glance, I parsed this as TDMA and thought it was going to be a rant about AT&T Wireless's crappy coverage/service.

on April 27, 2004 03:06 PM
# justin said:

That's just as bad as those stupid anti-virus messages that you get because of spoofed mail headers. When a big virus is going around, you end up with MORE anti-virus bounce backs than the friggin' virus itself.

As for the issue that Jeremy is on about - yeah, me too. I never ever confirm. Stupid idea, made by engineers without a clue.

on April 27, 2004 03:11 PM
# Ben said:

I believe that a proper install of TMDA is supposed to auto-whitelist addresses that you send email to. Is the email address you email FROM possibly different than the one they had sent mail to originally?

I'm curious why people think this sort of system is a "Stupid idea, made by engineers without a clue." Is there more basis to this argument beyond "I'm too lazy to hit reply to this email that's sent back to me"?

After fighting spam for so long with various filters I'm about to throw in the towel and install something like TMDA -- SpamAssassin and the like just aren't cutting it anymore. I'm curious if anyone can better articulate on the pros/cons, or why you personally find them so awful?

on April 27, 2004 04:09 PM
# George Schlossnagle said:

Tell it brother!

on April 27, 2004 04:29 PM
# Mark said:

Oh sure, try to muscle in on my top spot for "blow me".

http://www.google.com/search?&q=%22blow+me%22

on April 27, 2004 04:43 PM
# Tim A said:

I agree 100% with Jeremy on this. Recently I sent a colleague an email and got one of those ridiculous bounce backs. I couldn't be bothered jumping through any hoops to make sure my email got through.

And for Ben, yes you'll probably find that 99.9% of people are too lazy or busy or whatever to hit reply and jump through hoops. That is what makes it stupid and clueless.

on April 27, 2004 04:47 PM
# Alden Bates said:

I was going to suggest setting up something to auto-respond to such requests, but then I realised that it would mean a spammer could spoof your email address to get their spam through.

A pox on TMDA.

on April 27, 2004 05:03 PM
# Michael Moncur said:

I hate TMDA-type spam filters too. The main reason is just what Jeremy said: 90% of the time, I'm emailing you to *answer your question*. This happens to me about once a week when I'm answering questions about my various web sites.

The unspoken message that comes to me with a TMDA autoreply is "Hi. I'm far more important than you, so you'll need to jump through a few extra hoops to reach me." If you're George W. or Bill Gates or Dave Barry, I'll gladly jump through an extra hoop. Otherwise the TMDA message goes in the trash, and you don't get the answer you asked for.

If you're thinking of using TMDA, think about this. You don't have to agree with me or Jeremy or the many others who are bitterly against it--but you should realize you're going to annoy lots of people, and miss lots of potentially important mail.

on April 27, 2004 05:31 PM
# david said:

Obligatory joke: We'll find you a chick that uses TDMA.

on April 27, 2004 05:51 PM
# B said:

I use TMDA and I quite like it. Yes, I occasionally go through my pending queue and find messages that people either couldn't be bothered to reply to or were too stupid to figure out, but on the whole it works quite well. You'll notice that my email address on this comment is unprotected. That means that if you send me a message and you're not in one of several of my whitelists or if I don't have a pattern set up that lets your message through, you'll get a confirmation request. Your adoring fan who requested help obviously didn't do something right, however. My TMDA setup (and most correctly configured ones) can either automatically add an unrecognized address to a whitelist when sending a message, or munge the headers so that when the unrecognized sender replies (within, say, a week) their reply is not challenged.

Yes, it can be a pain for me, yes, some people wank about having to confirm the message, and yes, it is untraditional, but you know what? I NEVER GET SPAM. NEVER! Period! Man, I love that. Can you or any other non-challenge/response SPAM mitigation system user say that?

on April 27, 2004 06:40 PM
# Justin #2 said:

I really hate TMDA. What I hate most is getting TMDA auto-acks when I post to a mailing list like the PHP Install mailing list. ARGH. That gets my goat. I've been known to blacklist senders that use TMDA. I too wish I could identify TMDA messages during the SMTP dialogue. Maybe a custom SA rule would do the trick.... Couple that with MIMEDefang and I'd be sitting pretty. :-)

on April 27, 2004 06:51 PM
# Marc Slemko said:

Mailing lists and automated mail are definitely areas where TMDA (well, any challenge response system I have seen) can just up and completely blow chunks.

It is fine if you always subscribe to any lists or automated mailings using a distinct address. But if you have one where you don't (or have many lists that get infrequent posts that you subscribed to long ago and can't even remember offhand), or try to do it based on filtering on the list address and that changes... then anyone who posts to the list gets your spew back at them. Not a very nice failure mode, many lists are already bad enough with broken autoresponders.

on April 27, 2004 06:56 PM
# Chris O'Donnell said:

I use Mailblocks and it's been a godsend. It stops over 500 spam emails a day right now. However, when I send a personal email to somebody, I use an address that comes straight into my mail server and bypasses Mailblocks. Mailblocks is primarily for the chris@ address, which has been floating around the Net since 1998 and has made it onto every spam list in existence. It's a compromise that seems to be working well, I don't have to deal with spam, and people I expect to hear from can reach me without dealing with the challenge email.

Although I do find it amusing that Jeremy was so pissed about wasting 5 minutes that he wasted 5 more on the rant. It would have been quicker to click the damn challenge link.

on April 27, 2004 07:26 PM
# Mark Denovich said:

Jeremy, I really don't agree with you on this one.

I would wager that most desired email is sent between parties with a pre-existing relationship. These people would be surely whitelisted up front, or would be quickly added (and wouldn't be assholes about one extra reply.)

The noise of dealing with TMDA challenges is so small compared to the deluge of spam, I can't see why you care. Hell, if you never want to see it, it's at least trivial to filter out.

If I wasn't too lazy to integrate TMDA into my sendmail config, I'd be running it right now. 80% of my incoming mail is spam... and if what you are sending me isn't worth a simple extra reply, then it's effectively spam too.

on April 27, 2004 09:00 PM
# rick said:

Oh, give me a break TMDA users... I use nothing but the builtin junkmail filter in Thunderbird. It captures about 99% of spam and since I whitelist everyone in my addressbook I don't get false positives. So that means that out of 200 pieces of spam I *might* have to manually nuke one email. I'd much rather do this than dick around with some system that makes people sending me email jump through ANY hoops.

on April 27, 2004 09:13 PM
# Ivan Tumanov said:

I think it's definitely a matter of preference for the person using them. I can't afford to miss any business (or otherwise important) email because somebody doesn't take the time to go through the "are you a human being" check, so I don't use them.

One of the few quantitative examples I've seen recently is David Powazek - he swears by them and the KnowSpam system he uses blocked 400k messages for him: http://www.powazek.com/2004/04/000395.html

Of course, then you ask yourself, how many of those were real emails that he missed? There's gotta be some sort of public/private key system that can be thought up to automate this kind of stuff, so no human intervention is required.

on April 27, 2004 10:02 PM
# Nick said:

Probably another reason why Jeremy has so many of these confirmation requests is due to the fact that he refuses to answer any of the questions.

Several of the challenge services will add your e-mail to a service wide whitelist once you have responded to the challenge. Then you should not receive more challenges from any other users using that service.

So by refusing to respond you are in fact causing yourself more problems.

on April 27, 2004 10:14 PM
# Donny said:

Now if Jeremy used a TMDA, and I did as well. And neither of us were on the other's "approved list". And I sent him an email, and I got a challenge back, actually I wouldn't, the damn TMDA would. And it would send it back to Jeremy, and he would send something back to me.

Does it ever end?

Donny

on April 27, 2004 11:34 PM
# Rimantas said:

Why should anyone bother to solve spam problems for TMDA users?
Why should I send some confirmation email to some crappy robot? I am not even considered human being, until I say so. Weird. And it is not being asshole not to send "one extra reply". It is asking for such reply that makes you asshole.
If you want to fight spam - do it yourself, don't throw that burden on your correspondents.

Other point is mailing lists. How do TMDA users ever get registered? They send subscription email, system gets automatic reply with confirmation request. And it is stuck. Ok, if you know beforehand which address to put to whitelist to get confirmation request to pass through.

Another problem is virii. New brands send a lot of email forging "From" field. And if you are the unlucky one whose email address was put in, you'll get that damn confirmation request out of the blue. It may protect person using TMDA, but how many innocent ones will be affected?

Get yourself a decent Bayesian filter and that's it.

on April 28, 2004 02:26 AM
# Jeff Flowers said:

"Oh, give me a break TMDA users... I use nothing but the builtin junkmail filter in Thunderbird. It captures about 99% of spam and since I whitelist everyone in my addressbook I don't get false positives."

The problem, Rick, is that you have to download that spam to filter it with Thunderbird. Who wants to waste their time doing that? And in the case of Jeremy, the person who sent him that e-mail is an idiot for not correctly configuring his system, as anyone he sends e-mail to should automatically be whitelisted.

on April 28, 2004 06:20 AM
# kasia said:

"who wants to waste their time"..

no sympathy.. so I should waste my time to make sure you don't get spam just because you don't want to waste yours? I see a serious flaw in that logic.. My time is no less valuable than yours.

I use spamassassin with some bayesian filtering and get almost no spam (300+ a day rejected at server level).

A solution that involves more work by other people as opposed to an automated system is not a solution. It's a patch that spammers will get around sooner or later.

on April 28, 2004 07:06 AM
# Ron said:

"The problem, Rick, is that you have to download that spam to filter it with Thunderbird. Who wants to waste their time doing that? And in the case of Jeremy, the person who sent him that e-mail is an idiot for not correctly configuring his system, as anyone he sends e-mail to should automatically be whitelisted."

Really? I'm glad you're so perfect and never do anything wrong and completely understand everything you do from the very first moment you try. You're an inspiration to all of us.

on April 28, 2004 09:45 AM
# Aristotle Pagaltzis said:

I completely agree with Jeremy, and I, too, never respond to such a challenge.

Challenge-response systems fail the One Question Certification Tests for E-Mail Filter Authors. The From: header can and usually is spoofed, people! I don't understand how the problem that people you don't know send you mail is solved by sending mail to people you don't know. Basically, if you receive a mail with a spoofed but valid From: (which is common spam and virus practice nowadays) your C-R system is spamming an innocent third party.

Karsten Self has a nice summary on the why-nots of C-R systems.

on April 28, 2004 09:48 AM
# McGroarty said:

A big "FUCK YOU" to all the TMDA users.

Whenever one of these big mail worms comes around that forges senders' addresses, guess who gets Joe jobbed?

Yeah, for every crap mail you're not getting, you've handed the burden off to a stranger.

Asshole.

on April 28, 2004 07:33 PM
# Justin said:

Sheesh - don't remind me! Last time that Blaster worm came around, my server was overloaded with crap TMDA messages and anti-virus software bounce backs.
In fact, there was WAY more of that crap than the actual worm and associated spam itself!!!

F**k off TMDA!

on April 29, 2004 02:48 AM
# rick said:

"The problem, Rick, is that you have to download that spam to filter it with Thunderbird. Who wants to waste their time doing that?"

Ron - what time? I'm on a broadband connection, so the download time is negligible. After it's trained, TBird's filter automatically filters, so none of MY time is spent doing that. Yeah, my software has to spend *its* time on this - but isn't that what it's for?

TMDA on the other hand, imposes a time penalty on me (to configure it) and my correspondents.

on April 29, 2004 09:58 AM
# Jeff said:

For all those morally opposed to TMDA, I wonder if there are ANY circumstances under which you could accept its existence and acknowledge its usefulness.

For example, if TMDA users read the guidelines for handling replies and mailing lists, AND if mail systems support basic authentication protocols like SPF, then the only time you would receive a challenge would be if you sent an unsolicited e-mail to a stranger. These are big ifs, but assuming we could get there, would you still get so hot and bothered?

on April 29, 2004 01:54 PM
# Keith Ivey said:

Jeff: It's not true that you'd only get a challenge when you sent an unsolicited e-mail to a stranger. You also get one when some virus or spammer sent an unsolicited e-mail to a stranger using your e-mail address.

The biggest problem with challenge-response systems, aside from their rudeness, is that for every spam message they get they send another spam message to an innocent third party. They're effectively spam-doubling systems. If the "From" field isn't forged, you're annoying some person who's trying to contact you by telling them your time is more important than theirs. If the "From" field is forged, you're annoying someone who doesn't have anything to do with the message. How is that reasonable?

Like Jeremy, I have yet to respond to a challenge. But I'm on the edge of modifying my rule and starting to respond to challenges only when I didn't send the message, thus letting the spam get through to the clueless CR user whose system is spamming me.

on May 2, 2004 01:51 PM
# JohnWho42 said:

"I completely agree with Jeremy, and I, too, never respond to such a challenge."

Great, that's one less hostile person with which to deal.

"I believe that a proper install of TMDA is supposed to auto-whitelist address that you send email to."

So ignoring id requests is good because it filters out idiots.

Cool I can have the best of both worlds: no hot heads and no idiots.


Thanks

on September 3, 2004 12:42 AM
# LeeH said:

How unbelievably lazy can you be? I mean really, click a link or send an empty reply? Your whine about TMDA isn't because it increases your workload by a factor unmanageably large, but about your being a control freak; you must absolutely hate that someone puts barriers between you and what you want to do.

My servers get hit with GIGS of inbound spam .. the problem is completely out of hand. There is no usable solution in sight. TMDA are in their infancy, but should be developed, as should all other forms of aggressive attacks on spammers and spam creating systems.

TMDA's are one of the most effective forms of anti-spam systems available today, and once they are more widely in use, they will improve.

You probably still think Lynx is the only good browser available -- had we listened to opinions like that back in '94 where would we be today?

on December 28, 2004 08:15 AM
# Frank said:

Rick,

You must be lucky. Thunderbird maybe catches 80% of the spam if I'm lucky.

To the rest,
If your e-mail is worth the recipient reading, and they've never had a prior e-mail relationship, confirm the damn thing, it's not that hard. Hell, TMDA can be set up to auto-whitelist a person that confirms once (how my setup works). Very cool.

on January 2, 2005 04:34 PM
# said:

Yes, challenge response systems are evil. Yes, they roughly double the amount of spam. Yes, they send challenges to poor innocents.

The thing is: they work really fine for me, and I don't care much about the rest. Whining about C/R systems in today's world is like going after apple stealers in Chicago during the prohibition. What have ISPs done to fix SMTP until now? Why is such a very basic authentication scheme like SPF still in its infancy? (this would easily prevent most misdirected challenges) How come bad guys can still send millions of messages a day for days long? Why are notoriously spam-friendly ISPs not yet black-outed? Why is port 25 not filtered by default for newbies? etc.

When big guys will do their job against spam, then I will become a good citizen too and disable my C/R system.

PS: most of Karsten Self's arguments on C/R systems are just plain false.

on January 12, 2005 08:06 AM
# Whatever Dude said:

How freaking hard is it to hit reply? Seriously?

on March 5, 2005 12:12 PM
# Robert A(nonymous) Coward said:

I hate it hate it hate it hate it hate it hate it.

So I was supposed to correspond with some wanker about transferring a website, and when I email him I get this stupid bounce, and yes, I couldn't be bothered to hit reply.

Eventually, after I've sent him a few more emails (I forgot that he had this stupid TMDA thing) I think, OK, we need to communicate so I'll do your stupid C/R. Then he bitches at me because of all this stuff which he should have read last week but which has only come through now once I'm "confirmed"!

To top it all off, I'm emailing from multiple addresses, he's also (that's the fucking cherry-on-top) emailing from multiple addresses, so basically I have to masturbate his TMDA program each time I want to send him an email!

Blow me, dude! Never again will I confirm my existence!

PS - Sincere apologies for the crudity of my language, it's just that I'm feeling quite distressed...

on March 14, 2005 01:31 PM
# Brent said:

Dammit all to heck people. I just had to type Jeremy's bejeezusly long name before this web form would let me post. You eh-wholes made me put extra mileage on my keyboard. I will never forgive the world. I hate everyone who has a website.

I don't have TMDA...just happened on this blog while looking on the web to see what it was.

It sure sounds like all the arguments against TMDA are pretty feeble-minded, as if straining to support a pre-existing mindset with whatever weak evidence might work.

So, you have a problem with getting challenge bounces from 2% of the people you write to. How do you know that another 50% of the emails you send are going to people who have well-configured challenge-response systems that work well and are smart enough not to challenge you?

Even if spammers could create an automaton to get through C-R systems, wouldn't it (A) require them to use a real email box where they could be tracked down and (B) increase the effort/resources required for sending all that spam by several orders of magnitude?

Is bouncing a message to someone whose mailbox is already being flooded with other bounces really such a bad thing? And if any other technology can reliably determine a message to be spam or forged, is there any reason that technology couldn't be used with C-R?

C-R seems to me like a valid weapon in an arsenal against spam--something that could be invoked by other spam-blocking technologies when they're not sure about a message.

on July 21, 2005 07:07 PM
# Daryn said:

Daryn from Spam Arrest here.. My two cents are that most complaints about Challenge/Response are about BAD IMPLEMENTATIONS of C/R, not the concept itself.

We've certainly had our moment of infamy, but we're past that. I believe that what we've developed over the past 3.5 years is, while not perfect, an example of a good challenge/response system that shows how effective, and non-intrusive, it can be.

We don't get in email loops. We auto-whitelist anyone you send email to. We don't challenge mailing lists, virus-infected emails, or spoofed emails (as best we can).

Yes, it's very easy to write a bad C/R system. Even beyond our spamming incident, it took us quite awhile to refine the process, and we're constantly tweaking it.

I saw a posting on Rent-a-Coder awhile back asking for someone to duplicate Spam Arrest for $2000. If you're a coder thinking about it, beware! More so than a lot of projects, the devil is in the details.

on August 4, 2005 04:59 PM
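
The safeguards listed in the comment above (auto-whitelisting anyone the user sends mail to, not challenging mailing lists or spoofed mail, avoiding loops) can be written as one decision function. This is an added example, not part of any comment on this page and not Spam Arrest's or TMDA's code; the class name, the `spf_result` argument (assumed to be supplied by the receiving mail server) and the sample messages are constructed for illustration.

```python
from email import message_from_string

DELIVER, CHALLENGE, HOLD = "deliver", "challenge", "hold"
BULK_PRECEDENCE = {"bulk", "list", "junk"}


class ChallengePolicy:
    """Decide what a challenge/response filter does with one inbound message.

    HOLD means: keep the message in the pending queue and send nothing back.
    """

    def __init__(self):
        self.whitelist = set()

    def record_outbound(self, recipients):
        """Auto-whitelist every address the user sends mail to."""
        self.whitelist.update(r.strip().lower() for r in recipients)

    def confirm(self, sender):
        """Whitelist a sender who answered a challenge."""
        self.whitelist.add(sender.strip().lower())

    def decide(self, envelope_from, raw_message, spf_result):
        """Return (action, reason) for one message."""
        msg = message_from_string(raw_message)
        sender = envelope_from.strip().lower()

        # Bounces and well-behaved auto-replies use the null sender "<>".
        # Never answering them is what stops two C/R systems looping.
        if sender in ("", "<>"):
            return HOLD, "null envelope sender"
        if sender in self.whitelist:
            return DELIVER, "sender is whitelisted"
        # RFC 3834: any value other than "no" marks machine-generated mail.
        auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
        if auto != "no":
            return HOLD, "auto-submitted message"
        # Mailing-list traffic: a challenge would land on whoever posted.
        precedence = msg.get("Precedence", "").strip().lower()
        if msg.get("List-Id") or precedence in BULK_PRECEDENCE:
            return HOLD, "mailing list or bulk mail"
        # Without an SPF pass the envelope sender may be forged, and the
        # challenge would go to an uninvolved third party (backscatter).
        if spf_result != "pass":
            return HOLD, "sender not authenticated (SPF %s)" % spf_result
        return CHALLENGE, "unknown but authenticated sender"


# Constructed sample messages (example.* domains, not taken from the page).
REPLY = ("From: Author <author@example.org>\nTo: reader@example.net\n"
         "Subject: Re: your question\n\nHere is the answer.\n")
LIST_POST = ("From: poster@example.com\nList-Id: <install.lists.example.org>\n"
             "Precedence: list\nSubject: install problem\n\nHelp?\n")
VACATION = ("From: away@example.com\nAuto-Submitted: auto-replied\n"
            "Subject: Out of office\n\nBack Monday.\n")
PLAIN = "From: someone@example.com\nSubject: hello\n\nHi.\n"


def run_demo():
    """Run the constructed cases and return (label, action) pairs."""
    policy = ChallengePolicy()
    # The user asked the question first, so the author is whitelisted.
    policy.record_outbound(["Author@Example.org"])
    cases = [
        ("reply from whitelisted address", "author@example.org", REPLY, "pass"),
        ("reply from a different address", "author@work.example.org", REPLY, "pass"),
        ("mailing list post", "poster@example.com", LIST_POST, "pass"),
        ("vacation auto-reply", "away@example.com", VACATION, "pass"),
        ("forged sender (worm or spam)", "victim@example.com", PLAIN, "fail"),
        ("bounce", "<>", PLAIN, "none"),
    ]
    return [(label, policy.decide(env, raw, spf)[0])
            for label, env, raw, spf in cases]


if __name__ == "__main__":
    for label, action in run_demo():
        print("%-32s -> %s" % (label, action))
```

The second case is the failure mode raised earlier in the thread: a reply sent from an address other than the one the user wrote to is not covered by the auto-whitelist and is still challenged.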
# Mike Jackson said:

I'm really late to the party, but figured I'd post anyway. Currently I'm the sys admin for an ecommerce hosting company. The way our software is set up, order confirmation emails go out from user@hostname (no one's bothered to fix that), so any bounce-backs or replies come to me. I just had to deal with someone who had TMDA on their mail, and ran across this post while googling to figure out what the term meant. I hate these C/R type emails, but I find myself replying to them just to keep my customers (and in turn, their customers) happy. Grr. Stupid "solution" to the spam problem. Get better filters and develop a thicker skin, people.

on June 16, 2006 12:12 PM
# Noah said:

I used to get over 300 spams a day. With a client-side Bayesian filter, that was still 20-30 in the INBOX a day and a crap load of downloading and processing. I now get ZERO spams in my INBOX with a combination of TMDA and server-side SpamAssassin.

It was worth it. If I hadn't done it, there'd be no way I could ever use my email address beyond a desktop -- such as on my mobile, which I do plenty these days -- and not without slogging through the 30-40 that the client filter wouldn't catch.

I also trawl my pending directory on somewhat weekly basis, just to manually whitelist grouches like yourself.

It's still more efficient than dealing with all the spam.

on August 9, 2006 12:32 PM
# Dan said:

Those fans of TMDA or C/R who have never had their domain forged by spammers can blow me. I received a virtual DDoS from C/R, TMDA, misconfigured bounces, etc. when two of my domains were forged in a huge spam run. Every C/R message was submitted to Spamcop. As the spammer was rotating the left part of the address, some systems were sending multiple challenges. As these were all substantially identical messages they were bulk email. As I never requested them, they were unsolicited bulk email, AKA spam.

on August 25, 2006 02:22 PM
# Jerk said:

Hello Important People, People who are too important to click twice with their mouse to open a reply to a challenge and hit the reply button.

Spam is wrong, very wrong. Like terrorism, sometimes the response can generate some collateral damage. Unlike terrorism, no lives are lost. That is a beautiful thing! But like terrorism, some emotional people blow things completely out of proportion. They will, allegorically speaking, threaten to kill you because they don't like your smell, apparently believing they smell like roses. Translated into TMDA space, they apparently think that you are unimportant and they are very important.

That is not true. The truth is you both need to make intelligent human contact and flourish from it.

Spam is bad. So if you need to make two mouse clicks to get yourself accepted to a new person, why is that such a bad thing? Everyone must have been to at least one party where you felt a little uncomfortable, and made, upon reflection, a few social mistakes with people you really wanted to get to know, and felt bad when that was held against you. And felt really good when it wasn't. Same thing with TMDA. The internet is a really big party, with all the good and bad stuff that implies. If you want to sit in a corner by yourself and reject every connection that's made, then you deserve a cold hard life devoid of interesting friends and perhaps more interesting acquaintances.

Do you want friends? Click twice. Link. Reply.

Do you believe you are better than everyone else? Toss their emails into the bit bucket. Nobody needs you if you don't want to get to know them.

Jerk

on September 7, 2006 06:02 PM
# sb said:

You've got it backward, Jerk. Do you believe you're better than everybody else? Then install a C/R system and waste everybody ELSE's time. And install a car alarm on your crappy Fiero and keep the neighborhood awake at night.

If you truly believe in intelligent human contact, then don't force me to jump through hoops just to talk to you. There are far better ways of solving the spam problem than C/R.

Your terrorism analogy is utterly ridiculous by the way.

on October 22, 2006 08:46 PM
# JR said:

The type of whitelisting provided by TMDA is the absolute ONLY way to block 100% of spam, all previous posters who do not believe this simply do not understand the nature of spam and the resources required to ATTEMPT to block it. There are no "better filters" and it is far less intrusive than blacklisting. It is in practice, no different than having to type "Jeremy" to post to this blog. Eventually, you WILL encounter this more and more, and eventually you WILL break your policy of not responding to TMDA type requests in order to contact someone who you really want to contact. Good luck hating it!

on October 29, 2006 03:26 PM
# Charles Galpin said:

Wow, interesting responses. I don't use a C/R system yet, but I'm about to give one a try. I was googling to get thoughts on this spoofing issue because it concerns me, but boy I think the arguments made here against C/R systems are pretty pathetic.

I get literally no spam if I use my mac laptop combined with SpamSieve which catches everything my server side filtering composed of SA/RBL/DCC/Razor/Rules Du Jour and probably others I am forgetting.

However, the server side filtering actually misses **HUNDREDS** of spam a day. I use IMAP because I want the flexibility of checking my mail anywhere/anyhow, but I'm held captive to using my laptop else I get inundated with spam.

I can't use webmail.

I can't hop on a friends computer and check mail anytime I want.

I can't route mail to my cell phone.

All because I'd still get hundreds of spam messages per day and it screws me on all of the above.

Anyway, just trying to give you an idea why I think it's the only workable solution for me at this point. I am sensitive to the issue of innocents getting emails due to spoofing, but the majority of the arguments made here against C/R are just pathetic, sorry.

I still love ya Jeremy, but you lost a tad bit of respect from me on this one.

:)

charles

on November 19, 2006 03:56 PM
# LS said:

Thanks Jeremy for starting this interesting conversation on Challenge-Response (C-R).

The concept of a stranger being required to identify himself as a human before being "accepted" (to forums, this blog, web contact forms, etc.) is universally accepted. I don't see why a STRANGER who emails me should be surprised or offended if he has to make a similar ID verification for me to accept his mail into my inbox, which is my PRIVATE SPACE. Especially since the verification is as easy as a simple click on the email client's "Reply" button.

I can imagine one of the anti challenge-response fellows acting this way when he knocks at someone's door:

"Knock Knock."
"Who's there?"
"What the hell right do you have to ask me who I am, you asshole?! F**k you! Just shut up and open the door straight away!"

The problem of C-R challenges being occasionally sent to third parties (due to forged "from" headers in spam) is the only good argument I have heard against C-R. To avoid receiving such misdirected challenges I suggest:

1. Do not configure your domain to accept all email that is sent to it. (Duuuh!) Accept only mail that is sent to a real email address on your domain.

2. Use greylisting. It will block all spam that originates from personal computers hijacked by viruses and acting as spam relays. These are I believe the main culprits of forged "from" headers in spam.

on November 24, 2006 09:35 AM
# Ronny said:

I receive hundreds of spam messages every day and have used various junk mail filters for years. Some of them do work reasonably well for filtering out spam. The main problem is not spam getting through. The real problem with regular spam filters is: Some legitimate and important mail will occasionally get tagged as spam and deleted.

I find a C-R challenge system to be a much better approach, but some guidelines must be followed to minimize the problems:

1. My customers (and potential customers) can contact me through a secure web-form at my site (most of them do). All email from this form get through unfiltered.
2. When sending email or replying to someone I use a "secret" (unpublished) email. All email to this address get through unfiltered.
3. All email that contains my name or my company's name get through unfiltered. This let a few spams through, but 99% of the spammers don't have my name, only my email so this is not such a big problem.
4. Everyone I send email to is of course automatically white listed. All my customers are automatically white listed the moment they buy anything.

The remaining emails are from people I have never been in contact with. Unlike 99% of my legitimate first time customers they don't use the contact form on my site to contact me and there is no reference to my name or company in the email. I run this through a standard (Bayesian) spam filter and if tagged as probable spam these people will receive a C-R challenge message.

My intention is not to inconvenience anyone, but to give real people who actually are trying to reach me a chance to do just that despite the fact that my Bayesian filter thinks they may be spammers. The alternative is to just delete their message unseen. There is just no way I can manually screen several hundred spam tagged messages each day.

I do occasionally receive a C-R challenge message from someone due to forged headers (spammers using my email address). I'm happy to report I never see any of these messages because they are stopped by my own C-R challenge system.

Of course I still receive C-R challenge messages from people I have actually initiated contact with (everyone I send an email to is automatically white listed) and I have no problem spending 15 sec of my time to verify my identity when this happens.

on December 29, 2006 04:49 PM
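The triage order laid out in the comment above, as an added example that is not the commenter's code or any C-R product's: allow rules first, then the Bayesian score, and a challenge only as the last resort. The addresses, owner names, score threshold, sample message and the `hold` branch for automated mail are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Every value below is constructed for illustration.
SECRET_ADDRESS = "reply-7f3a@example.com"      # unpublished reply-only address
OWNER_NAMES = ("jane doe", "example widgets")  # owner and company names
WHITELIST = {"customer@example.org"}           # buyers and past correspondents
SPAM_THRESHOLD = 0.9                           # assumed Bayesian cut-off
SAMPLE = ("From: Stranger <stranger@example.net>\nTo: info@example.com\n"
          "Subject: cheap pills\n\nBuy now.\n")


def record_outgoing(recipient):
    """Whitelist an address the moment the owner sends mail to it."""
    WHITELIST.add(recipient.strip().lower())


def triage(raw_message, spam_score, via_web_form=False):
    """Return (action, reason); action is 'deliver', 'challenge' or 'hold'."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []))}
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    if via_web_form:
        return "deliver", "web form"
    if SECRET_ADDRESS in rcpts:
        return "deliver", "secret address"
    if sender in WHITELIST:
        return "deliver", "whitelisted sender"
    if any(name in text for name in OWNER_NAMES):
        return "deliver", "mentions owner"
    if spam_score < SPAM_THRESHOLD:
        return "deliver", "filter passed"
    # Added safeguard, not in the comment: never challenge bounces or
    # auto-generated mail, so two automated systems cannot loop.
    if not sender or msg.get("Auto-Submitted", "no").lower() != "no":
        return "hold", "automated or no sender"
    # The challenge goes to the From address, which the sender controls
    # and can forge; that is the blowback other commenters describe.
    return "challenge", "unknown sender tagged as spam"


if __name__ == "__main__":
    print(triage(SAMPLE, 0.97))              # stranger tagged as spam
    record_outgoing("stranger@example.net")  # owner writes to them first
    print(triage(SAMPLE, 0.97))              # same message afterwards
```

Calling `record_outgoing` from the outbound mail path is what keeps a reply to the owner's own message from ever being challenged.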
# Ronny said:

Jeremy, I was surprised but happy to see you have changed your mind and are now using a challenge message system yourself :)

I just received this after emailing you... sorry, posting a comment to you..:

----------------------------

Click the following URL to make your comment visible:

[Verification URL]

If your comment is spam, don't bother. I'll remove it soon enough.

Thanks!
Jeremy

----------------------------

on December 29, 2006 04:58 PM
# MLM said:

This opinion, and all of the people whose Bayesian filters were working well, was all well and good in early 2004. But, as we all well know, spammers have kept up and things are much different 2.5 years later. I'll bet Rick, who used nothing but Thunderbird's filter back in 4/2006 for 99% success is now getting closer to 50%, and only if he's resetting his training data every two weeks and then training it for a few days. As has been noted by an earlier poster, this blog now requires C/R, so we've got to assume that Jeremy has changed his mind about this. Will he own up to it herein?

on October 26, 2007 10:46 AM
# john said:

interesting. i've been using tmda for the last 3 years. i have received 0 spam. i put everyone i want email from in my whitelist, then i give them my email. if i'm out somewhere and i want to give my email to someone, i have ssh on my dash that i use to remotely log into my server so i can run a script that adds their email to the end of the whitelist. takes like 2 minutes. most of the people i know are computer nerds. i doubt any of them use tmda but i know every one of them approves. we have discussed this before and basically, on an individual level (tmda would not be appropriate for larger based email solutions), to keep spam out of sight, the best way to handle mail is to block everything and allow on an individual basis. actually, it's kind of like my firewall. explicitly deny everything, add exceptions on an individual basis before it. if i don't know you, tough shit, i don't want your email. just like, if you're not the right protocol/port/host, tough shit, you're not getting to my network. i guess that's why i don't have a spam or network issue. if they happen to change their email address or whatnot and they don't want to respond to my silly little challenge email or don't know what the hell it is, well, they can send an email to my yahoo account. how about that! seriously though, yeah, tmda, not so good for large scale implementation, perfect for small list of contacts.

on January 24, 2008 08:06 PM
# Sam AMi said:

Jeremy, Jeremy, Jeremy

You obviously have no "blow yourself" idea how TMDA actually works in a real work installation when set up correctly.

on April 14, 2008 11:28 PM
# BHC said:

Those complaining about Jeremy's use of an email-verification system for comments have clearly missed the point.

The problem with using TMDA for email is the underlying assertion that keeping YOUR inbox clean is MY responsibility, even though I reap none of the benefits. It's the notion that emailing YOU is a privilege.

Now let's apply the same logic to a community forum. . .

Keeping the community forum clean is each member of the community's responsibility. We all reap the benefits. Participating in the community forum is a privilege.

Notice how those two things are not the same at all??

You benefit, I pay != We all benefit, we all pay

on October 21, 2008 10:36 AM
# Toby said:

BHC has hit the nail on the head when he says that TMDA carries an underlying assertion that emailing YOU is a privilege. But, unfortunately, I think he then draws the wrong conclusions, and misses the point when comparing this to the forum's C/R system.

Firstly, let's be clear that in a well-designed, correctly configured C/R system, YOU = a stranger who you've never corresponded with before. So "TMDA carries an underlying assertion that emailing a stranger who you've never corresponded with before is a privilege". Does that sound unreasonable? If we translate this into LS's front door analogy, we're saying that: "closed doors carry an underlying assertion that entering a stranger's house is a privilege".

Now, you're welcome to choose to have an open door policy if you like, and let in any stranger who shows up without question. But you can't reasonably object if I choose to keep the door to my house locked, and ask who's at the door before letting them in. There's nothing unreasonable about viewing it as a privilege for a complete stranger to get their email into my private inbox, and asking them to convince me first that they're not a Viagra salesman or porn merchant. I wouldn't let such people through my front door either!

If you, a stranger who I've never heard from before, email me, and get so offended by the challenge that you don't want to correspond any more, I can't reasonably object to that either. That's your prerogative, and I chose to take that risk when I chose to use a C/R system. But nor can you reasonably object to receiving a challenge, given that you're the one who decided to email me in the first place. (Again, if *I* emailed you first, I completely agree that challenging you is rude, and there's no excuse other than using a worthless C/R system or not understanding how to configure it properly. Though I personally don't feel this is quite as heinous a crime as Jeremy does.)

Finally, BHC is wrong when he argues that you gain no benefit from responding to a challenge. The benefit you gain is that, instead of your mail getting accidentally lost and forgotten amongst a deluge of spam, you make sure that your unsolicited email gets through and stands a chance of being read. I started using a C/R system when I started to lose too many legitimate emails from people I wanted to hear from to false positives. (Even though I regularly eyeballed the spam folder, there were so few false positives relative to the amount of spam that I still missed them.)

The comparison with the forum C/R system becomes: you pay, you benefit, vs. we all pay, we all benefit. The only difference is that the forum is a public space, so more people pay (and more people benefit).

on November 13, 2008 07:19 AM
# Samantha said:

Spam Arrest claims to stop spam, but what it is actually doing is using a worm to contact all of your contacts in your distribution list once you click its link or sign up.

You may not be aware this is happening as the sent mails aren’t recorded. Our IT department found that it was happening and we immediately took action.

We deal with several suppliers internationally and are now having to clean up this incident.

It also searches your email and grabs legitimate subject lines from other emails you’ve sent so the mass mail looks correct and is more likely to prompt people to trust it.

It perpetuates itself like any other email worm using altered/rearranged email addresses and mass mail, and is difficult to contain. Please do not use SpamArrest and please don’t click links that are sent to you in emails.

Virus programs and Gmail filters may not catch it, because they can’t stop you from clicking a link.

Spam Arrest emails come with a standard email body of: “Im protecting myself from receiving junk mail.” If you see this please delete it immediately.

Please also keep in mind that the majority of the people giving Spam Arrest “good reviews” most likely work there. Thanks.

on August 27, 2009 06:21 AM
# Dave said:

You pussy. I had to type in the word Jeremy to post this message, while TMDA only requires two clicks (reply and send). Now who's got to jump through hoops? Clearly his shit is broken, how kind of you to help... what a kind and thoughtful soul you are.

Tim A: Yeah you could dislocate a thumb having to click twice.

Michael Moncur: If you think George W. is important enough to jump through hoops for, you have bigger problems than spam.

Justin #2: I can't wait to be on your blacklist.

Marc Slemko: How many mailing lists do you subscribe to? Enough that you don't even remember them, clearly they are of paramount importance.

rick: There's no hoops, it's two clicks, reply and send. PS: 1% of 200 is not 1.

Donny: Google TMDA and read the FAQ. Section 4.12 explains why that wouldn't happen.

Rimantas: The burden isn't on correspondents, it is on new correspondents. TMDA users register for mailing lists by reading the FAQ and following the instructions like they should when they install and configure software. Challenge messages have fuck all to do with virii, you clearly do not understand how email works. The fact that you think the word "Bayesian" is cool doesn't make it effective.

kasia: I'll bet you never touch your automated system for anything ever.

Ron: *tips hat*

Aristotle Pagaltzis: Super, don't email me.

McGroarty: Fuck you too fellah, fuck you too. I have yet to see a TMDA message from a spammer using my forged email address. Maybe you should use a throwaway address for those pr0n sites you sign up for?

Justin (again): The Blaster worm? You mean http://support.microsoft.com/kb/826955 THAT Blaster worm? the one that does not propagate via email? Bullshitter.

Keith Ivey: Seriously, stop giving your email address to spammers so they can forge it. Spam is not doubled because for every spam message that comes from a fake address, absolutely nobody gets a challenge.

Robert A(nonymous) Coward: Obviously a communications expert.

Brent: This guy doesn't even claim to have any in depth knowledge of email or spam and he gets it... what does that say about Jeremy?

Daryn: Advertising on blogs is spam.

Dan: You should give spammers McGroarty's email address or Justin's, that'll keep 'em off your back.

sb: You don't get it, Jerk is saying that nobody is more important than anybody else, slow down when reading comments, sound them out if it helps.

LS: BAM! Nice explanation.

Sam AMi: Made me giggle a little bit.

BHC & Toby: Supporters of TMDA do not claim that emailing them is a privilege, they may claim that 2 clicks is not very much work, but they do not assume that they are more important than you. Your comments are childish, your desire to have the ability to email any address unhindered encourages me (and hopefully others) to deploy TMDA.

Samantha: So, what has happened in the last 4 or 5 months since your IT department found out about Spam Arrest's scum practice? Did they tell you to go pound sand and host your own email if you want to protect it?

on January 19, 2010 09:53 PM
# Your Name (optional) said:

almost 6 years and counting on this blog... wow... As for TDMA in an organization of any real size, I can't imagine how I would get average users to understand that they won't receive e-mail from a new contact (or old one with a different address) until the sender effectively sends it twice. I would rightfully be shot by my business colleagues and then fired by my boss... TDMA - Temporary Distraction - Minor Attraction

on March 1, 2010 05:24 PM
# Sabahattin Gucukoglu said:

Yeah, gave up in the end and deployed, after much resisting. Spam's still a problem with the same complete lack of any solution. I can't raise my SA score any higher without losing mail, and there's still enough in my inbox to make mobile use impossible. I think the benefits of CR ***FAR*** outweigh the drawbacks in the absence of a good sender authentication or reputation scheme we can all live with. And yes, I've been there, a victim of blowback.

It's a cruel world, fellas. Deploy TMDA, and feel your troubles melt away. I'll be shot in any of my social circles for saying this, but I cannot care any longer. If you write, and my email is everywhere now, take a moment, please, to confirm that you are not a spammer. You understand, don't you? Spam is everywhere, it's always coming, and you, who want me to read your mail with certainty, can take one whole second to make two mouseclicks, and to understand why it's important in the changing landscape of spam that is never ending without any legal recourse. Do that, and I will know that you are not the robot of evil, the email spammer, whom you know to pollute the Internet with their junk. Oh, and be mindful that a consequence of CR (or perhaps just BATV, if you admin your own mail server and get itchy about CR victims) is to shield you from the very blowback you fear causing others by the use of CR. This is reason enough to encourage a greater appreciation of this technology by those otherwise opposed to it.

Oh, and I'm blind, so don't use CAPTCHA, or you *will* inconvenience somebody.

Cheers,
Sabahattin

on March 14, 2010 10:54 AM