I just ran into this program on the Web and can't refrain from saying that it's an extremely stupid idea and I can't believe someone made a program for home users with it. A huge "ISP-portal-content-provider-kitchen-sink" in my country has implemented a similar mechanism for averting spam and it's even more annoying than spam.
Why is it so hard to see that spam is causing a huge increase in traffic and that stupid idea of sending confirmation messages *triples* the non-spam volume? Instead of "send message", now it's "send message, send confirmation, reply to confirmation".
And spammers never bother replying to those, only bona fide senders will, so it's yet another burden on the innocent.
Please, dump that silly program right away. I also hate spammers with all my guts, I'd love to see them getting death penalties or something worse, but that's not a good way to fight spam.
Dear developer, I know you are very smart and certainly very proud of your creation, written in your praised and hailed strongly-indented language, but you're doing a great disservice to the Internet. Be wise, be humble: admit you were in a bad day when you conceived it, drop the idea and think of an intelligent way to fight the pest. I'm pretty sure you can do a lot better than that.
Well, since you signed your post with Anonymous, I think you don't have a better idea to deal with the daily spam.
The company I work for receives about 800 - 1000 spammails each week.
Spamassassin correctly identifies about 60 - 70 % of this as spam.
That still leaves about 300 to be sorted manually.
I've filtered a carefully sorted spamlist of about 2 months of spam, to create our ignorelist for ASK.
In places where there were numbers in the domainname I replaced them with *
Since We've installed ASK, our amount of spam reduced to almost zero and we send about 40 - 50 confirmationmails per week. So the mail-overhead of ASK is not that large as you suggested.
I think ASK is a great product. There are some points which have to be adressed in a future version and it takes some time to install and configure.
Still ASK is a great product which earns itself back (is a dutch expression, I can't translate in English very well).
>And spammers never bother replying to those,
>only bona fide senders will, so it's yet another
>burden on the innocent.
I think that's the idea. Only people who identify themselves are allowed in. Do you allow strangers into your home? Do you consider it inelegant when someone requires you to knock on the door before you enter?
Argh!!! I know I am preaching to the choir since Anonymous Coward is probably long gone (and still going through all his SPAM manually).
I've been using SpamArrest for my personal mail for a few months. Yeah, it's expensive and I feel like I am being extorted to have my mailbox back, but for my personal mail that is the right solution for me since I need it to work from multiple platforms.
However, one of my work accounts is an even bigger SPAM magnet than my personal account, and the POP server is not accessible to the Internet (for obvious reasons), so SpamArrest would not work for that. A friend recommended ASK and here I am.
As I was looking for ASK on the web, I noticed a lot of articles with the same tone as Anonymous Coward. What is up with these people?! I honestly suspect they are spammers themselves and have realized that have finally met their match.
1) SPAM filtering does not work! Don't you dare tell me that it does. I used a SPAM filter on my personal account: I would estimate that it filtered about 60-70% of the SPAM "out of the box", but it filtered out an unacceptably large number of legitimate mails. I had to go searching through my SPAM folder on the web anyway to make sure I wasn't missing anything, so it was actually more work! I set the filter to a higher threshold so I would not miss any legit mails and as would be expected, the filtering dropped to about 40-50%. SoBig.F was the camel that broke the straw's back for me. I was getting hit hard with it (probably because my e-mail address is on a lot of web pages) and my mail quota would fill up every 3 hours. And when it's full you miss ALL mail!!! Fortunately I found out about SpamArrest and soon all went silent! Ahhhh!
2) At work, the problem was even worse. A SPAM filter was put in place, but at its best it only filtered a paltry 40% of my incoming SPAM. I was away for one week this past Thanksgiving and came back to over 3400 messages! Yes, that's over 350 spams per day, and remember this is apparently FILTERED! Generally speaking I have about 200-250 mails to delete in the morning, which takes about 10 minutes, but it took me several HOURS to delete the 3400 spams I received over holiday.
3) I run a web site that sends out weekly e-mails to my users that specifically asked to be sent these reminders. At some point last week, the mail server I use (part of a bigger web host provider used by many other users) was blacklisted and my weekly reminders did not get sent out to about 10% of my users. Apparently the "issue" has been resolved and the mail server has been taken off the black-lists, but thanks to FILTERING, 10% of my users missed an important e-mail.
4) The "best" idea the filtering folks have come up with is the Bayesian filter which uses statistics to identify "good" and "bad" mail. Well, guess what? I've been getting spam now that contains the SPAM message broken up into two character pieces with HTML comments containing "valid" words that aren't visible to the user when they read the spam. Example: Or<!--business-->de<!--hardware-->r V<!--provide-->ia<!--read-->gr<!--feedback-->a N<!--activities-->ow. The user sees "Order Viagra Now". The Bayesian filter sees: business hardware provide read feedback activities. Spammers will ALWAYS stay one step ahead of filters.
5) So how does Challenge-Response work? Wonderfully! After several months of using SpamArrest, only 8 emails (out of over 9000 processed) have actually come through. These are from spammers that actually took the time to respond to my confirmation mail! And with SpamArrest it is trivial to then permanently ban that address, so even they don't bother me. I expect similar results from ASK, although I must say maintaining the lists looks to be a little less automated and user-friendly. There are also a few more issues that I think will cause ASK to be less effective for me at work, but even if I can get down to 10 spams being let through a day, I am WAYYYY ahead.
6) These people are worried about mail volume? Please! First of all, worst case it only "doubles" mail volume. Once senders are validated, there is no confirmation at all. And let's take an extreme case like me where over 90% of my mail is SPAM: there will be "send message" and "send confirmation". The spammer will never "reply to confirmation", so mail volume is only doubled. And that's assuming the entire message is quoted (which it's not). And what's the problem with that anyway? Are we suddenly out of bandwidth on the Internet? Believe me, if the mail system can keep up with SoBig.F, it can keep up with confirmation e-mails. If it can keep up with bazillions of MP3's and friggin' movies being swapped, it can keep up with confirmation e-mails!
7) Putting the "burden" on the innocent? "Annoying"? Oh please! Most users of Challenge-Response initialize their white lists with their address books or their existing mailboxes (I love the idea that ASK can scan Unix mailboxes for white list addresses, but bummer it appears that it can't handle MH mailboxes) so the majority of correspondents aren't "bugged" at all. And even if they are, big deal--it's a ONE TIME confirmation!
How in the world can this be more annoying than SPAM?
I would LOVE to hear one of these critics come up with a better idea. Of course since they are all most likely spammers in the first place, their "idea" will be the one that will let the most SPAM through.
Thanks, I needed that!
Confirmation mails may be the only way to go, but having "ASK lite" might be a lighter-weight first step. This "lite" method would be to simply "test" the sender's mailbox to see if it's valid, rather than require a confirmation message. This, I suspect, would eliminate a vast majority of hacked, or temporary mailboxes that do not exist.
How does one "test" the sender's mailbox without actually sending an e-mail? I agree, probably 95% of the SPAM that hits my inbox and is requested to be confirmed does bounce back to me, so if it were possible to predict this, I agree that you could almost do without confirmation e-mails. But of course once you've filtered down to that level, why not send a confirmation e-mail to the remainder of the "valid" senders. The system works!
Postfix natively does this check. Perhaps others do too, but I'm not sure. Some ISPs are starting to do so too. This movement is raising the bar on email sending validity checks.
Randolf C. Richardson
Actually, I wouldn't call the program "stupid," but I certainly do think the concept is bad because it actually serves to aid spammers in further victimizing innocent users who've had their eMail addresses forged by spammers and/or viruses.
I am going to clarify some points here, however, because it does appear to me that other posters here are misinformed on the issues surrounding spam fighting (see numbered points below...).
I dislike filters because my bandwidth is still wasted, but I find that blocking SMTP traffic from known spam-supporting ISPs works wonders for cutting down on spamflow.
I report all spam, including C/R system challenges (because they are spam), to SpamCop.Net, and also share the information with other key people I know and trust who are responsible for SMTP servers throughout the world.
0. "SPAM" is a Registered Trademark of Hormel Foods, and junk eMail should be referred to as "spam" or "Spam" instead: http://www.spam.com/ci/ci_in.htm
The following points are intended to address Lance Pickup's numbered points...
1. Spam filters and DNSBLs (a.k.a. "blocklists" and sometimes "blacklists") are entirely different things. DNSBLs are not filters, they are merely DNS-based databases of IP addresses (or in some cases internet domain names) that fit a predefined criteria that normally relates to spam. SMTP server operators make a choice on which DNSBLs to use to block traffic based on which DNSBL's criteria they agree with, thus preventing the eMail from entering their systems at all. Filters, on the other hand, require that SMTP traffic not be blocked in order to operate, otherwise there would be no content to filter.
2. Each filter is made differently. Some filters definitely work better than others, but each site and each user will have different experiences with filters due to being targeted by different spammers. The whole assumption that spammers have access to all eMail addresses is an incorrect and illogical one, because spammers use a wide variety of techniques for stealing the eMail addresses of innocent users -- they're in competition with each other in many ways, so it would be naive to think that there are any standards among spammers (actually, a common inherent problem with spammers is a lack of moral and ethical standards).
3. When an eMail is blocked because the destination SMTP server is using a DNSBL to block IPs that are known spam sources (or whatever the criteria of the DNSBL might be), no messages are actually lost -- messages are simply rejected, and the sending server continues to be responsible to notify the sender (or mailling list operator) of the problem.
4. I wasn't aware that Bayesian filters were considered to be "the best solution." Can you cite any credible references for this? At any rate, there are many different types of filters, and Bayesian is just one of many. There are some SMTP server administrators who have done really well with content filters, but a combination of techniques and filters, and other customizations are required to do this. Myself, I do very limited filtering on initial headers to check for some basic things (and reject the message if it's not compliant with standards, etc.), which I find blocks some spam, but most effective tool for me have been the DNSBLs.
5. From the C/R system user's perspective, C/R is a great thing, but unfortunately the user isn't aware of the havoc their beloved C/R system is causing the rest of the internet, and as a result their systems get added to various DNSBLs because of how C/R systems are actually "spam repeaters" (and sometimes even "spam amplifiers" when they send multiple challenge messages for a single message). C/R systems deserve to be blacklisted.
6. Bandwidth waste due to spam increases the overall costs for users, even if they are on monthly flat-rate services. After all, the ISP has their own bandwidth bills, and if more bandwidth is being consumed then that means users will pay higher fees in the end (lower bandwidth fees could mean more discounts and/or fewer price hikes in the monthly fees). To cite examples of other forms of bandwidth use/waste are the typical ploys that spammers use to justify their criminal behaviour (yes, spam is "theft-of-service"); spam has a much greater cost than bandwidth alone though, don't forget about the time wasted by users in dealing with it, the extra wear-and-tear on equipment, higher electric bills, etc. In addition to that, it's just a matter of time before some spamware vendor figures out how to automate responses to C/R challenges, and then any spammers who use such spamware will be getting through your beloved C/R system and you won't have any right to call it spam because you chose to automate the delegation of your consent to the senders, including spammers.
7. Why should I have to jump through hoops just to send an eMail to someone? That's not the natural course of how eMail is expected to work, thus it's unintuitive. Consider that I want to buy a certain product and I seek out a few companies to ask for some information and pricing -- those who expect me to jump through additional C/R hoops so I can get my request to them are not going to get my business because I'll just assume that their whole philosophy on doing business is screwed up (Where else will I have to jump through hoops in dealing with them? Why should I support a spam amplifier? Are they snobs who think they're elite or something?).
8. Marco Paganini posed the question "Do you allow strangers into your home?" My answer to this is "No, of course not, and the same goes for my SMTP servers, which is why I don't use C/R -- a C/R confirmation is more like a key to a locked door, which allows the so-called stranger to open the door and place a message inside my eMail inbox."
Regarding a "better solution," I'm a big fan of the death penalty, but so far the common member of society only really agrees when it comes to how to deal with child molestors, rapists, and murderers; somehow spammers still get a lot of sympathy from the general public (and that's really sad).
Unfortunately, sending "Your eMail message is infected with a virus," "Cannot find user, urf, vomit, barf...," and "C/R confirmation" backscatter messages are all forms of eMail abuse. Sending enough of these to my systems will result in blacklisting by way of a private DNSBL for a time determined partially by the perceived level of arrogance from both the sender and the sender's ISP. Why? Because eMail abuse is a form of theft-of-service which is totally unacceptable.
Horse-hockey, Anonymous Coward !!
I agree, Anonymous Coward is likely a frustrated spammer himself. You can't get around this one, "Coward."
I have often wondered if spammers really want to sell me anything at all. It seems if they have a brain at all they will realize their spam so infuriates me that I would never by a produce they advertise.... ever ! I do know that there are people in this world who go to bed with a satisfied grin knowing they have infuriated, annoyed and frustrated 10 people today... and then they scowl and swear that they'll infuriate at least 12 tomorrow. Is Spam mostly just that? An attempt to infuriate people? I'd bet a lot of it is created by people who are trying to make up for being very poorly endowed in unmentionable parts of their anatomy.
I am beyond livid. I used to have a mailbox which I and my friends liked for its simplicity: email@example.com. It was destroyed by spammers. I had to abandon it because of the volume of spam it was receiving.
There are animals who supply addys to spammers. These characters are even more despicable than spammers themselves. They robbed me of that simple bob@ addy. They started sending emails to bob@, john@, harry@ etc and looked for bounces. I saw that in my logs. So simple addys were robbed from all of us.
Almost every day I also see in my logs:
From [126.96.36.199] to firstname.lastname@example.org: 1 Times(s)
Know what that is? It's some Korean a**s**s... checking to see if he can slip through my mail server and use it as a relay. I emailed Kornet.net, the ISP this character is using. They don't even bother to answer my emails, much less stop this jerk.
It is past time... WAY WAY past time for programs like ASK. Yes, it's annoying. Yes I'm afraid I'll miss some emails. But the alternative of having my email addy effusively destroyed by spammers is worse. I run a major website. I can't keep changing email addys every time the damned spammers discover me. My site-members would lose me and the valuable contact and help which I give them.
One other thing: How about children? Does Anonymous Coward also believe that children should get sexually explicit email?
My site focuses on children. Many have told me that they receive many sexually explicit spam emails... that they have been getting these since they were 8 or so.
Lots of lip-service is given to improving the email system. But in reality not chit is being done, except by ASK and other programs like it. How does one require that countries like Korea comply ? Do we declare war on countries that refuse to do anything about Internet abuses?
1) I would love to block all Korean ISP's... many systems do. But I have a lovely Korean girl on my site who uses the site to keep in contact with her American friend. If I block Kornet.net. I will also be blocking her because that is her ISP.
2) SPAM is a registered trademark !!! (As if I and others had no idea!!! nor HAVE any idea what the relevance of your pointing this out might be 0_0)
3)As for Spamcop.net, I spent many hrs there trying to discover a way I might report a spammer.... to no avail. Do you have some sort of 'secret knowledge' that the rest of us lack? I gave up on reporting because it's rather like trying to kill an elephant with a bb gun anyways.
4)You say "Some filters definitely work better than others." For those of us who can read between lines, it's obvious that you are admitting that filters simply don't work... *smile* ... next point...
5) Why should you jump through hoops to email someone? If you don't care to respond to my C/R that's perfectly fine with me. That simply informs me that neither you nor your message are of any importance whatever to me... that your initial message is essentially the same "Spam" you accuse me of with my C/R... perhaps I should report you?
5)... It rather seems your attitude is "so the email system doesn't work?... deal with it" You offer no solutions other than the death penalty and tell us that you will report any of us who try to protect ourselves, our children, our time, and our mailboxes from spammers.
Randolf C. Richardson
I still believe that C/R systems are severely, inherently, flawed, and are aiding spammers in their plight to further victimize internet users through theft-of-service [of their bandwidth, etc.]. Here is my response to "usagichan" (a.k.a. "bob")'s response to my last posting here...
1. That's your choice. If you know how to configure your SMTP servers to whitelist certain eMail addresses before blocking entire IP netblocks, then you'd be able to continue to service your existing customers while still putting pressure on the offending ISPs they use to take the spam problem seriously -- in fact, this will likely put even more pressure on their ISPs because if it works for some customers and not others, then their system will appear to be unreliable when their users tell them "it works for so-and-so and also works with YahooMail.com, etc." (and don't worry, they'll definitely know why).
2. Actually, it's obvious that many people don't know that "SPAM" is a Registered Trademark because they keep mis-using this term in violation of Hormel's wishes. One of the ways spam fighters can demonstrate they have integrity is by respecting others' property. After all, isn't that one of the whole points of fighting spam in the first place? To protect property (not to mention consent, ethics, decency, etc.)? Of course it is (to both those questions).
3. No secret knowledge is needed to use SpamCop.Net for reporting spam since the procedures are all documented clearly. In addition to that, there are both NNTP-based and web-based forums that welcome anyone to ask for assistance. I suggest you look into this if you really are serious about using SpamCop.Net to report spam.
4. You totally ignored my point that blocklists (a.k.a. "DNSBLs") and filters are very different things, and unfortunately you twisted it into "filters simply don't work." The fact is, some blocklists work especially well. As for filters, certain types will work while the spammers aren't "on to them," but this mostly depends on how dedicated the owners/administrators are (it boils down to ethical/moral motivation, the economics of time/money, etc.).
5a. Your arrogant attitude indicates to me that you are frustrated, and I'm guessing it's partly due to the fact that you're in denial about the desperation you feel from delegating your consent to complete strangers. It's only a matter of time before the spammers will automate the C/R hoop handling and you'll just be back at square one again. Also, you definitely should NOT report me for spamming because that would be an outright lie.
5b. Why should I be expected to come up with an alternative solution for a severely flawed system that I didn't have any active role in creating in the first place? I merely pointed out, with fairly detailed reasoning, why the system is flawed, in the hopes of seeing a response somewhere between complete agreement and sensible counter-arguments; your response failed to meet my expectation.
Wilmer van der Gaast
I know the problem. I removed the MX records for two domains because spammers started to use them for forged sender addresses. More than half of the SMTP traffic to my server consisted of bounces (stupid QMail servers, mostly) of undelivered spam.
But this program is just NOT the solution to the spam problems. I thought the world realized this by now, so I was pretty surprised when I saw a new release of a similar program on FreshMeat.
All these programs do is make the spam problems worse. Just like QMail with its braindead behaviour of sending bounces instead of the usual 550 response. Spammers use forged sender addresses all the time, sometimes those are real addresses that are real people. So you end up being the spammer yourself.
Also, if everyone would use such a program I'd have to reply to those confirmation requests every time I send a mail to a new person, or when I accidentally use a different sender address. I got better things to do than that.
A couple of weeks ago I actually tried to mail someone who used a system like this. His query-system seemed to be broken, or at least I couldn't figure out in less than a minute how to confirm. Sure, that's what we want. IOW, I don't bother, and I hope more people won't.
So then you end up not getting any non-spam mail anymore either. Congratulations! :-D
BTW, if you want something that works without contributing to the spam problem, try graylisting. Together with some nice and safe IP blacklists, it keeps pretty much all spam out of your INBOX.
And to the author, I'm sorry for participating in this kind of flamewars (it *is* pretty low), but this kind of software is just wrong. It's nothing about your program specifically.
Randolf C. Richardson
> ... SMTP traffic to my server consisted of
> bounces (stupid QMail servers, mostly) of
> undelivered spam.
Although I do agree that qmail, by default, lacks in this area, in my opinion it is a first-class mail server that can be programmed to reject at the STMP envelope stage instead of bouncing from the queue. There are a number of free add-ons for qmail that make this possible in a variety of ways.
Please keep in mind that qmail was originally designed for an environment where forgeries weren't commonplace as they are today. There are many other SMTP servers that came later which default to this same behaviour of naively bouncing from the queue, and I consider it the responsibility of the mail server administrator to make the right configuration/software choices when it comes to operating a system responsibly.
> But this program is just NOT the solution
> to the spam problems. I thought the world
> realized this by now ...
The world never realises anything. Democracy has already proven this (think "99 people telling 1 person what to do is not freedom" -- people seem to think democracy is freedom, but it is not, it's just a really big strata council), yet people continue to insist that it is the best solution (I don't know what is, but I don't mind living in a democratic^H^H^H^H^H^H^H^H^H^Hstrata-run society given the alternatives) and even wage military wars to force it upon unwilling parties.
The problem with democracy is that you have followers picking leaders, which in itself should raise some alarm bells for those who posess common sense.
The implementation of C/R Systems are just another form of bad decisions that don't consider the overall, long-term effects that they have on the internet. What's the basis for these decisions? Whatever the reason, it certainly has its roots in selfishness because it just puts the burden on someone else who's eMail address could have been forged.
At least it does eliminate the spam problem in its entirety because once consent has been delegated to a sender (who could be a spammer to others who don't use a C/R System), it can no longer be considered "spam" because the recipient clearly gave their consent/permission for the sender to eMail them.
> Also, if everyone would use such a program I'd
> have to reply to those confirmation requests
> every time I send a mail to a new person, or
> when I accidentally use a different sender
> address. I got better things to do than that.
You're absolutely right about that. I wish that folks who choose to implement a C/R System could also see things in this light -- eMail is already pretty dysfunctional, and C/R Systems are only going to make it worse, especially when spammers start automating responses to C/R verification requests.
> ... I couldn't figure out in less than a minute
> how to confirm. Sure, that's what we want. IOW,
> I don't bother, and I hope more people won't.
I don't bother either. Recently a business associate of mine implemented C/R System, so I telephoned him and gave him a friendly lecture on the problems with C/R Systems. At first he just whitelisted my eMail addresses (all 50+ of them), but then later abandoned the idea altogether because he was getting calls from people who thought his eMail wasn't working -- they thought that their messages had bounced! Yup, you're absolutely right about the confusion aspect, but I think you're generous with 1 minute; most people I know would probably give it no more than 10 or 15 seconds at best.
> ... works without contributing to the spam
> problem, try graylisting. Together with some
> nice and safe IP blacklists ...
An excellent suggestion. I do this myself, and I help others implement/modify eMail systems to do the same. It's quite effective, and depending on the recipient's criteria the statistics show anywhere from roughly a 50-95% blockage, and the users are happy because they get a lot less spam.
> ... this kind of software is just wrong ...
I agree, and so do many other professionals who are also responsible for keeping extremely busy mail servers operating reliably for large numbers of users. A C/R System can increase the bandwidth requirements in a very big way, which is likely one of the reasons C/R isn't seen on large systems.