Re: Spam in the lists out of control



On Tue, May 11, 2004 at 01:36:51PM +0200, Wouter Verhelst scribbled:
> On Tue, May 11, 2004 at 10:49:47AM +0200, Bartosz Fenski aka fEnIo wrote:
> > > There is a tool that does a very good job for keeping spam
> > > away from your box if you're willing to put some effort in configuring it
> > > (I'm not using it personally, but my boss is - with a great success) -
> > > http://www.tmda.net/
> > 
> > That looks interesting. Thanks for pointing it out to me.
> 
> tmda challenge-response is not an effective solution against spam. There
I beg to differ. Read below.

> are a few reasons:
> 
> * When a spammer sends you a mail, the autoresponse you send out will
>   effectively spam other people. You're saying "I don't like to be
>   spammed, so I'm spamming you instead". That's annoying, at best.
It's actually pretty effective but, I agree, not really friendly.

> * Many people (me included, but there are certainly more) do not bother
>   to jump through hoops for the amazing privilege to communicate with a
>   complete stranger. Requiring people to do so will indeed get you rid
>   of all your spam, but it will include a fair amount of legitimate
>   mail, too.
It's not the way you think it works. The challenge is not (doesn't have to
be, at least) sent to every email. We have set it up so that only mails
with 10.0 < score > 1.0 are challenged. Besides, tmda has several other nice
things - like addresses timing out after some time, addresses available only
for certain posters (for example for your bank statements, credit card
reports etc.) and a few other nice features. You can tune it so that the
unfriendly effect is as minimized as possible. What you mention as a
problem, the fake sender addresses, are really a problem but, selfishly, I'd
rather ignore that issue. All in all, spam is a complex issue not easily
solvable if we'd like to do it using standard protocols, I guess... In the
ideal world everybody would sign their mail with signatures we could trust.
Let's imagine that the mailing list people are subscribed to signs the
mails with its own key but only those mails which are signed by their
subscribed users with their known pgp/gpg keys (yes, it's sort of similar to
closing the list and I realize what the pros/cons of that are) and the
unsigned mails are challenged by the mailing list software and posted only
if the sender certifies that the mail is legit. Pain in the neck, but it
might work, I guess. The same goes with the personal mail - mails signed
with known signatures are passed through, those signed with unknown
signatures are challenged but treated as 'probably legit', those unsigned
are treated as spam. But, again, that would be in an ideal world :) Just some
ramblings, really

regards,

marek

Attachment: signature.asc
Description: Digital signature

