Anti-Spam ideas for usenet/list harvested email addresses

To: debian-user@lists.debian.org
Subject: Anti-Spam ideas for usenet/list harvested email addresses
From: "Jacob Anawalt" <jacob@cachevalley.com>
Date: Tue, 23 Sep 2003 13:16:38 -0600 (MDT)
Message-id: <[🔎] 1141.192.168.1.4.1064344598.squirrel@scsi-burn.office>

To me the big question is how do I avoid the spam in the first place,
besides avoiding email all together? I want to participate on the web, I
just don't want so much junk email nor do I want to have my mailbox or ISP
suffering from gigabytes of worm attachments or advertising data.

We've all done or seen people do this: jacob at cachevalley dot com,
jacob.nospam@cachevalley.com, jacob@cachevalley.nospam.com, etc.

Are we kidding ourselves thinking that if we can write a filter rule that
just catches SoBig.[A-Z], that someone else can't turn all of those 'safe'
addresses back into the real  email address?

I've already mentioned the web authorization idea and the rotate your
email address on some schedule ideas in another thread. I've even seen a
web site go so far as to use a .js file function to put together the email
address from a bunch of fragments when you click the mailto link. That
would take more work to parse, but it is still possible by having an email
grabbing webbot that can run javascript.

Another though I've had on the mailing list issues (besides wondering why
I'm trying to make mail act like a news client with threads and looking
for a 'watch thread' capable client) is if I had an email address to use
on mailing lists that  only accepted email from the list servers I was on
and reject all others I should only get the spam that relayed through the
list.

The mail server would need to have access to my personal list of
acceptable email addresses so it could give a 550 with the appropriate
extended SMTP code for unauthorized/security and an appropriate error
message after the HELO and MAIL FROM and RCPT TO: have been given. It
should only do this for mail accounts that have entries in the safe list.
If your list is empty, all email is valid. If you have one or  more
entries, only those ones can send you email.

Some ideas for rules to accept or reject the email may include:

If HELO does not match a reverse DNS lookup and doesn't match the domain
of RCPT TO: or to a user specified value then the mail is rejected.

A looser match would be just on the HELO <name>  where the name given is
some md5hash of the user's email address and some value noted on the
mailing list. People start getting spammed, the list admin changes the key
used to generate the name value and people go to the web to see what it
has been changed to.

A tighter setup might be to have the hash in the MAIL FROM: <value> and
have it be a hash of the subscriber's list password and their email
address. That way the subscriber can change their list password at any
time they see spam coming ?from? the list.

I'm sure there are other better ideas to be had along the lines of how to
quickly identify that the sending server is who they say they are and look
up a safe list to see if the user accepts email from that server.

A side benefit of using an email address that only accepts list traffic
for some would be that it would reject the second email if someone replies
to you and the list. People using this setup could have their .sig say
"This email address only accepts authorized list traffic, please reply to
the list."

Since we have seen that a greater volume of worm mail is possible with
email addresses usenet and mailing lists, it seems a setup based on this
system could help cut down the cost of fighting spam generated from those
sources. The rules would be based on a simple lists, with each user
responsible for maintaining their list. Much less CPU power, bandwidth and
storage space would be required to match those rules because the matching
is done before delivery is accepted. Mailing lists could publish to their
subscribe page the values they use for HELO and MAIL FROM when sending the
messages to all subscribers.

Compare this to the "dog chasing cars" method of inventing a new filter
rule that looks through the MIME data to decide if this is the latest worm
you don't want or the kissing picture that you do. Sure it's cool to be a
geek and figure out the rules. If you like doing this, do it. Maybe spam
isn't a cost to you but a benifit if you consider your enjoyment at
solving each filter puzzle. I think that's why I like finding bugs, to
help find and solve puzzles. On the other hand this method of filtering is
more expensive in every measure I can think of except the freedom of
allowing anyone to email you anytime. You spend time thinking up rules,
writing rules and testing rules. The rules are applied after you have
accepted the bandwidth of the transfer. Running the rules takes CPU time
and possibly more bandwidth as you do RBL DNS or Razor and storing the
email takes disk space.

If you're sick of getting swamped (as a user or admin) wouldn't this setup
be usefull? An ISP could encourage users to use username.lists@isp.com for
email addresses that are going to be used on usenet or public mailing
lists. The new email address could just dump into the real address after
the mailing list rules were validated, or it could be it's own account and
mailbox.

Of course some will say "but I only have my ISP available and it doesn't
do that" and others will say "I don't like that idea because it isn't easy
or flexible enough. I want email from everybody as long as it isn't
UCE/UBE/A worm or virus". That's why there isn't just one way to do
things, we all have different ideas on what is best.

One major concern that I've lightly touched on and will bring up again is
?What if I want to have other people contact me off list?? You wouldn't
want to post your non-list-only email to the list, that would be
counter-productive. There's got to be a convenient way of providing a
source for people to look up your email address that is very resistant to
scripting it's harvest for the UCE/worms/etc. One idea that comes to mind
are images of pictures with your email address on your web site. I keep
thinking that PGP/GPG should be able to help in some way, either by adding
to the EHLO command set or something on the users web site. There have to
be better and still simple ways of doing this that make it cost much more
to find our email addresses than it costs us to filter the junk.

The sad part is that I've already squandered my username at this email
address by putting it where it can be harvested in mass by worm/virus and
UCE/UBE collection scripts, and I had already read an article cautioning
me against this. Oh well live and learn (someday I'll learn anyway.)

I'm going to look into setting up a new email address with mail server
rules for delivery driven by a user supplied whitelist after waiting a few
days for comments and flames on this idea. If you know of links to pages
already discussing how to do this with postfix, please share them.


-- 
Jacob
Trying out SquirrelMail

Reply to:

Follow-Ups:
- Re: Anti-Spam ideas for usenet/list harvested email addresses
  - From: pellegrini@mpcnet.com.br (Jeronimo Pellegrini)
- Re: Anti-Spam ideas for usenet/list harvested email addresses
  - From: Rich Puhek <rpuhek@etnsystems.com>
- Re: Anti-Spam ideas for usenet/list harvested email addresses
  - From: Arnt Karlsen <arnt@c2i.net>
- Re: Anti-Spam ideas for usenet/list harvested email addresses
  - From: "Jacob Anawalt" <jacob@cachevalley.com>
- Re: Anti-Spam ideas for usenet/list harvested email addresses
  - From: Paul Johnson <baloo@ursine.ca>

Prev by Date: Re: logins and logouts hang
Next by Date: Re: SMTP Relay, closed (or so i thought)?
Previous by thread: Re: radeon opengl help
Next by thread: Re: Anti-Spam ideas for usenet/list harvested email addresses
Index(es):
- Date
- Thread