Yet another anti spam approach

Roedy Green

I don't know quite how this works inside, but http://www.zaep.com/
has a fresh approach to spam that should give 100% protection until
the spam guys decide to attack it specially.

When you send a message to somebody using it, you get an email back
saying, please visit this URL one time only to get through the spam
filter. If they visit in 5 days, then the original email and all
successive ones are passed through.

I wrote them asking how it works. I'm not clear if you have to host a
website and mailserver for this to work.
 
KC Wong

When you send a message to somebody using it, you get an email back
saying, please visit this URL one time only to get through the spam
filter. If they visit in 5 days, then the original email and all
successive ones are passed through.
I wrote them asking how it works. I'm not clear if you have to host a
website and mailserver for this to work.

But how difficult is it to get through this filter? Unless you require the
senders to answer questions on the page... (e.g. Captcha,
http://www.captcha.net/)

Also that's going to annoy the senders... and it's likely the email back got
filtered by some other spam filters and the email ends up being blocked.
 
Rogan Dawes

Roedy said:
I don't know quite how this works inside, but http://www.zaep.com/
has a fresh approach to spam that should give 100% protection until
the spam guys decide to attack it specially.

When you send a message to somebody using it, you get an email back
saying, please visit this URL one time only to get through the spam
filter. If they visit in 5 days, then the original email and all
successive ones are passed through.

I wrote them asking how it works. I'm not clear if you have to host a
website and mailserver for this to work.

It creates a white list of non-spammers (i.e. people with valid return
addresses). If that person cares enough about the email that they sent
to visit the link, your email address gets added to the whitelist, and
held and future emails from that address pass through.

It can be a real pain when people subscribe that address to mailing
lists, though. I don't care enough about that person to visit their
link, but I keep getting bombarded by their whitelist messages.

As a work-around, I set up a mailbox that simply discards whatever it
receives ([email protected]), and send all list (and usenet) emails
from that account, with an appropriately mangled reply-to address. (See
above). Email clients and Usenet readers should use the reply-to rather
than the From: address, and if the person replying does not notice that
the address is mangled, they will get a bounce to make them aware of it.

I would say that yes, you do need to host a website and mail server for
it to work, unless they do it all for you. You would then have to
redirect your email to their systems (update MX records, etc), or use an
email address that they provide.

Other systems work using a token (cookie value) that you send in a reply
email. Once your reply email containing the token arrives at their MTA,
it releases any pending emails, and permits future ones. Seems simpler
to me, as there are fewer components. (No webserver, anyway)

Regards,

Rogan
 
Roedy Green

Also that's going to annoy the senders... and it's likely the email back got
filtered by some other spam filters and the email ends up being blocked.

It is an approach for someone who needs to post a public email
address. I agree, it is a pretty easy system to defeat with
automation, except that spammers rarely give a true return address.
They could give some innocent party's and hope they click the url out
of curiosity. The note could ask people not to do that unless they
did send mail.

The biggest problem would be the requests getting lost, either
automatically or manually, as spam.

Spam filters should track who you SENT mail to, and automatically let
mail back from that address.
 
Roedy Green

added to the whitelist,

The problem is spammers would start using the return addresses of
popular whitelisted people or companies.

I have been screaming for years about what a Mickey mouse system mail
is.

It needs a total overhaul to deal with spam, automatic digital
signature and verification, automatic encryption, automatic
compaction, and automatic notification similar to what you get with
Fedex about the state of your "parcel".

see http://mindprod.com/projmailreadernewsreader.html

Mail just gets lost too often.

The sender should know at least the receiver read the message rather
than discarding it without looking at the contents.
 
Andy Fish

Roedy Green said:
I don't know quite how this works inside, but http://www.zaep.com/
has a fresh approach to spam that should give 100% protection until
the spam guys decide to attack it specially.

When you send a message to somebody using it, you get an email back
saying, please visit this URL one time only to get through the spam
filter. If they visit in 5 days, then the original email and all
successive ones are passed through.

The main problem I see with this is: what if (say) your credit card company
wants to send you an email - there is some information they are probably
obliged by law to deliver to you, and they will almost certainly not go in
and manually fill in forms for everyone who is using a white list filter.

In the long term I think the only sensible solution is for senders to be
authenticated. Once you get a "critical mass" of senders using that kind of
mechanism, any unauthenticated email would be treated as spam.

I particularly like the idea that if you get an email you think is spam you
can charge the sender, say $0.20. This would force the mass mailers to
consider their target audience very carefully but would not require explicit
white listing.
 
Roedy Green

I particularly like the idea that if you get an email you think is spam you
can charge the sender, say $0.20. This would force the mass mailers to
consider their target audience very carefully but would not require explicit
white listing.

It could work if sending an email cost 20 cents and receiving an email
pays you 19 cents with 1 cent going as tax to manage the system.

Then most people make money!

You could deliberately attract spam, the way some people heat their
homes with junk mail.

The problem now is there is no incentive at all not to spam. It is
effectively free.
 
GaryM

I wrote them asking how it works. I'm not clear if you have to
host a website and mailserver for this to work.

Challenge/Response systems are not new. However they are flawed. For
example, if both ends use this system, no one gets a message unless
there is a mutually agreed handshake. Getting such universal
standards established across the myriad of companies is no mean feat.

The way you describe it, one could simply programmatically visit the
link and not only does the spam get through, but you are confirmed as
a live one. Most other C/R systems use an image that can only be read
by a person.

There are a number of efforts under way to create an enhanced SMTP
protocol that aims to authenticate the sender.

http://www.pcmag.com/article2/0,1759,1473986,00.asp
 
Phillip Lord

Roedy> On Tue, 11 May 2004 09:16:05 GMT, "Andy Fish"

Roedy> It could work if sending an email cost 20 cents and receiving
Roedy> an email pays you 19 cents with 1 cent going as tax to manage
Roedy> the system.

Well, yes. At least, it would if the internet weren't international.

My problem with this idea is that it would totally screw up the use
of mailing lists. All I would have to do is subscribe myself to every
publicly accessible mailing list, wait for a week, to receive a
reasonable amount of email, and then charge everybody for sending me
email. Something like gmane.org would make this exceptionally
easy. I could pick high volume email to offset the cost of the one, or
two subscription emails I would have to write.

Of course, it would be unclear whether the originator, or the person
running the mailing list would be the one responsible.

And, as there are email gateways for c.l.j.p, it's highly
likely that individuals like Roedy are going to go bankrupt fairly
soon after this comes in.


Phil
 
Nigel Wade

Roedy said:
I don't know quite how this works inside, but http://www.zaep.com/
has a fresh approach to spam that should give 100% protection until
the spam guys decide to attack it specially.

When you send a message to somebody using it, you get an email back
saying, please visit this URL one time only to get through the spam
filter. If they visit in 5 days, then the original email and all
successive ones are passed through.

I wrote them asking how it works. I'm not clear if you have to host a
website and mailserver for this to work.


It looks like a basic challenge/response system.

Very annoying for legitimate senders and generally bypassed by forging the
sender to be the recipient (most people send mail to themselves from
time-to-time and allow it through).

Add to that the number of people who receive false challenges because the
spam has their email forged as the sender and you've got a nice system for
creating even more collateral spam.
 
Knute Johnson

Roedy said:
It could work if sending an email cost 20 cents and receiving an email
pays you 19 cents with 1 cent going as tax to manage the system.

Then most people make money!

You could deliberately attract spam, the way some people heat their
homes with junk mail.

The problem now is there is no incentive at all not to spam. It is
effectively free.

The only effective way to stop spammers for good is to put a bounty on
them and pay $100,000 or so. It might not take that much money but
you'd have to change the law and then try it to see.

I'm using Popfile. It is a context based system and works about 99.5%
of the time correctly. I average about 60 spams a day so that isn't too
bad. The only annoying part about any of them is the false positives.
I average one every other day or so. I would put up with a lower
percentage of spam detection for no false positives.
 
Tim Tyler

Roedy Green said:
I don't know quite how this works inside, but http://www.zaep.com/
has a fresh approach to spam that should give 100% protection until
the spam guys decide to attack it specially.

When you send a message to somebody using it, you get an email back
saying, please visit this URL one time only to get through the spam
filter. If they visit in 5 days, then the original email and all
successive ones are passed through.

I wrote them asking how it works. I'm not clear if you have to host a
website and mailserver for this to work.

It is unconventional. The usual approach is to send back a mail message
asking for confirmation by mail. That leaves HTTP out of the equation.
 
Tim Tyler

Roedy Green said:
The sender should know at least the receiver read the message rather
than discarding it without looking at the contents.

There are headers for that purpose:

"Return-Receipt-To" ...and... "Acknowledge-To" headers.

However, many people often won't send back automated receipts.
 
Tim Tyler

It could work if sending an email cost 20 cents and receiving an email
pays you 19 cents with 1 cent going as tax to manage the system.

Then most people make money!

You could deliberately attract spam, the way some people heat their
homes with junk mail.

The problem now is there is no incentive at all not to spam. It is
effectively free.

The cost of sending messages has fallen continuously - and I can't imagine
it rising again.

There will probably be better ways of having pay-to-deliver mail addresses
- but that's not terribly hard to do today. The recipient could offer to
refund the fee on receipt of a useful message.
 
Roedy Green

It is unconventional. The usual approach is to send back a mail message
asking for confirmation by mail. That leaves HTTP out of the equation.

The spammers have probably caught on to most of the return mail
schemes. The visit a website is not difficult, but since so many
emails contain urls, it might be easy to disguise it and keep
modifying its form.
 
Tim Tyler

Roedy Green said:
It is unconventional. The usual approach is to send back a mail message
asking for confirmation by mail. That leaves HTTP out of the equation.

The spammers have probably caught on to most of the return mail
schemes. [...]

I believe hardly any of them bother.

Such schemes are used sufficiently infrequently - and the cost of
dealing with all the different schemes is sufficiently prohibitive -
that answering human-readable questions in confirmation emails is
very unlikely to represent the "lowest hanging fruit" for a spammer
trying to get their message out.

The main problem with such schemes is not so much that spammers get
round them - but that they inconvenience genuine senders significantly.
 
Roedy Green

I don't know quite how this works inside, but http://www.zaep.com/
has a fresh approach to spam that should give 100% protection until
the spam guys decide to attack it specially.

When you send a message to somebody using it, you get an email back
saying, please visit this URL one time only to get through the spam
filter. If they visit in 5 days, then the original email and all
successive ones are passed through.

I wrote them asking how it works. I'm not clear if you have to host a
website and mailserver for this to work.

I asked them some questions about how it worked. Here are the
responses.
-------------
have included your questions and my answers below.


1. do you have to maintain a webserver or does Zaep server do this for
you?
Zaep runs a webserver to handle the confirmations. There
should not be anything in the website that needs to be set up from
the client's point of view.


2. Do you have to run your own mailserver?
No, Zaep can connect to any mail server as long as the mail
server is using POP3 and SMTP.


3. How does Zaep get between your mail client and the Internet?
Are you familiar with proxy servers? From looking at your
site, you look fairly technical. Just think of Zaep as a SMTP /
POP3 proxy server. Your e-mail client will connect to Zaep and Zaep
connects to your mail server.


I am also looking for a tool suitable for a technopeasant charity at
hans.org. It has to be duck simple to manage.
The initial setup of Zaep can take a little time, however,
after everything is set up, daily use is completely in the
background.


If you have any additional questions or comments please let me know
and I'll be happy to assist.


Andrew H. Peterson
http://www.RhinoSoft.com

---------
Perfectly explained. Thanks. I have added this information to the spam
entry in the Java glossary at http://mindprod.com/jgloss/spam.html

We were discussing your product in comp.lang.java.programmer. Some
concerns came up.

What is to stop a spam harvester from automatically visiting the Zaep
url? They can either tunnel now automatically responding to
traditional challenges, or by using the name of the receiver as the
sender to tunnel through.
-----------

Currently there is no way for Zaep to address the automatic visiting
of the URL. In a future version we hope to add some additional
challenge like recognizing a number / picture. As for the tunneling,
currently the only way to stop this is an option "Approve
email messages using this account's email address.". If this option
is selected Zaep should automatically approve email messages
from this account's email address. Sometimes virus authors and
spammers use your email address as the return email address. If this
happens disable this option. NOTE: when disabled Zaep will be unable
to send a test challenge message to your email address.
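
The challenge/response flow discussed in this thread (hold the mail, issue a one-time confirmation link valid for 5 days, whitelist the sender on confirmation, optionally auto-approve the account's own address), as an added example that is not part of any post and is not Zaep's code. The `ChallengeGate` class, its parameters and the HMAC-derived token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

WINDOW = 5 * 24 * 3600  # the 5-day confirmation window mentioned in the thread

class ChallengeGate:
    """Hypothetical model of a challenge/response mail gate (not Zaep's code)."""
    def __init__(self, owner, approve_own_address=False, key=None):
        self.owner = owner.lower()
        self.approve_own_address = approve_own_address  # the option quoted above
        self.key = key or secrets.token_bytes(32)
        self.whitelist = set()
        self.pending = {}  # sender -> (issued_at, [held messages])

    def _token(self, sender, issued):
        # Assumed token format: HMAC binds the link to one sender and one issue time.
        msg = f"{sender}|{issued}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def receive(self, sender, message, now=None):
        """Return ('deliver', None), ('hold', token) or ('hold', None)."""
        now = int(time.time() if now is None else now)
        sender = sender.lower()  # unauthenticated From: address, trivially forged
        own = sender == self.owner and self.approve_own_address
        if own or sender in self.whitelist:
            return ("deliver", None)
        entry = self.pending.get(sender)
        if entry and now - entry[0] <= WINDOW:
            entry[1].append(message)
            return ("hold", None)  # one challenge per sender limits collateral mail
        self.pending[sender] = (now, [message])
        return ("hold", self._token(sender, now))

    def confirm(self, sender, token, now=None):
        """Redeem a link once; return the released messages, or None if rejected."""
        now = int(time.time() if now is None else now)
        sender = sender.lower()
        entry = self.pending.get(sender)
        if entry is None:
            return None  # unknown sender, or link already used
        expected = self._token(sender, entry[0])
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return None
        del self.pending[sender]
        if now - entry[0] > WINDOW:
            return None  # expired: held mail is dropped
        self.whitelist.add(sender)
        return entry[1]
```

Because `receive` keys on the unauthenticated sender address, mail that forges a whitelisted address (or the owner's address, when the option is enabled) is delivered without a challenge, which is the weakness raised in the thread.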
 
