Re: Almost Amazing!
> > Won't work well --- if at all --- for
> > * Mailing lists
> > * automated mailings (freshmeat's new version mailings, most
> > buying over the internet stuff, Bounces, etc.)
> Legitimate mailing lists and automated mailings are usually
> easy to differentiate from spam;
I got a 'please go to this website' (where you have to enter a
20 char long string to let the message pass through) ... which
looked so much like the spam I usually get that the spam filter
treated it as spam.
In the end I had to re-write the message, before it passed
through, as it timed out the first time before I looked through
the spam heap. I would not have done this if the email had not
been important _for me_ to arrive. Helping others is _not_ that
important, as I do this on my free time.
If I had countered with a confirmation request instead of
throwing it on the spam heap, I'd never have known that my mail never
made it. Instead I would have grumbled over the recipient's
Easy to differentiate, indeed.
> also, if you know ahead of time that you are subscribing to
> something, you can add it to a whitelist.
So I just got a mail from a guy 'firstname.lastname@example.org' which
notified me of your answer. Never got that mail before. So how
can I whitelist that in advance? How is email@example.com
gonna read, much less respond to a confirmation request?
How is _that_ low maintenance?
(The same goes, as I said, for many online shopping cases.)
> > * people who don't like jumping through hoops to get mail
> > through (unfortunately these are usually the people who
> > give answers).
> First, you can safely whitelist everybody you send to, so as
> not to inconvenience them.
I.e. even more work for me to integrate that into my mail client.
And if they answer me from a different (e.g. preferred or new)
address, they'll be inconvenienced again --- when all they try to
do is make me reach them better/faster.
This can be real fun if you use sneakemail.com (I do).
If you send me a mail to my sneakemail address (say
firstname.lastname@example.org), I get a temporary email@example.com
(which will expire in a few days).
You send me another mail in a week ... and I'll get a
firstname.lastname@example.org. A new confirmation is clearly necessary,
right? So you'll have to parse the X-Sneakemail-From: header
instead of just the From header, where it applies.
> Also, if you apply this, say, only to messages tagged by
> spamassassin as 'probable spam', only your friends trying to
> sell you penis enlargements will be asked to confirm :-)
So we are still stuck on the case --- which I, personally,
experienced --- where a confirm mail will be asked to confirm
itself. At best, you'll never ever see that mail. Really a good
thing if the mail was somewhat important.
> > * Senders where the anti-spam system fires such a message
> > right back to you --- you can get a nice mail flood if that
> > goes over a mailing list. For 3 parties you'll get a very
> > very impressive snowball effect! (Can you say 'complete
> > meltdown'?)
> Oh, come on now. Sending one message per address is a simple
> thing to do.
You are implying a world where nobody's 'out of office' mails
will be sent as answer to their own 'out of office' mails.
Welcome to reality.
I have seen that at 100 mails/hour on a mailing list. More than
once. So much that the mailing list finally stopped Reply-To
munging. It won't help, either, if the sender address keeps
changing. Like some people who regularly change their mail
addresses to avoid spam.
> To see two systems that are successful with the confirmation
> technique, read up on these: TMDA and Active Spam Killer.
> Remember that you can combine this with a spam identifier like
> spamassassin to only request confirmation from messages that
> look like spam.
So you'll be part of a DDoS on some poor schmuck whose address
was faked into the mail.
If but 0.5% of the recipients of a modest 5 million spam use such
a thing, you'll have 25k mails on you on the day your address
appears in the From of a spam. And often enough it is somebody's
spam. Ask the owners of test.com. With luck, you'll fire off
another 25k mails if the confirmation request includes the
original spam "for your convenience".
And now imagine 1% and 20 million recipients. 200k mails is fun
and a half.
Again, it's your choice, I believe that these things can
harm others, badly, and thus should not be used without deep
understanding. But go right ahead, time will show if DDoSsing
innocent bystanders will help the fight against spam.
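The loop and rotating-address cases raised in the message above, as an added Python example that is not part of either post: a challenge gate that keys on `X-Sneakemail-From` where present, never challenges bounces, auto-replies or list traffic, sends at most one challenge per address, and labels its own challenge as automatic. Function names and sample messages are hypothetical; `Auto-Submitted`, `Precedence`, `List-Id`, `List-Unsubscribe` and `Return-Path` are standard header names.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

def sender_identity(msg):
    # Prefer X-Sneakemail-From (the header named in the post) over a rotating From.
    raw = msg.get("X-Sneakemail-From") or msg.get("From", "")
    return parseaddr(raw)[1].lower()

def is_automated(msg):
    # Bounces, auto-replies and list traffic must never be sent a challenge.
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return True
    return any(h in msg for h in ("List-Id", "List-Unsubscribe"))

def decide(raw, whitelist, challenged):
    """Return (action, address); action is 'deliver', 'hold' or 'challenge'."""
    msg = message_from_string(raw)
    addr = sender_identity(msg)
    if addr in whitelist:
        return "deliver", addr
    if not addr or is_automated(msg) or addr in challenged:
        return "hold", addr          # quarantine silently, send nothing
    challenged.add(addr)             # at most one challenge per address
    return "challenge", addr

def build_challenge(to_addr, from_addr, token):
    # Label our own mail as automatic so a peer running the same checks
    # holds it instead of challenging the challenge.
    out = EmailMessage()
    out["From"], out["To"] = from_addr, to_addr
    out["Subject"] = f"Confirm your message [{token}]"
    out["Auto-Submitted"] = "auto-replied"
    out["Precedence"] = "bulk"
    out.set_content("Reply with this subject unchanged to release your message.")
    return out.as_string()

# Constructed sample messages (addresses are placeholders).
HUMAN = "From: Alice <alice@example.net>\nSubject: question\n\nHi\n"
OOO = "From: bob@example.net\nAuto-Submitted: auto-replied\nSubject: Out of office\n\nAway\n"
RELAY = ("From: tmp123@relay.example\nX-Sneakemail-From: carol@example.net\n"
         "Subject: re\n\nHello\n")

if __name__ == "__main__":
    seen = set()
    for raw in (HUMAN, HUMAN, OOO, RELAY):
        print(decide(raw, {"carol@example.net"}, seen))
```

None of these checks authenticates the From address, so a challenge triggered by forged spam still lands on the person whose address was faked.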
Re: Almost Amazing!
> % % How about this: set up an autoresponder
> % % that says, "I'm sorry, your message has
> % % been trapped by my spam filter. If this
> % % is a legitimate email message, please
> % % put the word PASSWORD in the subject.
> % % [...]
> % % I guarantee that spammers are not going
> % % to bother putting your password in the
> % % subject.
> % Won't work well --- if at all --- for
> % * Mailing lists
> % * automated mailings
> % * people who don't like jumping through
> % hoops
> % * Senders where the anti-spam system
> % fires such a message right back to you
> % * If a mailing list rewrites the header
> % enough
[leading to endless mail loops and other fun things]
> % You will have to decide yourself if
> % these restrictions and dangers are
> % acceptable to you, your mailing list
> % reputation and your environment;
> Most of what you are asking for can be resolved
> using the user_prefs file. You can find
> a free Windows utility for creating and
> editing user_prefs files here:
As a non-Windows-User I cannot use that program (not that I'd need it).
Also, there is no way the user_prefs file can prevent the problems outlined above if you use an autoresponder telling people to put something specific into the subject.