Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Spam

Are People Using TMDA to Kill Spam? 87

Posted by Cliff from the driving-down-the-noise-in-your-email-signal dept.
NewtonsLaw writes "With spam becoming an increasingly frustrating part of life in the Net, I have to ask why more ISPs aren't implementing systems such as the excellent Open Source Tagged Mail Delivery Agent (TMDA) strategy? Using this system would mean that only those spammers who used bonafide email addresses in their headers would get through -- and means virtually all the penis enlargement, weight-loss and other scams would be blocked. Even the those habbitual "brand name" spammers (like Real, PayPal, etc) could still be blocked by adding them to the blacklist. With TMDA, email to and from regular correspondents is passed transparently and there's no risk of genuine messages being accidentally discarded by over-active filters. If enough ISPs at least offered TMDA as an option to their users, the effectiveness of spamming could be shattered almost overnight -- oh, wouldn't that be lovely?"
This discussion has been archived. No new comments can be posted.

Are People Using TMDA to Kill Spam? More

Are People Using TMDA to Kill Spam?

Comments Filter:

  • How about... (Score:2, Insightful)

    by Paddyish ( 612430 )
    Wouldn't a spoofed email address get through? I see that particular method used quite often.

  • No spam blocker is perfect... (Score:5, Interesting)

    by Anonymous Coward on Wednesday May 14, 2003 @08:57AM (#5953718)
    Yes, there is a risk of a legitimate messages being blocked, if the sender does not understand the "confirmation request" mail sent by TDMA, is not willing to answer it (think mailing lists), or blocks it as spam.

    A second reason is false positives. Users have really quite different view on them. Some people hate spam so much that to avoid it, they are willing to block a real message every once in a while, and spend lot of time configuring and tuning their filters. For others, hitting "Delete" 30 times a day is less trouble than the nuisance in losing real legitimate messages.
    • but tmda allows *senders* to deal with "false positives." and they only need to do it once per address (in a sane tmda config).

      at least *READ* about it before you dismiss it out of hand.
      • Or, to paraphrase.
        but tmda allows *spammers* to deal with "false positives." and they only need to do it once per address (in a sane tmda config)

        The other features such a temporary email addresses are nice though.
        • sigh.

          try reading the faq.

          yes, a spammer *can* send mail from a valid email address and they *can* respond to each of the tmda generated confirms. however the more people who use tmda, the more bandwidth of the spammer that will consume. and since the spammer would be using a valid email address, the spammer can be traced.
          • sure, the spammer would consume more bandwidth, but sneding a blank email to the address with no extranous headers or content wont be a huge loss to the spammer, even for sending large amounts of replies.

            And I dont see how much easier a spammer could be traced by using a valid email address if they provided false details to the isp providing the address. Even when using a false email address, a MTA will usually give the ip address of the original sender in the headers, and if it doesnt help now, then it wo
            • still haven't read the faq, have you?

              if what you say proves right - and in two years it hasn't - then a simple change to tmda allows you to make the confirm process less easy to automate. send back a jpeg and have them type in the numbers of the jpeg in the response.

              include a question they have to answer or instruction they have to follow:

              "in order to confirm this message, you need to reply to this message AND type my last name in the message body."

              everyone could do something slightly different which m

              • Re:No spam blocker is perfect... (Score:5, Insightful)

                by mivok ( 621790 ) on Wednesday May 14, 2003 @11:10AM (#5954867) Homepage
                I believe though that if you make the confirmation process more complicated, it will prove too troublesome for users to reply to.
                I'm talking widespread use of TDMA now, with non computer literate users who probably havent ever come across mailing lists and having to confirm subscriptions. And for the more technical users, there are a great many who use text based clients over SSH, with which viewing a jpeg would be troublesome to say the least. Other methods could be used as you mentioned, but I doubt there are that many that would cause minimum trouble for legitimate users while preventing spammers from being able to write some sort of heuristic algorithm to be able to get at least some confirmation replies correct (remember, they wont be bothered about getting every one through).

                As to the reason spammers havent yet resorted to using valid email addresses is that they dont have to! Email confirmation currently isnt widespread for the spammers to go through the extra hassle. When it does get so widespread as to hinder spammers, then they will start using valid email addresses and autoresponders (or perhaps deliberately setting up email bounce replies to save them the hassle of writing replies).

                Dont get me wrong, its a great idea, and I especially like the idea of being able to just create time delayed email addresses with nothing more than a program to work out the cryptographic hash (i.e. nothing needed server side). However, I think that if TDMA does become widespread enough for spammers, they will find some way around it, and combating what they do will become increasingly complex and time consuming for users. If I am proved wrong hoever, all the better. No more spam :)
              • Actually, you're working from incorrect assumptions.

                - spammers arent traceable, we dont know who they are

                - if TMDA made them come out into the open, then we could get them.

                They are traceable. The spammers are by and large mostly known. The problem is there is no broad legal consensus against spam and there is no strong economic disincentive against spamming for either the spammers or the pink-contract ISPs. You cant "get them", unless you blacklist ISPs (but hey, we can already do that and do, so why did
                • Your vision of jpeg or turing-test challenge-response systems for email is simply frightening. Its holds promise of an ever escalating C-R war with spammers, perhaps ultimately destroying the convenience of email.

                  Not really, unless you're constantly receiving e-mail from new sources on a daily basis. Most of the legitimate mail I get comes from known sources (mailing lists, my friends/colleagues, service notices from my ISP, etc.).

                  I don't see it being that much more difficult than having to know and then
                • You should try this shit before dismissing it so casually. My spam problem has gone from being intolerable (20-30 / day) to just one spam message in the last 2 months thanks to TMDA.

                  I whitelisted all my buddies and people who I have mailed previously so they can't even tell I use it. I added my mailing lists in there as well so they're unaffected. I set up the SMTP proxy so anyone who I mail to will automatically get whitelisted. There have been two occassions in the last two montsh where someone failed to

                  • You should try this shit before dismissing it so casually. My spam problem has gone from being intolerable (20-30 / day) to just one spam message in the last 2 months thanks to TMDA.

                    But i'm not doubting it stops spam getting through. In fact i'm reasonably convinced its the best technical answer to spam existing at the moment. My problems are with complicating email by using C-R, and i believe spammers would adapt anyway, hence bringing us back to blacklists anyway.

    • Re:No spam blocker is perfect... (Score:5, Insightful)

      by dubl-u ( 51156 ) * <2523987012&pota,to> on Wednesday May 14, 2003 @10:35AM (#5954530)
      Yes, there is a risk of a legitimate messages being blocked, if the sender does not understand the "confirmation request" mail sent by TDMA, is not willing to answer it (think mailing lists)

      Yeah, if I ever thought about using TMDA, having to deal with other people using it has completely turned me off it.

      A number of times somebody has posted to a mailing list asking for help. I've answered them privately, only to get a "please jump through the following hoops" message. Fuck that.

      There's no way I'd use it, as email is often how clients first make contact with me. I'm unwilling to risk offending or irritating my correspondents, especially when it could mean many dollars lost.
      • "There's no way I'd use it, as email is often how clients first make contact with me. I'm unwilling to risk offending or irritating my correspondents, especially when it could mean many dollars lost."

        I have not had a single problem with clients mailing to one of my TMDA protected accounts. I simply put a note on the page that listed the address informing the user to expect a challenge. See here [standblue.net].

        • Well, that's fine. You know about all the clients willing to jump through hoops to get to you. You do NOT know about all the clients who said "fuck that" and went to your competitor.

          If ANY company put me through a TDMA like system, I wouldn't deal with them. You see, it puts forth the impression that their time is more valuable than my time. This is the same attitude I have for aweful phone menu systems. If I can't hit Zero and get a human, I go somewhere else.

          Now if you combine something like spamassasin
          • "Well, that's fine. You know about all the clients willing to jump through hoops to get to you.

            In other words, I only get the clients who really want me. These are the clients I want anyway.

            "TDMA ... TDMA ... TDMA ... TDMA"

            Dyslexic?

            "Now if you combine something like spamassasin with TDMA and ONLY run messages tagged as spam though TDMA, THEN you may have something"

            In fact, I do just this, as I pointed out in earlier post [slashdot.org]. Since I starting using this method not a single legitimate message has bee

          • I wouldn't want a shiftless and lazy client, they're the absolutely worst to deal with. Let them go to someone else I say. Any client that can't even hit the reply button on their email client once is not worth the trouble of dealing with.

      • A number of times somebody has posted to a mailing list asking for help. I've answered them privately, only to get a "please jump through the following hoops" message.

        Assuming the poster asking for help has a degree of clue, TMDA copes with that. Clearly, in your experience, the poster did not.

        You can configure the return address of the posted message to accept unhindered replies from _all_ senders to that particular address for a limitied period of time. Therefore, the window of opportunity for spa

  • Discussed ad nauseum.... (Score:5, Interesting)

    by kawika ( 87069 ) on Wednesday May 14, 2003 @09:03AM (#5953763)
    Every time /. does a story on spam we have the debate about address verification. There are plenty of existing "challenge-response" spam control services and the reason they're not widely used is because they still require a lot of manual work to control spam.

    Mailing lists are a simple example. For every mailing list you legitimately want to be on, you will need to manually set up the address on the whitelist because the mailing list software won't repond to the challenge message.

    Now lets say that the mailing list programs make some mods to automatically respond to the message, assuming it has a standard format. Now a spammer can use the mailing list's address as their return address and take advantage of its response to a challenge! Of course, the challenge could contain other validation data such as a reciept number and/or a digital signature but now we're talking about major mods to the Internet's mail infrastructure and mail clients.
    • I very nearly made a similar comment, but you just put your email address down ad something like mivok-mailinglistname@yourdomain.com, set that address up with the TDMA, and use that instead. If you suddenly start getting spam to that address, simply revoke it and use a new one. Adding the address to the keyword address list might be difficult, but I'm sure a simple(ish) GUI could be built to manage that for those who were really bothered.

      TDMA also has features such as time bomb email addresses, which stop

    • Now lets say that the mailing list programs make some mods to automatically respond to the message, assuming it has a standard format. Now a spammer can use the mailing list's address as their return address and take advantage of its response to a challenge!

      Why wouldn't they, um, just set up their software to automatically respond to the emails?

      • Why wouldn't they, um, just set up their software to automatically respond to the emails?

        (I assume "they" refers to spammers.)

        That would require spammers to use valid return addresses. This raises their costs and makes them less anonymous. It won't happen (at least on a large enough scale to matter).

        Mailing list software should never respond to a challenge from a subscriber. Any such challenges should be treated as bounces and should unsubscribe the user.

        -chris

  • effectiveness? (Score:5, Insightful)

    by universalcurb ( 113612 ) on Wednesday May 14, 2003 @09:08AM (#5953787)
    spammers don't care too much about effectiveness, they already deal with less than half-a-percent response rates anyway, and they don't give a darn if they're blocked... the fact of the matter is that spam is so freaking cheap to send, it will never go away. the way to kill it altogether is to raise the cost so much that it no longer becomes an attractive option. i hate to say it (being somewhat libertarian), but the only way to do that is to have anti-spam laws with some teeth that include some time in a state "correctional" facility. that would send the message.
    • The problem is effectively defining spam, so as not to accidentally turn innocent civilians into criminals. Kind of like how grandmothers have been arrested on child pornography charges, 'cause they had pictures of their grandkids in the bathtub or rolling around on the floor in the buff.
      • That's a bogus argument. Are you telling me that you have a hard time telling spam apart from real email? Right... EVERYONE knows exactly what spam is. It has been defined quite well, repeatedly. Search google.
        • "Are you telling me that you have a hard time telling spam apart from real email?"

          No, that is not what he is telling you.

          The problem is determining if it is unsolicited commercial email. You may have requested mailings from a company two years ago and forgotten about it. This mail is not spam because you opted in, but SpamAssassin or some other "smart" method may not be able to tell it apart from the junk. The frequent mails from Register.com come to mind.

    • It's possible to raise the cost of sending an email so that for typical email senders, and even mailing lists the cost isn't prohibitive, but because of the 1% response rate to spam would make spamming a losing proposition...

      The problem is updating all the MTAs, or worse all the clients at the same time. If you continue to receive mail from older MTAs or clients which don't know how to sign or 'add postage' to an email, then the spammer will just pretend to be the older MTA/client...

      So there's a huge res

  • How would TDMA stop spam? (Score:3, Insightful)

    by mivok ( 621790 ) on Wednesday May 14, 2003 @09:26AM (#5953929) Homepage
    Okay, so a lot of spam comes from forged email address, and having a whitelist+confirm would stop mail from those addresses, but what is to stop spammers using valid addresses (free ones maybe), and a script that automatically replies to any confirmation requests?

    When confirming the test email address noted int he article, I just hit reply and send the email as is, and I'm sure a script could be written to automatically send a blank message to the Reply-To: address if this became widespread.

    The spammers task would become harder, but far from impossble.
    • Most spammers don't use valid addresses.

      This also starts sucking up spammers resources in CPU time and bandwidth since he now has to individually send out replies instead of CC'ing a million address, all you really have to do to stop SPAM is make it more expensive than it's worth.
      • I doubt it would take up an amazing amount more, okay, so they would end up sending a reply for every email they sent out, but I doubt spammers resources would be streched that thin anyway.

        My point is, if use of this became widespread, then the spammers would simply start using valid email addresses and auto responders. And considering that people who take the effort and expense to post junk mail and 'telemarket' seem to think its worthwhile, writing a few scripts and using a few cpu cycles wont seem like
        • But if they started using valid addresses, then they could actually be blocked with a very simple very distributable blacklist in addition to TMDA's personal whitelists.

          Like I said, it's not about making it impossible, it's about making it more expensive than it's worth, which I guess I also mean to say they spend more time (time is money) than I do, if I spend ten minutes setting up TMDA (I think it took me about considerably less than that, very good documentation on that project) then I just have to cos
          • Unfortunately, this isn't true. It's only a matter of time before spam is sent as email worms / viruses, or spammers start hacking into moron's computers with script-kiddie tools and spam away. Spammers have no ethics, and breaking the law is like eating french fries.
    • This could possibly be implemented in the way that Yahoo, PayPal, et al do. Send an image with a slightly mangled word in it. Have them reply back with the word in the subject header.
    • " Okay, so a lot of spam comes from forged email address, and having a whitelist+confirm would stop mail from those addresses, but what is to stop spammers using valid addresses (free ones maybe), and a script that automatically replies to any confirmation requests?"

      See the FAQ [tmda.net]

  • I think the strategy may work well for a bit, but I can write code to mimic/steal a bona fide email address easily and put it in the header, so I don't think it will help in the long run.

    I have my own ideas on how to stop spam, but I'm thinking I'll save them for my thesis ;-)
    • "but I can write code to mimic/steal a bona fide email address easily and put it in the header"

      I am not going to say it can't be done, but I am curious, how can you "mimic/steal" an email address that is in my whitelist?

      Even if you do come up with a way to do it, how could you do it for millions of people in a cost effective way as would be necessary if you were a spammer?

  • Didn't work for me (Score:4, Interesting)

    by Anonymous Coward on Wednesday May 14, 2003 @09:37AM (#5954023)
    I tried TMDA, and I really like it. However, there are some drawbacks that make it impractical for me.

    First of all, I've had trouble white-listing my friends. I could just give them the address ac@mydomain.com and white-list them, but sometimes they will change email addresses or send me mail through a third-party source (like sending a news item from a web page or sending a greeting card). The alternative is to give each friend an tagged address that will go through, but it is hard for them to remember ac-friend-a751af@mydomain.com

    Second, some of my friends can't handle the concept of replying to a message to let their first message through. (Obviously this happens when they use an address that I haven't white-listed.) I've tried to customize the message to make it easy to understand, but I guess I have dumb or stubborn friends. In particular, if a relative sends a joke to me and a long list of other people, and one of those people replies to everyone ("ha, that was really funny!!"), the sender gets really confused about getting a confirmation request from someone they haven't heard of before.

    I've had one on-line store refuse to use my tagged email address because it was too hard to type. (Apparently their brain-dead system had them manually retype the address into another system.) They processed the order, but I didn't get any status from them.

    The killer was my ISP changed the rules on me and doesn't allow having a mail server on my local system. Further more, the provider I was using for out-going mail now blocks mail from my Linux box because they detect it going through exim and declare that it is relaying through their system. (It works for a simple mail client, just not for a MTA!)
    Another provider I could use has their MTA configured such that it doesn't work with the tagged addresses. Of course, many ISPs now block in and outgoing port 25. The anti-spam efforts of ISPs keep breaking my attempts to avoid spam and TMDA is the latest victim.

    Again, I like the concept of TMDA. Jason Mastaler and company did a lot of things right, but it just didn't work out for me. When the general public becomes educated on the concepts and it is easier to find an ISP that will work smoothly with TMDA, I'd be happy to use it again.
    • your killer problem isn't really a problem. you can configure tmda to send mail directly to your isp. your mail client can send the mail by invoking tmda directly, or connecting to the oddly named tmda listener on port 25 and yapping smtp at it.

      tmda can then be configured to send the mail directly to your isp's mail server.

      no need to go through exim, postfix, qmail or any other local mta.

    • I've tried to customize the message to make it easy to understand, but I guess I have dumb or stubborn friends. In particular, if a relative sends a joke to me and a long list of other people, and one of those people replies to everyone ("ha, that was really funny!!"), the sender gets really confused about getting a confirmation request from someone they haven't heard of before.

      This is a bad thing?

    • In particular, if a relative sends a joke to me and a long list of other people, and one of those people replies to everyone ("ha, that was really funny!!"), the sender gets really confused about getting a confirmation request from someone they haven't heard of before.

      You mean that this will deter people from sending those useless mass mailed jokes or flash animations all the time? Why didn't I think about installing TDMA before?!

  • Learning Spam Filters (Score:4, Interesting)

    by tdemark ( 512406 ) on Wednesday May 14, 2003 @09:38AM (#5954028) Homepage
    I think many clients are heading in the right direction with spam filters that learn based upon a user saying "This is spam" and "This is not spam".

    Personally, I use SpamAssassin which was primed with 1200 spams and 6000 hams. Since that point, it has captured 200 spams with 0 false positives and 2 false negatives.

    The hard part is priming the databases. Maybe it would be worth it to have a database that can be downloaded and used as an initial point for new users - combined with "Spam", "Not Spam", "Whitelist" buttons in their client to automatically tweak the db to their usage patterns.

    - Tony
    • 200 spams - thats about 30 minutes of inbound email for my company...and we're not that big so God only knows the problem for the likes of Ford/IBM etc.

      But anyway back on topic, yes it would be nice to have some of easy update feature, but I sure as heck wouldn't give it to the users...
    • that's nice.

      tmda includes a script to extract all the from addresses from your mailboxes. since tmda works off of addresses - the addresses *you* want to get email from - this essentially primes the list.
    • The hard part is priming the databases. Maybe it would be worth it to have a database that can be downloaded and used as an initial point for new users - combined with "Spam", "Not Spam", "Whitelist" buttons in their client to automatically tweak the db to their usage patterns.

      http://www.spamassassin.org/publiccorpus/ [spamassassin.org]

    • Personally I use TMDA in combination with SpamAssassin. TMDA confirmations are only sent out for messages that score above my SA threshold of 5:

      pipe "/usr/bin/spamc -c" ok

      With this setup the only people who have to confirm are unknown senders whose mail appears suspicious according to SpamAssassin. Since I started using this method not a single legitimate message has had to be confirmed.

  • What about my order confirmations? I'm never quite certain what e-mail address they'll use as the from. Maybe they have an e-mail order tracking system and they use a unique from: for each order. Talk about a TMDA nightmare... especially if the implementation is out of your own geeky hands (read: controlled by the ISP).

  • Why haven't they been adopted? (Score:4, Informative)

    by crapulent ( 598941 ) on Wednesday May 14, 2003 @10:30AM (#5954482)
    Because they're a terrible solution. All you wind up doing is pissing off the poor people whose email address the spammer used in the forged From: line, and not to mention the quagmire that is making these things play nicely with mailing lists.

    But, I think John Levine does a much more eloquent job of explaining why C-R systems are not the answer:


    Date: 11 May 2003 21:41:35 -0400
    Message-ID: <Pine.BSI.4.40.0305111408240.28246-100000@tom.iecc .com>
    From: "John R Levine" <johnl@iecc.com>
    To: "Declan McCullagh" <declan@well.com>
    Subject: Re: FC: MailFrontier.net, poor anti-spamware, and future of mailing lists
    In-Reply-To: <5.2.1.1.0.20030511122149.00b1a710@mail.well.co m >

    > My reluctant conclusion is that C-R systems with flawed implementations
    > have the potential to end legitimate mailing lists as we know them today.

    No, it's worse than that. The collateral damage from widely used C/R
    systems, even with implementations that avoid the stupid bugs, will
    destroy usable e-mail.

    Challenge systems have effects a lot like spam. In both cases, if only a
    few people use them they're annoying because they unfairly offload the
    perpetrator's costs on other people, but in small quantities it's not a
    big hassle to deal with. As the amount of each goes up, the hassle factor
    rapidly escalates and it becomes harder and harder for everyone else to
    use e-mail at all.

    A relatively easy to solve problem with challenge systems is that most of
    them are written by dimwits who don't understand the way that e-mail
    really works. In 1983 the 4.3BSD Berkeley Unix "vacation" program
    correctly dealt with mail from lists and other mechanical sources, yet 20
    years later I still see out-of-office replies from Lotus Notes and MS
    Exchange to list mail every day. (Is there really nobody at IBM or
    Microsoft who used 4.3BSD or knows the rules of thumb to recognize
    non-personal but legit mail?) Challenge systems have the same bugs, and
    list managers are now routinely kicking people off lists whose broken
    challenge systems spam out stupid challenges to everyone who posts to the
    list, and ignoring challenges to signup confirmation messages. These
    particular problems are soluble; the few challenge systems used by
    experienced mail users like Brad and Dan Bernstein avoid them.

    But the real damage from challenge systems will come when spammers start
    attacking them. Challenge systems all have user whitelists so that each
    correspondent only gets one challenge, then mail goes through directly. So
    spammers will start trying to send spam with forged sender addresses that
    are on the recipients' whitelists. That's not so hard, sign up for a
    mailing list, scrape addresses from the list traffic, then send NxN copies
    of spam, to each list address from each list address. Similarly with
    addresses scraped in groups from web pages, usenet groups, and anywhere
    else scrapage happens.

    So what will the effect of this be? You won't be able to trust that mail
    from your friends is actually from your friends, since an increasing
    fraction will be spam leaking through your challenge system. What will
    people do? Given the basic principle of challenge systems, which is that
    it's someone else's job to solve your spam problem, people will dump their
    whitelists and start challenging every message. At this point, it's
    possible to automate much of the work, most challenge systems are
    scriptable, so that for example I have a few lines in my mail sorting
    filters that catch the per-message challenges from submissions to Dan
    Bernstein's mailing lists and automatically send confirmations. But of
    course, if I can send responses from scripts, spammers can and will too,
    so challenge systems will increasingly include "prove you're human"
    features like showing you a picture and asking you how many kittens are in
    • > challenge systems will increasingly include "prove you're human" features like showing you a picture and asking you how many kittens are in it...

      I am going to implement a challenge-response system that sends S.A.T. questions as a challenge. That way it will be very difficult for spammers to automate responses. As a fringe benefit I won't get email from stupid people anymore.

    • Well, first off, why, oh WHY are people still using email lists?

      Fuggedaboutit. These types of things belong on web forums or usenet. Both work exceedingly better on so many levels its laughable that anyone is on anything but a receive-only mailing list right now.

      If, for some idiotic reason you really need to deal with two-way listservs, you are probably "elite" enough to have a separate email account just for that without the spam protection, or at least with non-whitelisting protection.

      Next, if you pl

  • I'd love to use a TMDA-like system, but.. (Score:3, Interesting)

    by orthogonal ( 588627 ) on Wednesday May 14, 2003 @10:32AM (#5954497) Journal
    My ISP doesn't.

    I'd install it myself, as a proxy MTA, but it's not a Mail Transfer Agent; instead it requires one to use one of a particular set of MTA.

    In short, there's not way to use it under Windows or even cygwin (as far as I can tell).

    I wrote much of a TMDA, but never completed it, as a plug-in for Microsoft Outlook -- I abandoned that project when I decided it should be wriiten as an extension of an SMTP/POP3 proxy. (And I wrote it first as a Visual Basic "macro" before I understood how to add plugins written in C++ to Outlook; that was the antithesis of fun.)

    I was unable to find an open source SMTP/POP3 proxy that runs under both Windows and linux -- I've looked, but what I've found has been either for Windows but not linux or vice versa, or SMTP but not POP3 or vice versa. The one thing I've found is Hamster, which is quality software, but written in Delphi, and it doesn't run under linux.

    Basically, I'll use a TMDA as soon as I can run it myself, under Windows -- or the OS of my choice.

    The TMDA softweare currently available seems to be aimed at ISPs, and this seems to be a political decision of the TMDA software authors.
    TMDA is designed to run on the server which receives your incoming mail, not on your desktop workstation.
    ASK [a TMDA-like system --orthogonal] is a Unix/Linux/OSX program. It will not run on Windows servers or workstations. You may however, switch to an Internet/Mail provider that offers ASK services.

    It probably makes some sense, in the long term battle against spam, to keep it off the desktop so as to put pressure on ISPs to install it, but it sure doesn't make it easy for me to use.
    • There's a really good reason why TMDA is designed to run on mail servers as opposed to running on your local mail client machine. You can reasonably expect the mail server to be running up and available close to 24x7 whereas a personal machine might not have a permanent network connection, and even if it did, might be switched off for long periods of time.

      With TMDA running on the mail server, new messages are processed as they are recieved and confirmation messages (if any) are generated as close to the t
      • There's a really good reason why TMDA is designed to run on mail servers as opposed to running on your local mail client machine. You can reasonably expect the mail server to be running up and available close to 24x7 whereas a personal machine might not

        That's a good reason. But my desktop does run 24/7 (doing folding@home, motion detection, routing my handheld's wifi connection, acting as a jukebox).

        Even if it did not, people don't (yet) expect instantaneous answeres to email. As I'd only challenge prev
  • I gotta confess. I've been using Internet email for 9 years, and corporate email [IBM PROFS] for 10 years before that. I never saw what the fuss was about SPAM until this spring.

    Sure, the spam ads are pesky and take time to DL and delete, but they really aren't that intrustive or obnoxious. At least not for me using `pine` or `mutt`. Then I had to use a GUI browser to get my mail on vacation. Using a GUI was bad enough, but suddenly I _saw_ the obscene cr@p that was being foisted on unsophisticated lu

    • > Sure, the spam ads are pesky and take time to DL and delete, but they really aren't that intrustive or obnoxious.

      Good for you! It's cool not to get shitty spams.

      I got a worrying pair of spams the other day:

      - It's Mother's Day soon!
      - Give Her Something Bigger

      Now say what you will about spam, but my name's definitely not Ed...

  • What a pain (Score:3, Informative)

    by stevenbdjr ( 539653 ) <steven@mrchuckles.net> on Wednesday May 14, 2003 @11:37AM (#5955111) Homepage

    There are better methods. Message analysis (ala SpamAssassin [spamassassin.org]), spam clearing houses (ala Razor [sourceforge.net]), RBLs [google.com], bayesian filters [paulgraham.com], and sender address verification [exim.org]. I use all five at my site [keyschool.org], and my users are happy.

    Plus, can you imagine a potential client of your company e-mailing for information, only be sent a TDMA message? I'd bet money that person would either not no what to do, or just ignore the message and think you never got back to them.

  • What if (Score:2, Interesting)

    by satterth ( 464480 )
    What would happen if two peole are using ISP's that have TMDA installed, and neither have been confirmed with each other?

    Joe e-mails Fred. Fred's TMDA sends a confirmation e-mail to Joe. And Joe's TMDA sends a confirmation e-mail to the confirmation e-mail, then the cycle continues.

    I don't like the looks of this.

    • "What would happen if two peole are using ISP's that have TMDA installed, and neither have been confirmed with each other?"

      You haven't done your homework. See the FAQ [tmda.net]

      • From the FAQ

        Another common worry is that two TMDA installations will create a mail loop as they send confirmation requests back and forth.

        This will not happen, as TMDA is configured to not respond if the message contains identifying characteristics of a mailing list message, bounce message, or auto-response such as the vacation program (or another TMDA message!). Even if this fails, the mail-loop will be stopped by TMDA's auto-response rate-limiting feature that puts a ceiling on the number of messages

        • Great, now the mail stops and doesn't get to be delivered.

          You could configure it to mangle your From address to a dated or tagged address when sending a challenge. Then the other person's TMDA will send its reply to the dated address and it will automatically get through.

          In the unlikely event that a spammer did not forge his address, the challenge was sent from a dated address, and the spammer started spamming the dated address, then at least it would expire in a day or two.

          • Upon closer inspection of the program, the TMDA does infact include the dated address in the "Reply-To:" header. Wheni first looked at it i only noticed the "From:" header of the origial address.

            Now if every one used this method its still not going to stop the SPAM. Sure, in this case the SPAM will be now confirmed to an Address where the investigation can start from and posible removal of the account. But i think the SPAM will contiue without too much trouble.

            I still think filtering the better method

            • Sure, in this case the SPAM will be now confirmed to an Address where the investigation can start from and posible removal of the account. But i think the SPAM will contiue without too much trouble.

              If spammers have to have valid addresses, then that will straight away eliminate most spam. Spammers operate today assuming (1) it is difficult to get caught or shut down, with open relays and forged addresses, and (2) it is inexpensive, since they don't have to have an ISP or their own servers and lots of ban

              • But in any case, I plan on combining TMDA with some sort of filtering. Very conservative filtering for whitelisted messages, and strict filtering to sort unwhitelisted messages into not-whitelisted-but-probably-not-spam and almost-definitely-spam folders, both of which could still be overridden by a response to the challenge.

                Since the "Reply-To:" header is set to the TMDA dated address a spammer can simply get into your white list with a simple auto-responder. If the spammer has access to alot of disposi

  • I used ASK (http://a-s-k.sf.net/) for a while. It blocked virtually 100% of my spam (it is VERY rare for a spammer to have a valid email address and have them respond to a challenge).
    It also blocked a lot of valid automated email that I wanted to get. Airline confirmations, advertising/announcements that I had signed up for. That kind of thing.

    Now I use tess.sf.net (baysian(sp)). I don't get false positives ever, and I nail about 90% of my spam (and getting better).

    For the curious - I receive about 55
  • all they gotta do is find one of these confirmation boxen that mails a copy of the message you sent, and bounce a million messages off it with the being the target for each spam.

  • Currently, i'm using two different [sourceforge.net] filters [paulgraham.com]. Each one filters well around 99.9%+ of all spam if properly configured. It's cut the spam that gets through on my server from around 5,000/day to an avg. of 2/day with each user on the server seeing maybe 1 spam per month.

    The problem with using the filter described is that a good portion of spammers DO send from legitimate e-mail addresses...just usually not their own. Sometimes it's even being sent from the person receiving it (by simply faking the from: tag)

  • who thought: How does Time Division Multiplexing Access combat spam? :)
  • I know companies that sell spam generating software have been talked about but what about the people doing the coding?

  • My gut feelings is... (Score:4, Insightful)

    by Kr3m3Puff ( 413047 ) * <me@@@kitsonkelly...com> on Sunday May 18, 2003 @07:43PM (#5988392) Homepage Journal
    That this will only create a sense of accomplishment. Eventually spammers will provide throw away addresses that simply reply to get on the white list anyways. The reason they don't do it now is because this challange-authenticate is not widely accepted.

    I still think, and am quite happy with, a Bayesian Filtering [paulgraham.com] application that Mozilla Mail currently offers. Very little spam leaks through and I have only had one false positive in almost 3 months of using it.
  • I know your mum might prefer Outlook, but Mozilla Mail/Thunderbird is a really really good mail client AND it uses Bayesian spam filters, the best around!! Just mark the Junk messages a couple of days and leave the rest to it.

Slashdot Top Deals

"If I do not want others to quote me, I do not speak." -- Phil Wayne

Close