Fighting dirty in the war on spam
I've had enough.
I've had my current email address for 8 years now. I have no intention of changing it now, or any time in the near future. It's short, it's simple, and current and old friends all know how to find me.
The problem with keeping an email address for that long is that you end up on every spam-list in existence. Recent statistics are citing that about 80% of the mail sent on the internet is spam. It's much higher for me -- closer to 95% -- or over 200 emails per day, of which about 10 are legitimate. This volume has effectively nullified the value of email in my life.
To be fair, my spam filter (I've been using SpamAssassin for some time -- recently upgraded to version 3, and have had good success there) catches about 75% oif those. For those of you who aren't familiar with SpamAssassin, it's a highly-flexible, highly-configurable filter-based application that lives on your mail server, filtering the messages before they ever land in your inbox.
The problem with filter-based spam prevention is that there's no such thing as 100% success. Anyone who tells you differently a) doesn't know anything about spam and b) is a liar. What's spam to one person may be legitimate to another -- and to further complicate things, what I consider legitimate today I might consider spam tomorrow. It's simply impossible for another entity (computer, or human) to filter my spam for me.
Strategy behind filter-based systems? Allow everything that is not explicitly denied. (by denied, it may be a filter denying the message due to its content).
Proponents of filter-based email systems argue that they are 95% to 99% effective, and that 'very few' legitimate emails are tagged as spam. I hate to be the bad guy here -- but ONE false positive is unacceptable. It renders the filter useless. I find myself looking through my "filtered items" every day for legitimate mail (I would usually find one about every other day) -- and if I'm going to spend the time to do that, why filter them in the first place?
Conclusion: Filter-based systems can never achieve a 100% success rate, and they are therefore unstrustworthy, thus eliminating any value achieved by them in the first place. A new approach is required.
There's been a lot of recent buzz about the use of "challenge-response" email systems. for spam prevention.
Strategy behind challenge-response systems? Deny everything that is not explicity allowed
In other words, you maintain a white-list of people you WANT to receive email from. If someone sends you a message, and they're not on the list, they receive an automated reply with a friendly explanation about why their message didn't go through (here's mine) and some (hopefully) simple instructions on how to confirm that they are, indeed, a real live person. In my case, they can click a link in the message, or they can hit 'reply/send'. Once they "confirm", their email address is automatically put on my whitelist, and their message is sent through to my inbox. If they don't confirm within X number of days, they are automatically blacklisted to prevent the same process from happening again (thus wasting bandwidth on people we know aren't legit).
This obviously prevents a few issues..
1) How do you deal with e-commerce systems, where you don't know what address the receipts and confirmations will come from?
The CR (Challenge Response) community has come up with a rather clever solution to this problem -- email addresses that expire! If I'm shopping at buy.com, and they need my email address for a particular order, I have two choices.. I can either whitelist *@buy.com (not a bad approach, but not perfect) or I can provide them an email address that's only valid for 2 weeks (enough time for me to get my order). At the end of 2-weeks, any messages sent to that address can either be required to authenticate themselves (as above) or I can choose to drop/bounce them.
2) What if you send an email to someone, and they reply? You already know they're legitimate.
Correct. The system is smart enough to watch my outgoing mail and automatically white-list anyone I send mail to. It will even take it a step further and allow me to send outbound mail with one of those email addresses that expire -- thus letting me decide how long I want to community with a particular person -- and also eliminating the problem wherein the reply may come from a different address than the one I originally sent my message to (such as when you might communicate with a large business via email).
3) Don't you lose emails this way?
There's a handy web-interface that lets me see all of the filtered mail. If I am expecting a message from someone and I've forgotten to use an expiring address (and it's an automated system not capable of confirming) I can find the message in my queue and authorize it myself.
4) Can't spammers click a link or hit 'reply' just like anyone else?
Probably -- but the economics of spam are based on a few things.. First is that spammers remain anonymous. It's exceptionally rare that they use a valid Reply-To address (it makes it too easy to find them). And second, it's possible to implement a challenge-response system that can't be automated (you've seen those systems that display numbers/letters as graphics and you have to enter what you see into a box to validate you're not an automated process). A spamming-human could probably validate themselves bypassing all of these methods -- but spam is based on the economics of placing the cost burden on me. If they have to spend their time on each person they try to communicate with, it's no longer cost-effective to spam.
Conclusion? This approach is the only 100% effective way to make sure my inbox remains free of mail I don't want. It places the cost burden on the spammer, rather than myself, for unsolicited email. It keeps my inbox private. The ONLY drawback is a small inconvenience for people who are trying to contact me "out of the blue". I can live with that.
Say whatever you want about the approach I've taken -- but my inbox is now spam-free. Is yours?