Are You Sending Spam? (Yes, You!)
The other day I received a polite but impassioned plea from Richi Jennings, a blogger and self-proclaimed spam expert. He tried to convince me that features in some of the products I’ve written about recently -- specifically, programs with features that bounce e-mail back to spammers -- actually increase the amount of spam we all get.
Here's what he wrote:
"Steve, Choicemail's 'unknown-sender registration' and the 'bounce' features of MailSnoop and MailWasher are really terrible ideas. Don't forget that the 'sender' of spam is almost always forged.
"For the love of all that's holy, I beg you not to promote these features -- they will get your readers blacklisted, causing their e-mail not to go through!"
I need to clarify what Richi said. You can set some programs to bounce messages back to spammers and make them think your address is no longer working. Quite often a message from a challenge/response system will get treated as spam and bounced back with the rest of the junk e-mail.
And quite often these messages float around the Net when someone using challenge/response also has a computer virus.
Richi's not just spitting into the wind. I get a half-dozen or so of these misguided challenge/response e-mails every day; and no, none are for me.
Typical challenge/response message I get regularly that has nothing to do with me
What's Challenge/Response?
You may be in the dark, so here's an explanation: An e-mail challenge/response (often called permission-based) system looks at every message you receive, checks to see if the sender is in your address book, and rejects it if it's not.
The spamming part comes into play when the person sending the e-mail receives a reply from the challenge/response program, challenging the sender to prove he or she isn't a spambot. That's done by asking a simple question or filling in a few letters or numbers. If the sender passes the challenge, the e-mail lands in your in-box.
Take two minutes and read "Spam-Proof Your In-Box" for more details on how challenge/response works, and if you have time, get a Wiki tour of it here.
Tomorrow: Jennings Challenges Bass
PC World's Marketplace
PC World's Free Whitepapers
tech news tech blogs community & forums laptop prices software reviews downloads
Richi Jennings here. Perhaps I could "politely" encourage you to read more at http://richi.co.uk/blog/ where you may or may not find some "impassioned expertise"
Dear Mr Bass,
While I fully understand your concerns about the challenge/response (C/R) process, I feel that it’s necessary to correct a number of misconceptions.
Misconception #1 – don’t confuse concept with implementation – a good C/R system WILL block and just silently delete bounceback messages
In most cases, the FROM address itself is bogus and so challenges just go into the void.
It may very well be the case that you are getting more bogus challenges than most. It is in the strong interest of spammers to prevent C/R systems from being widely adopted BECAUSE THEY WORK. How better to prevent C/R from being adopted than by causing influential journalists such as yourself to become sufficiently annoyed that you write articles objecting to the process? With a wide audience, and the ability for people to quickly find your article through web searches, your articles serve to help eliminate solutions that really work – and the only people who benefit by this are the spammers.
In addition to the above ...
Rather than objecting to the occasional mis-directed challenge, consider instead that the combination of a good C/R system and an internet-wide sender-id framework would solve the spam problem completely. Think about this --- C/R systems provide users with 100% spam blocking – with the rare (and it is rare, but see below) generation of a challenge to some other legitimate person. A sender-id or SPF process simply prevents a forged FROM address from being used. It doesn’t stop spam because spammers can create temporary domains and still send stuff out with fake usernames – but they can’t use fake domains.
So rather than objecting to C/R systems, you should be loudly advocating the wide adoption of sender-id or SPF along with C/R systems – that would be the end of spam.
My views are partial. I am the VP of Software Development at DigiPortal Software who is making ChoiceMail.
Dear Nebojsa Djogo, there's nothing "occasional" or "rare" about it. That's just wishful thinking. In many cases, the From: header or envelope sender contain real email addresses of innocent 3rd parties. Or are you calling me and Steve liars? We receive this junk all the time.
Most of my spamtraps are secret -- I'm fairly sure that spammers aren't deliberately targeting them.
If you think for a moment about how SPF/PRA/SenderID work, you wouldn't make such claims. Time and again in this industry, we've seen egg on the faces of those who claim to have discovered the Final Ultimate Solution to the Spam Problem (look up FUSSP on Google). Hint: spammers can easily choose a forged sender address that matches the IP of the sending zombie.
Dear Richi,
I am not sure how did you interpret my words so that you arrived at the conclusion that I called someone a liar? I actually said … “It
may very well be the case that you are getting more bogus challenges than most”
I also do not understand your comment about SPF, Domain Keys and so on …
>”Hint: spammers can easily choose a forged sender address that matches the IP of the sending zombie.”
This leads me to believe that you do not entirely understand how some of these technologies work.
“Domain Keys” for example ensures that the CONNECTED sender IP is approved for that domain or the mail is a fake.
If by “a zombie” you actually refer to a computer INFECTED by a trojan horse virus or a computer compromised is some other way then yes … it is possible to send spam from such a “zombie”, but that is a completely different problem.
If someone stole your car - there is nothing you could do to prevent the thief to do anything with it. The goal is to stop the stealing...