[Dshield] Spam Email is there a solution "finally"?

Brian Dessent brian at dessent.net
Thu Dec 18 22:33:34 GMT 2003

IT Manager wrote:
> Speaking of Spam E-mail, I came across this little excerpt in an E-mail that
> someone had sent to me. It asks me to please verify my business before I can
> send this particular person an E-mail.

It's not particularly new, as there are lots of companies and programs
to do this.

In my opinion, they are all terrible.  The challenge/response method
essentially shifts the entire burden of filtering to everyone else but
the recipient.  In essence, it turns the situation around so that the
recipient is saying to the rest of the internet, "I don't want to deal
with this so now you must."  It doesn't make the problem go away, it
just moves it to someone else.

For one thing, any software that replies automatically to the "From:"
address of incoming mail is broken by design.  The sender address listed
in spam is almost always invalid, or the address of some innocent third
party (a 'joe-job'.)  In this case these systems just make joe jobs worse
for the victim by filling up their mailbox with a bunch of "please
confirm" crapola.

Then there's the problem of whitelisting.  Every user of one of these
things has to use it properly and whitelist mailing lists and other
automated things.  However it seems like hardly anyone does.  As a
mailing list manager you get plenty of these stupid things sent to the
administrative address of the list, from lazy people that expect YOU to
whitelist THEM.  Even worse are the really broken ones that reply to the
SENDER of each post to a mailing list.  It *really* annoys me when I
post to a mailing list and receive in response some "please verify
yourself" message from some loser that I don't know.  Worse, a lot of
them won't even tell you what the actual email address is -- some only
refer to the 'protected' recipient by first name!  This makes it even
harder for a mailing list administrator or poster to track down the
individual and hit them with a cluestick.

I, and many others, will categorically never click to verify these
things.  If you sign up to my mailing list, it's your responsibility to
whitelist it, not mine.  But there's also the issue of trust.  By
confirming yourself with one of these services you get added to a
database on their server of active email addresses with a live recipient
-- this is like pure gold to spammers.  While I don't think that any
company actively sells these lists to spammers, there's the issue of
security and having someone steal their lists; or what happens when the
company folds and sells its assets.  But that aside, at least one such
slimeball company had the nerve to spam their entire database
advertising their spam-blocking service!  In their deranged opinion, any
email address that had PASSED through their system was now fair game for
them to spam -- not just the people that signed up for it, but their
correspondents!  That is completely unacceptable.  I know that's sort of
an isolated incident, and not all of these systems suffer from such lack
of morals, but it's something to remember.

I know spam sucks and is annoying, but this challenge response crap is
not the solution.  It's like sticking your head in the sand and saying
"I don't see it!  Not my problem!"  Sure, you don't get any spam
anymore.  But you also annoy plenty of other people for that


