Mark M. Hoffman on 25 Mar 2004 04:29:02 -0000

* Stephen Gran <steve@lobefin.net> [2004-03-24 19:53:42 -0500]:
> That being said, it sounds like you're looking for something like TMDA.
> It's a challenge response system that puts the onus of communication on
> the sender - in other words, I send you an email, TMDA sends me back an
> email telling me that my message is being held, and I must respond to
> this email in order to get my original email through to you. After a
> successful negotiation, my next emails are not held. I think you can
> also specify what addresses are not held in your configuration, or at
> least I would hope you can.
>
> Note that this is not an endorsement - I think that TMDA is obnoxious,
> and have rulesets that dump such messages in my SPAM folder. But you
> might like what it does for you.

I've been considering using TMDA or something like it for a while. I can
appreciate the "it's obnoxious" argument; so what can be done to make it
less obnoxious?

But first, exactly what about it is obnoxious? If I get a challenge in
response to an email I sent... presumably I don't know the person and I
was sending a completely unsolicited message. If this is the case you find
to be obnoxious, then we'll just disagree and you can ignore the rest of
this message.

However... What if I get a challenge in response to a message I *didn't*
send? E.g. someone spams a TMDA user while spoofing my address. Well, OK
that's obnoxious.

Here are some things that a C/R system should do which, last I checked,
TMDA does not:

Message IDs and Subject: headers of all outgoing mail should be added to
the whitelist, not just addresses. This will allow people to reply to me
in private about something I posted to a public list.

Any message which would generate a challenge should be tested against a
spam filter. Yes I know if the spam filter was perfect we wouldn't need
the C/R system... which implies that there will always be some "collateral
damage" (sending challenges to people who never mailed me in the first
place).

I would add some other filters as well. E.g. any message which is PGP/GPG
signed would pass without a challenge.

Also, when I was first looking into this, I found a pretty good rule of
thumb (sorry no attribution): The text of the challenge message should be
sympathetic to the person who is emailing you, and not be full of flames
for the spammer who will never read it anyway.

So Stephen, if you've read me this far: can the obnoxious part be
mitigated or is it hopeless?

OBTW: Even if you were a cretin who didn't care about being obnoxious...
how are you going to get your legitimate email from ebay or newegg? Add
them to the whitelist, sure, but they get spoofed a lot.

Regards,

--
Mark M. Hoffman
mhoffman@lightlink.com

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
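
The checks proposed in the message above, sketched as an added example; this is not TMDA's code and not code from the poster. `ChallengePolicy`, `norm_subject`, the `spam_score` callable and the "hold" outcome (quarantine without sending a challenge) are hypothetical names and assumptions, and the PGP test looks only at MIME structure without verifying any signature.

```python
import re
from email import message_from_string
from email.utils import parseaddr

REPLY_PREFIX = re.compile(r"^\s*((re|fwd?)\s*:\s*)+", re.IGNORECASE)
# Constructed sample of a message the local user posted to a list.
SAMPLE_OUTGOING = ("From: me@example.net\nMessage-ID: <out1@example.net>\n"
                   "Subject: [PLUG] C/R systems\n\nbody\n")

def norm_subject(subject):
    """Strip Re:/Fwd: prefixes and case so 'Re: Foo' matches 'foo'."""
    return REPLY_PREFIX.sub("", subject or "").strip().lower()

class ChallengePolicy:
    def __init__(self, spam_score, spam_threshold=5.0):
        self.addresses = set()      # senders who already answered a challenge
        self.message_ids = set()    # Message-IDs of mail we sent
        self.subjects = set()       # normalized subjects of mail we sent
        self.spam_score = spam_score            # hypothetical: Message -> float
        self.spam_threshold = spam_threshold    # assumed cut-off

    def record_outgoing(self, raw):
        """Whitelist the Message-ID and Subject of every outgoing message."""
        msg = message_from_string(raw)
        if msg["Message-ID"]:
            self.message_ids.add(msg["Message-ID"].strip())
        if norm_subject(msg["Subject"]):
            self.subjects.add(norm_subject(msg["Subject"]))

    def decide(self, raw):
        """Return 'deliver', 'hold' or 'challenge' for an incoming message."""
        msg = message_from_string(raw)
        if parseaddr(msg["From"] or "")[1].lower() in self.addresses:
            return "deliver"
        # A reply to something we sent names our Message-ID in these headers.
        refs = (msg["In-Reply-To"] or "") + " " + (msg["References"] or "")
        if self.message_ids & set(refs.split()):
            return "deliver"
        if norm_subject(msg["Subject"]) in self.subjects:
            return "deliver"
        # Structure check only; a deployment would verify the signature itself.
        if (msg.get_content_type() == "multipart/signed"
                and msg.get_param("protocol") == "application/pgp-signature"):
            return "deliver"
        # Likely spam: send no challenge, since the From: address may be spoofed.
        if self.spam_score(msg) >= self.spam_threshold:
            return "hold"
        return "challenge"
```

Because Subject and Message-ID values on a public list are visible to anyone, these two whitelist entries are easier to forge than an address match, which is one reason to keep the spam-filter step behind them.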