Challenge to the Death

I’m no one special just because I get a boatload of spam every day, but I do, and it’s annoying. My mail host provides SpamAssassin protection at the server level, trapping most of the incoming junk messages before I ever get a chance to review them. If it catches some false positives once in a while, I long ago decided that life is far too short to bother wading through its harvest, even irregularly, so I leave them there for eventual deletion by the system.

There are plenty of junk messages that do make it through, though, and those are filtered through the reasonably effective junk filters provided in Microsoft Entourage. I’ve always liked this application-level protection; using a custom view, I can easily monitor the spam filter for messages erroneously marked as spam. It’s really the way I prefer to manage my mail.

Over time, though, the number of junk messages that make it through SpamAssassin has gradually increased, as has the number of false positives I see in Entourage. One has to admit, spammers are Darwinian fighters if nothing else; they adapt and re-calibrate with great persistence — their uncompromising vision of a low-finance, Viagra-fueled utopia just won’t be denied. After seven years of this kind of noise level, I’m just getting weary of combing through my email every day.

I know I could add a utility to my computer like SpamSieve to help improve this error rate; I tried it once and didn’t really like it that much. And I know I could move over completely to Gmail or some other Web-based mail program with purportedly much better, centralized spam protection, but I have a low tolerance for webmail as a general rule. So I’ve been thinking about using a challenge/response spam protection system. Is that totally awful? I know there are many drawbacks, but is anyone out there using such a system successfully?

  1. I personally don’t mind C/R – but you’re asking for a lot of issues – prepare to be blacklisted for your outbound challenges.

    First thing – I would investigate with Dreamhost just how configurable SA is (for you). I have the benefit of my own dedicated server, and I have things turned way up – all manner of online checks, RBLs and such. It can take up to 30-45 seconds for it to do its tests, but the net result is under half a dozen false positives a day (versus around 100 messages caught). If you’re curious, I can give you my config.

  2. Between SpamSieve and SpamAssassin, I haven’t had a spam email make it through to my inbox for several days now, which I reckon is a pretty good hit-rate. Challenge/response is suckful for everyone except you – including people you really want to be nice to. It irritates me no end when I have to take extra action just to get an email through to somebody I should legitimately and easily be able to get a message to.

  3. Just FYI, you don’t have to use Gmail’s webmail interface — many people, myself included, use POP access. And you can even setup Gmail for pseudo-IMAP capabilities.

    And, as you’ve implied, having Gmail’s centralized spam protection works great, especially because you have a ton of users contributing to its rules.

    In fact, Gmail’s POP access has been a godsend for me in terms of keeping down spam, because spam has to go through TWO filters before reaching my inbox. First, it gets filtered by Gmail, which catches 95% of my spam. Then, when downloads the messages, it sends them through the bayesian filter, which has had four years of training — that catches the other 5%. I literally get almost zero spam in my inbox, even though I’m sent about 50 spam messages a week.

  4. Personally I can’t stand C/R systems as it puts the onus of responsibility on the sender. If you’re getting slammed I can understand why you’d consider implementing such a system, but for myself I would rather use other systems to combat spam than make it more difficult to get in touch with me.

    I use a two-tiered system to combat spam: on the server (which I administer myself) I have set up a combination of SpamAssassin, RBL, and Razor. This filters out 99.9% of the spam that I normally receive, which is usually around 125-200 spam emails a day spread over 2-3 accounts.

    The small handful that gets through the server-side protection is captured by popfile, which is a bayesian-based filtering system that filters email into buckets – one of which can be spam. It’s really, really awesome and after training it’s incredibly accurate.

    Obviously the server-side stuff requires a bit of time and some unflappable copy-and-paste skills, and popfile isn’t too straightforward to install on the Mac (something I’m working on remedying). But this works for me – 0 spam in my inbox.

    Anyway, as I said at the start of this, C/R systems may work, but they’re a pain in the ass for the sender so I personally don’t think they’re worth the trouble.

  5. In my experience, the useful, relatively spam-free life of an e-mail address is about three years… give or take 1 depending on how slutty you are about giving it out.

    As such, the most useful way to curb spam is simply to change e-mail addresses every few years. It sounds like a bitch, but really, it isn’t. You send one e-mail out to a few hundred of the people you care about, then you start using a Gmail address for all online forms, and you’re pretty much switched over. If certain people don’t get your message, so be it… you’re easy to look up online if they really want to get ahold of you.

  6. SpamAssassin’s default configuration is fine for the majority of spam, but to really kill spam dead you need some sort of statistical filtering tuned to your personal email habits. Spam Sieve does this on the client side and SpamAssassin can be configured to enable Bayesian filtering on the server side. A few years ago, I became obsessed with killing spam on my machine and finally found the right combination of aggressive content filtering and Bayesian filters, both using SpamAssassin.

    Basically, I’ve got a folder on my IMAP account called “Junk” that spam gets filtered to automatically. The occasional spam that does get through gets moved to this folder and then, once a week, I have a script that runs that automatically analyzes my spam and non-spam mail. This script also automatically deletes the spam mail so that my inbox doesn’t fill up and so that I don’t have to touch anything.

    Fortunately, someone has already done the hard work and has instructions on how to set this up at Dreamhost: SpamAssassin for Dreamhost.

    Once I set up SpamAssassin’s bayesian filters, I went from about 20 spams a day not being caught to about 5 per week.

    Challenge/response systems are, to me, a “the terrorists have won” solution. C/R makes email implicitly more difficult, both for you and the people trying to communicate with you. Bayesian filtering works and with a little bit of upfront time/prep can work really well and without much effort once it’s set up.

  7. 50 spam a week? Yeesh, that’s nothing.

    But I second Sage’s recommendation: forward all email accounts to Gmail, and use it’s POP access through yr local mail app. Added benefit of having a great interface to your mail when you’re out and about, and the spam filter is very good. (Tho my one complaint is that Gmail sometime’s seems to “eat” random emails, most often pwd reminders and the like — sometimes they’re nowhere to be found.)

    I usually only get 1-2 spam a day, with no false positives — this is down from hundreds a day. Recently there’s been some new method of spam-trickery that’s been making it through the blockades, which is really irritating. Give up already!

  8. Well, to use a Bush-like expression: If you use Challenge/Response, then the spammers have won.

    I almost never bother to answer on a challenge I get sent, I don’t know why it irks me that much, but it does. This probably is because most of the challenges I get sent are responses to spam that gets sent when one of my domains gets used for yet another “Joe Job”. When cleaning my mailbox for spam that has slipped trough my filter (which does a good job at catching hundreds of messages *a day*), my subconscious catalogs the challenges as spam itself.

    My setup: basic SpamAssassin filtering on the server (catches most 419, Poker, diplomas, Rolex, …), combined with a Bayesian-trained SpamAssassin on the client. This way “known good” gets promoted to the inbox, “known bad” goes into a folder that gets checked maybe once a month, or when then odd password reminder I’m expecting seems lost. The cases in between get moved to a staging folder, which I check about once a day, and which I use to train my filters.

    (unrelated: when I click the “Forget this information” radio button, the form is cleared – FF – Win)

  9. Thirded on Gmail, I use the POP connection for incoming and forward all my old addresses there. I even use the web interface sometimes, though I never thought I would.

    I have only had one false positive in more than six months and no actual spam getting through. Losing emails is not an issue, although gmail does have some interesting rules when sending to yourself (eg as a reminder).

    My only gripe is that you can’t hide your gmail address; it appears in the mail header with “on behalf of” so sometimes you get people replying on your gmail address even though it’s not specified for return (depends on the mail client).

  10. I wholeheartedly recommend Postgrey. I’ve set it up on our mail servers, incoming mail from unfamiliar senders are rejected for 60 seconds before allowing it through. Most spam servers won’t bother queuing and resending rejected mails.

    The downside? Sometimes I’ll have to wait up to ten-fifteen minutes for a message from an unknown sender to arrive. I can certainly live with that.

  11. You’ve surely considered this, but you’re stacking the odds against you if you don’t disguise the email address on your About page, or use a form instead.

  12. Gmail’s spam filter used to work wonders. Now, however, it’s letting through the new “image spam” (for lack of a better term).

  13. How about using Gmails hosted email option, the best spam protection, webmail, and the convinence of your domain, for free…. it works for me.

  14. I use SA on my own dedicated server and it doesn’t catch everything either. I’ve tried just about every email client out there including Entourage. I’ve recently switched to using Mozilla Thunderbird for my email client mainly because it has the best spam filter out of all the email clients you can use. There are some things that I miss in Thunderbird like it doesn’t handle email signatures that well and it doesn’t have categories in the addressbook. But I’ve been willing to put up with those short comings because the spam filter is simply the best. You have to train it at first by telling it what things are junk but after a couple of days it will be working like a dream!

  15. Most Spam solutions leave me with the annoying task of looking through all the marked Spam for false positives. I find one about once a week, and so I have to keep sorting through it all. To my thinking, that makes Spam filters a poor solution.

    The most effective Spam killer I’ve seen is Earthlink’s (and similar) “honeypot” systems.

    Earthlink sets up multiple email addresses that have no purpose but to attract Spam. When identical emails hit several of those addresses, Earthlink can safely assume that they’re Spam. Not probably Spam, but certainly. No false positives.

    Earthlink subscribers can turn on a level of Spam protection (Medium, I think) that deletes these. No need to screen them, they’re all definitely Spam.

    I’ve kept my Earthlink account and routed all my email through the Earthlink servers just for that feature. Last time I looked, it screened about 85 or 90% of my Spam, so that I’m down to only ten or twenty a day now.

  16. I’m surprised you didn’t like SpamSieve. We just installed it on our most spammed (i.e. the longest tenured) employees at my company and everyone loves it. I recommended it after reading rave after rave from various bloggers, and it even surpassed my own expectations.

  17. I’m surprised you didn’t like SpamSieve. We just installed it on the computers of our most spammed (i.e. the longest tenured) employees at my company and everyone loves it. I recommended it after reading rave after rave from various bloggers, and it even surpassed my own expectations.

  18. I second Johnny; Gmail’s hosted option is superb. For free one gets POP support, an excellent webmail interface that comes in handy when traveling, a fantastic spam filter, top-notch email account management, and most importantly, email addresses at your own domain. All of my geeky and non-geeky friends alike have gone with Google’s hosted program and never looked back.

  19. I have done it all, special spam assassin rules… the whole nine yards.

    The best protection to my 150 SPAMS a day? Forward to gmail and then have gmail forward to a secret hidden account… basically using gmail as a spam filter-relay.

    Then I send out from one account and download from another account… (all in the same “account” in

  20. Additional note: I use MailSmith, by Bare Bones, on my Mac — its only real drawback is that it won’t parse html , and I have to click the icon to have html email opened in my default browser.

    But anyway, SpamSieve is bundled with MailSmith, and I’ve been running it for well over a year, and it’s easily 99% accurate. I do sometimes get a Spam in my inbox, but after identifying it, SpamSieve catches future similar Spams. Likewise, I sometimes get non-spam in the Spam mailbox, but I mark it and SS gets smarter.

    But again, despite its effectiveness, even at 99%, I still have to look over all the Spam in case of false positives…

  21. I’ve got SpamBayes running on my Dreamhost account. It rocks. Since trained (which took 3 days), SB has only let through 2 (yes, 2) spam messages over the course of 3 months. (I get around 75/day). Might want to look into it.

  22. I personally use SpamArrest to protect every account I have (5 total, as of this evening).

    I ran the gauntlet of Spam filters and found all of them lacking. No matter how accurate a single filter would be, eventually, some spam would get through it. Tired of the cat/mouse, I looked into a challenge/response system. Frankly, I couldn’t live without it. I get maybe 1 SPAM a month, usually a phish from a domain I’ve authorized (Amazon, Paypal, BankofAmerica, etc).

    My clients don’t enounter any issues, as I’ve white-listed their domains. My friends don’t see the challenge, as I’ve white-listed their accounts based on Mail.apps sent logs.

    It’s a gorgeous thing.

  23. I use spamcop. It gets rid of just about every bit of spam headed my way.

    There’s the odd false positive, but you can check what’s held via a web interface and whitelist senders if needed.

    All you need to do is forward your mail through their service.

    I tried all kinds of other systems, c/r, software, hosted, you name it, but spamcop’s the only one that doesn’t get in the way.

  24. Khoi, I know you’re unlikely to see this post at this late date, but I would encourage you to give SpamSieve another go-around. I’ve had the same email address for about seven years, and it still filters out the ~100 or so spam messages I get daily from having that address public for so long. It’s well worth it for $25 or so.

  25. Jeff: after these comments, I did go back and try SpamSieve. I dunno, there’s something clumsy about its AppleScript implementation that doesn’t sit right with me. I recognize that it does a good job capturing spam, but I couldn’t bring myself to buy it. I haven’t yet installed it on my new Mac, and I’m probably not going to. But if it’s working for you, then more power to you.

Thank you! Your remarks have been sent to Khoi.