[milters] Archive

Lists Index Date Thread Search

Article: 1334
From: Anthony Howe
Date: 2006-12-04 03:17:20 -0500
Subject: Re: Which milter does this?

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Thom Paine wrote:
> I tried emailing a person at a company that I had never contacted
> before and the first email to her required me to reply to an email her
> mail server sent for verification that I was a live user.
> 
> I'd like to implement a milter like that on my server, but I'm unsure

No you don't. You do NOT want a challenge/response milter as it's 
considered the worst anti-spam measure by many in the anti-spam 
community. From my USENIX Login July 2005 article "Shoot the messenger":

http://www.snertsoft.com/downloads/shoot-the-messenger-howe0506.pdf

----
Challenge/Response

This technique looks at the sender of a message and, if
he is unknown to the recipient, accepts and quarantines
the message. The server then sends some sort of
challenge back to the sender (who must reply, and
reply correctly if it’s an are-you-human test) before the
server allows the quarantined message to be delivered
to the recipient. A successful result is typically cached
or stored indefinitely.

C/R seems to be the least welcomed of all the possible
methods to filter spam. A fair amount of spam and particularly
viruses fake the mail address of a real person.
So one of two things happens: if the sender is known
to the recipient, the message gets through without
being caught; if the sender is not known, then odds are
the challenge message is sent to a perfect stranger, thus
creating even more spam. After a while, this gets to be
really annoying for the stranger whose address has
been abused. The SpamHaus [correction SpamCop] DNS blacklist considers
C/R systems to be just as bad as spam and will blacklist
machines using C/R.
----

I've chosen never to implement such and refuse to answer such 
challenges. I've seen people subscribe for a SnertSoft download account 
only to have the mail with their assigned password get stopped because 
of C/R. I don't acknowledge C/R messages. Making other people jump 
through hoops so you can get your mail doesn't work.

(Discussions about whether call-backs and call-aheads are C/R, should be 
conducted in a different thread; my short answer call-backs and 
call-aheads are automated C/R at the server/MTA level and never hit a 
human's mailbox.)

> of what it is called. I tried googleing for a few and I didn't seem to
> get any good hits.
> 
> I was thinking that this might be the best milter to combat spam.

Bzzzt. Wrong. Thanks for playing. I can't emphasize enough how bad C/R 
is as a solution. Looks great in theory, but in practice it just doesn't 
work.

> Since I'm new to milters, can anyone offer suggestions on what a good one is?
> 
> I have mailscanner and spamassassin installed on my mail server, but I
> still get about 50 spam messages a day.

For a MailScanner gateway, milter-ahead is popular. MailScanner author, 
Julian Field, I'm told recommends milter-gris and milter-null. My 
preferences are milter-link and milter-null.

I'm sure others list members will have their favourites too.

I do have a new anti-spam product being developed and it works really 
well with MailScanner. More news on this should be available in the new 
year.

-- 
Anthony C Howe          Skype: SirWumpus                    SnertSoft
+33 6 11 89 73 78         AIM: SirWumpus    Sendmail Milter Solutions
http://www.snert.com/     ICQ: 7116561
     http://www.snertsoft.com/



Lists Index Date Thread Search