Date: Wed, 18 Aug 2004 19:10:43 -0400 (EDT)
From: "Keith F. Lynch" <kfl at KeithLynch.net>
To: WSFA members <WSFAlist at WSFA.org>
Subject: [WSFA] Re: SpamArrest
Reply-To: WSFA members <WSFAlist at WSFA.org>

I strongly recommend against Spam Arrest (http://www.spamarrest.com/).

Challenge & Response systems are antisocial, and often don't work with other mail software, especially with mailing lists such as this one, or with other people who are also using Challenge & Response systems. See http://kmself.home.netcom.com/Rants/challenge-response.html. (Yes, the first section is badly formatted, but what it says is still valid.)

SpamArrest is one of the worst Challenge & Response systems, for several reasons.

For one thing, it requires that someone not just reply, but that they answer questions based on an image on a web page. People with text-only accounts are locked out. As are people with email access but not web access (e.g. folks on Fidonet, or other store-and-forward systems).

For another thing, the SpamArrest company is notorious for harvesting email addresses from everyone who replies to any SpamArrest C&R email, and spamming them! See http://static.samspade.org/spamarrest.html.

What works much better than C&R is blocking all email from known rogue sites. There are several blacklists you can subscribe to, some of them for free. Interestingly, several of them list SpamArrest.com as a rogue site, meaning that any C&R message from a SpamArrest user will be deleted unread.

Blacklisting can be combined with content-based blocking, so that certain words or phrases cause email to be discarded. Or with a Bayesian scheme, where the ratio of spammish phrases to non-spammish phrases is looked at. Unfortunately, spammers are getting around Bayesian filters simply by making their spams larger, padding them with chunks of non-spammish text harvested from books.

Blacklisting can also be combined with blocking all HTML email. This used to work quite well, since 99.9% of all spams were HTML, and 99.9% of all non-spams were *not* HTML. Unfortunately, spammers are getting smarter, often sending their spams as plain text. And non-spammers are getting dumber, often inexplicably sending their legitimate email as HTML.

At the beginning of this year I finally gave up on all forms of filtering (except by length -- I still block all *immense* emails, since it would only take a handful to trash my account) and went to a combination of whitelisting and disposable email addresses. Every WSFA member, and everyone who has been to even one WSFA meeting in the past decade, is on my whitelist, as is everyone with whom I have exchanged email, and about ten thousand other people. Anything anyone on my whitelist sends to any address of mine will get to me, unless it's gigantic (over 90k -- the size of a novel). I'm currently changing disposable addresses every ten days. Anyone who sends anything non-gigantic to my current disposable address (or to one I discontinued less than 24 hours ago) will get through.

I wish I didn't have to do this. I wish there was a way to get not more than a dozen spams a day, without risking losing legitimate email. Unfortunately, when Congress came out on the side of spammers instead of the rest of us, it became clear that the cavalry wasn't riding to the rescue, and there was no point in putting enormous effort into holding the fort for one more day.

I value email immensely, and for several years I was spending the majority of my free time fighting spam. Which turned out to be about as productive as mopping the bathroom floor while the toilet was still overflowing, when no plumber is coming.

In a few years, email will only exist in small enclaves of people who already know each other. Experts are *already* recommending that email addresses be shared only with people you trust, and that you should never open messages from people you don't know. And all so that a few hundred criminals can send literally trillions of unwanted messages for the sole purpose of defrauding as many of us as possible. What a terrible waste.

There are no good solutions. There are several mediocre solutions -- I'm using one. But SpamArrest is an especially bad implementation of a bad solution.
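The whitelist-plus-disposable-address policy described in the message above, written out as an added example (not code from the original post or its author): a size cap, a whitelist that bypasses the address check, a disposable address that rotates every ten days, and a 24-hour grace period for the address just discontinued. The 90k cap as 90,000 bytes, the fixed rotation epoch, the address label format and the domain are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

GIANT_BYTES = 90_000                 # "over 90k" read as 90,000 bytes (assumption)
ROTATION = timedelta(days=10)        # disposable address changes every ten days
GRACE = timedelta(hours=24)          # discontinued address still accepted for 24h
EPOCH = datetime(2004, 1, 1)         # arbitrary start of period 0 (assumption)
DOMAIN = "example.invalid"           # placeholder domain (assumption)


def period_index(now: datetime) -> int:
    """Number of full ten-day rotations elapsed since EPOCH."""
    return (now - EPOCH) // ROTATION


def disposable_address(now: datetime) -> str:
    """The disposable address valid at time `now` (label format is assumed)."""
    return f"drop{period_index(now)}@{DOMAIN}"


def accept(sender: str, recipient: str, size: int, now: datetime, whitelist: set[str]) -> bool:
    """Return True if a message should reach the mailbox under the policy above."""
    # Length filter applies to everyone, whitelisted or not.
    if size > GIANT_BYTES:
        return False
    # Whitelisted senders get through to any address.
    if sender.lower() in whitelist:
        return True
    # Unknown senders must hit the current disposable address...
    if recipient.lower() == disposable_address(now):
        return True
    # ...or the one discontinued less than 24 hours ago.
    discontinued_at = EPOCH + period_index(now) * ROTATION
    previous = f"drop{period_index(now) - 1}@{DOMAIN}"
    if recipient.lower() == previous and now - discontinued_at < GRACE:
        return True
    return False


# Constructed sample data for a stand-alone run.
WHITELIST = {"friend@example.invalid"}
NOW = EPOCH + timedelta(days=10, hours=1)   # one hour into period 1

if __name__ == "__main__":
    print(accept("friend@example.invalid", "anything@example.invalid", 1_000, NOW, WHITELIST))
    print(accept("stranger@example.invalid", "drop0@example.invalid", 1_000, NOW, WHITELIST))
```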