ASK Me No Questions, I'll Tell You No Lies
March 10th, 2004 by Chris DiBona in
I give up.
I tried.
I really did.
But I don't have the energy for it anymore.
Yes, I'm talking about spam. I've tried them all--spambayes, spamassassin, freakishly complex procmail recipes, weird dæmons, collaborative filters and the rest. None of them work. Or, all of them work but only for a short amount of time or only for someone else--not me. My usage profile is such that it is very difficult for any spam fighting technique to work.
The issues are as follows:
I receive a lot of "stranger" mail from viewers of my segments on TechTV that I want to read. I also get mail from reporters and others who are interested in this or that, but who have never corresponded with me before.
Much of the incoming mail comes from domains that the spammers seem to enjoy spoofing from: AOL, Hotmail, Earthlink and so on.
I get HTML mail, attachments and all kinds of multimedia, thanks to the work on our game, Rekonstruction.
I get bulk mail in the form of mailing lists to which I subscribe.
I've used the same e-mail address now for some 8 years and have published it in countless emails, articles, on television and the radio.
In fact, the only way that my mail could be more difficult for a spam filter to clean is if I worked for Pfizer on a certain pill for, um, nevermind. Spambayes did a nice job for a long time--few false positives, not a lot of spam hitting the box--but over time it got worse and worse. Spamassassin similarly lasted only a few months and gave me more false positives than I could stomach.
Going without a spam filter, however, is e-mail suicide for me. For instance, in the 48 hours since I turned on ASK, I've received 1,188 spam e-mails. This means if I don't do something about them, I will be forced to delete broad swaths of mail, which means I'll be deleting legit email by accident.
ASK is the Active Spam Killer. I run it as a procmail recipe, but you can run it in a number of different ways. ASK is a functional, simple, confirmed-sender only e-mail filter. Basically, if I haven't gotten e-mail from you before, you get a nice e-mail asking you to reply, thus confirming you are a human and not a subhuman, lice-infested, vomit-smelling, loser spammer. ASK also comes with a program to scan your mboxes to derive e-mail addresses. I ran this against my historical archive, and it found 12,000 or so e-mails from people who have e-mailed me over the seven or so years since I started storing my e-mail.
I first was exposed to ASK as part of an e-mail conversation that included Kirk McKusick of BSD fame. Initially, I was taken aback by the finality of such a system, but over the past few months, I determined that Kirk is right--I simply don't have the time to mess around anymore. If I know you, don't worry, your e-mail goes through; if I don't, ASK requires one step that you need to take only once. I don't think this is a lot to ask of people who e-mail me out of the blue.
ASK is easy to install. With a fast download and RPM installation, it was in place in no time. It took about 20 minutes to scan my past folder archive and generate the whitelist, and then I turned it on. I'm also running spambayes to deal with some of the more egregious viruses that spoof the names of friends, which sewed up a few holes in the process. ASK is written in Python, so you need to have that installed first, but Python comes standard on so many distributions that this requirement is hardly a hurdle.
Since installing ASK, around five pieces of spam have made it through to my inbox. All of them were viruses spreading from spoofed addresses of friends. One even came through with the spoofed address of LJ Editor in Chief, Don Marti, which led me to turn on the spambayes prescanning. The sad thing about using such a draconian system is I know some people won't reply to the ASK confirmation e-mail request. I'm okay with this; it isn't as if I'm not missing some email from folks as it is with current spam technology.
The only way to win this war is not to play, so I've stopped.
ASK can be found at www.paganini.net/ask/.
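The confirmed-sender flow described above (whitelist derived from an mbox archive, one challenge for an unknown sender, held mail released on confirmation), as an added Python sketch that is not ASK's own code. The class, the function names, the random token scheme and every address are assumptions made for the illustration.

```python
import mailbox
import os
import secrets
import tempfile
from email.message import EmailMessage
from email.utils import parseaddr


def sender_of(msg):
    """Lower-cased address from the From header ('' if absent or malformed)."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr if "@" in addr else ""


def whitelist_from_mbox(path):
    """Every address that has written to this mailbox before."""
    box = mailbox.mbox(path)
    try:
        return {sender_of(m) for m in box} - {""}
    finally:
        box.close()


class ConfirmedSenderFilter:
    def __init__(self, whitelist):
        self.whitelist = set(whitelist)
        self.pending = {}   # token -> sender awaiting confirmation
        self.held = {}      # sender -> messages queued until confirmed

    def incoming(self, msg):
        """Return ('deliver', None), ('challenge', token) or ('hold', None)."""
        sender = sender_of(msg)
        if sender in self.whitelist:
            return ("deliver", None)
        first_contact = sender not in self.held
        self.held.setdefault(sender, []).append(msg)
        if not first_contact or not sender:
            return ("hold", None)           # at most one challenge per sender
        token = secrets.token_urlsafe(12)   # unguessable: quoting it proves receipt
        self.pending[token] = sender
        return ("challenge", token)

    def confirm(self, token):
        """A reply quoting `token` whitelists the sender and releases held mail."""
        sender = self.pending.pop(token, None)
        if sender is None:
            return []                       # unknown or already used token
        self.whitelist.add(sender)
        return self.held.pop(sender, [])


def _mail(frm, subject):
    m = EmailMessage()
    m["From"] = frm
    m["To"] = "me@example.org"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    return m


def demo():
    """Constructed archive and traffic; every address here is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "archive.mbox")
        box = mailbox.mbox(path)
        box.add(_mail("Kirk <kirk@example.net>", "old thread"))
        box.add(_mail("don@example.com", "column"))
        box.close()
        flt = ConfirmedSenderFilter(whitelist_from_mbox(path))
    seeded = set(flt.whitelist)
    known = flt.incoming(_mail("kirk@example.net", "hello again"))[0]
    action, token = flt.incoming(_mail("viewer@example.org", "saw your segment"))
    repeat = flt.incoming(_mail("viewer@example.org", "one more thing"))[0]
    released = len(flt.confirm(token))
    after = flt.incoming(_mail("viewer@example.org", "thanks"))[0]
    replay = len(flt.confirm(token))
    return seeded, known, action, repeat, released, after, replay


if __name__ == "__main__":
    print(demo())
```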
Re: cat /dev/DiBona/brain: why spam filtering doesn't work
On March 22nd, 2004 Anonymous says:
I would like to offer a comment about this. I have been using spamassassin for at least 3 months.
I change the score of rules to suit my personality. First off, I have Pyzor installed, so in ~/.spamassassin/user_prefs I merely use "score PYZOR 5" which means if it's in Pyzor, it's not worth reading since it's probably (99%) spam.
Then, I also change several other rules. For example, the FORGED_MUA_OUTLOOK and FORGED_RCVD_YAHOO, I set these and all other "forgery" and "fakery" rules to 5. I have an email account with AOL, yahoo, and MSN, and sending myself emails and running filters on them shows them to be genuine, i.e. the rule does not trigger.
I also set MICROSOFT_EXECUTABLE to 5, since honestly NO ONE should be sending windows executables in email, even if they ARE a newbie. lol
Also, I can add email distribution lists that are sent using (for lack of a better, clean word) stupid emailers, I can add them to my whitelist in the same ~/.spamassassin/user_prefs file.
Is there a perfect spam filtering agent? no. Right now spamassassin is at 99% accurate, and the 1% is spam delivered to inbox, not false positives. Hotmail, honestly, is about the closest thing, with spam filter set to "exclusive". However, this will also prevent new people's emails from getting through.
Please feel free to read my spamassassin config, http://www.puresimplicity.net/~neosadist/user_prefs .
The web and email are changing. But are ISP's doing anything about it? In my opinion, no, very few do anything. I continuously get BCC'd emails from all kinds of spammers. A KMail filter to the effect of "if it's NOT TO or CC to my email, it's trash" also worked well.
There are many methods. Spamassassin is, in my opinion, the best, especially when equipped with Pyzor/Razor/DCC tools built in (i.e. those tools are also installed on the machine) and with bayes filtering. I have shortcut filters (basically macros) I can run in KMail that help make it this way. There is no perfect spam filtering method, but spamassassin gets close.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 18th, 2004 Anonymous says:
I have to say that I just can't believe it. I shake my head every day at the general stupidity that is rampant in IS/IT industry. Want to almost eliminate spam, put in some SIMPLE sanity checks into your mail server.
I use postfix, but the concept is simple. Does the connecting computer identify itself correctly (helo, name-to-IP, IP-to-name etc).
Oh, forgot to mention why I said "stupidity"; I can't even add all of the rules because sysadmins CAN'T set up their mail server correctly. So, instead of doing what they are supposed to, many admins just become part of the problem.
I can not even believe how many of the companies that should know better, don't. I just shake my head...
And I do have to admit that I love the RBL's for postfix. I went from rejecting approx 42,000 emails (with only a couple of rules) to 105,000 with a couple RBL's added to postfix per month. Now throw on spamassassin...
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 18th, 2004 Anonymous says:
Hi
It seems to me that there is not a technical answer to spam because spam is not a tech problem. Attempting to solve it by technology has resulted in an arms race that gets faster and faster.
I think spam is a social problem and will be solved by social solutions. There seem to be two main aspects to this:
1) Western societies, and probably others, are remarkably tolerant of junk. We have junk mail, junk food, junk newspapers, junk advertising; the list goes on. We were happy to live with this until computers and the net started to drown us in rubbish.
2) There are few consequences to sending spam. Spam will stop when the social costs of sending it are too high. If spammers risked losing everything they own as a result of their actions spam would largely disappear. There will always be some 'background level' just as there will always be graffiti.
So, sorry guys, but I think this is one we can't deal with by using increasingly complicated programs. We need to act more responsibly as a community.
Just my 2c worth.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 17th, 2004 random (not verified) says:
As has been pointed out, if you can script challenge/response on your end, the spammers can do so on their end. For a more robust solution see "SPF Overview" by Meng Weng Wong in this month's LJ. It will take a while to have a significant effect, but not so long as you might think as it will already work to eliminate spoofed AOL e-mails.
On the other hand, I'm certain that challenge/response will make a fine temporary solution for you until the problem is wrestled down to a manageable level overall.
challenge response email systems cause more problems than they s
On March 17th, 2004 Anonymous says:
TMDA etc reply automatically to spam and viruses - therefore their messages ARE spam. The number of challenge messages I have received in response to vastly outnumbers the number of challenge messages I have received in response to actual messages I sent.
I have configured my mail server to reject some of the common challenge messages, but the TMDA spam continues.
When I receive a challenge message in response to spam or virus I always reply and let the ASK/TMDA spammer receive some spam.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 12th, 2004 Anonymous says:
I really hate challenge/response systems. They are the lazy, selfish option,
simply shifting the spam burden out of your inbox into those of other people.
Most virus and spam mail now forges a genuine sender address, so most of the
challenges you send out are to people who never sent you a thing. So they
receive your useless challenges on top of all the spam, virus messages,
spurious NDRs and pointless "We received a virus from your address so we're
notifying you even though we ought to know that the sender address was forged"
harassment.
Challenge/response systems are stupid and selfish and so are the people who use them.
Other limits of C-R systems
On March 12th, 2004 Anonymous says:
1) You can't whitelist useful email from those you don't know yet, like all possible
employers offering a job after reading your online CV.
2) http://securityfocus.com/infocus/1766
Ciao,
Marco
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
If you're going to do challenge-response, by all means use competently written systems like ASK and TMDA.
However, please reconsider doing challenge-response at all. All you're doing is shoving your problem off on others.
That's because 90% (as seen here, may be only 50% elsewhere) of alleged email sender addresses, to whom you auto-respond with your challenges, are forged by spammers or worms. Even worse, spammers and worms both tend to use valid, but unauthorized, addresses.
You are thus sending substantively identical email (the challenges) to large numbers of people who didn't sign up for them (the forgery victims picked from the spammer's list, or picked by the worm from local caches).
That's bulk email. And that's unsolicited email. So yes, you're spamming people with your challenges.
Please stop thoughtlessly spamming others in your attempt to get rid of your own spam problem. Thank you.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Gamara (not verified) says:
Well, I disagree with you. The only people who get "spammed" are those who are emailing me that I do not know. Like I noted in the article I have built up a base of 12k email addresses for comparing against, and I watch my outgoing mail to keep that fresh. I also do not take part in newsgroups.
In fact ask is set up to give me a virus from a spoofed address before sending out a challenge to someone who would already be in the whitelist, which if you had read the article, you would have noticed. I also have SA inline to delete the obvious spams/virii.
People emailing me directly off lists can go through authentication, so can people emailing me who I've never traded email with.
Chris
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 11th, 2004 Anonymous says:
> The only people who get "spammed" are those who are emailing me that I do not know.
You seem to have missed the entire point of the objection to use of challenge-response systems.
As I clearly noted, the alleged sender addresses are being widely forged. Here, 90% are forged. Other places, 50% are.
Either way, the majority of those people -aren't- the ones mailing you, yet you challenge their addresses anyway, and you do so in bulk.
> In fact ask is set up to give me a virus from a spoofed address before sending out a challenge to someone who would already be in the whitelist, which if you had read the article, you would have noticed
I did read the article. Thanks anyway, but you've still missed the point of the critique of your new, abusive practices.
If you have someone whitelisted, then of course you're not going to send them a challenge.
It's your sending large numbers of unsolicited challenges to people who didn't send you mail that's the problem.
In the end, you're just sluffing off your spam problem onto innocent victims who aren't in your whitelist. In order to ignore your own spam, you're challenging forgery victims, in bulk, in effect if not intent doing your best to double the spam volume on the net.
That's a bad thing. In fact, the attitude that seems to be enabling you to do it (me first, consequences for others be damned!) is similar to the lack of care for the commons that drives spammers in the first place.
I don't think that attitude makes for friendly neighborhoods.
Please reform. Please become a network neighbor I won't have to block and report as a spammer.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 12th, 2004 Anonymous says:
hello,
I simply do not understand what You are all talking about?
Friendly network neighbour? Innocent victims? The fact
is that 90% of my mail is spam. So if some innocent
victims will have to reply to my challenge, so be it.
Now I would love to live in a society where we are
all friendly to each other, we share stuff and keep
our doors open, but this is not the way this planet is
functioning.
v.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 12th, 2004 Anonymous says:
then you are an a$$hole. you are pushing your problem off on other people.
you should have thought about it before widely posting your e-mail address. you could've obfuscated your e-mail address. you could change addresses periodically, (6 months or so?), assuming that anything coming from an address you haven't used in 1-1.5 years must be spam.
what you are doing is no better than the original spammers; you are just helping them to distribute their messages, so that *they* don't get blacklisted, but *you* do. I hope you get sued for aiding spammers, dick.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 15th, 2004 Anonymous says:
So your solution to spam is to change your e-mail address every 6 months? That just makes it harder for all of your legit contacts to get ahold of you.
Why you might ask? Because every time you change it, you would need to contact everybody to let them know. Not only that, but before long, you would have an ugly address, johndoe334311232@ instead of your original, easy to remember one, johndoe@
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 15th, 2004 Anonymous says:
Quit being an idiot. My solution is for you to take responsibility for your own actions, for one thing. You should be more careful about broadcasting your unscrambled e-mail address, etc. etc. etc. Everybody else realized this many years ago, and don't use their true address when posting to newslists.
Any legit contacts will have sent you mail in the past, so they will be on your whitelist - no matter which address they use, you'll still see their mail.
Any new contacts will use your new address, so they will not be turned away by the expiration date.
There are *very* serious issues with C-R systems, as others already mentioned.
See http://securityfocus.com/infocus/1766 - if two people have challenge-response systems, then neither one can communicate with the other, this is one of many issues.
Also, if someone comes up with a method for two challenge-response systems to work together, then this too is easily exploitable by spammers.
Obviously, systems which totally prevent legitimate communications between people are NOT the wave of the future!
Use a good filter or two, and DEMAND effective laws... that's the best solution.
That's not true
On March 10th, 2004 Anonymous says:
I receive confirmation requests for messages I have never sent. I receive virus notifications for messages I could not have possibly sent. I receive mailer daemon bounces for messages I didn't send.
Those are a nuisance. If you don't realize this can be a problem you are not giving this enough thought.
1) Realize that confirmation requests can be used to harass people and depending on what they quote out of the original message, they can be used to make your server send spam.
2) Both spammers and worms forge email addresses to hide their locations. Sometimes they use real addresses (actually quite often). If lots of people start deploying these confirmation tools we will start seeing the number of invalid confirmations being received become a real problem.
3) You have to avoid confirmation loops. What if you send a message to someone else using a different confirmation system? Remember the fun of the early autoresponder programs and .forwards? If you avoid the loop you still have the problem that neither sender nor recipient sees anything about the original message. The sender will just assume you didn't want to respond.
Re: That's not true
On March 11th, 2004 Anonymous says:
I'm using a similar scheme, although not based on ask,
with great success.
Regarding your concerns:
1. The confirmation requests should be made 'precedence bulk'
so they can be treated as spam and thrown away.
This avoids loops.
2. If both people used such a system, it would still be possible
to start direct communication (replies to messages are
accepted), and would still filter the spam.
3. The overall number of confirmations does not look like a
problem for me, since they are dealt with mechanically.
Spammers will stop spamming once no humans read
their spam.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
I get 10 messages a day indicating that email sent from "me" is being bounced because it's suspected spam. Spammers are putting legitimate email addresses (mine) as the reply to or sender fields. You will now start spamming me with challenge response stuff? This will then get filtered by my software....Now neither of us can communicate.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
I think you missed the point that the author of the parent post was trying to make. If Snidely McSpammer sends you email that claims to be from an Innocent Bystander who is *not* one of your 12,000 closest friends, then IB gets your challenge. If Snidely sends 100,000 spams purporting to be from IB's address, and (let's suppose) 1% of the victims use ASK or a similar scheme, IB receives 1000 unsolicited challenges from people s/he doesn't know. I think the challenges count as spam in that case.
George
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
Here's the problem. Evil Spammer uses my e-mail address in the "from" header on a spam sent to you. Your auto-reply goes to me, but I did not send you the message.
This is not a theoretical problem. My domain gets around 50 of these unsolicited auto-replies per day -- a small but rapidly growing percentage of my total spam problem.
The one thing that may improve the effectivity of challenge-response is the wide-spread adoption of a certified sender solution like SPF. ASK would be able to verify that a spam did not originate from my domain and avoid sending me an unsolicited challenge.
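Two safeguards raised in the comments above (marking challenges "Precedence: bulk" and never answering such mail, so two confirmation systems cannot loop, and using an SPF verdict to avoid challenging a forged sender) are combined in the following added Python sketch, which is not code from ASK, TMDA or any poster. It assumes the receiving MTA records its SPF verdict in a Received-SPF header; the function names, the "hold" quarantine action and the sample messages are constructed for the example.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

NO_REPLY_PRECEDENCE = {"bulk", "junk", "list"}


def domain(addr):
    return addr.rpartition("@")[2].lower()


def spf_result(msg):
    # msg.get() returns the topmost Received-SPF header. Assumption: the local
    # MTA adds it and strips any copy supplied by the sender, so it is trusted.
    words = msg.get("Received-SPF", "").split()
    return words[0].lower() if words else "none"


def is_automated(msg):
    """True for mail that must never trigger an automatic reply."""
    if msg.get("Precedence", "").strip().lower() in NO_REPLY_PRECEDENCE:
        return True
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return True
    return msg.get("List-Id") is not None


def decide(msg, whitelist):
    """Return (action, challenge_recipient); 'hold' means quarantine silently."""
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    spf = spf_result(msg)
    if header_from in whitelist:
        # A known address that its own domain disowns is a forgery, not a friend.
        if spf in ("fail", "softfail"):
            return ("hold", None)
        return ("deliver", None)
    if not envelope or is_automated(msg):
        return ("hold", None)      # bounces, lists, other people's challenges
    if spf != "pass" or domain(envelope) != domain(header_from):
        return ("hold", None)      # cannot show the sender is real: stay quiet
    return ("challenge", envelope)


def build_challenge(recipient, me="me@example.org"):
    """Challenge marked so that other auto-responders will not answer it."""
    reply = EmailMessage()
    reply["From"] = me
    reply["To"] = recipient
    reply["Subject"] = "Please confirm your message"
    reply["Precedence"] = "bulk"
    reply["Auto-Submitted"] = "auto-replied"
    reply.set_content("Reply to this message to have your mail delivered.")
    return reply


def _raw(**headers):
    lines = [f"{k.replace('_', '-')}: {v}" for k, v in headers.items()]
    return message_from_string("\n".join(lines) + "\n\nconstructed body\n")


WHITELIST = {"kirk@example.net"}
SAMPLES = {  # constructed messages, not real traffic
    "friend": _raw(Return_Path="<kirk@example.net>",
                   Received_SPF="pass (constructed)", From="Kirk <kirk@example.net>"),
    "forged_friend": _raw(Return_Path="<kirk@example.net>",
                          Received_SPF="fail (constructed)", From="kirk@example.net"),
    "stranger": _raw(Return_Path="<viewer@example.com>",
                     Received_SPF="pass (constructed)", From="viewer@example.com"),
    "forged_stranger": _raw(Return_Path="<bystander@example.com>",
                            Received_SPF="softfail (constructed)",
                            From="bystander@example.com"),
    "no_spf": _raw(Return_Path="<someone@example.com>", From="someone@example.com"),
    "peer_challenge": _raw(Return_Path="<carol@example.com>",
                           Received_SPF="pass (constructed)",
                           From="carol@example.com", Precedence="bulk"),
    "bounce": _raw(Return_Path="<>", From="MAILER-DAEMON@example.com"),
}


def run_samples():
    return {name: decide(msg, WHITELIST) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} {verdict}")
```

Only the "stranger" sample produces outgoing mail; everything else is delivered or quarantined without a reply, so a forged bystander never receives a challenge.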
Signed email is the only thing that works in the end
On March 10th, 2004 Anonymous says:
As someone else said, how long til spammers will learn to
react to your challenge? Okay, that requires the From/Reply-to
existing.
And what about address spoofing? Will get more and more, until
these systems... oh, wait, we
Re: Signed email is the only thing that works in the end
On March 15th, 2004 Anonymous says:
Spam is a problem for one reason - it works. It works for one reason - it's incredibly cheap. A spammer can send out millions of messages, get a handful of responses, and make money. Thus one solution to the spam problem is to increase the cost to the spammer - increase the cost of sending an email. This doesn't necessarily mean directly charging money - processing time, bandwidth, etc. all have costs associated with them. If you increase any of these requirements for an email, you start cutting into spammers' profits and make spam less attractive for those out to make an easy buck. In order for spammers to respond to your challenges, they would have to make a number of changes to their mode of operation. They would have to use a valid reply address, which ties them to a specific system and provides a trail which can be followed back to the spammer. It requires a system with sufficient bandwidth and processing power to deal with all of the challenges the spam would generate. These things would drastically work to reduce the amount of spam that is generated.
Address spoofing might work to some extent, but that requires some knowledge of the person you're sending the email to. Buying a CD with 10 quadrillion email addresses and spamming away no longer works. Neither does just sending bots out to spider the net and harvest email addresses from web pages and news group posts.
Nothing is absolute. You can't completely ensure that you receive no spam. You can't make your system 100% safe from viruses, trojans or crackers. Life is just another word for risk. But you can minimize risk, and this, properly implemented, is an effective way to do that.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
I see mainly two problems with the above:
1. What if the guy that sends you the e-mail also has a whitelist system? And what about posting to newsgroups? You want to receive replies, but I would never engage in a challenge/response dance just to help someone else.
2. What about all the spam out there with one of my addresses in the "from" line. If these systems would be popular, the amount of spam bandwidth would double.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Gamara (not verified) says:
I actually noted on this (lightly) in the article, I also posted a comment below that covered this....in short, I know the lists I am on and use a virus checker too.
Chris
Where?
On March 10th, 2004 Anonymous says:
I don't see where you responded to this. Using a virus checker first is a good idea to avoid harassing people. What about a spam filter (with a very high threshold to avoid false positives) to avoid adding to other people's misery?
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
These systems are one of the most hated things on the Internet.
They stop spammers all right, so far, but they can also make you
lose precious messages, like:
1) (already mentioned) people who want to try to help you or need
to contact you after seeing a message in a mailing list
2) when you are job hunting: no employer will bother to go through
the process: he will simply trash your CV and go to the next candidate.
So, to use these systems, one should have several email addresses very carefully separated and/or know very well how the sw works, and be
prepared to risk the cases above, and be careful on how to use mailing lists...
Not so easy as it seems.
Ciao,
Marco
knows very well how he is filtering
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
> they can also make you lose precious messages, like:
> 1) (already mentioned) people who want to try to help you or need
> to contact you after seeing a message in a mailing list
Use TMDA message tags to allow replies to that particular message for a week or so to get through without being challenged. Presto.
> 2) when you are job hunting: no employer will bother to go through
> the process: he will simply trash your CV and go to the next candidate.
Or put prospective employers in your whitelist.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 18th, 2004 Anonymous says:
Or set up another email address and put it on your resume.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Gamara (not verified) says:
It is worth pointing out that using other methods of fighting spam, you lose messages to false positives and just plain human error anyway. And if I were looking for a job, I'd likely not use an ask like solution for a while.
As for the list question, I answered this sort of below. Thanks for the post though.
Chris
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
Still Marco:
the line after my name in my first message is there by mistake. I'm not so
sure of myself :-).
Tagged Mail Delivery Agent
On March 10th, 2004 Anonymous says:
TMDA is another Python challenge/response style spam filter that might be worth considering:
http://www.tmda.net/
It has blacklists and whitelists.
It can also tag out-going mail which ensures that anybody replying to your email won't get challenged. It can generate time-dependent tags (e.g. replies within 7 days will not get challenged).
There's even a cgi interface which looks just great.
http://www.tmda.net/tmda-cgi/
Anyway, take a look at the features page:
http://www.tmda.net/features.html
If you're happy with the notion of challenge/response for strangers, then TMDA is worth considering!
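The time-dependent tag idea mentioned in this comment can be built from an expiry time plus a keyed MAC, as in the following added Python sketch. It is not TMDA's code and does not claim to reproduce TMDA's address format; the "-dated-" layout, the key, the function names and the addresses are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

KEY = b"constructed-demo-key"  # assumption: per-user secret kept on the mail host
DAY = 86400


def _mac(local, expires):
    # HMAC-SHA256 over the local part and the expiry, truncated to 64 bits to
    # keep the address short. Without KEY nobody can mint or extend a tag.
    data = f"{local}:{expires}".encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()[:16]


def dated_address(local, domain, lifetime_days=7, now=None):
    """Sender address for outgoing mail; replies to it bypass the challenge."""
    now = int(time.time()) if now is None else int(now)
    expires = now + lifetime_days * DAY
    return f"{local}-dated-{expires}.{_mac(local, expires)}@{domain}"


def check_dated(address, now=None):
    """Return (plain_address, status).

    status is one of: ok, expired, bad-mac, malformed, untagged.
    Only 'ok' should skip the challenge; everything else is treated as
    mail from an unknown sender.
    """
    now = int(time.time()) if now is None else int(now)
    localpart, _, domain = address.rpartition("@")
    base, sep, tag = localpart.rpartition("-dated-")
    if not sep:
        return (address, "untagged")
    plain = f"{base}@{domain}"
    expires_s, dot, mac = tag.partition(".")
    if not dot or not (expires_s.isascii() and expires_s.isdigit()):
        return (plain, "malformed")
    expected = _mac(base, int(expires_s))
    # Constant-time comparison so the check does not leak how many leading
    # characters of a guessed MAC were right.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return (plain, "bad-mac")
    if now > int(expires_s):
        return (plain, "expired")
    return (plain, "ok")


if __name__ == "__main__":
    issued = 1079000000  # constructed timestamp (March 2004)
    addr = dated_address("chris", "example.org", now=issued)
    print(addr)
    print(check_dated(addr, now=issued + 6 * DAY))
    print(check_dated(addr, now=issued + 8 * DAY))
```

Because the expiry is covered by the MAC, a harvested tag stops working after its lifetime and cannot be edited to last longer.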
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
If this becomes widespread, what's to stop a spammer automatically responding to your challenges?
Less likely, what's to stop spammers identifying pairs of email addresses which are on each other's white lists? (This sounds much harder, I guess, but there are some obvious ones - support@big-isp.com, famous-linux-personality@tramseta.com, etc are good whitelist candidates).
Actually they are already doing this
On March 10th, 2004 Anonymous says:
I've been getting spam that goes to myself and one to three other people in the same domain. The spammer randomly selects some to be in the "to" and some in the "cc". They aren't alphabetically ordered or anything. This really screws up my white listing to the point where I had to make SpamAssassin give less negative weight to the whitelist.
Of course the spammers may be targeting *@blah.com as much as TMDA whitelists but it is effective against both.
The only solution is to use unique domains for your email addresses :)
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
To maintain economies of scale, bulk-mailing is generally:
An impersonal process where the recipient is not distinguished.
A one-way communication channel (from spammer to victim).
The spammer would need to have an active account which can process and respond. The server would likely be flooded with responses, bounces, etc. It could also be traced.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
I have nothing against these kinds of systems in general, but sometimes I run across them when people have posted to a mailing list asking for help. When I reply and I get a request to verify I never respond: I always just throw away the request. If they go through their "held mail" and see it, that's fine. If they don't, they'll just have to look at the mailing list to see the response (many of the lists I monitor for help don't require people to subscribe in order to post, and most people don't subscribe). If they don't do either one, I guess they didn't want help that badly after all.
I suppose it's stubborn but I get a TON of email every day and I'm not interested in spending time helping people (for free!), only to have to spend more time dealing with their protection schemes. In this case, where I'm trying to help someone who's asked for help, I view the request for verification as spam in MY mailbox!!
Maybe that's perverse, but that's the way I feel about it.
P.S. I also never "unmunge" mailing addresses when responding to requests for help: if a reply to the address in the message bounces, I trashcan it immediately.
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 14th, 2004 Anonymous says:
Surely you would be replying to the mailing list rather than the person directly? And this mailing list would hopefully be on the person's whitelist or failing that auto-detected by ASK. Replying offlist just means that there is no searchable record of the answer to the question - which gets asked again and again and ...
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
Hear hear!
It's even more annoying when somebody contacts me directly asking a question.
If you are using a C/R antispam system, and you want to email me a question that I will spend time answering, it's only polite to whitelist me first!
Re: cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No
On March 10th, 2004 Anonymous says:
With a mature tool like TMDA, you can generate a one-time throw-away (or time limited) email address - which you can use with impunity. Without respondents even realising what's going on.