TMDA (Anti-Spam) - We can do this together!

[tgpaul]

Calling all JPC veterans!

For those of you who don't know, TMDA is an anti-spam tool that works using a unique strategy: it is whitelist-based. In other words, while traditional anti-spam software blacklists (or bans) e-mails that meet certain criteria, TMDA blocks EVERYTHING until it is explicitly approved. How does this work you ask? Upon installing the software, you can setup a list of all trusted e-mail sources right off the bat. Anyone who is not on the list and attempts to e-mail you will get an automatic response asking to confirm his/her e-mail address by sending another e-mail with a passcode. Upon authentication, the address is added to the whitelist and the person never has to confirm anything again. It works on the assumption that a spambot is not intelligent enough to respond to an e-mail challenge.

There are issues with this approach however. This may not be suitable for business use; customers may be turned off by the fact that they have to confirm their e-mail address. However for personal use, it is extremely effective. Studies show that when set up correctly, fewer than 6% of all emails will require authentication. Please refer to www.tmda.net for all the details.

Now the tricky part: getting this program to run on JPC's virtual servers and in conjunction with CPanel. I am looking for people who know the ins and outs of JPCs servers (I'm a noob to the community), and know what can and can't be modified through JailShell. The installation procedure is fairly straightforward given unrestricted access, though we may need to find a few workarounds on the virtual servers. Is anyone up for this? It probably won't take too long, and every minute spent will be well worth the utility it offers.

Admins: Offer to setup this software for us! It would a lot easier if the software were set up the proper way. Plus fewer spams = happy customers!

Everyone else: Vote in the poll to show your opinion of this software!

Let's do this!

TGP

[Vin DSL]

OMG!!! Hahahaha! I voted and it took me to:

http://jaguarpc.com/forums/showthrea...&threadid=3412

I'm somewhat interested in 'whitelisting', but I don't think it's going to work for me. I'm not really a eMail kinda guy.

I receive an occasional mail from the Teamsters concerning labor contract negotiations, a few from my registrar - Dotster, and a report of downtime on my website. All the rest, I could care less about.

If I knew I could 'whitelist' the IBT, Dotster, and InternetSeer, than there would be no problem, but I doubt if 'they' are going to send me a confirmation.

[G.Bloke]

I won't give it long before spam bots are setup to harvest the passcodes and automatically reply. Also this would cause havoc with genuine automatic mailings, for example order/billing/password confirmations. You couldn't register an account on this fourm for a start!

Whilst all of the measures currently being used to fight spam work to some extent the only way spam is going to be stopped effectively is to introduce a new protocol. The old email protocol is outdated. It wouldn't mean a change in email clients just a update to mail servers, however I think it will be a while before anything is done.

[stevenha]

I'd give it a try, but cautiously. If it could be enabled so that I could gradually build up a decent whitelist, without actually blocking anything until its fully turned on a few months later, it might be OK.

But we have to be careful, because as G.Bloke and VinDSL pointed out, a number of automatic mailings are absolutely important... like domain registration renewal notices, TLD notices, hosting notices, forum registration confirmations, affiliates, software purchase unlock codes, and those all important christmas eCards that people send ( hehehehe).

It would be great therefore, if there was some way to audit the things that TMDA is blocking... like maybe getting an email daily from TMDA summarizing all the things its blocked. And it would need to have an easy way to turn it off, for precicely those situations where you are buying or registering for something new online, but can't predict where the confirmation emails will come from.

I also predict that it will really inhibit people from sending comments about my website. Very few people do nowadays, even if you plead and beg them to, but TMDA will probably kill that kind of email altogether.

[gerilya]

I vote somewhat interested: it's a nice feature to have but certainly not to the extent I would 'do anything to get this software'
Here is another solution that is challenge/response: http://www.spamarrest.com
30 days trial, $34.95 for a year.

[gerilya]

Originally posted by stevenha
I also predict that it will really inhibit people from sending comments about my website. Very few people do nowadays, even if you plead and beg them to, but TMDA will probably kill that kind of email altogether.

Consider having on-line form for feedbacks. I would guess that some people just don't want to disclose their e-mail addresses.

[Vin DSL]

Originally posted by gerilya
Consider having on-line form for feedbacks...

Funny you should mention that. I have had many, many, ppl contact me using the feedback form on my site, and not one spam yet... Hrm...

http://www.lenon.com/modules.php?name=Feedback

[tgpaul]

Let me address some of these comments.

First off, why not start building a whitelist today, and don't implement it for a few months, when you feel it's "comprehensive enough?"

Second, entire domains can be whitelisted. I believe any regular expression can be used to allow or block a set of addresses.

Third, the mailing lists issue is addressed by TMDA as well. TMDA can tag your messages with a sender address, which is an e-mail address that only a certain sender (or domain) can use. So if you receive a monthly bulletin from a particular website, and you're unsure which e-mail address the company uses to mail it (or it changes), you can create an e-mail address that would look something like user-sender-a741af@mydomain.com that would accept e-mails ONLY from sender.com without confirmation.

Finally, keep in mind that this tool is useful mostly for personal e-mail. I personally do not have a website (yet) or a business where I am required to be in contact mostly with people with whom I've never spoke before. I still get an exorbitant amount of spam, despite efforts to safeguard my address. However, there is a final feature to TMDA that could help EVERYONE: the dated address. Dated addresses allow a user to safely distribute an e-mail address that is only good for a certain period of time (5 days, a week, whatever). It can't be modified by a person or bot to change the timeframe because it is generated using strong encryption, with a unique private key that you generate upon installation of TMDA. If for some reason the online form (which I think is a magnificent idea) for feedback doesn't work for your needs, like on a newsgroup, the dated address is ideal. While TMDA's author doesn't specifically mention this, if you would rather have an e-mail link on your website than an online form, I'm sure it would be relatively easy to mimic the dated address generation script in Perl, so that it can be dynamically generated for use on a webpage (with the caveat to the viewer that the address will only be valid from a certain date to a certain date).

Please check out these features yourselves at http://www.tmda.net/config-client.html

TGP