[thelist] Serious antispam measures

Kasimir K evolt at kasimir-k.fi
Mon Apr 19 02:48:13 CDT 2004 

 > Sounds tiring for the scant quantity of legit email I get. And what
 > about my poor mother? I have found the subject line route to work
 > pretty well, and it didn't have to be that complex.

Trying to find logically solid ways to this utterly fascinating problem:

In order to distinguish between legitimate mail from illegitimate you 
must require legitimate senders to include in the message something, 
that illegitimate senders are unable to include. This included thing 
must also be something that you are able to filter automatically.

This is different from typical anti spam filter, that filters *out* mail 
that is thought to be unsolicited, as in this approach you filter *in* 
mail that is thought to be allowable.

What to require to be included depends on many factors, primarily the 
intelligence of illegitimate senders (and legitimate senders' too :-)

Some time back spammers searched for addresses on the web: then it was 
enough, that your required an address that you knew was not published on 
the web. Now spam bots search for addresses on individuals' address 
books etc., so requiring a certain address is no good any more. (my 
'date for address' approach offers too little help to this, for too high 
a price, it's not good). Current spam bots are limited to scanning 
addresses, they don't scan subjects or message bodies, so for now it is 
sufficient to require something to be added in the subject.

But if I was to write a spam bot, I would scan your sent mail folder, 
and use the subjects that you have yourself used for each recipient - 
and I'm pretty sure others have had this idea too, even the 
greedy/malicious people.

The idea of spam is to deliver you a message body with spammer's 
content, and the sender's address and the subject are irrelevant for 
this end. So how I see it now, the future proof method is to require 
something in the message body, that your email system is able, and spam 
bots unable, to detect automatically. I wouldn't use a password on the 
first line, as this is too obvious. A good solution might be to require 
a certain phrase, for example after the greeting.

Of course it would be easier not to require anything from the senders, 
but then it would be easier for spammers too. So the choice of your anti 
spam measures is a compromise between the trouble of implementing that 
measure, and the trouble of receiving spam.

.kasimir

More information about the thelist mailing list