
SpamCap

http://www.toyz.org/images/spamcapcut.gif

Introduction

Yet another email verification system (see [demo]).

Spam Cap is one more in a long line of sender confirmation systems that attempt to control unsolicited email (SPAM), an approach more recently referred to as challenge-response.

For information on how subscribers use Spam Cap, visit [Using Spam Cap].

The idea of having a sender perform some kind of action to verify they are a real person and thereby cause their mail to be delivered is not new. I'm not sure who came up with it first, but some of the early implementations I'm aware of include:

Many other similar systems and other anti-spam projects can be found on [Freshmeat] and [Sourceforge]. There are probably countless others scattered around the net as well.

More recently, several commercial services have emerged implementing similar ideas, including:

Earlier this year, Spam Arrest was found to be spamming people who e-mailed its customers. See: SpamArrestIsASpammer! Others have reported that several other challenge-response email providers have done the same.

The most recent entrant into the challenge-response email fray is Mailblocks, which is now claiming patents on ALL challenge-response systems. They purchased two patents and have been attempting to use them aggressively against competitors, filing suits against Spam Arrest and [EarthLink]. However, the validity of the patents, originally filed in 1997, is questionable based on prior art, as described in part in the following CNET article: http://news.com.com/2010-1032_3-1003921.html

Caveats

You should know that I don't think this idea has legs, long-term. It relies on white-lists to verify senders using the contents (headers) of the mail messages themselves. This information can be easily forged and so spammers will eventually get around all such systems, simply by pretending to be people on your white-lists (as many virus programs already do today).

In fact, one of my reasons for building this system is to test the theory that this whole concept is a sham. It seems to be perceived as a Holy Grail of spam fighting. Before you hand over your hard-earned cash for a service like this, please understand that they have problems, some of which I believe are fundamentally flawed. First, they are based on 'white-lists' and therefore must accept that the 'From:' address in an email is meaningful and indicative of the actual sender (it isn't, as it can be easily forged).
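The white-list weakness described above, as an added example (not Spam Cap's or mapSoN's code): a minimal challenge-response gate keyed on 'From:', run over constructed messages. The addresses, the `gate` function and the white-list contents are assumptions made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed white-list: senders who have already answered a challenge.
WHITELIST = {"alice@example.org"}

def header_addr(msg, name):
    """Return the bare, lower-cased address from a header, or '' if absent."""
    return parseaddr(msg.get(name, ""))[1].lower()

def gate(raw):
    """Deliver if From: is white-listed, otherwise hold the mail and challenge."""
    msg = message_from_string(raw)
    sender = header_addr(msg, "From")
    # Return-Path is recorded at final delivery from the SMTP envelope sender,
    # which is also a value supplied by whoever sent the message.
    envelope = header_addr(msg, "Return-Path")
    return {
        "action": "deliver" if sender in WHITELIST else "challenge",
        "from": sender,
        "envelope": envelope,
        "mismatch": bool(envelope) and envelope != sender,
    }

def build(envelope, from_header):
    """Assemble a constructed sample message."""
    return (f"Return-Path: <{envelope}>\nFrom: {from_header}\n"
            "Subject: hello\n\nbody\n")

# Constructed samples: a real correspondent, an unknown sender, and two
# messages that merely claim to come from the white-listed address.
GENUINE = build("alice@example.org", "Alice <alice@example.org>")
STRANGER = build("bob@example.com", "Bob <bob@example.com>")
FORGED_FROM = build("bulk@mailer.example.net", "Alice <alice@example.org>")
FORGED_BOTH = build("alice@example.org", "Alice <alice@example.org>")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("stranger", STRANGER),
                       ("forged From", FORGED_FROM),
                       ("forged From+envelope", FORGED_BOTH)]:
        print(f"{label:22} {gate(raw)}")
```

Both forged messages are delivered without a challenge; the envelope mismatch flags only the first, and the second is indistinguishable from the genuine one on the message contents alone.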

Other specific problems with systems like Spam Cap and commercial systems that want to charge you money for this type of service include:

However, my main reason for not jumping on the bandwagon with respect to these systems is that their expanded use (such as widespread adoption of commercial systems like Spam Arrest) will simply encourage spammers to forge 'From:' headers more often, which will cause a meltdown of this entire approach (See: [whitelists based on From: lines may not work much longer]). I guess it's an elitist view, honestly, as today white-lists are somewhat effective, mostly because most people aren't using them yet, so the spammers haven't put in effort to work around them. If systems like Spam Cap (or Spam Arrest) become popular, spammers will put in the required effort, and we'll escalate what is effectively an arms race to a higher level.

The popular media has begun to report about a few of these caveats, instead of hailing challenge-response e-mail verification systems as the end of all spam, as they did at first. Below are a few examples of the changing tide:

If you have read this far, and care to read more of my spam-related rants, see:

Other Projects

Another project I've been involved in recently is videoconferencing research at EarthLink. For more information see the following page: [Conference Manager (free beta)].

Credits

Spam Cap is a weekend hack. It was only possible as a result of a lot of wonderful open source packages developed by others, particularly [mapSoN] and the ultimate mail munging tool, [procmail]. These packages are open source and may be downloaded at the above sites. Spam Cap uses mapSoN as the underlying agent. Spam Cap simply wraps a web-based verification system using CAPTCHAs around it.

The simple CAPTCHA implementation is based on the ideas (but not the code) from the [CAPTCHA] site. My CAPTCHA implementation uses Jef Poskanzer's PBMPLUS utilities and may be downloaded, such as it is, here: [pbmcaptcha.tar].

Otherwise Spam Cap is just some CGI, shell scripts, and procmail recipes that are specific to my needs, and generally not organized into a publishable form. If you are interested in the hodge-podge of scripts and hacks anyway, please drop me an email at: <david@bdt.com>.