agbinfo's Journal: How to eliminate SPAM

During a recent Slashdot story regarding a mailing-list being blocked, I came up with a simple idea to eliminate spam.

Someone has probably thought of it already but I was thinking that I should publish the idea before someone else patents the idea if it hasn't been patented already

The idea goes like this:

• Only white listed FROM sources can send to your base email address. So you can email me directly at my.name@my_company.com but only if you are on the whitelist.
• If you send an email to my base email address and you are not on my white list, you receive a reply with a link to an http site where you may need to provide some info and pass a CAPTCHA test.

• If you pass the test either (a) you get an email address in the form my.name--1xhy2349zz0@my_company.com which you can use to reach me in later correspondence and not have to pass the CAPTCHA test. (b) You get added to my white-list. In either case, the mail that was sent doesn't need to be resent

  If you don't pass the test and you are not on my white list, I don't want to hear from you.

• A potential improvement could be to accept emails if any of the CC'ed addresses matches a white listed address or if the email address used to reach me was assigned to an email address in the CC'd list. This would allow Reply-To-All to work w/o any major issues.
• If I want to register to a mailing-list, I generate the above address myself and provide it to the site.

  Other alternatives include:

  • Use an address without the my.name such as anonymous--12hjhyb8yh@my_company.com
  • Use a self named address such as my.name--from-slashdot@my_company.com to easily identify the source responsible for an eventual leak.
  • Check a special folder for a confirmation email. If the email server waits 5 to 10 minutes before sending the link, this gives you time to intercept the latest confirmation message and add the sender to the white list.

That's it. If any of the addresses get compromised, simply delete the "TO" email from the list of valid emails or remove from whitelist.

Deleting an email address could even provide an automatic unsubscribe message to mailing lists that provide the required interface

When replying, use either the base address or the secondary address - It doesn't matter. A smart email client would provide the ability to automatically add the "to" base addresses to your whitelist.

This method could easily be implemented by google, msn, yahoo and other web email service providers as well as email servers.

It's too simple there must be a flaw but I don't see any it.

Why not to use whitelists

[WGR]

What makes you think spammers wouln not add themselves to your whitelist by using forged from headers.

The from address has no validity as to the originator of email and most spam uses forged headers.

Re:

[agbinfo]

They can forge all they want. They can only get added to the white list by the user so they would need to forge the address of a white listed individual.

Since you'd only keep trusted people on the white list for the base email name, that shouldn't be a problem.

If a trusted person forwards an email with your address and a spammer gets that email and tries various combination, you just remove the trusted person from the white list and provide them with a new destination email with an explanation as to why t