Comment A message from the author (Score 1) 333
I'm getting beat up on slashdot.... shocking! :)
Ok, so I wrote this lil' thing when I got really tired of getting hundreds of spams a day. After finishing Robocode I decided to try a new game - spam. Believe it or not - and to my own surprise - it actually works. I'd just like to clear up a few misconceptions here and say a couple things:
1 - It is not a C/R system. I hate them too (especially Earthlink's, as my wife is so fond of harping on). FairUCE only reverts to C/R when it believes the mail is spoofed. And C/R is only used to establish identity, not prove you're human, so the challenges - I call them inqiries - are extremely polite and easy to respond to. The responses are digitally signed so difficult to spoof.
2. The determination of whether the mail is spoofed is not as simple as reverse DNS. Basically FairUCE wants the the smtp client to be in the same class B as any server in an MX, NS, or A record for any domain or parent domain of the bounce email address provided... or matching reverse DNS. You might be surprised how many senders fit this. In my experience it's very rare for a legitimate email to be challenged. FairUCE would find relationships for many of the examples posted in other comments here; have you actually tried it? :-)
3. It's designed to be a fallback for SPF or other identity systems. If, as AOL and Microsoft (and I, now) believe, sender identity is the antispam wave of the future, then we'll need a fallback for what to do when those records don't exist. FairUCE is just one example; it happens to work today.
4. Yes, it may be a hassle to install it due to requirements. Sorry; first iteration, I wrote it to run on my own server. If you like it I'll make it better, or maybe you'll make a better one. The license is the one I had to choose to get it out there to you; all I'd like to do is show that sender identity works.
5. Here are my stats from yesterday:
Total incoming messages: 442
Messages accepted: 39
Messages rejected: 10
Inquiries sent to confirm sender's identity: 303
Inquiries sent to check sender's reputation: 87
Inquiries responded to: 0
--NEW-- senders: 3
- accepted: 0
- rejected: 0
- ignored: 3
Percentage of your incoming email that is spam: 90.5-91.18%
Percentage of spam blocked by FairUCE: 99.26-100%
6. To those concerned about the bandwidth taken up by the challenges: They go to a dedicated queue with a 1 hour (configurable, of course) lifetime, and they're tiny. IMHO I'd rather my server do a tiny bit of extra work to save me time, because I don't want to have a "spam" folder anymore. If you want, though, you can configure it so you have a spam folder and don't send challenges. Up to you.
I'm getting, uh, beat up a lot by people who insist that it can't work, and not just at slashdot. But for me it is working. YMMV, but I'm getting bulk email I want, mailing lists I want - neither of which were sent a challenge - and I'm pretty happy with a 99%+ success rate without looking at message content.
In summary, I don't think you've seen technology like this before; if you had, then I'd be running it. It IS different. It's not perfect. But maybe it's something to build on... I hope so anyway.
Thanks
-Mat
Ok, so I wrote this lil' thing when I got really tired of getting hundreds of spams a day. After finishing Robocode I decided to try a new game - spam. Believe it or not - and to my own surprise - it actually works. I'd just like to clear up a few misconceptions here and say a couple things:
1 - It is not a C/R system. I hate them too (especially Earthlink's, as my wife is so fond of harping on). FairUCE only reverts to C/R when it believes the mail is spoofed. And C/R is only used to establish identity, not prove you're human, so the challenges - I call them inqiries - are extremely polite and easy to respond to. The responses are digitally signed so difficult to spoof.
2. The determination of whether the mail is spoofed is not as simple as reverse DNS. Basically FairUCE wants the the smtp client to be in the same class B as any server in an MX, NS, or A record for any domain or parent domain of the bounce email address provided... or matching reverse DNS. You might be surprised how many senders fit this. In my experience it's very rare for a legitimate email to be challenged. FairUCE would find relationships for many of the examples posted in other comments here; have you actually tried it?
3. It's designed to be a fallback for SPF or other identity systems. If, as AOL and Microsoft (and I, now) believe, sender identity is the antispam wave of the future, then we'll need a fallback for what to do when those records don't exist. FairUCE is just one example; it happens to work today.
4. Yes, it may be a hassle to install it due to requirements. Sorry; first iteration, I wrote it to run on my own server. If you like it I'll make it better, or maybe you'll make a better one. The license is the one I had to choose to get it out there to you; all I'd like to do is show that sender identity works.
5. Here are my stats from yesterday:
Total incoming messages: 442
Messages accepted: 39
Messages rejected: 10
Inquiries sent to confirm sender's identity: 303
Inquiries sent to check sender's reputation: 87
Inquiries responded to: 0
--NEW-- senders: 3
- accepted: 0
- rejected: 0
- ignored: 3
Percentage of your incoming email that is spam: 90.5-91.18%
Percentage of spam blocked by FairUCE: 99.26-100%
6. To those concerned about the bandwidth taken up by the challenges: They go to a dedicated queue with a 1 hour (configurable, of course) lifetime, and they're tiny. IMHO I'd rather my server do a tiny bit of extra work to save me time, because I don't want to have a "spam" folder anymore. If you want, though, you can configure it so you have a spam folder and don't send challenges. Up to you.
I'm getting, uh, beat up a lot by people who insist that it can't work, and not just at slashdot. But for me it is working. YMMV, but I'm getting bulk email I want, mailing lists I want - neither of which were sent a challenge - and I'm pretty happy with a 99%+ success rate without looking at message content.
In summary, I don't think you've seen technology like this before; if you had, then I'd be running it. It IS different. It's not perfect. But maybe it's something to build on... I hope so anyway.
Thanks
-Mat
