* challenge response software
From: Joseph C. Lininger @ UTC (permalink / raw)
To: Speakup List
Hi all,
I was asked by several people on this list to post a review comparing the two spam fighting systems that offer a challenge/response mechanism. Below is the comparison, but first, a little description of how the systems work. I have included only a very basic description of what happens. If you are willing to put in the time, you can actually cause these programs to do some very fancy things, but that is left as an exercise for the user.
When you install the software, you create a whitelist of people you know. Generally this list will be generated from your email address book. When someone sends you a message, the software checks to see if the sender of the message is on the whitelist. If the user is on the list, the message is delivered to you with no further processing. If the person is not on the whitelist, the message is held and a confirmation request is sent to the sender of the message. The sender is requested in this confirmation request to verify his or her email address by replying. If the sender does this, then their original message will be delivered to you, and their address will be automatically added to your whitelist. If the user never replies, you never see the message. The idea here is to prevent spammers who use false or temporary email addresses from being able to reach you. The confirmations will never reach them, so they won't be able to respond. Since the vast majority of spam is sent from fake addresses, implementing a system like this virtually eliminates spam.
There is some administration and planning that goes into a system like this. For example, you need to ensure that challenges are not sent to email lists. What you have to do depends on exactly how you choose to set things up. Because there are so many server setups out there, and because I assume if you are using a system like this you know what it would involve, I have chosen to omit a discussion of this topic. I would be willing to help people who decide to implement one of these solutions.
Now, on to the comparison.
TMDA
Homepage: http://www.tmda.net
Tagged Message Delivery Agent (TMDA) is the first solution we will look at. This is actually more than a simple challenge/response system. It can function as a complete mail delivery agent (MDA), replacing programs like procmail and maildrop. It knows how to deliver to both mbox and maildir style mailboxes.
This program approaches the spam problem using two methods. First, the program implements a challenge/response mechanism as described previously. Second, a technique known as message tagging is implemented. Basically, what happens is that messages can be given tags based on keywords, dates, senders, and a few other criteria. If someone sends a message to a valid tagged address, the message is delivered without being challenged. This allows you to do things like subscribe to a mailing list using a keyword address and have replies sent to your personal address automatically delivered. Because of the hassle associated with using these tagged addresses, I never used that feature. I simply used the header and body matching capabilities of the program to check for list content and the like.
This is the more featureful of the two programs. It has all kinds of configuration options (almost too many) and can filter on a variety of different criteria. If you want to use a web interface rather than the command line, there is a separate package called tmda-cgi that provides this option.
TMDA can work with just about any mail server software out there. It is fair to say, however, that it may have some problems with virtual domains depending on how your setup works. This is especially true if you are using the web interface, which you will probably want to do if most of the users on your server are not techies or if they don't have access to a shell. In fact, this is why I switched systems.
Active Spam Killer
Active Spam Killer (ASK) is simply a challenge/response program. It does not implement anything other than basic mail filtering for the purpose of deciding whether or not to send a challenge, which means you will have to use a separate MDA like procmail or maildrop if you want more advanced mail filtering. Active Spam Killer is a bit easier to set up than TMDA, but to be fair, I had already had experience setting this kind of thing up when I did the ASK setup. This was not true when I did TMDA.
ASK includes the command line tools for administration much like TMDA does. There is no web interface, but it does contain a neat feature called remote commands. This allows you to do things like edit your whitelist, process your pending messages, and other things of this type simply by sending emails to yourself. Not all ASK features are available using this interface, but most of the things standard users will need are. ASK is a bit smarter about sending challenges than TMDA. For example, it attempts to determine if the message is coming from a mailing list by looking at the headers, and it will not send a challenge if it is. This program integrates pretty much seamlessly with virtual domains as well. Finally, you can have ASK store your pending queue in maildir format for easy browsing with IMAP clients if you like. This is supposed to happen in the next major release of TMDA as well, I believe.
My Setup
In case you are curious, here is the setup I am using on my domain pcdesk.net. All domains I host use the same setup. Messages are processed by an MDA called maildrop. The job of maildrop is to do any sorting into folders and that kind of thing. Maildrop is configured so that if no rules are matched, the message is handed to Active Spam Killer. ASK will then either deliver to the main inbox for the user, or send a challenge depending on the sender of the message.
---
Joseph C. Lininger
jbahm@pcdesk.net
Note, the following is used for automated processing. Please leave intact if quoting me in a reply.
Verification: 5eab38a77ac40416e075be8f50607ff7
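The whitelist, hold and confirm flow described in the message above, as an added example that is not part of the original post and is not TMDA or ASK code. The class name, the HMAC confirmation token, the use of the From header as the sender identity, the choice to hold unchallenged list mail for review, and the sample messages are all assumptions made for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"  # assumption: per-user secret for tokens
# Constructed sample messages (not from the thread).
FRIEND = "From: Ann <ann@example.org>\nSubject: hi\n\nhello\n"
STRANGER = "From: bob@example.net\nSubject: intro\n\nhello\n"
LIST_POST = "From: carl@example.com\nList-Id: <l.example.com>\n\nhello\n"

class ChallengeResponseFilter:  # hypothetical name, for illustration only
    def __init__(self, whitelist):
        self.whitelist = {a.lower() for a in whitelist}
        self.pending = {}  # sender -> held raw messages
        self.outbox = []   # (recipient, token) challenges that would be mailed

    @staticmethod
    def _token(sender):  # assumption: HMAC ties a confirmation to one address
        return hmac.new(SECRET, sender.encode(), hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def _skip_challenge(msg, sender):
        # Do not challenge list traffic, bulk mail or auto-generated mail.
        if not sender or msg.get("List-Id") or msg.get("List-Unsubscribe"):
            return True
        if msg.get("Precedence", "").lower() in ("list", "bulk", "junk"):
            return True
        return msg.get("Auto-Submitted", "no").lower() != "no"

    def receive(self, raw):
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.whitelist:
            return "deliver"
        if self._skip_challenge(msg, sender):
            return "hold"  # assumption: kept for manual review, unchallenged
        if sender not in self.pending:  # one challenge per sender
            self.outbox.append((sender, self._token(sender)))
        self.pending.setdefault(sender, []).append(raw)
        return "challenge"

    def confirm(self, sender, token):
        sender = sender.lower()
        expected = self._token(sender).encode()
        if sender not in self.pending or not hmac.compare_digest(token.encode(), expected):
            return []
        self.whitelist.add(sender)  # confirmed senders are whitelisted
        return self.pending.pop(sender)  # held mail is released for delivery
```
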
* Re: challenge response software
From: Chuck Hallenbeck @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Joseph,
Many thanks for this review. It comes along at a very timely point in my
never ending reconfiguration cycle here.
Chuck
--
The Moon is Waning Gibbous (90% of Full)
Home page at http://www.mhcable.com/~chuckh
Speakfreely address 24.105.197.112:2074
* RE: challenge response software
From: Adam Myrow @ UTC (permalink / raw)
To: 'Speakup is a screen review system for Linux.'
Am I right in assuming that these tools will only work properly if you run
your own mail domain? I.e., for the average home user, who gets his/her
mail from a POP3 server or IMAP server on their ISP, can such tools still be
used? My current tool is a procmail filter called Spam Bouncer. It's
basically a very complex set of procmail rules that tags messages as ok,
bulk, possible spam, and definitely spam. It uses a scoring system which
you can customize to decide what levels to use to tag messages. You can
have probable and definite spam go to different places, and you can also
filter some viruses. It comes with a sample .procmailrc file which you can
modify to suit your needs. You can (and should) create two files
containing your legitimate email addresses. One is for mailing lists, and
the other is for personal email. Such messages are stored automatically,
and undergo no further processing. It really cuts down on false positives.
This filter is updated frequently, so it's a good idea to check the web site
every once in a while. It catches almost all my spam. There is a special
email address you can send spam that it misses to, so the author can look at
it and add rules to catch it in future releases. Lastly, there are optional
features to send complaints to spammers, and offer senders who get blocked a
password to get their email through. I never use these features, but I can
see how they might be useful to some people. The web page for this filter
is at http://www.spambouncer.org. It works quite well with my setup of
fetchmail retrieving my email, and sendmail only allowing connections from
localhost.
* Re: challenge response software
From: Joseph C. Lininger @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Whether or not you can run something like what I have discussed depends on
exactly how you pick up your mail. The short answer is, I don't recommend it
unless you run your own server. Here is the reason. When you pick up your
mail via fetchmail or whatever mechanism you are using, the
challenge/response software will examine the messages and send out
confirmations. However, this does not happen until you pick up the mail,
which is probably quite a while after the person sends it. Then, when the
person replies, the challenge/response system doesn't receive the
confirmation until the next time you pick up your mail. I think you can see
what will happen. Messages can end up taking a long time to be delivered to
you. It may not be so bad with people who have an always-on connection and
poll their mail stores every few minutes, but I'd still say the ideal
situation for a system like this is if you have your own domain and your own
server running it. There are a few client-side challenge/response solutions
out there, but I don't recommend them for the same reason.
--
Joseph C. Lininger
jbahm@pcdesk.net
Verification: 5eab38a77ac40416e075be8f50607ff7