Politech mailing list archives

FC: MailSoap.com co-founder on challenge-response spam blocking


From: Declan McCullagh <declan () well com>
Date: Fri, 09 May 2003 11:29:10 -0400

Previous Politech message:
http://www.politechbot.com/p-04735.html

---     

To: <declan () well com>
Subject: Re: More on Earthlink's email challenge, Mailblocks lawsuit
Date: Fri, 9 May 2003 09:15:09 -0600
Organization: MailSoap, Inc
From: Kevin Zollinger <kevin-dated-1052925219.5088b1 () mailsoap com>
X-Delivery-Agent: TMDA/0.59
X-TMDA-Fingerprint: /nYiHKxXMQIZ8xJZ0+6tC0tg2Rs

Declan,

We have a very small company (Very small!) called MailSoap that we started
because we wanted to offer challenge-response that worked to people like my
Grandparents. We started with some open source software written by Jason
Mastaler (http://tmda.net) and added a custom interface to webmail. We
worked with Jason and his merry band of programmers to make sure that our
system was configured properly. We've been using the software for well over
a year with great results. I'd like to respond to a couple of your points.

First, you are concerned about the lack of a Turing test from ipermitmail.
TMDA, and therefore MailSoap, only requires that a first-time sender respond
to the challenge email. In the 18 months that we've been testing the system
we've only had 6 pieces of spam get through. The vast majority of all
spammers use invalid return email addresses, and those spams are deleted
immediately. Those that are foolish enough to use a real email address don't
respond to the challenge. Second, because we have verified that their email
address is a working one we can choose to take action against them. I have a
law firm on standby for such actions, but to be honest I've had two spams
make it through this year, and didn't sue. Because I've only seen those two
spams I don't really have the anger needed to start the lawsuit anymore.

Second, you are concerned about privacy policies. You should be concerned
about them. I think that ours is very good (http://mailsoap.com/privacy.php)
and agree that these are important. I don't think that anyone will have any
concerns about ours, but would be happy to respond to any critics! Ours is a
service intended to protect "people like us" from spam and viruses. We have no
intentions of abusing people, their privacy or their time in a lame attempt
to get rich.

Third, you discovered a flaw in the mechanism at ipermitmail. Other vendors
have had similar problems and as long as they all start from go instead of
leveraging the work that has already been done we will continue to see
broken implementations of CR email systems. As you know CR email systems
started in mailing list software 10 years ago. There is no reason for an
email vendor to ignore 10 years of development when they develop their
software. If your email client is standards compliant you should only need to
authenticate once with us. If I send you the initial email you won't need to
authenticate at all! I am not saying that we are perfect, only that we've
had a much longer period of shake out than others.

Finally, you are right to be concerned about the impact CR will have on
email lists. That has been one of the toughest issues to come to grips with.
TMDA offers a keyword address that allows me to subscribe to an email list
with an address that does not require confirmation. If you search your
subscriber list for kevin () mailsoap com you won't find it. I subscribed with
a keyword address that looks something like
kevin-politech.5h1dg55 () mailsoap com. The string of numbers is a short bit of
encryption intended to ensure that no one other than me can set up a keyword
address, and in this case has been changed from the real one.

As a final thought, there is a proposal to standardize the method used to
mark system generated email. As users of email we should support this
effort, and once the standard is set we should all hold our email providers
responsible for their implementation of the standard. We already try to
determine if a message has come from a mailing list or a robot so that we
don't send inappropriate challenges, but without a standard it is pretty hit
and miss. I would hope that with your support we can get a standard method
to identify machine generated emails so that we can act appropriately.

As always, I enjoy your list and your work. If you should choose to share my
thoughts feel free to do so. You can even include my email address if you
would like. Keep up the good work.

Kevin Zollinger
kevin () mailsoap com
Co-founder of MailSoap, the home of trouble free email!




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
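
The keyword address described in the message, and the "dated" address visible in its From header, both carry a short keyed tag that only the mailbox owner can compute. The sketch below is an added example, not TMDA's or MailSoap's code: the HMAC-SHA256 construction, the secret, the 6-hex-digit tag length and the example.com domain are assumptions chosen for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real key is random and kept private
TAG_HEX = 6                       # assumed tag length: 6 hex digits = 24 bits

def _mac(kind: str, value: str) -> str:
    """Truncated HMAC over the address type and the value it protects."""
    msg = f"{kind}:{value}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_HEX]

def keyword_address(user: str, keyword: str, domain: str) -> str:
    return f"{user}-{keyword}.{_mac('keyword', keyword)}@{domain}"

def dated_address(user: str, expires: int, domain: str) -> str:
    return f"{user}-dated-{expires}.{_mac('dated', str(expires))}@{domain}"

def _tag_ok(tag: str, kind: str, value: str) -> bool:
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(tag.encode(), _mac(kind, value).encode())

def classify(rcpt: str, now: int) -> str:
    """Return 'accept', 'expired' or 'challenge' for an envelope recipient."""
    local = rcpt.rsplit("@", 1)[0]
    base, dot, tag = local.rpartition(".")
    _user, dash, label = base.partition("-")
    if not dot or not dash:
        return "challenge"            # untagged address: sender must confirm
    if label.startswith("dated-"):
        stamp = label[len("dated-"):]
        if not stamp.isdecimal() or not _tag_ok(tag, "dated", stamp):
            return "challenge"        # forged or altered expiry
        return "accept" if int(stamp) >= now else "expired"
    return "accept" if _tag_ok(tag, "keyword", label) else "challenge"

if __name__ == "__main__":
    listaddr = keyword_address("kevin", "politech", "example.com")
    print(listaddr, classify(listaddr, now=0))
    print(classify("kevin-otherlist.000000@example.com", now=0))
```

A 6-digit tag is only 24 bits, so a server using a scheme like this should rate-limit deliveries with failed tags or use a longer tag.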

