Derek> I've been tempted to use TMDA...
UGH! I *abhor* those things!
> ...they do nothing to actually stop spam...
> If you install TMDA or its ilk, you won't receive email from me...
LOL! Why do people get so emotional about this?
...[Admins] are among the most intractable group I've run across...
Oh, yeah. :)
To play devil's advocate -- again, I don't use TMDA -- I'll address
the excellent (but general) C/R points that Dave brought up:
> Your C/R system might return the original message to the sender.
- TMDA doesn't do that, it sends a new "challenge" message.

> Your C/R system might also enable [BCC] joe jobs
- TMDA doesn't do that (for BCC's as Dave described).

> Your C/R explains exactly to the spammers what they need to do in order to
> get mail accepted at your domain
- Spammers don't do that. It's simply not profitable for the ~1%
customer success rate they see. And if you still use the other
techniques (SpamAssassin, RBLs, etc.) you'd be no worse off, even if
they did do it.

> ...they backfire, cause others to have to work, and will get you listed...
- So, should we also ban Postfix/Procmail/"vacation"/Majordomo
because some people are too stupid to set those up correctly?
TMDA is pretty well thought out. It includes (for example)
protections against C/R auto-response loops.
End-user arguments against TMDA because "my time is too valuable for
that" don't hold water. Composing an email to me takes minutes, but
clicking Reply/Send takes maybe 5 seconds. If I send email to someone,
the TMDA config would need to auto-whitelist that person (for sure).
But if a stranger emails me, then, if they can't be bothered to click
"Reply -> Send", then I can't be bothered to read their email.
For those who responded against TMDA: if I set up a procmail bounce
rule that simply required all email to come with a GPG signature, would
you reject that for the same reasons you reject TMDA? Or would that be
acceptable because it's all geeky and strong encryption and whatnot...?
Do you also refuse to post to any forum using CAPTCHA? How dare
they outsource their [web forum] spam problem onto you! Do you also
refuse to visit HTTPS sites that don't use a trusted cert? (Accepting
the cert takes a lot more effort than Reply->Send.) How dare they
outsource their unwillingness to give Verisign $30 onto you!
The strongest argument I've seen against TMDA is that it can cause
joe jobs against the sender's (forged) address. But that is also true
of mailing list confirmations and vacation auto-responders. So, should
those also be banned from the Internet?
Here's a good article with some more counter-points:
http://www.kuro5hin.org/story/2003/8/20/233517/720
I still don't use TMDA, because I'm more on the admin side of the
fence, but in principle I don't see why TMDA couldn't solve the spam
problem... especially for published addresses like "[email protected]".
Hitting Reply -> Send is a lot more convenient than dealing with
CAPTCHA, for example.
--Derek
On 12/18/2009 10:03 AM, John Baxter wrote:
On Thu, Dec 17, 2009 at 9:40 PM, Derek Simkowiak <[email protected]> wrote:
I've been tempted to use TMDA:
If you install TMDA or its ilk, you won't receive email from me unless
you whitelist me yourself. I refuse to allow others to outsource their
spam problem to me, so I never jump through the hoops. (Quite aside
from the fact that I'm very careful about what links to click on in
email--examining the raw source in most cases first.)
--John