Jeff Key

It works on my machine

No spam for friends and fam

I've been using SpamArrest for about ten months and I'm still "lovin' it"[1]. I've written about my happiness a couple other times, and it keeps getting better. They've processed 32,080 emails and only three spam (out of 10,934) have made it to my inbox. Not too shabby.

Giddiness aside, the latest cause for joy is that they now offer a free service called SpamArrest Light. Of course there's a gotcha, and it's that you have to use their web mail interface, which is actually very good and you get 100MB of online storage. Perfect for friends, family, etc. I'm going to set my mum and girlfriend up pronto.

If you still want to use your email client (as I do), you wind up paying ~$3/mo. That's less than your morning latte, folks, and it makes your life a heck of a lot better. If you're skeptical, try the one month free. If it doesn't make you a happier person, I'll buy you a beer next time you're in Chicago.

Thank you.

[1] © 2004 McDonald's Corporation. All rights reserved.

Posted: Aug 14 2004, 10:49 AM by jeffreykey | with 12 comment(s)

Comments

Jeff Atwood said:

Why not just use POPFile?

http://popfile.sourceforge.net/

It's free, and it works extremely well (bayesian).
# August 15, 2004 3:38 AM

Jeff Key said:

1) It's Bayesian, whereas SpamArrest is challenge/response -- I've used both and I prefer c/r. The best thing is that it puts the onus on the sender, not the receiver, so there's no need to waste your time looking for false positives.

2) Web mail client. When it comes to friends/family, most of them use web mail clients, AFAIK.

3) It looks like POPFile is a client-side, Perl-based proxy. That alone would prevent me from recommending it to friends/family because I would be the guy they called if they had any problems. SpamArrest is simple: You enter your POP3 info from your email client on their website and change your email client's POP3 info to point to them. Done. If anything breaks, it's on SpamArrest's side and they deal with it before you even know about it. Gotta love the ASP model.

The best choice, of course, is to use whatever works for you.
# August 15, 2004 10:57 AM

Jeff Atwood said:

If they're using webmail (hotmail, gmail, etc) wouldn't the built-in anti-spam tools be sufficient? I thought we were talking about POP3 all along.

As for putting the burden on the receiver, what about mailing lists, order confirmations, and the like? You still have to "allow" machine generated emails that you want to receive, otherwise the c/r process will automagically reject them.
# August 15, 2004 1:58 PM

Jeff Key said:

If their existing anti-spam tools are sufficient, that's great. I'm not proposing that everyone start using it.

SpamArrest has a white list for mailing lists.

As for order confirmations, you probably need to authorize an email address the first time (auto-confirm@amazon.com, for example), but this isn't unique to SpamArrest's implementation.

I'm not saying SA is the be-all-end-all cure for spam. However, there are few programs/services that actually improve my life and this is one of them. I've tried just about every other spam technology and this, for me, is the sweet spot.

As I said in my last comment: The best choice is whatever works for you.
# August 15, 2004 3:44 PM

Jeff Atwood said:

Hmm, well, I think whitelists have just as many drawbacks as bayesian, they're just different ones. Eg you still have to parse through your "rejected" emails to figure out which ones are valid, until the system is trained.

I guess what I'm objecting to is the illusion that the whitelist approach is ultimately less work for the user-- it's not. Just a different set of pros and cons.
# August 15, 2004 7:02 PM

Jeff Key said:

I agree that whitelists aren't completely efficient, but the only time you really need to manage your own w/SpamArrest is for things like mailing lists (one time for every list you subscribe to) and things like order confirmations (again, one time for each company). Not much effort and weeks can go by without having to worry about such things.

I'm speaking purely from experience, I'm not advocating a particular approach. My experience is that SpamArrest takes the least of my time. As always, YMMV.

Thanks for your comments.
# August 15, 2004 7:12 PM

Jeff Key said:

Sorry, I didn't address your first item:

That's one of the things I love about SpamArrest: There is very little involvement from _me_ required. No training, none of that stuff that most other approaches require. 95% of the work is done by the people that send me mail. I am 100% certain that the email that winds up in my inbox has been sent by someone that has taken 30 seconds to verify that they're for real, or someone I manually added to the whitelist (as you mentioned above).

I admit that I do check the "unverified" email every once in a while just to make sure nothing is in limbo. I can honestly say that for your average user (ie. friends and family) that this isn't necessary. Anything that's of any importance will have a valid return address, and legitimate people do validate themselves.

I just checked my whitelist and 346 people have validated themselves. A good chunk of these are automated emails; things like newsletters, order confirmations, etc. Again, if people are sending something they consider important, they will give a valid return address, even if it's an automated email.

The one exception that really cannot be automated with SpamArrest's approach is mailing lists, but again, this is a one-time effort per list on the part of the SpamArrest user and I don't consider it a horrible inconvenience.
# August 15, 2004 7:26 PM

Jeff Atwood said:

After some further consideration, I agree that a big part of the problem is that it is TOO EASY to send emails-- so in that light, adding an additional 30 second hurdle isn't necessarily a bad thing.

Although this will depend heavily on how tech-savvy the sender is; my mom would likely give up immediately if she got an automated response about authenticating on a website first. It really depends how much you want to entrust to your audience in terms of responsibility above and beyond hitting the "SEND" button. For example, if you were operating generic tech support via email.

I am also nervous about the implicit assumption that all machine generated email must be ruled spam by default, and all email must have *forced human sender intervention* to be considered valid.

Bayesian filters typically achieve ~97% effectiveness pretty rapidly, so the issue of training isn't that severe after the first week. 97% is very good, but it's nowhere near the ironclad ZERO percent you got with the whitelist. I guess it's a tradeoff: how much do you care about inconveniencing valid senders, versus looking at 3% spam per week?

And I think in both cases you have to dip into the "spam" folder periodically. It's just a question of which side you want to err on (strictness).
# August 15, 2004 9:25 PM

Jeff Key said:

Mom-factor: My mom used it, and she's a model technophobe. :) If you send me an email and you aren't in my whitelist, you get an email back that says "click this link". You are sent to a web page, type in a word and from that point forward I'll always receive your email w/o hassling you or me. Not a single person has complained about the inconvenience.

Forced human sender intervention: That's what makes it great! :)

Inconveniencing valid senders: Considering it takes 30 seconds (max) to validate themselves, and they only have to do it once, I don't think it's a big deal at all. Again, no one's ever complained -- actually quite the opposite; people have asked me about it and some have signed up (this was pre-free).

97% effectiveness: That's excellent. I love the Bayesian techniques. Technically, they're very cool, too. If I used a Bayesian filter, I would have received 328 (10,934 * .03) spam. Using SpamArrest I received three. I would get three hundred times more spam using a Bayesian approach. That, my friend, won't convince me to switch anytime soon. ;)

Dipping into the spam folder: I agree, somewhat. It certainly doesn't hurt, but I honestly think it's not an issue for casual email users like most friends and family (or at least mine). The only time my mum needs to go into the spam folder is if she is expecting something, but didn't get it. An order confirmation is a good example. She goes into the unverified folder, puts a check next to the email, clicks verify, and then confirm emails from Amazon will come through forever. I think this is distinctly different than having to check for false positives. I don't recall ever checking my unverified folder and seeing something that made me think "oh man, I would've totally been screwed if I hadn't seen this". Trust me, I've wanted to! I don't love software and wait for it to disappoint me; it has to _earn_ my love, which is why I'm so happy about SpamArrest. I still do check my unverified folder every so often, but not nearly as often as I used to... because it's not necessary. Whitelisting will be even more useful once the SenderID stuff is implemented, since people won't be able to spoof who they are as easily (although this hasn't been an issue for me yet).

At the end of the day, your solution works great for you and mine works great for me. I'm just getting the word out about a product I really like. The fact that it's effective is not debatable -- it's proven itself, as yours has. Which is better? Like everything in this industry, it's subjective and irrelevant.
# August 15, 2004 10:07 PM

Jeff Atwood said:

Well, technically you would have received 100x more spam, not 300x. :)

Of course, with the kind of systemic abuse we're seeing (comment spam included) sometimes these measures are necessary; it's just a question of how far you want to go.
# August 16, 2004 12:11 AM

Jeff Atwood said:

Interesting link on global statistics for POPFile, gathered through the "report anonymous statistics" option in the application:

http://www.usethesource.com/popfile_stats.html

97% was just a guesstimate, but it looks like that is a reasonable real world expectation for a bayesian algorithm based on this data.

Amazingly, 66% of all reports have accuracy of 97% *or greater*.
# August 16, 2004 1:08 AM
