chalenge response software

[Joseph C. Lininger]

HI all,
I was asked by several people on this list to post a review comparing the two spam fighting systems that offer a chalenge/response mechanism. Below is the comparison, but first, a little description of how the systems work. I have included only a very basic description of what happens. If you are willing to put in the time, you can actually cause these programs to do some very fancy things, but that is left as an exercise for the user.

When you install the software, you create a whitelist of people you know. Generally this list will be generated from your email address book. When someone sends you a message, the software checks to see if the sender of the message is on the whitelist. If the user is on the list, the message is delivered to you with no further processing. If the person is not on the whitelist, the message is held and a confirmation request is sent to the sender of the message. The sender is requested in this confirmation request to verify his or her email address by replying. If the sender does this, then their original message will be delivered to you, and their address will be automatically added to your whitelist. If the user never replies, you never see the message. The idea here is to prevent spammers who use false or temporary email addresses from being able to reach you. The confirmations will never reach them, so they won't be able to respond. Since the vast majority of spam is sent from fake addresses, implementing a system like this virtually eliminates spam.

There is some administration and planning that goes into a system like this. For example, you need to ensure that chalenges are not sent to email lists. What you have to do depends on exactly how you choose to set things up. Because there are so many server setups out there, and because I assume if you are using a system like this you know what it would involve, I have chosen to omit a discussion of this topic. I would be willing to help people who decide to implement one of these solutions.

Now, on to the comparison.

TMDA
Homepage: http://www.tmda.net
Tagged Message Delivery Agent (TMDA) is the first solution we will look at. This is actually more than a simple chalenge/response system. It can function as a complete mail delivery agent (MDA), replacing programs like procmail and maildrop. It knows how to deliver to both mbox and maildir style mailboxes.

This program aproaches the spam problem using two methods. First, the program implements a chalenge/response mechanism as described previously. Second, a technique known as message tagging is implemented. Basically, what happens is that messages can be given tags based on keywords, dates, senders, and a few other criteria. If someone sends a message to a valid tagged address, the message is delivered with out being chalenged. This allows you to do things like subscribe to a mailing list using a key word address and have replies sent to your personal address automatically delivered. Because of the hastle associated with using these tagged addresses, I never used that feature. I simply used the header and body matching capabilities of the program to check for list content and the like.

This is the more featureful of the two programs. It has all kinds of configuration options (almost too many) and can filter on a variety of different criterian. If you want to use a web interface rather than the command line, there is a separate package called tmda-cgi that provides this option.

TMDA can work with just about any mail server software out there. It is fair to say, however, that it may have some problems with virtual domains depending on how your setup works. This is especially true if you are using the web interface, which you will probably want to do if most of the users on your server are not techies or if they don't have access to a shell. In fact, this is why I switched systems.

Active Spam Killer
Active Spam Killer (ASK) is simply a chalenge/response program. It does not implement anything other than basic mail filtering for the purpose of deciding whether or not to send a chalenge, which means you will have to use a separate MDA like procmail or maildrop if you want more advanced mail filtering. Active Spam Killer is a bit easier to set up than TMDA, but to be fair, I had already had experience setting this kind of thing up when I did the ASK setup. This was not true when I did TMDA.

ASK includes the command line tools for administration much like TMDA does. There is no web interface, but it does contain a neat feature called remote commands. This allows you to do things like edit your whitelist, process your pending messages, and other things of this type simply by sending emails to yourself. Not all ASK features are available using this interface, but most of the things standard users will need are. ASK is a bit smarter about sending chalenges than TMDA. For example, it attempts to determine if the message is coming from a mailing list by looking at the headers, and it will not send a chalenge if it is. This program integrates pretty much seemlessly with virtual domains as well. Finally, you can have ASK store your pending queue in maildir format for easy browsing with imap clients if you like. This is supposed to happen in the next major release of TMDA as well I believe.

My Setup
In case you are curious, here is the setup I am using on my domain pcdesk.net. All domains I host use the same setup. Messages are processed by a MDA called maildrop. The job of maildrop is to do any sorting into folders and that kind of thing. Maildrop is configured so that if no rules are matched, the message is handed to active spam killer. ASK will then either deliver to the main inbox for the user, or send a chalenge depending on the sender of the message.
---
Joseph C. Lininger
jbahm at pcdesk.net
Note, the following is used for automated processing. Please leave in tact if quoting me in a reply.
Verification: 5eab38a77ac40416e075be8f50607ff7