I have a website that takes paid subscriptions. 10 days before a
subscription expires, a script that runs via cron sends out an email
notification.

So I have sitting in my in box an email from an automated spam blocking
program asking me to verify that my email address is real before it will
send an email with my from address to the recipient.

My email address is real, but the email in question may not be. I send
out a dozen or so automated emails every night, but my email address is
also forged onto hundreds of spam emails every day. The spam blocker
does not give a subject line for the email in question or any of the
content, so I can't tell whether it came from my site, or it is spam.

The recipient's email address is not in the list of emails that were
sent out last night, but there are other ways a legitimate email could
be sent from my site. I am inclined to ignore the email from the spam
blocker. If the email in question is spam, I don't want the recipient to
be flooded with spam emails with my return address forged onto them.

So why can't spam blockers include the subject line of an email that
they are questioning? Don't they know that not all generated emails are
spam?

Scott Bryce <sbryce@scottbryce.com> wrote:

> So why can't spam blockers include the subject line of an email that
> they are questioning? Don't they know that not all generated emails are
> spam?

I recently complained to one of those "spam stoppers". The reason they do
it? They make a shit load of money from idiots. Do they stop spam? No. Do
they cause spam themselves? Yes.

Just report their shit using spamcop, or email them directly and mention
"legal actions". The latter worked fine for me regarding spam arrest.

--
John Bokma http://johnbokma.com/

AISE/AWW/SEO/web development forum: http://seo-expert-wiki.com/

Scott Bryce wrote:

> I have a website that takes paid subscriptions. 10 days before a
> subscription expires, a script that runs via cron sends out an email
> notification.
>
> So I have sitting in my in box an email from an automated spam
> blocking program asking me to verify that my email address is real
> before it will send an email with my from address to the recipient.
>
> My email address is real, but the email in question may not be. I send
> out a dozen or so automated emails every night, but my email address
> is also forged onto hundreds of spam emails every day. The spam
> blocker does not give a subject line for the email in question or any
> of the content, so I can't tell whether it came from my site, or it is
> spam.
>
> The recipient's email address is not in the list of emails that were
> sent out last night, but there are other ways a legitimate email could
> be sent from my site. I am inclined to ignore the email from the spam
> blocker. If the email in question is spam, I don't want the recipient
> to be flooded with spam emails with my return address forged onto
> them.
>
> So why can't spam blockers include the subject line of an email that
> they are questioning? Don't they know that not all generated emails
> are spam?

The chances of a spammer sending a forged from address with your
domain/sender address to someone that's legitimately on your mailing
list that pays to use your site/services, is quite unlikely. Some
people (without notice to the people that email them) suddenly add a
spam check that just requires a one-time verification that the sender
isn't a spammer. Obviously if the spam checking routine only checks
the "from" field and nothing else, then yes, they could get a spam
email from a spammer claiming to be you, which would be against most
odds. Besides, spammer or not that send this email, if you don't
verify that you're not a spammer, they won't get your email. To combat
this in the future, you should simply keep track of what users had
emails sent out to them on what date/time. If there is any message ID
or header information, you can compare that with the mail logs (or have
your host do it). Honestly, though, the chances are pretty unlikely.
I'd not worry.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!

Tim Greer wrote:
> The chances of a spammer sending a forged from address with your
> domain/sender address to someone that's legitimately on your mailing
> list that pays to use your site/services, is quite unlikely.


I checked. The recipient isn't in my database. But I shouldn't have to
check. Spam blocker software should at least let me know what the
subject of the original email was.

Scott Bryce wrote:

> Tim Greer wrote:
>> The chances of a spammer sending a forged from address with your
>> domain/sender address to someone that's legitimately on your mailing
>> list that pays to use your site/services, is quite unlikely.
>
>
> I checked. The recipient isn't in my database. But I shouldn't have to
> check. Spam blocker software should at least let me know what the
> subject of the original email was.

I see, I thought you were saying they were in your database. I'd
implement something that can auto-cross check that. I agree that you
shouldn't have to check and that the anti-spam software should provide
at least a header, but it's pretty uncommon (other than from mailing
lists -- I understand that is the problem though) to have to
bounce/auto-reply with the message to verify, since most people email
directly and those are the people they usually count on seeing the
message, those people knowing they emailed them.

I think some anti-spam verification software like this will not auto
respond back with the subject, let alone the body, because then people
would get getting back scatter spam, where they actually spam people in
the bounce/auto-reply (even a subject could contain everything a
spammer needs some sucker to see). If that happened, then the person
that had the anti-spam "verify you're real" system, would be reported
(legitimately) as the spam source. I assume this is why it doesn't
include anything from the original email.

There's no good way around it, and it's not even good to force people to
verify (after all, you were a victim of the non-spam content back
scatter, because their system blindly assumed you were the sender or
just didn't care if you were or not). I would conclude their system on
their end, is poor. For that reason, as well as for the reason you've
outlined (not giving you any indication that you were the one that
actually emailed them -- from your mailing list).

Obviously, it's intended and usually works for the sake of someone
almost always knows who they've emailed, so there's no debate about if
you sent it and need (or want) to verify you are real. So, I'd only
suggest some method to cross check, since you ultimately should know as
well (and it can save some hassle), even if it is a mailing list. I
don't pretend their system is not working with broken logic though, but
that's the only suggestion I can conceive at this point, and having
more time I'd put more thought into it. I think that's pretty much it
though.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!

Tim Greer wrote:
> I see, I thought you were saying they were in your database.

I didn't even check until I responded to your earlier post.

> I'd implement something that can auto-cross check that.

I don't get these often enough to make it worth the time to implement
something like that.

> I think some anti-spam verification software like this will not auto
> respond back with the subject, let alone the body, because then
> people would get getting back scatter spam

I thought there must be a reason.

Scott Bryce wrote:

> Tim Greer wrote:
>> I see, I thought you were saying they were in your database.
>
> I didn't even check until I responded to your earlier post.
>
>> I'd implement something that can auto-cross check that.
>
> I don't get these often enough to make it worth the time to implement
> something like that.
>
>> I think some anti-spam verification software like this will not auto
>> respond back with the subject, let alone the body, because then
>> people would get getting back scatter spam
>
> I thought there must be a reason.

I wouldn't count on there being a good reason for most things and how
they are implemented, including anti-spam methods these days, to be
perfectly honest. :-) Most likely, the creator of that method didn't
consider thinking it through, or didn't care.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!

Content-Transfer-Encoding: 8Bit


Scott Bryce wrote:

>So I have sitting in my in box an email from an automated spam blocking
>program asking me to verify that my email address is real before it will
>send an email with my from address to the recipient.

If it's from someone you know, you might want to warn
them that they are about to get blacklisted for spamming.
If it isn't from someone you know or you can't tell whether
it's from someone you know , go ahead and report them as
the spammers they are.

Why Challenge-Response is a Bad Idea
http://tardigrade.net/challengeresponse.html

Why are auto responders bad?
http://www.spamcop.net/fom-serve/cache/329.html#CR

Challenge-Response Anti-Spam Systems Considered Harmful
http://linuxmafia.com/faq/Mail/challenge-response.html

Challenge-response systems are as harmful as spam
http://www.politechbot.com/p-04746.html

Challenge-Response is not a doorbell but a gun shooting decoys
http://pm-lib.sourceforge.net/README.html#4

Moronic Mail Autoresponders (A FAQ From Hell)
http://partmaps.org/era/mail/autoresponder-faq.html

A Spam-Fighter More Noxious Than Spam
http://www.businessweek.com/magazine...7/b3840044.htm

A fundamental problem with challenge/response anti-spam systems
http://utcc.utoronto.ca/%7Ecks/space...spam/CRProblem

Why I hate Challenge-Response
http://blog.commtouch.com/cafe/misce...enge-response/

Challenge-Response Spam Blocking Challenges Patience
http://www.pcmag.com/article2/0,2817,1113101,00.asp

Bogus Challenge-Response Bounces: I’ve Had Enough
http://taint.org/2005/09/11/012434a.html

Challenge/Response Considered Harmful
http://spamlinks.net/filter-cr.htm#issues-harmful

--
Guy Macon
<http://www.GuyMacon.com/>