A Review of Whitelisting Technology for Spam Prevention
1) It works. Spammers generally do not use real From: or Reply-To: addresses. Therefore, they never see the confirmation e-mail and cannot reply to it. We advertise our service as being 99% effective for most customers because, well, it is.
2) It is more prevalent than it used to be. I say this because when we first used the technology, it created a fair amount of confusion — regardless of how we wrote the response e-mail to the remote sender. Now people have seen enough of them to be aware of what it is.
1) Spammers have begun to use mailboxes which they have found to have autoresponders in them. Often these semi-hijacked mailboxes will send back a reply to the confirmation e-mail which results in letting the original spam through.
2) “Let my confirmation e-mail talk to your confirmation e-mail and do lunch.” Yes, it happens. “You didn’t respond to my confirmation e-mail.” “I never got it.” “Why?” “Well, I’m on a whitelisting system, too.” Sure, people who regularly check their sandbox or pending queue will often see these — unless they get hundreds of spams per day. And spammers WILL occasionally send e-mails with something which looks like a confirmation request in the subject line just to get you to look.
3) Occasionally spammers will use a real mailbox. When they get a confirmation request from you, they apparently mark you as a real box, and you get added to more lists. We have had instances where people signed up for our Zero Spam Tolerance service (ZST for short) who are getting just a few spams per day. Within a month, their pending queue is chock full of hundreds of messages per day. Which brings me to my next point. There is little if anything which you can do to prevent this from happening.
4) Server load can be out of line with whitelisting. Your mail server is going to want to send a confirmation to each sender. Given that some of these are real (hijacked) boxes, the server will run into a fair amount of timeouts, deferrals and delays in sending to boxes that may already be full. That impacts server performance.
5) There are still some people who don’t know what a confirmation message is. I’ve had some genuinely important e-mail which was delayed because the remote user didn’t check their inbox after sending me something urgent, and I didn’t check my pending queue during that window of time.
With the con list outnumbering the pro list, some might be inclined to bypass this technology. I still use it. On the front end, we utilize a Barracuda spam appliance which catches a lot. For the spam which does get through, I have a whitelist on my mailbox. It catches the rest very effectively. (If Barracuda would get a clue, they would add this functionality on an “optional” basis to all levels of their appliances and sew up more of the anti-spam market than they already have.)
That leaves me with a Barracuda quarantine box which very rarely has a real message in it and a ZST pending queue which occasionally will have a real message in it.
The cost for this wonderful service? Free, if you run your own server. Visit http://tmda.org/ and download the software for your own mail server. If you use an ISP for hosting or outsourcing your mail, they will have to provide this service. Or you can outsource your boxes to a company like ours. We also resell Barracuda if you are interested in a spam appliance solution.
Leave a Reply