Ben Cantrick (mackys) wrote,
Ben Cantrick

  • Mood:
  • Music:

A big FU to spammers: Ben's email address goes whitelist.

Since I'll soon be getting a new email address for the first time in a decade, I'm thinking about what I can do to avoid spam. I didn't have complete control over web, email and other services at my old ISP, but I will at the new place. I'm planning to go to what I consider close to the ultimate Fuck You to spammers: I'm going to impose a whitelist on my email address and only email addresses on the whitelist will get through.

I don't want to actually prevent legit email from people I didn't previously know from reaching me, though. So I need an error recovery mechanism. The best one I've seen is to send an email back to the rejected address, with the URL of a web page that contains a captcha. The user can load up the page and solve the captcha, and then their email address will be added to the whitelist. This way they only have to go through the trouble once.

Distorted number-letter captchas were broken a few months ago by a researcher. I can't find the Slashdot story, but PWNtcha should be convincing enough. So I think I'd rather use something akin to kitten-auth. You'll basically have to load up a CGI script that will serve an image and a form. The <img=> URL will be a symlink dynamically generated on a random basis at run time, so spam-bots won't be able to read the text in the tag and auto-gen it. If I'm feeling really malicious, I might even put an intentionally fake word as the text in the img tag, and auto-ban any IP address that types in the obviously fake name. There are also a couple other tricks I can apply here that I won't mention in public.

The end result of this, I'm hoping, is that I'll be able to spread my email address far and wide without using any of the obnoxious obsfucation that I've engaged in for the last decade, but the spammers will still get bounces. I'll put the email addresses of everyone I know in the whitelist initially, of course. So hopefully almost nobody who I've ever emailed before will have to do the captcha.

We'll see how it all works out. There's a story on /. today about spammers paying people $0.60/hr to solve captchas. I don't believe I'm clever enough to create a captcha that is solveable only by my friends and no other human beings in the world. Kitten-auth and similiar schemes are designed to block bots, not human beings. If they can afford to hire people, I'm sunk. But I suspect they won't go to the trouble to hire a person just to spam me. And of course I can manually delete addresses from the whitelist if they do manage to sneak through once in a while.

Basically, I'm just looking to make their lives hard. See, the spam wars in general is an arms race. The technology on both sides gets continuously more sophisticated, but nobody ever really wins. That said though, I'm more than happy to build and test weapons if I know they're for the good guys. Anything I can do to hurt the spammers is a good thing.

Edit: Looks like ESP-PIX is about as good as I'm going to get for an off the shelf solution. I should probably make my own image and word database though, since the security of the captcha depends on the secrecy of the image and word database. If I want to be really smart, I should make sure none of the images I use are in Google Image Search.

Edit 2: Wanna know why people still spam? How does 3/4 of a million per month sound?
  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.