Forum OpenACS Development: Re: New Package: Spamassassin/TMDA Control Panel

Posted by Chris Davies on
Based on Jade's prior comment, I can probably guarantee you that it is TMDA.  :)

TMDA can work on the machine that receives your mail, intercepts it and checks user-defined rules to see whether it should challenge the email.

You can do a number of things with it and your email like giving out email addresses with an expiration date, keyword emails, emails for particular senders.  You can then define the rules if someone hands out your email address from one of the above.

Combined with SpamAssassin, I have seen 2 spams in the last 72 hours (down from ~70/day) that have gotten through. If I weren't using TMDA as a backup to SpamAssassin, I would have never seen the spam. I decided that if the SpamAssassin score was <1.0, I wouldn't pass it to TMDA -- which allowed two 0.0 spams to come through. It also doesn't challenge people aggressively, because I personally find the system quite obnoxious. For my setup, TMDA stopped 1 legitimate email (I don't know why they didn't reply -- perhaps they were confused, perhaps they were out of the office before the reply came back), allowed 1 to come through that did confirm, stopped 2 payment receipts from our merchant bank, and stopped the rest of the spam. If I had let TMDA take over completely, I would still be writing rules :)

You can define the challenge email message that gets sent to the sender, define incoming (and outgoing) filters to be applied to mail, and much more.  Most of the spam I receive came from 2 places -- 1, an innocent link on my personal home page, 2, bugs I filed with debian.org.

In both cases I could have used TMDA's disposable email addresses.  On the home page, since it is a mailto and quite likely to be an impulse thing, handing out an email that has expired already would require everyone to confirm.  You could be nice and offer up a mailto link that expired in 1 day, allowing the person clicking to send through, but the next time they would be challenged.

As for the bugs, I could have set an email address that expired in 15 days to allow the developers to contact me in regards to the bug without being challenged.  After 15 days, it would then challenge subscribers.

There are other ways to disguise mailto: URLs and allow communication. You could use JavaScript, which the spambots don't currently decode. You could use entities, which currently the spambots don't decode. You could use a mailform (and there is a mailform package in contrib, I believe), or you could roll your own using ad_form and acs-mail-lite.

There are many ways to use TMDA -- I just hope that it doesn't get abused too much.

Just think -- if you used a keyword email address for your login at sites like OpenACS.org, if you ever forgot your password, you'd probably be out of luck remembering what the email address was that you signed up with.  Then you have to sign up again.

A keyword address for openacs.org with TMDA might look something like:

mailto:username-keyword-openacs.bda9d0@domain.com

So, don't forget your username/password  :)
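
An added illustration, not part of the original post and not TMDA's own code: one way a mail filter could mint and check the keyword and expiring addresses described above, delivering mail to a valid address and falling back to a challenge otherwise. The address layout copies the sample address in the post; the `-dated-` marker, the truncated HMAC-SHA1 tag, the key and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac

SECRET = b"constructed-example-key"  # constructed; a real key is random and private
TAG_HEX = 6  # 24-bit tag, same length as the suffix in the post's sample address


def _tag(kind: str, payload: str) -> str:
    # The kind is part of the MAC input so a keyword tag cannot be replayed
    # as a dated tag (or the reverse) for the same payload string.
    msg = f"{kind}:{payload}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:TAG_HEX]


def keyword_address(user: str, keyword: str, domain: str) -> str:
    return f"{user}-keyword-{keyword}.{_tag('keyword', keyword)}@{domain}"


def dated_address(user: str, domain: str, days: int, now: int) -> str:
    expires = now + days * 86400
    return f"{user}-dated-{expires}.{_tag('dated', str(expires))}@{domain}"


def classify(address: str, now: int) -> str:
    """Return 'deliver' or 'challenge' for an incoming recipient address."""
    local = address.rsplit("@", 1)[0]
    for kind in ("keyword", "dated"):
        _, sep, rest = local.partition(f"-{kind}-")
        if sep:
            break
    else:
        return "challenge"  # plain address: sender must confirm
    payload, dot, tag = rest.rpartition(".")
    expected = _tag(kind, payload)
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    if not dot or not hmac.compare_digest(tag.encode(), expected.encode()):
        return "challenge"  # missing or forged tag
    if kind == "dated":
        numeric = payload.isascii() and payload.isdigit()
        if not numeric or int(payload) < now:
            return "challenge"  # malformed or expired dated address
    return "deliver"
```

A 24-bit tag is enough to make harvested or guessed addresses fall back to the challenge path, but it is short enough to brute-force, so it should not be treated as an authentication secret.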