Why I use TMDA to reduce spam



When you send me email for the first time, you will encounter the Tagged Message Delivery Agent (TMDA), which is the spam-filtering system I use. Specifically, you will be asked to reply to a confirmation request before the message is actually delivered to me. When you confirm, the original message is dropped into my inbox (i.e. you do not need to resend it), and your address is added to my "whitelist" of approved senders so that you won't need to confirm messages in the future. (Unless, heaven forbid, I decide you are a bozo, and move you to my blacklist.)

I apologize for the inconvenience of making legitimate users jump through an extra hoop in order to send me mail, but I consider this a reasonable price to pay for not having to wade through literally hundreds of junk messages that arrive at my addresses each day, or to put up with the inevitable false-positive errors that a content-based filtering system would make. (In April 2009 my server got an average of about 6000 spams per day, one every 15 seconds; fortunately, most of those went to obsolete addresses, so TMDA only saw about 300 per day. But even that is still way too much to wade through.) On the bright side, you only have to confirm once, as opposed to making sure that none of your "Subject:" lines ever have the words "viagra", "oxycontin", "investor alert", "enlargement", . . . or any likely misspellings of the foregoing.

The beauty of whitelisting as opposed to content-based antispam solutions is that it insists merely that each sender use a valid return address, yet it is astonishingly effective. The reason it works so well is that spammers don't want to be caught by using a working return address, so they make one up. (Besides, who would read something from "Joe Sleazebag <js@spammer.com>"? Email from "Lana Sexpot <oohbaby@willing.org>" stands a much better chance of being seen.) But I don't care to read mail from anybody who doesn't want me to be able to reply, so I lose nothing.

But sometimes a spammer uses somebody's real address as the return address for a batch of spam. That's called "backscatter," or sometimes a "joe job." I've only been the "joe" once, getting 17,000 messages in the space of 12 hours, and it was not fun. If this ever happens to you, you will get tons of bounce messages for spam sent to people who changed their email address, probably to get away from the spam, and a few confirmation messages from people like me who use TMDA or similar systems. But since I have TMDA configured to skip the challenge for messages that SpamAssassin tags as probable spam, you are not likely to be bothered by backscatter coming from my domain. However, if you do get "joe-jobbed" and are seeing lots of challenges coming from TMDA installations, you can easily deflect them simply by configuring your mail software to drop bounces (which you will probably want to do anyway). Failing that, you can get in touch with me, and I'll be happy to move you to my blacklist so that spam that uses your forged address is simply dropped (but this will only stop the confirmation requests that come from my addresses).
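
The delivery flow described above (blacklist, whitelist, confirmation, and skipping the challenge for spam-tagged mail) can be sketched as a small model. This is an added example, not TMDA's code or my configuration. The class and method names, the HMAC-based token, the demo key, and the choice to hold spam-tagged mail silently are all assumptions, and the addresses are constructed.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real deployment keeps this private


class ChallengeFilter:
    """Toy challenge-response filter following the flow the page describes."""

    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.pending = {}          # token -> (sender, message) awaiting confirmation
        self.inbox = []
        self.challenges_sent = []  # (recipient, token) pairs that left the server

    def _token(self, sender, message):
        # Assumption: the token is an HMAC over sender and message, so it
        # cannot be guessed or reused to release a different message.
        data = f"{sender}\n{message}".encode()
        return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:16]

    def receive(self, sender, message, spam_tagged=False):
        sender = sender.lower()
        if sender in self.blacklist:
            return "dropped"
        if sender in self.whitelist:
            self.inbox.append((sender, message))
            return "delivered"
        token = self._token(sender, message)
        self.pending[token] = (sender, message)
        if spam_tagged:
            # Probable spam: no challenge is sent, so a forged return address
            # gets no backscatter. Assumption: the message is held silently.
            return "held"
        self.challenges_sent.append((sender, token))
        return "challenged"

    def confirm(self, token):
        entry = self.pending.pop(token, None)
        if entry is None:
            return False                      # unknown or already-used token
        sender, message = entry
        self.inbox.append((sender, message))  # original is released, no resend
        self.whitelist.add(sender)            # later mail skips the challenge
        return True
```
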


Bob Rogers <rogers@rgrjr.dyndns.org>