>>> TMDA 
   
About
Introduction
History
Features
Challenge / Response
Donations
Advocacy
 
Install
Requirements
Download
Installation
Upgrading
 
Configuration
Overview
Pre-Config
Server Config
Client Config
Config Variables
Filter Spec
Filter Sources
Templates
Virtual Domains
tmda-ofmipd
User HOWTOs
 
Support
Help
FAQ
Lists & Newsgroups
List Archives
Commercial Support
External Docs
TmdaWiki
 
Miscellaneous
Mirrors
Logos
Merchandise
 
Contact
TMDA Users List
 
© 2001-2004
  

TMDA's Challenge/Response system

Challenge/Response is an old idea, and one which has been used by mailing list management software for years, but it's surprisingly effective against spam.

TMDA's Whitelist-centric Strategy   ``Deny everything that is not explicitly allowed''
    With TMDA, unrestricted access to your mailbox can no longer be assumed, a premise which spammers rely heavily upon.

    The way TMDA thwarts incoming junk-mail is simple yet extremely effective. You maintain a "whitelist" of trusted contacts which are allowed directly into your mailbox. Messages from unknown senders are held in a pending queue until they respond to a one-time confirmation request or "challenge" sent by TMDA. Once they respond to the confirmation, their original message is deemed legitimate and is delivered to you. TMDA then adds their address to your whitelist so they won't have to confirm future messages. To see what the confirmation process looks like, send me a test message, and then reply to the confirmation request.

    This methodology has the advantage of being very selective about what it allows in, while at the same time permitting legitimate, but previously unknown senders to reach you.

    Optional use of TMDA's tagged addresses will greatly reduce the number of unknown senders who are actually sent a confirmation request.
Traditional Blacklist-centric Strategy   ``Allow everything that is not explicitly denied''
    Traditional anti-spam technical countermeasures are based upon maintaining a "blacklist" containing e-mail addresses, domains, and/or network subnets of known junk-mailers. Or worse, a "profile" of message headers and message body text that fits the software's idea of what a piece of spam looks like.

    The problem with this approach is that spammer's intrusion techniques are evolving as fast as your prevention techniques are, so the battle is never ending. Maintaining the blacklist or spam "corpus" is often just as time-consuming as pressing the `Delete' key on the easily recognized junk messages. If wasted time is your biggest complaint with junk e-mail, you can see why these traditional methodologies are flawed.

    The chance of accidental "false positives" is also significantly higher with this more complex approach. If you really want effective and reliable UCE control, you need something like TMDA that doesn't rely on heuristics that spammers can work around.