
Thread: TMDA / Challenge Response / CAPTCHA

  1. #1
    bjquinn is offline Advanced Member
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    9

    Default TMDA / Challenge Response / CAPTCHA

    Hi, I was wondering if Zimbra implemented (or allowed the addon of) any sort of challenge-response mechanism, like TMDA. I'm not married to TMDA specifically, just anything that works similarly. Any ideas?

  2. #2
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    I've tried to bring this up before...didn't go anywhere...and the discussion got hung up on autowhitelists & expiring whitelists.

    Even the simple 'please click this link to prove you're not a spammer' would be fine.

    The captcha would be tricky, would you have them reply with the answer in the first part of the body/subject? or would you point them at a webpage on your server? (but that's just asking for more connections...)

  3. #3
    jholder is offline Former Zimbran
    Join Date
    Oct 2005
    Location
    Thatcher, AZ
    Posts
    5,606
    Rep Power
    20

    Default

    Quote Originally Posted by bjquinn View Post
    Hi, I was wondering if Zimbra implemented (or allowed the addon of) any sort of challenge-response mechanism, like TMDA. I'm not married to TMDA specifically, just anything that works similarly. Any ideas?
    Are you talking about a captcha for login or a challenge/response for MTA type of stuff?

  4. #4
    bjquinn is offline Advanced Member
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    9

    Default

    Nah, I'm talking about challenge response for deciding whether you're going to allow an email through to the recipient or not. I don't really need CAPTCHA either, just the simple "hey click here to tell me you're probably not a spammer, or if you are I can probably track you down" would work fine.

    Again, I'm not married to TMDA, but since it's what I'm familiar with, I know it works with postfix, but I'm afraid that Zimbra has modified your typical postfix setup such that it may not be possible to integrate it. On Google, I've only found a couple of dead ends and the following post --

    <quote>
    Mike Carifio wrote:
    > I've installed zimbra 3.0 oss edition. Underneath, zimbra runs postfix
    > as user 'zimbra'. I'd like to integrate tmda 1.0.3. The configuration
    > directions (ServerConfiguration - TmdaWiki) talk about
    > ~/.tmda/config and ~/.forward and so forth. Is that really
    > ~zimbra/.tmda/config and so forth? Or do I use /etc/tmdarc for this?
    >
    > There are no local users on the server, they fetch their email via IMAP.
    > The credentials are kept in a MySQL database. So there isn't a per user
    > config and .forward file (right?).

    It sounds like you should follow standard "virtual users" instructions,
    in which case ~/ would represent each individual user's mail "home"
    directory.

    Often with virtual users, even though they don't need a "home"
    directory, there's something equivalent, which might have this layout:

        /path/to/email_domain/email_username/
            Maildir/
            .tmda
            .forward
            etc.
    </quote>

    ... which is less than helpful.

    Is there actually an alternative to TMDA? It's the only one I ever really hear about, and it seems the geek world has turned its back on challenge response, but that doesn't change my boss's mind, who went from 600 spam a day to 6 spam a year.

  5. #5
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,477
    Rep Power
    56

    Default

    I'm not in favour of challenge response systems (I think they just add more spam) but have you considered postgrey?
    Regards

    Bill

  6. #6
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    If you do all the other spam improvements possible it really is a moot point. (other anti-spam things to try)

    The problem with challenge/response systems is always the issue of whitelisting & extra traffic. People would just get annoyed if they're always getting return emails etc. every time they email you; when last discussed, the whitelisting mechanisms became an issue. Do you manually enter domains/IPs? Automatically add domains (or addresses) people send to? Automatically troll everyone's address books for allowed senders and compile it into another database? What happens to newsletters where there's no human on the other end who would check replies for challenges? When you only get an email from whoever once every 6 months, that address might have been long gone from the auto-databases, so you do need a user-managed list...
    It just goes on and on... and it's actually how the idea of eventually having individual user whitelists in Zimbra came to be.

    Yes, it would be cool to deliver it to some folder called 'unverified', then automatically upgrade its not-spam status when someone replies to the challenge response... The tough part: modifying the x-spam flags, then moving the message to the inbox all without hiccups if the user is currently viewing/replying to that particular message. I guess just a detailed error message if they try to move/mark ok something that already just received a response. (A high 'refresh' rate on that folder will cut down on some of it.)

    The biggest concept that's hard to compromise on is the idea of never re-prompting people uselessly; somewhere along the line the database gets too big. As Bill pointed out, graylisting is so much nicer because it requires no human interaction, still re-checks that they want to send it, auto-whitelists, and cleans up its own database.
    Yes, you could have a challenge response system remember allowed senders for x days as well; I was just listing postgrey's features.
    Last edited by mmorse; 09-15-2007 at 11:01 AM.

  7. #7
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    I should point out that it would be very cool to have user-made temp addresses that work on the TMDA concept, valid for a time and/or only allowing replies from certain people. I think this explains it best: ClientConfiguration - TmdaWiki

    I would definitely find that more useful than recipient delimiters, and it would be a cool addition built on the standard feature of just allowing users to make temporary aliases.
    Bug 17404 - Allow users to create aliases for themselves

    So you would have options like:
    -Make a temporary alias that contains the user name first, then a short random string (most people want it identifiable; imagine the alias nightmare. It's like 'allow sending from any address': a lot of organizations can't have that)
    -Limit incoming replies to specific addresses ______
    -Valid for ___ days
    -Require challenge-response

    When applied as an alias for incoming, it also gets added to your identities list so you can send from it.
    Last edited by mmorse; 09-14-2007 at 12:40 PM.

  8. #8
    bjquinn is offline Advanced Member
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    9

    Default

    phoenix and mmorse,

    I do appreciate your help and suggestions. I will check out graylisting, maybe that will help.

    As for challenge-response, I've used it now for years. I understand its faults, but believe me, if you go from 600 spam a day to zero, you never go back. With respect to "other" spam blocking techniques (spamassassin, RBLs, etc.), they're far from capable of blocking everything, especially if you receive exceptionally high amounts of spam (my users complain "I got TEN SPAM today!", ignorant of the 1000 spam they DIDN'T get). And they can be wrong and inconvenient, just as challenge-response systems can be. Surely you've had the experience of being incorrectly listed by an over-aggressive blacklister? Or had an email you sent out or were meant to receive that disappeared into the abyss? There's definitely a possibility of collateral damage with typical spam filtering techniques also. At least challenge response gives the sender an opportunity to know that his email isn't going to be accepted, and gives him some recourse. And the receiver has but to check his "pending messages"/"unverified" folder for the offending message. However, I'm open to anything else I should look at.

    As for mmorse's unverified folder idea, that's exactly what I do with TMDA and qmail today. Do I get that serious pat on the back? Actually, it's really simple. I have an IMAP folder that is simply a symbolic link to a folder for that user that TMDA keeps "pending" messages in. That's their "SPAM" folder, which you can optionally also scan with Spamassassin to cut it down if you wish. If I were really smart, I'd only send challenges out for emails that fail a spamassassin test. (I'm not that smart, but that WOULD be cool!) Actually, receiving an email from a new email address is a fairly rare thing. I can't think of any of my users who could even get one email from a new person per day. It's quite painless, even if the person on the other end is too stupid to click "reply" on a simple confirmation request. I do no manual entry. An address is whitelisted simply when the sender responds to a confirmation request OR my user sends an email out to someone. It's all automatic. Of course, if I wished to manually whitelist an address or an entire domain, I could. And of course, the sender ONLY receives a confirmation request the FIRST time IF my user hasn't already sent them an email.

    You don't need human-managed lists, nor do whitelist contents expire, because the databases of VALID addresses never get very big, so you NEVER have to re-prompt people. ONLY the first time. How many KB is your address book, after all? I have enough space on my server for millions of users' address books. TMDA auto-upgrades an email's spam status after a challenge is responded to.

    TMDA's too smart to get stuck in autorespond loops. There's a folder to check for missing emails (like for a list when there's nobody on the other end, but of course, you could just whitelist that by sending the list address an email). You only have to check that folder once in a blue moon, when you feel like an email has gone missing. I mean, really, if done correctly, challenge response is pretty painless. And POWERFUL. It's amazing to wake up in the morning and see ONLY real email in your inbox, not a single spam email, day after day, month after month.

    As for the complaints about backscatter spam, and that innocent bystanders can receive large amounts of spam if his address is chosen by the spammer as a spoof "from" address, although this is possible, I see this as very rare. For example, my mail server yesterday received 400,000 messages. 99.2% of that was sent to email addresses that don't exist. None of those would generate challenges. Of the remaining 3200 messages, how many of those do you think were sent spoofing addresses that actually DO exist? Likely none, maybe one or two? Most of the challenges that my mail server attempts to send out go to domains that don't exist. That's work for my mail server, not anyone else's. For the few challenges that get sent out to real email servers, I'd imagine that at least 99.2% of those are sent to email addresses that don't exist at that domain, at which point the receiving mail server doesn't have to do anything but say "450" and drop the connection. IF there's backscatter spam generated by challenge response, it's insignificant.

    Anyway, </rant>. Sorry for the tirade, I do appreciate your suggestions and will look into them. I just had to get some of that off my chest because I think there's a lot of FUD out there with respect to challenge response systems, mostly based on old, badly behaving challenge response systems that nobody uses anymore.

    On that long note, I'm off to research what postgrey does.

    Thanks for the help!
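    The workflow bjquinn describes above (hold first-contact mail in an "unverified" folder, send one confirmation request per new sender, whitelist a sender automatically when they reply or when the local user mails them first, never challenge twice, and never get into an autoresponder loop) is easy to misbuild, so here is an added example of that policy as a small, testable filter. It is my own illustration, not code from this thread and not TMDA's code: the keyed confirmation tag, the `confirm-<tag>@mail.example` reply address and the rule of never challenging the null envelope sender are assumptions of this example, not a description of how TMDA derives its addresses.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


@dataclass
class Message:
    envelope_from: str   # SMTP MAIL FROM; "" is the null sender used by bounces and auto-replies
    rcpt: str            # the local user the message is addressed to
    msg_id: str
    body: str


@dataclass
class ChallengeResponseFilter:
    secret: bytes                                   # key for the confirmation tag (assumed design)
    whitelist: dict = field(default_factory=dict)   # user -> set of approved senders
    pending: dict = field(default_factory=dict)     # tag -> (user, sender) awaiting a reply
    inbox: dict = field(default_factory=dict)       # user -> delivered messages
    unverified: dict = field(default_factory=dict)  # user -> held messages (the "pending" folder)
    challenges: list = field(default_factory=list)  # (sender, reply-to address) we would send

    def _tag(self, user, sender):
        # Keyed tag over (user, sender): one confirmation address per pair that
        # nobody can produce without the server's secret. Example design only.
        mac = hmac.new(self.secret, f"{user}\0{sender}".encode(), hashlib.sha256)
        return mac.hexdigest()[:24]

    def user_sends(self, user, to_addr):
        """Outbound mail whitelists the correspondent, so they are never challenged."""
        self.whitelist.setdefault(user.lower(), set()).add(to_addr.lower())

    def receive(self, msg):
        """Route one inbound message: 'inbox', 'unverified' or 'challenged'."""
        user, sender = msg.rcpt.lower(), msg.envelope_from.lower()
        if sender in self.whitelist.get(user, set()):
            self.inbox.setdefault(user, []).append(msg)
            return "inbox"
        self.unverified.setdefault(user, []).append(msg)
        if sender == "":
            # Never answer the null sender: challenging bounces and auto-replies
            # is how two autoresponders end up mailing each other forever.
            return "unverified"
        tag = self._tag(user, sender)
        if tag in self.pending:
            return "unverified"      # a challenge for this pair is already outstanding
        self.pending[tag] = (user, sender)
        self.challenges.append((sender, f"confirm-{tag}@mail.example"))  # constructed domain
        return "challenged"

    def confirm(self, reply_to_addr):
        """Handle a reply to a challenge; possessing the tag is the proof."""
        local = reply_to_addr.split("@", 1)[0]
        if not local.startswith("confirm-"):
            return False
        tag = local[len("confirm-"):]
        if tag not in self.pending:
            return False             # unknown, already used, or guessed
        user, sender = self.pending.pop(tag)
        self.whitelist.setdefault(user, set()).add(sender)
        # Release everything this sender has waiting, not just the first message.
        held = self.unverified.get(user, [])
        released = [m for m in held if m.envelope_from.lower() == sender]
        self.unverified[user] = [m for m in held if m.envelope_from.lower() != sender]
        self.inbox.setdefault(user, []).extend(released)
        return True


if __name__ == "__main__":
    # Constructed walk-through: a new sender is challenged once, then released.
    f = ChallengeResponseFilter(secret=b"constructed-test-key")
    print(f.receive(Message("alice@example.org", "bob@mail.example", "m1", "hi")))
    sender, addr = f.challenges[0]
    print(f.confirm(addr), [m.msg_id for m in f.inbox["bob@mail.example"]])
```

    The two details that keep the backscatter argument honest are both visible here: the null sender is never challenged, and a sender who has not yet replied gets exactly one request no matter how many messages they send in the meantime.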

  9. #9
    mmorse is offline Moderator
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    I'm sold on your ideas as long as it's 'simply reply to this email' based:
    a) If your servers are down, you want the response method to still work/queue up till your stuff is back online.
    b) If you feel like adding an additional level, you could put a captcha image in the email and make them reply with it in the body.

    Of course if you make any headway on your own, sweet; also start an RFE. Might mark it dependent on Bug 6953 - Per user spam white lists in the UI because I still feel that's gonna be needed first for any good challenge-response system; it's not 100% required but it would ease people's minds about the topic. But you're right: just a training button & outgoing automatic training makes it work for the most part.
    Last edited by mmorse; 09-15-2007 at 11:27 AM.

  10. #10
    bjquinn is offline Advanced Member
    Join Date
    Nov 2005
    Posts
    175
    Rep Power
    9

    Talking

    I'm glad I actually scared up a little support for the concept. Sometimes that's a little difficult. At any rate, any ideas on how to implement something like this? It'd be a lot of work I imagine, but since the folks over at TMDA.net have already done it (and it supposedly works with postfix), couldn't we integrate that and save ourselves all the trouble?

    Oh, and by the way, I'm completely down with the "simply reply to this email" concept. I don't think anything CAPTCHA-based is necessary, at least not yet. I just thought something like that might have already been implemented and I could have dumbed it down for my purposes.
