Aliases of Limited Value for Spam Control

One approach to spam control is to give out special email addresses to third parties. For example, you might hand out david.ferris.paypal@example.com rather than just plain david.ferris@example.com. You could then have a much higher level of trust in email sent to david.ferris.paypal@example.com, and you could identify it as coming from the sender you expect it to be from.

This approach hasn’t worked very well. One problem is that recipients get confused by the strange addresses that have been assigned to them, and so they call the help desk. Plus, to automate this, the technique has to be mixed with challenge/response, which can effectively turn you into a spammer.

To illustrate, MailChannels dropped its aliasing offering to focus on other spam control techniques, such as tarpitting.

David Ferris

One Comment

  1. Posted June 19, 2006 at 8:30 AM | Permalink

    I have been working with unique addressing for almost two years and this has proven to be a most effective method of keeping the spam away. While it may seem confusing to some, that is actually much of the strength of the system.

    Let me elaborate on this point. First and foremost, spammers hate anything that is more involved than the ordinary addressing since it means that they need to change algorithms to allow for even more intense dictionary attacks to be conducted. With more complex email addresses they are exponentially less likely to stumble across a legitimate address purely by dumb luck. In plain English, if it would take an infinite number of monkeys a thousand years to accidentally write the play “Hamlet”, it would take only a fraction of that time to accidentally write the title. Same with email addresses. The harder they are, the more protected they are.

    Second, unique email addresses allow me to completely shut off anyone who I decide is a spammer. This takes the control out of someone else’s hands and back in my own control. The beauty of this is that I may actually like getting email from someone that another person may feel is a spammer. Remember, there is no such thing as one-size-fits-all. In my case I do business with some online companies, and since they have personal addresses I am able to track how they use them. If they use them ethically they can keep on sending me messages. If they share my address or sell it to a spammer I have the ability to shut down them and everyone to whom they sold my name. Try doing that with a normal address. Most people would end up either investing big bucks in filtering or just simply changing their email address alltogether.

    The third thing that is great about special addresses is that you can track their performance. For example, a company sets up a marketing campaign and places ads in ten newspapers. In each paper they can put a slightly different version of the address, all being aliases of the same address. The effectiveness of the campaign can be tracked and future marketing dollars can be allocated more efficiently, all without the need of bothering the IT department with requests for many additional email addresses. This avoids extra work in provisioning the addresses, provides a single point where all email is checked, and keeps software licensing costs down since each address requires a license on many email systems such as Exchange.

    I tried filtering email for years before making this switch. What I feared most when making the change was that this was radically different than any other method of spam protection I had used, and what I feared was exactly the case. This is radically different, and that is why it works. The Websters Dictionary definition of insanity is the act of continuously repeating an action that one knows to produce adverse effects and expecting different results. Since adding more filters to a system that is always being circumvented still doesn’t work, I would have to assume that the use of spam filters is insane. It is time to stop the maddness. It is time for something radically new.

  2. Posted June 19, 2006 at 8:38 AM | Permalink

    Robert, I agree with you, and I also have used multiple addresses for six years now. However, you and I are not “normal” users. David’s point is that the difficulties of doing this are beyond the vast majority of users. Also, attempts to automate the process don’t appear to be gaining traction.

    richi.

  3. Posted June 19, 2006 at 8:38 AM | Permalink

    My company has been using a spam control service for about one year now that uses aliases as its primary tool to combat spam. The results have been stunning. My inbox now looks and feels like it did in 1995, before spam existed. All email in it for the past year has been only from people I want to hear from. And as importantly to us, our exchange server is no longer hijacked by hackers. This saves server resources and doesn’t make our company look like a spammer to the outside world.

  4. Posted June 19, 2006 at 8:50 AM | Permalink

    David, unfortunately, the product you use, Reflexion, uses challenge/response techniques to allocate the addresses. Our advice is to avoid any product which needs to auto-reply to inbound messages. The problems with C/R make such solutions obnoxious and error prone.

    As we’ve written before, C/R actually turns your organization into a spammer, and causes delivery failure rates far in excess of regular spam filters’ false positives.

    richi.

  5. Posted June 19, 2006 at 10:43 AM | Permalink

    Richi:

    Reflexion’s best practice is not to use challenge/response. We recommend the use of spam folders, either personal, delegated or held on our server, for those users that want to combine whitelisting with what we call supplemental addresses. However, some customers requested C/R, so it was added to the product, but not as the default setting.

    Most users configure the service to create new addresses only when the user themselves begin a dialog with a new correspondent, or when they make a Web-based disclosure, neither of which operates off of a challenge.

    Also, whitelisting itself is an option in Reflexion. You can also employ a content-based filter, which does not require C/R as well. Supplemental address management works equally well with filtering or whitelisting.

  6. Posted June 19, 2006 at 10:53 AM | Permalink

    Joe, yes I should have stressed it’s an option, sorry.

    My point was that David McCary’s company has it set up with C/R turned on, as I discovered when I tried to email him. I happened to notice that his challenge had gone into my quarantine — correctly, in my view.

    I think this topic is fodder for a future blog post. Feel free to continue the conversation here!

Post a comment

You must be logged in to post a comment. To comment, first join our community.