Even thought SpamAssassin was doing a reasonable job, I was still spending time every day dealing with spam. So, this morning, I upped the ante and deployed TMDA (Tagged Message Delivery Agent).

TMDA works like this:1. An e-mail comes into the system.

  1. If that e-mail matches a whitelist, it is delivered.
  2. If that e-mail was sent to an e-mail address that contains a special date string, and if that date string is active, then the e-mail is delivered.
  3. If the e-mail matches any of numerous other flexible, user-established criteria, it is delivered.
  4. If it matches none of these criteria, the incoming e-mail is quarantined. At the same time, an e-mail is sent back to the seeming originator of the e-mail, asking them to confirm that they sent the e-mail in question.
  5. If a proper confirmation is received, the original e-mail is released and delivered.
  6. If an improper confirmation is received, the e-mail is destroyed.
  7. If no confirmation is received, the e-mail is destroyed. TMDA is often derided as a solution that is nearly as bad as the problem it solves. At some level, I buy the arguments behind that statement. It does create more message traffic on the Internet and it can seemingly spam people with confirmation requests whose addresses were appropriated by spammers to affix to spam.

Using TDMA in partnership with SpamAssassin, as I’m doing, seems to be the right approach. TDMA only send confirmations about messages that SpamAssassin marks as ham (i.e., not spam). That reduces the number of confirmations sent by TDMA to one or two a week.

If you’re someone with whom I regularly correspond, you will most likely never even notice that I’m using TDMA. If you were to change e-mail addresses, and use the new e-mail address to e-mail me out of the blue, then you would notice as the new address would not be on one of my whitelists.

One of my favorite aspects of TDMA is the ability to created so-called dated e-mail addresses. Dated e-mail addresses seemingly expire after a pre-determined period of time. So, while the e-mail address is in the active window, e-mail flows through the address transparently. However, once that window closes, e-mail sent to the address will be subject to either destruction, bouncing, or confirmation. Now, I’m using dated e-mail addresses when I purchase something from someone on-line. If they get frisky with sending me newsletters I don’t want, the address they have will expire after a period of time (I generally choose a week) and I don’t have to worry about seeing their goofy, unwanted newsletters.

By the same token, I can now create e-mail addresses that only work for certain domains. So, I can use one address to buy tickets from United Airlines, but if they turn around and sell my e-mail address to someone else, that address will not function for the third party. Again, that is an excellent defense against spam as it prevents the third party from spamming me if my address is sold.