BoxTrapper ?

nobaloney

NoBaloney Internet Svcs - In Memoriam †
Joined
Jun 16, 2003
Messages
26,119
Location
California
Feel free to write one. Before you do, be sure to look up challenge/response and make sure you understand why if you do this a lot of folk will consider you a spammer and blocklist your server.

And be sure to use some other method besides form-to-email to gather information from all sites hosted on your server using BoxTrapper, or else everyone who fills out a form on a site hosted on your server will get an email telling them they've sent an email that needs to be verified. Most won't connect it with the form they clicked on, so your clients will never get those responses.

I'd love challenge-response if it would only work.

Jeff
 

rldev

Verified User
Joined
May 26, 2004
Messages
1,074
With all due respect Jeff, I am making a request for a feature. I have no desire to write one as I am not in the business of writing plugins.

BoxTrapper / Sandbox or whatever you want to call it, works well for many people. I do not know what "form" you are referring to as I have never filled out a form in such a setup. Simply click on a validation link.

"Most won't connect it with the form they clicked on, so your clients will never get those responses."

It is the choice of the client to use it. Many have requested it and generally understand how it works. Most of these people only want to receive email from a handful of people. For this it is a reasonable solution. I do understand the problems entailed with bounceback emails, but how do larger email services like mailblocks deal with it?
 

nobaloney

With all due respect Jeff, I am making a request for a feature. I have no desire to write one as I am not in the business of writing plugins.
I'm sorry if you took my response personally; I was merely trying to point out the problems inherent in this kind of solution. Why? Because the way to implement your request is in exim.conf. And currently I'm maintaining DirectAdmin's exim.conf file.

Please feel free to ignore the rest of this response; it simply explains why challenge-response systems are a bad idea.
It is the choice of the client to use it. Many have requested it and generally understand how it works.
I'm not so sure. For example I don't think you understood what I mean by a form response and why it creates a problem.

For an example, look at my home page, here; you'll see a Subscribe to our Newsletter link near the bottom left. That's a form. It's processed by a form-to-email program and the responses come to us in emails. That's how most website owners get responses to forms on their websites.

Normally the workflow is simple; the form (in our case a perl script but it could just as easily be a php form) sends us an email from the email address the visitor filled in. Then we can subscribe (manually or automatically) the visitor to receive our emails. (In fact, we write them first to make sure they want to subscribe, and that someone else didn't fill in their information maliciously.)

However, if we were using BoxTrapper the workflow would be a bit more complex:

The email would come to the address we have set up for it. It would be intercepted by BoxTrapper. BoxTrapper would tell them that they've written an email to us, and that we won't accept it until they approve that it was really sent by them. Since they know they didn't send us an email they'd be confused and it's doubtful they'd approve their, as far as they know, unsent email.

Since it's only a newsletter request, who cares. But what if it's more than a newsletter request. What if it's an enquiry for an expensive product?

It's my feeling that customers won't understand that they'll no longer get most inquiries directed to their site if they run something like BoxTrapper, and that they'll blame the hosting company for losing their email.

And even if they do understand the problem, it's your server that's, sooner or later, going to end up sending spam. And this is why I suggested you read about challenge-response solutions.

I presume you don't want your server to be an open relay, because then spammers would use it.

BoxTrapper and other challenge-response systems have a similar problem.

Spammers send out emails with forged from addresses. If one of your addresses ever gets forged as a from address by a spammer you'll see the problem. Lots of servers using challenge-response will send challenges to you. Sometimes hundreds of thousands of them.

Now consider what happens when a spammer forges some innocent person's email address as the from address on a dictionary-attack spam to a site on your server. A site using a catchall email box. Say they try 1000 emails to nonexistent addresses at the domain hosted on your server. At this point your challenge-response system is going to send 1000 challenges back to that innocent person.

Which would make you a spammer. Which would get your server put on one or more blocklists; possibly the SORBS blocklist; they charge to remove you. Which might even get your upstream provider mad at you.

Perhaps DirectAdmin staff will see your post and create a feature such as BoxTrapper.

Perhaps some third party company will look at your post, and decide to create it as a plug-in or an alternative exim.conf file.

I'd still recommend you don't use it.

Jeff
 

pucky

Verified User
Joined
Sep 9, 2006
Messages
795
I actually agree with Jeff for once. BoxTrapper and challenge-response is trouble. If you want to get your box blacklisted by RBLs then go ahead and use it. When we see these options enabled on a cPanel server we turn them off.
 

Reyner

Verified User
Joined
Dec 20, 2003
Messages
63
This is interesting and I can understand the risk of challenge-response and I agree with Jeff completely. So, what would be the best spam filter then? What do big companies like Google or Yahoo use for their spam filter? Also, what if BoxTrapper is implemented with an IP counter or DNS lookup so the forgery-related error can be significantly minimized? Just a thought.
 

nobaloney

This is interesting and I can understand the risk of challenge-response and I agree with Jeff completely. So, what would be the best spam filter then?
We use a combination of SpamBlocker, SpamAssassin, and DirectAdmin Spam Filters. All come with DirectAdmin.
What do big companies like Google or Yahoo use for their spam filter?
They use a lot of custom stuff they've written themselves, but basically it's a combination of blocklists (often their own), and the same techniques as used in SpamAssassin.
Also, what if BoxTrapper is implemented with an IP counter or DNS lookup so the forgery-related error can be significantly minimized? Just a thought.
Please explain.

Thanks.

Jeff
 

Reyner

One of the reasons why BoxTrapper can be a boomerang is its inability to distinguish between a forged 'from' and the legitimate one. So, with SpamBlocker (or similar) before it reaches BoxTrapper, we can find out if it's forged, which will eliminate the challenge-response issue. We also receive more and more people who ask for BoxTrapper-type solutions. They end up going to cPanel because it has BoxTrapper as an add-on.
 

nobaloney

And how would an IP Counter or a DNS lookup tell you if it's a forgery or not, given that according to RFCs anyone can use his gmail or hotmail address when writing from his home, office, or internet café system?

This problem is why we've removed all those specific sender checks for hotmail, gmail, yahoo, return addresses, from SpamBlocker.

You can add anything you want, but when we write the exim.conf file for DirectAdmin we really have to write to the lowest common denominator needs of its users, in most cases as defined by the RFCs.

SPF records would be helpful if they were mandatory, but that would break the same RFCs, which is why they'll never be mandatory.

Or do you want to tell your customers they can use BoxTrapper but they can't get email from anyone using a non-hotmail server to send email with a hotmail return address (for example)?

Jeff
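The two scenarios Jeff describes above (a dictionary-attack spam run forging an innocent sender against a catch-all domain, and the question of whether a DNS/SPF lookup can tell a forgery from a legitimate message written from somewhere else) can be made concrete with a small simulation. This is an added example and not code from BoxTrapper, DirectAdmin, SpamBlocker or any poster; every address, IP, mailbox and SPF entry in it is constructed, and the "hardened" policy is an assumed combination of mitigations (no catch-all, SPF fail rejection, null-sender handling, a trusted local form client, a per-sender challenge cap), not a description of any shipped product:

```python
# Added example, not from the thread: a small simulation of the backscatter a
# challenge-response (C/R) filter produces when a spammer forges an innocent
# address as the envelope sender. Every address, IP and SPF entry below is
# constructed for the simulation.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    envelope_from: str  # SMTP MAIL FROM; trivially forgeable
    rcpt_to: str        # SMTP RCPT TO
    client_ip: str      # address of the connecting SMTP client


LOCAL_DOMAIN = "hosted.example"  # assumed hosted customer domain
LOCAL_MAILBOXES = {"info@hosted.example", "sales@hosted.example"}
TRUSTED_CLIENTS = {"127.0.0.1"}  # assumed: the local form-to-email script

# Assumed SPF-equivalent data: domain -> IPs allowed to use it in MAIL FROM.
# A domain absent from the table publishes no record ("none"); to a C/R
# filter such a sender is indistinguishable from a legitimate stranger.
SPF_TABLE = {"strict.example": {"198.51.100.10"}}

VICTIM = "victim@nospf.example"  # innocent third party whose address is forged
SPAMMER_IP = "203.0.113.7"


def spf_result(msg):
    """'pass', 'fail', or 'none' when the sender domain publishes nothing."""
    domain = msg.envelope_from.rpartition("@")[2]
    allowed = SPF_TABLE.get(domain)
    if allowed is None:
        return "none"
    return "pass" if msg.client_ip in allowed else "fail"


def naive_cr(messages):
    """Catch-all mailbox plus C/R: every non-null unknown sender is challenged.
    Returns the number of challenges sent per sender address."""
    challenges = Counter()
    for m in messages:
        if m.envelope_from:
            challenges[m.envelope_from] += 1
    return challenges


def hardened_cr(messages, max_challenges_per_sender=3):
    """C/R with the mitigations the thread touches on (assumed policy):
    - no catch-all: unknown recipients are rejected at RCPT TO, no challenge;
    - mail relayed by a trusted local client (the form script) is delivered;
    - the null sender (<>) is quarantined, never challenged;
    - SPF 'fail' senders are rejected, never challenged;
    - at most N challenges per sender; later mail is quarantined silently.
    Returns per-sender challenge counts and outcome totals."""
    challenges, outcome = Counter(), Counter()
    for m in messages:
        if m.rcpt_to not in LOCAL_MAILBOXES:
            outcome["rejected"] += 1
        elif m.client_ip in TRUSTED_CLIENTS:
            outcome["delivered"] += 1
        elif not m.envelope_from:
            outcome["quarantined"] += 1
        elif spf_result(m) == "fail":
            outcome["rejected"] += 1
        elif challenges[m.envelope_from] < max_challenges_per_sender:
            challenges[m.envelope_from] += 1
            outcome["challenged"] += 1
        else:
            outcome["quarantined"] += 1
    return {"challenges": challenges, "outcome": outcome}


def build_scenario():
    """Constructed traffic: a 1000-message dictionary attack forged as VICTIM
    (10 guesses hit a real mailbox), 5 messages forging an SPF-protected
    domain, one bounce from the null sender, and one genuine web-form
    submission relayed by the local script with the visitor's address."""
    msgs = []
    for i in range(1000):
        local = "info" if i % 100 == 0 else f"user{i}"
        msgs.append(Message(VICTIM, f"{local}@{LOCAL_DOMAIN}", SPAMMER_IP))
    msgs += [Message("ceo@strict.example", "sales@hosted.example", SPAMMER_IP)] * 5
    msgs.append(Message("", "sales@hosted.example", "192.0.2.25"))
    msgs.append(Message("visitor@nospf.example", "sales@hosted.example", "127.0.0.1"))
    return msgs


if __name__ == "__main__":
    traffic = build_scenario()
    print("naive C/R challenges to forged victim:", naive_cr(traffic)[VICTIM])
    result = hardened_cr(traffic)
    print("hardened C/R challenges to forged victim:", result["challenges"][VICTIM])
    print("hardened outcomes:", dict(result["outcome"]))
```

With the constructed traffic the naive policy mails the forged victim 1000 challenges, which is the backscatter that gets a server blocklisted. The hardened variant cuts that to the per-sender cap, but it still sends the innocent party unsolicited mail on every attack, and a forged sender whose domain publishes no SPF record is challenged exactly like a genuine stranger, which is the point that a DNS lookup alone cannot settle forgery. The web-form submission is delivered only because the script runs on a trusted client; a form handled elsewhere would still trigger a challenge to the visitor.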
 

Reyner

And how would an IP Counter or a DNS lookup tell you if it's a forgery or not, given that according to RFCs anyone can use his gmail or hotmail address when writing from his home, office, or internet café system?

This problem is why we've removed all those specific sender checks for hotmail, gmail, yahoo, return addresses, from SpamBlocker.

...

Jeff
We can do the same with BoxTrapper. I can see that it can be quite laborious to build something like this. I hope someone will come up with it one day.
 

nobaloney

I've removed my immediately prior post and the reply it generated. I was confused.

But the arguments I have about filtering not working as you'd like it to still hold.

I don't want to be a spammer, and I'd never use Boxtrapper. Boxtrapper saves me spam at the expense of me sending hundreds, perhaps thousands, of spam emails a day. My point is that Boxtrapper will eventually get YOU into blocklists until/unless you solve the problem. And there are some blocklists you can't easily get out of. One even assesses a charge of $25 for EACH complaint they've received, to get off their list.

Here's what's going to happen: Someone is going to send you a spam email with a blocklist owner's forged address as the from address (this happens continually, spammers love to harrass blocklist owners). You're going to send the blocklist owner an email saying he needs to respond. He's going to know he didn't write you so he's going to consider you a spammer and add you to his blocklist.

It can, does, and will happen.

Solve the problem.

Then the world will beat a path to your door.

But be aware that no one has been able to solve the problem for years.

Jeff
 