
A Real Solution to Spam? (Mailblocks Review)

July 7, 2004

Mailblocks - a better way to do e-mail

Everybody complains about spam.

I built my first website shortly before Mosaic and web graphics came along (yes, I’m older than dirt), and I’ve owned my own domain since shortly thereafter (and numerous more over the years). Back in those halcyon days, we all put our e-mail addresses on our web sites. We even posted to Usenet with our own addresses. Then came spam, and address harvesters, and it was too late to do anything — e-mail addresses that I’ve owned forever are on every spam list that is peddled. For better or worse, though, I still want to get mail from people who’ve had my address since back when, so I keep those addresses, and have put up with the bombardment.

Over the last year, it’s gotten particularly bad — hundreds and often thousands of junk messages a day. Bad enough that if I’m on a dial-up line, I can’t hardly download them fast enough to filter them. Forget about using mail on a PDA or smartphone.

Something had to give.

Something did…


Server-side Bayesian filtering hasn’t worked well for me — it was a pain in the butt to train a remote filter to my needs, and as a result too high an incidence of false positives meant that I still needed to download the spam catch and manually poke through it. Then the false positives and leaked spam had to be sent back to the filter on the server for more training. Too time-consuming and not feasible on slow connections or small devices.

Client-side filtering became untenable — having to license filters for each device / OS was expensive, filters are impractical on small devices, and the bandwidth requirements put using it on GPRS or dialup connections out of the question.

Just putting up with it wasn’t an option — too high a chance of missing important messages, and much of what I do lives and dies by e-mail.

There are various proposals in place to hopefully reduce or eliminate spam with newer mail technology, but realistically, even the first of these will be lucky to appear sometime next year. I can’t wait that long.

That pretty much leaves Challenge/Response. In a challenge/response system, you have a "whitelist" of users who you’ll accept mail from, and other users are forced to authenticate (just once) before you receive mail from them. Typically, they’ll receive an automated e-mail reply with an action they need to perform to prove they are a real person, and not some spambot.

I’d been reluctant to try Challenge/Response — when much of your business is conducted via mail, the last thing you want to do is to overly annoy a client or a prospect — but the other options had pretty much been played out. As a result, I decided to carefully examine what I really needed to make a C/R system work.

Ideally, I would have liked something I could run on my own server, but the only candidate I found was RhinoSoft’s Zaep, which is expensive ($200 for the full-featured version), and the lack of captchas or similar techniques to weed out automated responses meant quite a bit of spam still got through in my testing.

Considering services as the alternative then, I came up with this list of requirements:

  • High Availability — Spam or no spam, mail is still the net’s killer app; I can’t put up with my mail being unavailable, or (worse) inbound mail bouncing.
  • Ease of Control — I have to easily be able to add new entries to my whitelist, in addition to people who approve themselves.
  • Bot Elimination — Captchas or other techniques that don’t allow spammers to easily automate adding themselves to my whitelist.
  • Whitelist Download — I need to be able to download and backup my whitelist as it grows — if the service should turn poor, or worse, go out of business, I want to be able to move elsewhere and keep my current whitelist; it’s one thing to ask a business contact to authenticate themselves once — doing it multiple times would be unacceptable.
  • Bypass Techniques — There has to be a way to send an e-mail to an address that doesn’t require authentication. I have various forms for support and other tasks that shouldn’t generate an approval message, and I want to be able to give an address for online purchase tracking that goes straight to my mailbox. Ideally, this should take the form of "disposable" addresses — if one starts gathering spam, you can throw it away and create another.
  • IMAP/POP3 — I don’t want to give up my mail clients to use the system. I need to be able to get my mail via IMAP or POP3.
  • "Smart" SMTP — Similarly, I want to send my outbound mail THROUGH the system, and have it automatically add the recipients to my whitelist if they’re not already there. It’s inexcusable to send someone an e-mail and then have them have to authenticate when they reply (at least, if they reply with the same address you sent it to).
  • Alternate SMTP Ports — Thanks to spammers, SMTP is blocked in too many places these days, forcing outbound mail on port 25 to go through a local SMTP server where it can be accounted for. I need to be able to get to the service’s "Smart" SMTP via a port other than port 25.
  • Good Web Frontend — There are times when a good web mail system can’t be beat. All features of the system should be available from any web browser if I need them.
  • Multiple Accounts — For years, I’ve had mail from multiple addresses filtering into the same inbox. I need to be able to do the same here, but I also need the "authentication" e-mail to come from the address the user sent the message to, just to avoid confusion.
  • Security — Ideally, the service will use secure IMAP/POP3/SMTP/HTML to prevent sniffers from capturing passwords or message traffic, particularly on Wi-Fi systems.

Looking at a lot of services, and reading a lot of reviews, I decided that Mailblocks appeared to meet most of my needs, and so I gave their Premium Service a try.

Options

Mailblocks has three levels of service:

  • Free — Access to the core features, but you can’t use your existing e-mail address, you have 5mb of storage and 5 trackers (more on trackers below), and you can’t use your own mail client (webmail only). This service is ad-supported.
  • Basic — For $10 a year, you can use your own mail client, and up to 10 existing e-mail addresses. This level has 15mb of storage, and 15 trackers, and is probably sufficient for all but the most spam-laden user.
  • Premium — At $25 a year, this is the same as the Basic service, but it includes 100mb of storage, and 25 trackers.

Compared to most pay webmail services, the Premium service is a bargain for 100mb, even without the Challenge/Response system. I went ahead and signed up for the Premium service, and have been using it for just shy of two weeks now.

All services allow attachments up to 6mb.

Setup

Setup was reasonably straightforward. I exported my contacts from my e-mail client (Entourage, although most e-mail programs have a similar feature), brought them into Excel for a little quick cleanup (removing some dead wood, mostly), saved it as a CSV file, and uploaded it to Mailblocks via their web frontend. This not only gave me my beginning whitelist, it also gave me a nicely formatted address book on the web frontend that will let me look up basic PIM information (address, phone, etc.) from the web page.

Mailblocks has a nice approach to bypassing the authentication system. You create a "tracker" which is a unique mail address (at mailblocks) that goes directly to your inbox or a folder of your choice. Depending on your service level, you have between 5 and 15 of these. At any time, you can delete a tracker and add a new one, in case an old one made it to a spam list. I created a handful and set up my addresses that wouldn’t be authenticated.

You set up your existing e-mail accounts on the Options page of the web frontend. To do this, you identify the account, and select whether you’re going to forward the mail from it, or whether Mailblocks should retrieve it. Forwarding is fastest, if you have that option on your account. Otherwise, Mailblocks will pretend to be a mail client and retrieve the mail. In addition to POP3 retrieval, Mailblocks can retrieve your mail from AOL, Yahoo, Hotmail, and MSN accounts.

Operation

New e-mail from users in your whitelist (address book) appears directly in your inbox — people on your whitelist will never know you’re using the service, unless they examine the headers.

Mail from other users goes to a "pending" folder, and the sender gets an "authentication" message. This message directs them to a web page where they have to type in the value in a captcha in order to prove they’re a real person. If they do so, then the message is moved to the inbox automatically.

You can also move messages from the pending folder manually, and the sender will be automatically added to the whitelist. Otherwise, the message sits from 4 to 10 days (user configurable) and is eventually deleted.

It should be noted that this is where your storage amount is important — I get enough spam each day that even set to a "4 day kill", my pending folder takes a noticeable amount of the 100mb. I probably couldn’t use the 15mb service, although people who get "average" amounts of spam would probably do fine with it.

During the first week or so, I watched the pending folder very carefully, so I could pick out mailing lists, newsletters, etc. that I wanted to approve, and catch any stray users I’d somehow forgot about on the whitelist. After the first week, I just review it every now and again, or if I’m looking for something in particular.

Mailblocks also allows you to set up additional folders, and offers a basic "rules" setup, allowing you to automatically filter specific messages to specific folders, delete them, or set various flags.

Use

The entire system can be used from the web front end, if you like. It’s quite nicely implemented, and looks a lot like a real mail client; it’s fast, has address book integration, and seems to work well with everything — although they warn you that it’s "optimized" for Internet Explorer (what isn’t?), it works without a hitch for me with Firefox and Safari.

My preference is to use my own mail clients, however — Entourage on the Mac, Outlook on the PC, and "Inbox" on my PocketPC.

Although they offer POP3 service, I opted to use IMAP, since that gives me access to all of the folders on the service. IMAP response is snappy, and it supports "stay connected", allowing me to know when a new message is in my inbox immediately.

Using the system from an IMAP client is quite easy — you can review the pending folder directly, and if you move a message to the inbox, the sender is whitelisted, just like with the web front end. Whenever I review the pending folder, I mark the entire thing as "read", so I can set my client to "view unread" and just see the new additions when I look at it again.

Like many people, I tend to keep a lot of e-mail. Since with IMAP, the mail stays on the server until you move it yourself, this has changed my use somewhat. Now I tend to file away important messages locally (by doing "move to folder" in my mail client) as soon as they’re dealt with.

Using IMAP also simplifies using multiple mail programs on multiple machines, since everything stays in place until I move it — I can check mail from my PDA or my Windows box, or a client’s web browser, and not have to worry about "where it was retrieved" — it will still be there when I check it on the Mac, where I’ll eventually move it off into storage.

Outbound mail goes to Mailblocks via SMTP of course, so that the recipients can be automatically whitelisted. Mailblocks provides an alternate SMTP port so I can leave my notebook and PDA set to a single SMTP server, and not have to shift it as I travel from connection to connection.

It’s nice to have my mail usable again. It’s been a long time since I’ve let a mail program automatically retrieve mail, as the constant "incoming mail" noise as it catches spam is too distracting. Now if I hear it, odds are it’s something real. I’m also really enjoying being able to actually use my Pocket PC for mail, without having to weed through hundreds of spams on a little screen.

It doesn’t stop everything, however. I still get some spam, when they forge the sender’s address and it’s on my whitelist. I get maybe 5 – 10 of these a day, which is quite manageable — other folks might get more like 5 – 10 a week.
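The routing described under Operation and Use, modeled as an added example (not Mailblocks' code or the author's); the class and method names and all addresses are hypothetical, and the sample messages are constructed. The fourth delivery shows why mail with a forged, whitelisted sender still lands in the inbox: the decision rests only on the address the message claims to come from.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Message:
    sender: str      # From address as claimed by the message; nothing verifies it
    recipient: str
    received: datetime
    body: str = ""

@dataclass
class ChallengeResponseBox:  # hypothetical model of the behaviour the review describes
    whitelist: set = field(default_factory=set)
    trackers: set = field(default_factory=set)   # disposable bypass addresses
    kill_days: int = 4                           # review: 4 to 10 days, user configurable
    inbox: list = field(default_factory=list)
    pending: list = field(default_factory=list)
    challenges_sent: list = field(default_factory=list)

    def deliver(self, msg):
        """Route one inbound message; returns 'inbox' or 'pending'."""
        if msg.recipient.lower() in self.trackers:
            self.inbox.append(msg)        # tracker mail skips authentication
            return "inbox"
        if msg.sender.lower() in self.whitelist:
            self.inbox.append(msg)        # trusted on the claimed sender alone
            return "inbox"
        self.pending.append(msg)          # held until the sender answers the challenge
        self.challenges_sent.append(msg.sender.lower())
        return "pending"

    def approve(self, sender):
        """Captcha solved, or owner moved the mail out of pending: whitelist and release."""
        sender = sender.lower()
        self.whitelist.add(sender)
        released = [m for m in self.pending if m.sender.lower() == sender]
        self.pending = [m for m in self.pending if m.sender.lower() != sender]
        self.inbox.extend(released)
        return len(released)

    def send(self, recipients):
        """Outbound mail sent through the service whitelists its recipients."""
        self.whitelist.update(r.lower() for r in recipients)

    def expire(self, now):
        """Delete pending mail older than kill_days; returns the number deleted."""
        cutoff = now - timedelta(days=self.kill_days)
        before = len(self.pending)
        self.pending = [m for m in self.pending if m.received >= cutoff]
        return before - len(self.pending)

def demo():  # constructed sample traffic; every address here is made up
    t0 = datetime(2004, 7, 1, 9, 0)
    box = ChallengeResponseBox(whitelist={"client@example.com"}, trackers={"orders-7f3@example.net"})
    results = [
        box.deliver(Message("client@example.com", "me@example.org", t0)),        # known contact
        box.deliver(Message("stranger@example.com", "me@example.org", t0)),      # challenged
        box.deliver(Message("shop@example.com", "orders-7f3@example.net", t0)),  # tracker bypass
        box.deliver(Message("client@example.com", "me@example.org", t0, "forged From")),
    ]
    released = box.approve("stranger@example.com")   # sender passed the captcha
    box.deliver(Message("bulk@example.com", "me@example.org", t0))  # never answers
    expired = box.expire(t0 + timedelta(days=5))     # past the 4-day kill
    return results, released, expired, len(box.inbox)
```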

Downsides

Mailblocks at this time does not have the option of using secure IMAP/POP3 or SMTP, or even encrypted passwords. This is no worse than most mail servers, but it’s still a hole that needs to be sealed, and it will make me continue to be wary of collecting my mail from public Wi-Fi hotspots. They offer secure login for the web front end, but not a fully secured session. I hope that they’ll consider addressing these issues in the future.

As noted above, a little spam still seeps through. This is a bit disappointing, but there’s probably no way around it at present. At least it’s a very manageable amount.

It also annoys me that my "Pending" folder is charged against my storage amount. Frankly, I’ll probably never come close to 100mb, even with the pending folder (I might hit 25mb of pending), but it’s still aesthetically displeasing to see it counted.

Finally, it annoys me that I can’t customize the "Authentication" e-mail more — they let me put a paragraph of my own explanation on it, but they still include a pitch for their service. I can understand why they do this, but it still seems a little tacky. Besides, if I really like the service and want to endorse it, I’ll join their affiliate program and do it myself (which I have done). If they offered to eliminate the e-mail pitch, I’d happily pay an extra $5 – $10 a year to get rid of it.

Conclusion

On the whole, I’m very pleased with the service. It’s easily worth $25 a year to me — spam filters on PC and Mac together cost me twice that, and aren’t anywhere near as effective. That doesn’t even consider time I’ve lost downloading and sorting through spam.

I was quite reluctant to go to a Challenge/Response service, but so far I’ve not had a single complaint. It’s tastefully and carefully done, for the most part, and on the whole, the few downsides are quite minor.

I wouldn’t hesitate to recommend this service to anyone.


Comments

8 Responses to “A Real Solution to Spam? (Mailblocks Review)”

  1. David Fiegenschue on August 3rd, 2004 7:54 am

    Chuck, thanks a lot for this review… it sounds like a good solution.

    It’s been great working with Anna on our various projects.

  2. harryllee on August 20th, 2004 5:13 pm

    If memory serves, you’re still a young whippersnapper, perhaps uglier than dirt, but not older. Thanks for the clue on Mailblocks. I owe you many rolls of nickels.

  3. Tim on August 26th, 2004 7:58 am

    Challenge/response has holes. For example, see article at:

    http://www.freedom-to-tinker.com/archives/000389.html

  4. Chuck Lawson on August 28th, 2004 11:35 am

    Thanks for the link, Tim.

    Using C/R undeniably has a lot of problems. For me, however, it sucks less than all the other alternatives I’ve tried, which is most of them.

    Other folks’ mileage is likely to vary—in fact, Harry (who commented just above you) has been having fits getting Mailblocks to work in the same manner it works for me.  It’s not at all clear why it’s working differently for him, tho.

    I’ve had the exact scenario you describe in your post happen several times. In practice, however, it’s no different to the sender than the original message getting caught in a spam filter and never fished back out by the intended recipient (which happens a lot.)

    E-mail now has an inherent unreliability that it didn’t have in say, 1997—if you send a message to someone and don’t receive an acknowledgement of some kind, it’s pretty much best to assume that it never made it to the recipient. Whether it got caught in their spam filters (or their ISPs), or a C/R response got caught in your own, the outcome and the symptoms are the same, and you either will end up retrying, tracking down the breakdown, calling someone on the phone, or being disappointed.

    In short, it all sucks.  For me, this just sucks less as a recipient.  Other people’s mileage may vary, probably depending on how much spam they receive, and what devices (and how many) they’d like to be able to use for mail.  My preferred scenario is to be able to check my mail on my PowerBook, my XP box, my PDA, or via webmail on whatever random system is handy.  This is the only solution I know of at the moment that renders those all useful with the volume of spam I receive.

    – Chuck

  5. Bruce Fieldman on September 27th, 2004 11:01 pm

    I also was very excited at the prospects offered by Mailblocks and signed up. 

    I am frustrated, though, by the failure of Mailblocks to integrate better with my own domain name and the various email addresses on my server.

    I chose the option of registering my email addresses in separate Mailblocks boxes and having my server forward mail there.  Unfortunately, though, in order to continue keeping mail from my various boxes separate, I am forced to use IMAP, therefore having to manually copy over the files into local folders as you do.  This isn’t a major issue, but what would be the harm in allowing one to attach a mail forwarder to send the mail back to my server?

    Much more significantly for me, Mailblocks sends all mail out for authentication using my Mailblocks email address.  This causes a number of problems.  People, let’s say clients or potential clients, who send me email to say,
    will receive back an email requesting authentication from
    .  Anyone who sends anything to any email address on my server that is forwarded to Mailblocks will receive their authentication request from that address.  Then, after they authenticate themselves, Mailblocks moves that email from pending into the inbox, not to the box it will be sent to after it has been added to the whitelist.  So, I have to pick through my email, find email for other family members or associates, and copy them over to their respective folders.

    Not only should Mailblocks allow you to design your own authentication requests, it should also send out the request for you from your own email address.  The request should appear as though it is from me with my address. 

    Another problem I have had with Mailblocks is that, unfortunately, sometimes its authentication requests do not get through and are apparently marked as spam.  I tried to test Mailblocks by setting up a Hotmail account and sending myself an email. The email got put into the pending folder but my Hotmail inbox never received an authentication request.  AOL was also not allowing Mailblocks through, but I suppose this might have changed by now.  I am wondering whether if Mailblocks could send out their requests using my own address, whether this would cut down on the places that would block it out.  I guess probably not since the SMTP server would remain the same. 

    I am toying with the idea of trying to use a more traditional spam filter on my server, like Spamassassin, but kicking back a note from me that would ask the sender to go to a form on my website to send me a message after passing through a captcha.  I could then manually put that person on a whitelist.  Sure, the original email would be lost, and I would have to intervene manually once per person, but I would maintain control of this process.

    What do you think?

  6. Paul Davies on October 9th, 2004 11:08 am

    Mailblocks is a great utility except when they do not send a challenge response to genuine emails.

    Their support on the subject tends to be made up as they go along, providing all sorts of fictional reasons why they didn’t send a C/R.

    At one time I was told I would need to manually check my pending mail for genuine email – I pointed out that this is what I had to do anyway before using mailblocks – this was met with silence.

    Most people I communicate with use Lotus Domino mail – not once has any of these senders ever received a C/R

  7. pat on December 25th, 2004 10:55 pm

    The amount of email (spam) I get is sick, because my name is Pat I get women’s product email dating sites (offering free for me since I am female (that sucks)) but the worst is when I do manage to track down one of these slime balls who serve the spam (evil ISP’s) they act all innocent and tell me they will comply. (or it’s not their fault) then add me to more lists. My idea is a bit over the edge… (hunt these jerks down, and slit their throats in their sleep). For now I do not respond, I sort out my clients, and wish Mozilla had a real plan that worked. My ISP charges me if I get more traffic (on my home server) so for now I use the “play dead” method.. Just keep adding filters, delete them every 2 months, and start over. It’s really not worth it for a non profit artist such as myself. I am older than dirt, and a poor starving artist, and I really do not condone violence, (as mentioned above) so thanks for letting me vent.

    Anyone thought of boycotting some of the ISP’s who promote spam? Are we all living in a world where only criminals have rights? Open for ideas…

  8. Gary LaPointe on March 25th, 2005 9:26 pm

    I disagree with the negative comments.  None of those problems are very big IF you check your pending folder every so often (that’s where non-authenticated mail gets held until it’s moved).

    Plus every time you send a message it automatically authenticates the address.

    The message it sends out is modifiable, I’ve changed mine to have a few sentences about me so they know the message is really from me.

    It’s really a great service!  Especially if your only other choice is just what’s built into a mail client.

    Gary
