A Real Solution to Spam? (Mailblocks Review)
July 7, 2004
Everybody complains about spam.
I built my first website shortly before Mosaic and web graphics came along (yes, I’m older than dirt), and I’ve owned my own domain since shortly thereafter (and numerous more over the years). Back in those halcyon days, we all put our e-mail addresses on our web sites. We even posted to Usenet with our own addresses. Then came spam, and address harvesters, and it was too late to do anything — e-mail addresses that I’ve owned forever are on every spam list that is peddled. For better or worse, though, I still want to get mail from people who’ve had my address since back when, so I keep those addresses, and have put up with the bombardment.
Over the last year, it’s gotten particularly bad — hundreds and often thousands of junk messages a day. Bad enough that if I’m on a dial-up line, I can hardly download them fast enough to filter them. Forget about using mail on a PDA or smartphone.
Something had to give.
Server-side Bayesian filtering hasn’t worked well for me — it was a pain in the butt to train a remote filter to my needs, and as a result too high an incidence of false positives meant that I still needed to download the spam catch and manually poke through it. Then the false positives and leaked spam had to be sent back to the filter on the server for more training. Too time-consuming and not feasible on slow connections or small devices.
Client-side filtering became untenable — having to license filters for each device / OS was expensive, filters are impractical on small devices, and the bandwidth requirements put using it on GPRS or dialup connections out of the question.
Just putting up with it wasn’t an option — too high a chance of missing important messages, and much of what I do lives and dies by e-mail.
There are various proposals in place to hopefully reduce or eliminate spam with newer mail technology, but realistically, even the first of these will be lucky to appear sometime next year. I can’t wait that long.
That pretty much leaves Challenge/Response. In a challenge/response system, you have a "whitelist" of users who you’ll accept mail from, and other users are forced to authenticate (just once) before you receive mail from them. Typically, they’ll receive an automated e-mail reply with an action they need to perform to prove they are a real person, and not some spambot.
I’d been reluctant to try Challenge/Response — when much of your business is conducted via mail, the last thing you want to do is to overly annoy a client or a prospect — but the other options had pretty much been played out. As a result, I decided to carefully examine what I really needed to make a C/R system work.
Ideally, I would have liked something I could run on my own server, but the only candidate I found was RhinoSoft’s Zaep, which is expensive ($200 for the full-featured version), and the lack of captchas or similar techniques to weed out automated responses meant quite a bit of spam still got through in my testing.
Considering services as the alternative then, I came up with this list of requirements:
- High Availability — Spam or no spam, mail is still the net’s killer app; I can’t put up with my mail being unavailable, or (worse) inbound mail bouncing.
- Ease of Control — I have to easily be able to add new entries to my whitelist, in addition to people who approve themselves.
- Bot Elimination — Captchas or other techniques that don’t allow spammers to easily automate adding themselves to my whitelist.
- Whitelist Download — I need to be able to download and backup my whitelist as it grows — if the service should turn poor, or worse, go out of business, I want to be able to move elsewhere and keep my current whitelist; it’s one thing to ask a business contact to authenticate themselves once — doing it multiple times would be unacceptable.
- Bypass Techniques — There has to be a way to send an e-mail to an address that doesn’t require authentication. I have various forms for support and other tasks that shouldn’t generate an approval message, and I want to be able to give an address for online purchase tracking that goes straight to my mailbox. Ideally, this should take the form of "disposable" addresses — if one starts gathering spam, you can throw it away and create another.
- IMAP/POP3 — I don’t want to give up my mail clients to use the system. I need to be able to get my mail via IMAP or POP3.
- "Smart" SMTP — Similarly, I want to send my outbound mail THROUGH the system, and have it automatically add the recipients to my whitelist if they’re not already there. It’s inexcusable to send someone an e-mail and then have them have to authenticate when they reply (at least, if they reply with the same address you sent it to).
- Alternate SMTP Ports — Thanks to spammers, SMTP is blocked in too many places these days, forcing outbound mail on port 25 to go through a local SMTP server where it can be accounted for. I need to be able to get to the service’s "Smart" SMTP via a port other than port 25.
- Good Web Frontend — There are times when a good web mail system can’t be beat. All features of the system should be available from any web browser if I need them.
- Multiple Accounts — For years, I’ve had mail from multiple addresses filtering into the same inbox. I need to be able to do the same here, but I also need the "authentication" e-mail to come from the address the user sent the message to, just to avoid confusion.
- Security — Ideally, the service will use secure IMAP/POP3/SMTP/HTML to prevent sniffers from capturing passwords or message traffic, particularly on Wi-Fi systems.
Looking at a lot of services, and reading a lot of reviews, I decided that Mailblocks appeared to meet most of my needs, and so I gave their Premium Service a try.
Mailblocks has three levels of service:
- Free — Access to the core features, but you can’t use your existing e-mail address, you have 5mb of storage and 5 trackers (more on trackers below), and you can’t use your own mail client (webmail only). This service is ad-supported.
- Basic — For $10 a year, you can use your own mail client, and up to 10 existing e-mail addresses. This level has 15mb of storage, and 15 trackers, and is probably sufficient for all but the most spam-laden user.
- Premium — At $25 a year, this is the same as the Basic service, but it includes 100mb of storage, and 25 trackers.
Compared to most pay webmail services, the Premium service is a bargain for 100mb, even without the Challenge/Response system. I went ahead and signed up for the Premium service, and have been using it for just shy of two weeks now.
All services allow attachments up to 6mb.
Setup was reasonably straightforward. I exported my contacts from my e-mail client (Entourage, although most e-mail programs have a similar feature), brought them into Excel for a little quick cleanup (removing some dead wood, mostly), saved it as a CSV file, and uploaded it to Mailblocks via their web frontend. This not only gave me my beginning whitelist, it also gave me a nicely formatted address book on the web frontend that will let me look up basic PIM information (address, phone, etc.) from the web page.
Mailblocks has a nice approach to bypassing the authentication system. You create a "tracker" which is a unique mail address (at mailblocks) that goes directly to your inbox or a folder of your choice. Depending on your service level, you have between 5 and 15 of these. At any time, you can delete a tracker and add a new one, in case an old one made it to a spam list. I created a handful and set up my addresses that wouldn’t be authenticated.
You set up your existing e-mail accounts on the Options page of the web frontend. To do this, you identify the account, and select whether you’re going to forward the mail from it, or whether Mailblocks should retrieve it. Forwarding is fastest, if you have that option on your account. Otherwise, Mailblocks will pretend to be a mail client and retrieve the mail. In addition to POP3 retrieval, Mailblocks can retrieve your mail from AOL, Yahoo, Hotmail, and MSN accounts.
New e-mail from users in your whitelist (address book) appears directly in your inbox — people on your whitelist will never know you’re using the service, unless they examine the headers.
Mail from other users goes to a "pending" folder, and the sender gets an "authentication" message. This message directs them to a web page where they have to type in the value in a captcha in order to prove they’re a real person. If they do so, then the message is moved to the inbox automatically.
You can also move messages from the pending folder manually, and the sender will be automatically added to the whitelist. Otherwise, the message sits from 4 to 10 days (user configurable) and is eventually deleted.
It should be noted that this is where your storage amount is important — I get enough spam each day that even set to a "4 day kill", my pending folder takes a noticeable amount of the 100mb. I probably couldn’t use the 15mb service, although people who get "average" amounts of spam would probably do fine with it.
During the first week or so, I watched the pending folder very carefully, so I could pick out mailing lists, newsletters, etc. that I wanted to approve, and catch any stray users I’d somehow forgot about on the whitelist. After the first week, I just review it every now and again, or if I’m looking for something in particular.
Mailblocks also allows you to set up additional folders, and offers a basic "rules" setup, allowing you to automatically filter specific messages to specific folders, delete them, or set various flags.
The entire system can be used from the web front end, if you like. It’s quite nicely implemented, and looks a lot like a real mail client; it’s fast, has address book integration, and seems to work well with everything — although they warn you that it’s "optimized" for Internet Explorer (what isn’t?), it works without a hitch for me with Firefox and Safari.
My preference is to use my own mail clients, however — Entourage on the Mac, Outlook on the PC, and "Inbox" on my PocketPC.
Although they offer POP3 service, I opted to use IMAP, since that gives me access to all of the folders on the service. IMAP response is snappy, and it supports "stay connected", allowing me to know when a new message is in my inbox immediately.
Using the system from an IMAP client is quite easy — you can review the pending folder directly, and if you move a message to the inbox, the sender is whitelisted, just like with the web front end. Whenever I review the pending folder, I mark the entire thing as "read", so I can set my client to "view unread" and just see the new additions when I look at it again.
Like many people, I tend to keep a lot of e-mail. Since with IMAP, the mail stays on the server until you move it yourself, this has changed my use somewhat. Now I tend to file away important messages locally (by doing "move to folder" in my mail client) as soon as they’re dealt with.
Using IMAP also simplifies using multiple mail programs on multiple machines, since everything stays in place until I move it — I can check mail from my PDA or my Windows box, or a client’s web browser, and not have to worry about "where it was retrieved" — it will still be there when I check it on the Mac, where I’ll eventually move it off into storage.
Outbound mail goes to Mailblocks via SMTP of course, so that the recipients can be automatically whitelisted. Mailblocks provides an alternate SMTP port so I can leave my notebook and PDA set to a single SMTP server, and not have to shift it as I travel from connection to connection.
It’s nice to have my mail usable again. It’s been a long time since I’ve let a mail program automatically retrieve mail, as the constant "incoming mail" noise as it catches spam is too distracting. Now if I hear it, odds are it’s something real. I’m also really enjoying being able to actually use my Pocket PC for mail, without having to weed through hundreds of spams on a little screen.
It doesn’t stop everything, however. I still get some spam, when they forge the sender’s address and it’s on my whitelist. I get maybe 5 – 10 of these a day, which is quite manageable — other folks might get more like 5 – 10 a week.
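The delivery rules described in this review (whitelist, trackers, pending folder with a challenge, whitelisting of outbound recipients, expiry), modelled as an added example; it is not Mailblocks code, and the class, method names and addresses are constructed for illustration. It also shows why a message with a forged whitelisted From address lands in the inbox.

```python
from dataclasses import dataclass, field

PENDING_DAYS = 4  # the review gives 4 to 10 days, user configurable

@dataclass
class Mailbox:
    whitelist: set = field(default_factory=set)
    trackers: set = field(default_factory=set)
    inbox: list = field(default_factory=list)
    pending: list = field(default_factory=list)     # (day, sender, subject)
    challenges: list = field(default_factory=list)  # senders we challenged

    def receive(self, day, header_from, rcpt, subject):
        sender = header_from.lower()
        # The From header is supplied by the sender, so a forged whitelisted
        # address is delivered like the real one (the leak the review reports).
        if rcpt.lower() in self.trackers or sender in self.whitelist:
            self.inbox.append((sender, subject))
            return "inbox"
        if all(s != sender for _, s, _ in self.pending):
            self.challenges.append(sender)  # assumption: one challenge per sender
        self.pending.append((day, sender, subject))
        return "pending"

    def approve(self, sender):
        """Sender solved the captcha, or the owner moved the mail to the inbox."""
        self.whitelist.add(sender)
        held = [(s, subj) for _, s, subj in self.pending if s == sender]
        self.pending = [p for p in self.pending if p[1] != sender]
        self.inbox.extend(held)  # assumption: all held mail from sender is released
        return len(held)

    def send(self, rcpt):
        self.whitelist.add(rcpt.lower())  # outbound recipients are whitelisted

    def expire(self, today):
        kept = [p for p in self.pending if today - p[0] < PENDING_DAYS]
        dropped, self.pending = len(self.pending) - len(kept), kept
        return dropped

def demo():  # constructed sample traffic, not real mail
    mb = Mailbox(whitelist={"alice@example.com"}, trackers={"orders-7f3@tracker.example"})
    mb.send("client@example.org")
    mail = [(0, "alice@example.com", "me@example.net", "lunch"),
            (0, "shop@store.example", "orders-7f3@tracker.example", "receipt"),
            (0, "client@example.org", "me@example.net", "re: quote"),
            (0, "new@example.org", "me@example.net", "hello"),
            (1, "bot@spam.example", "me@example.net", "pills"),
            (1, "Alice@example.com", "me@example.net", "forged From")]
    routes = [mb.receive(*m) for m in mail]
    return routes, mb.approve("new@example.org"), mb.expire(today=5), mb
```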
Mailblocks at this time does not have the option of using secure IMAP/POP3 or SMTP, or even encrypted passwords. This is no worse than most mail servers, but it’s still a hole that needs to be sealed, and it will make me continue to be wary collecting my mail from public Wi-Fi hotspots. They offer secure login for the web front end, but not a fully secured session. I hope that they’ll consider addressing these issues in the future.
As noted above, a little spam still seeps through. This is a bit disappointing, but there’s probably no way around it at present. At least it’s a very manageable amount.
It also annoys me that my "Pending" folder is charged against my storage amount. Frankly, I’ll probably never come close to 100mb, even with the pending folder (I might hit 25mb of pending), but it’s still aesthetically displeasing to see it counted.
Finally, it annoys me that I can’t customize the "Authentication" e-mail more — they let me put a paragraph of my own explanation on it, but they still include a pitch for their service. I can understand why they do this, but it still seems a little tacky. Besides, if I really like the service and want to endorse it, I’ll join their affiliate program and do it myself (which I have done). If they offered to eliminate the e-mail pitch, I’d happily pay an extra $5 – $10 a year to get rid of it.
On the whole, I’m very pleased with the service. It’s easily worth $25 a year to me — spam filters on PC and Mac together cost me twice that, and aren’t anywhere near as effective. That doesn’t even consider time I’ve lost downloading and sorting through spam.
I was quite reluctant to go to a Challenge/Response service, but so far I’ve not had a single complaint. It’s tastefully and carefully done, for the most part, and on the whole, the few downsides are quite minor.
I wouldn’t hesitate to recommend this service to anyone.