
Thread: TMDA / Challenge Response / CAPTCHA


  1. #1

    Hi, I was wondering if Zimbra implemented (or allowed the addon of) any sort of challenge-response mechanism, like TMDA. I'm not married to TMDA specifically, just anything that works similarly. Any ideas?

  2. #2

    I've tried to bring this up before...didn't go anywhere...and the discussion got hung up on autowhitelists & expiring whitelists.

    Even the simple 'please click this link to prove you're not a spammer' would be fine.

    The captcha would be tricky: would you have them reply with the answer in the first part of the body/subject? Or would you point them at a webpage on your server? (But that's just asking for more connections...)

  3. #3

    Originally posted by bjquinn:
    > Hi, I was wondering if Zimbra implemented (or allowed the addon of) any sort of challenge-response mechanism, like TMDA. I'm not married to TMDA specifically, just anything that works similarly. Any ideas?

    Are you talking about a captcha for login or a challenge/response for MTA type of stuff?

  4. #4

    Nah, I'm talking about challenge response for deciding whether you're going to allow an email through to the recipient or not. I don't really need CAPTCHA either, just the simple "hey click here to tell me you're probably not a spammer, or if you are I can probably track you down" would work fine.

    Again, I'm not married to TMDA, but it's what I'm familiar with. I know it works with postfix, but I'm afraid that Zimbra has modified your typical postfix setup enough that it may not be possible to integrate it. On Google, I've only found a couple of dead ends and the following post --

    <quote>
    Mike Carifio wrote:
    > I've installed zimbra 3.0 oss edition. Underneath, zimbra runs postfix
    > as user 'zimbra'. I'd like to integrate tmda 1.0.3. The configuration
    > directions (ServerConfiguration - TmdaWiki) talk about
    > ~/.tmda/config and ~/.forward and so forth. Is that really
    > ~zimbra/.tmda/config and so forth? Or do I use /etc/tmdarc for this?
    >
    > There are no local users on the server, they fetch their email via IMAP.
    > The credentials are kept in a MySQL database. So there isn't a per user
    > config and .forward file (right?).

    It sounds like you should follow standard "virtual users" instructions,
    in which case ~/ would represent each individual user's mail "home"
    directory.

    Often with virtual users, even though they don't need a "home"
    directory, there's something equivalent, which might have this layout:

    /path/to/email_domain/email_username/
        Maildir/
        .tmda
        .forward
        etc.
    </quote>

    ... which is less than helpful.

    Is there actually an alternative to TMDA? It's the only one I ever really hear about, and it seems the geek world has turned their backs on challenge response, but that doesn't change my boss's mind who went from 600 spam a day to 6 spam a year.

  5. #5
    phoenix, Zimbra Consultant & Moderator

    I'm not in favour of challenge response systems (I think they just add more spam), but have you considered postgrey?
    Regards


    Bill



  6. #6

    If you do all the other spam improvements possible it really is a moot point. (another anti-spam things to try)

    The problem with challenge/response systems is always the issue of whitelisting & extra traffic. People would just get annoyed if they're always getting return emails etc. every time they email you; when last discussed, the whitelisting mechanisms became an issue. Do you manually enter domains/IPs? Automatically add domains (or addresses) people send to? Automatically troll everyone's address books for allowed senders and compile it into another database? What happens to newsletters where there's no human on the other end who would check replies for challenges? When you only get an email from whomever once every 6 months, that address might have been long gone from the auto-databases, so you do need a user managed list...
    It just goes on and on... and it's actually how the idea of eventually having individual user whitelists in Zimbra came to be.

    Yes, it would be cool to deliver it to some folder called 'unverified', then automatically upgrade its not-spam status when someone replies to the challenge response... The tough part: modifying the x-spam flags, then moving the message to the inbox, all without hiccups if the user is currently viewing/replying to that particular message. I guess just a detailed error message if they try to move/mark ok something that already just received a response. (A high 'refresh' rate on that folder will cut down on some of it.)

    The biggest concept that's hard to compromise on is the idea of never re-prompting people uselessly; somewhere along the line the database gets too big. As Bill pointed out, graylisting is so much nicer because it requires no human interaction, still re-checks that they want to send it, auto-whitelists, and cleans up its own database.
    - Yes, you could have a challenge response system remember allowed senders for x days as well; I was just listing postgrey's features.
    Last edited by mmorse; 09-15-2007 at 12:01 PM.
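
The hold-and-confirm flow discussed in the posts above, as an added sketch that is not part of the thread and is not Zimbra, TMDA or postgrey code. The class `ChallengeGate`, the secret, the 180-day lifetime and the `auto_submitted` flag are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-site secret, not from the thread
WHITELIST_TTL = 180 * 86400        # assumption: remember confirmed senders for 180 days


class ChallengeGate:
    """Hold mail from unknown senders in 'unverified' until they confirm once."""

    def __init__(self):
        self.whitelist = {}      # sender -> expiry timestamp
        self.unverified = {}     # sender -> held message ids
        self.challenged = set()  # senders already prompted, so nobody is re-prompted

    def token(self, sender):
        # Confirmation token bound to the sender address.
        mac = hmac.new(SECRET, sender.lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:20]

    def receive(self, sender, msg_id, auto_submitted=False, now=None):
        now = time.time() if now is None else now
        sender = sender.lower()
        if self.whitelist.get(sender, 0) > now:
            return "inbox"
        self.whitelist.pop(sender, None)   # expired entry: the table cleans itself
        self.unverified.setdefault(sender, []).append(msg_id)
        # No challenge for newsletters/bounces, and no second challenge to anyone.
        if auto_submitted or sender in self.challenged:
            return "held"
        self.challenged.add(sender)
        return "held+challenge"

    def confirm(self, sender, token, now=None):
        now = time.time() if now is None else now
        sender = sender.lower()
        if not hmac.compare_digest(token.encode(), self.token(sender).encode()):
            return []
        self.whitelist[sender] = now + WHITELIST_TTL
        self.challenged.discard(sender)
        return self.unverified.pop(sender, [])   # messages to move to the inbox
```

Mail flagged `auto_submitted` is held without a challenge, so it only reaches the inbox if the user releases it or the sender is whitelisted some other way, which is the newsletter problem raised above.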

  7. #7

    I should point out that it would be very cool to have user-made temp addresses that work on the TMDA concept, valid for a time, and/or only allowing replies from certain people. I think this explains it best: ClientConfiguration - TmdaWiki

    I would definitely find that more useful than recipient delimiters, and would be a cool build upon to the standard just allowing the users to make temporary aliases.
    Bug 17404 - Allow users to create aliases for themselves

    So you would have options like:
    -Make temporary alias that contains the user name first then a short random string (most people want it identifiable; imagine the alias nightmare. It's like the 'allow sending from any address': a lot of organizations can't have that)
    -Limit incoming replies to specific addresses ______
    -Valid for ___ days
    -Require challenge-response

    When applied as an alias for incoming, it also gets added to your identities list so you can send from it.
    Last edited by mmorse; 09-14-2007 at 01:40 PM.
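
The alias options listed in the post above, as an added sketch that is not part of the thread and is not Zimbra or TMDA code. `TempAlias`, `AliasTable` and the sample addresses are hypothetical names constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class TempAlias:
    owner: str                        # real mailbox the alias delivers to
    expires: float                    # epoch seconds
    allowed: frozenset = frozenset()  # empty set = any sender may write
    challenge: bool = False           # require challenge-response first


class AliasTable:
    def __init__(self):
        self.aliases = {}

    def create(self, user, domain, days, allowed=(), challenge=False, now=None):
        now = time.time() if now is None else now
        # User name first so the alias stays identifiable, then a short random tag.
        address = f"{user}-{secrets.token_hex(3)}@{domain}".lower()
        self.aliases[address] = TempAlias(
            owner=f"{user}@{domain}",
            expires=now + days * 86400,
            allowed=frozenset(a.lower() for a in allowed),
            challenge=challenge,
        )
        return address

    def route(self, rcpt, sender, now=None):
        """Return (action, mailbox) for one incoming message."""
        now = time.time() if now is None else now
        key = rcpt.lower()
        alias = self.aliases.get(key)
        if alias is None:
            return ("reject", None)
        if now >= alias.expires:
            del self.aliases[key]     # expired aliases remove themselves
            return ("reject", None)
        if alias.allowed and sender.lower() not in alias.allowed:
            return ("reject", None)
        if alias.challenge:
            return ("challenge", alias.owner)
        return ("deliver", alias.owner)
```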
