Features

EDITOR’S NOTE: The Berkeley Daily Planet extends a hearty welcome to Beyond Chron, (www.beyondchron.org) the Voice of the Rest, a new online publication launched by Randy Shaw, the director of the Tenderloin Housing Clinic. His announced goal is to “provide coverage of political and cultural issues often distorted or ignored by the Bay Area’s largest newspaper, the San Francisco Chronicle... with a critical look at the cutting edge issues of the day.” The Daily Planet has agreed to provide a newsprint outlet from time to time for interesting articles from Beyond Chron. We are pleased to launch this collaboration with part one of an article on spam blocking by Berkeley resident and technology expert Henry Norr. Part two will appear next week. 

Just over a year ago—on March 21, 2003, to be precise—I sat down at what was then my desk at the San Francisco Chronicle to bang out a column about Mailblocks, a spam-blocking e-mail service that was set to debut the following Monday. I’d been trying out the product for two or three weeks, and I was sold—I gave it a rave review. 

Unfortunately, hardly anyone ever got to see that column. The bosses at the Chron killed it—and shortly afterwards fired me—because I’d been among the tens of thousands of people demonstrating in the city’s streets against the attack on Iraq the day before. I told my supervisors they were making a mistake: even if they were going to can me, I argued, they should run that column anyway, because Mailblocks offered a neat solution to a real problem, and they had a chance to be the first publication anywhere to review it. But they stood on principle—how, after all, could readers trust someone openly opposed to the war to review an e-mail service? 

Since then, Mailblocks has managed to make a name for itself without my assistance. As its website (www.mailblocks.com) boasts, it has garnered glowing reviews from, among others, PC Magazine, PC World, and Wall Street Journal personal-tech columnist Walt Mossberg. But when Beyond Chron founder Randy Shaw contacted me with an invitation to contribute to the project, he confessed he hadn’t heard of Mailblocks before, and my guess is that a lot of other Bay Area folks who might benefit from the service still don’t know about it, either.  

Besides, since my Chronicle career ended with Mailblocks, I can’t resist the symmetry in starting with it at Beyond Chron. 

Death to spam 

Here’s how my year-ago review was to begin: 

“Who would pay $10 a year for a web-based e-mail service when you can get Hotmail or Yahoo Mail for free? Well, suppose the service in question offered a clean, elegant look, faster and simpler access to your mail (through your browser or almost any mail application of your choosing), more storage space for old mail, and—get this—no spam whatsoever? And suppose you could even keep your old address at Hotmail, Yahoo Mail, America Online or a standard Internet mail server, but use the new service to retrieve the real messages from those accounts and leave the spam behind?” 

Some of the details have changed, but that’s still the basic picture. I’ve been relying on Mailblocks ever since I lost my Chron e-mail a year ago, and in all that time only about a dozen pieces of spam have shown up in my inbox. And that’s certainly not because the spammers don’t know where to find me—my Mailblocks inbox handles all messages sent to two widely publicized e-mail addresses, as well as others I’ve used to register at countless websites. For a while I even had it set up to hunt for meaningful messages in my ancient Yahoo and America Online inboxes, until I finally decided that was pointless.  

In this day and age, when spam is said to account for nearly two thirds of all e-mail traffic and fighting it has become a major industry, can anyone report better results than I’ve had with Mailblocks over the last year?  

Granted, you could do as well with a so-called “white list” system—one that allows no mail into your inbox unless the sender is on a list of addresses you’ve authorized. The problem with that approach, aside from the racist terminology, is that most of us can’t afford and don’t want our inboxes to be quite that closed off to the world. Think of the long-lost childhood chum, or the friend who just got a new e-mail address when she changed jobs or Internet service providers, or the stranger who could become a client or customer—if their addresses aren’t on your white list, their messages won’t get to you. 

The beauty of Mailblocks is that it slams the door on spam but offers a key to folks like those. And if you, like me, still feel some humanistic ambivalence about technology, you’ll probably get some satisfaction from knowing that the whole system relies on the inability of even today’s powerful computers to meet a challenge most 8-year-olds could toss off in a few seconds. 

Challenge/Response 

Mailblocks’ approach is actually akin to classic “white list” systems, in that it relies mainly on a database of authorized addresses to determine which messages to deliver to your inbox. (You don’t have to create the database manually—for starters, you can just import the address book from whatever program you now use for mail, and any address you write to is added automatically.) 

What Mailblocks adds is a technology known as challenge/ response. (Other companies, including other e-mail services and anti-spam software vendors, use variations on the idea, but Mailblocks claims to own the key patents on it; besides, no one else has integrated it into a full service as smoothly as Mailblocks.)  

Here’s how it works: Whenever a message to you from someone not on your authorized list arrives at the Mailblocks servers—whether it’s sent directly to your Mailblocks address or to any other account you’ve asked Mailblocks to monitor—the service delivers it not to your inbox but to a separate folder called Pending. At the same time it fires off an automatic reply to the sender, in your name. You can add your own wording, but the heart of the message reads “Because this is the first time you have sent to this e-mail account, please confirm yourself so you’ll be recognized when you send to me in the future.”  

To do so, the sender is invited to click on a URL, which in turn opens a page displaying seven digits, printed at varying angles against a multicolored, pointillist-style background, with instructions to type the number into an empty field.  

Now, for most people, this isn’t much of challenge. Just type in the seven digits and hit return, and Mailblocks automatically moves your message from the recipient’s Pending folder to his inbox and adds your name to the authorized address list. For spammers, however, it’s a different story. They’re blasting out messages by the billions and getting paid only a fraction of a cent for each one—even if they were to see the Mailblocks challenge (which is unlikely because they usually transmit their pitches from phony addresses), there’s no way they could afford to pay a human even for the seconds it would take to hit the link and enter the number. 

The obvious solution, from the spammer’s perspective, would be to automate the process. But for now at least there’s evidently no practical way to do so—computers simply don’t “see” well enough to recognize digits displayed the way Mailblocks does.  

Of course, many humans don’t either. Even simple color blindness, I’m told, can make it difficult to meet the challenge. But Mailblocks provides a workaround for the visually impaired: they need only forward the challenge message to the service’s support team, and their name will be authorized. A sufficiently motivated spammer could no doubt set up a system to take advantage of this back door automatically, but so far they apparently haven’t found it worth the trouble. 

As long as that remains true, Mailblocks’ challenge/response system provides practically bullet-proof protection against machine-generated mail. There’s a problem, though: not all machine-generated mail is spam—the category also includes electronic newsletters you’ve subscribed to, confirmations for orders you’ve placed at online shopping sites, and various other kinds of messages you might actually want to appear in your mailbox. For these cases Mailblocks provides a couple of pretty good solutions. There’s a special option in the address book, for example, for mailing lists, or you can enter entire domains (e.g., beyondchron.org) if you’re willing to accept mail from anyone at the organization. 

The best workaround, though, is something Mailblocks calls (oddly) “trackers.” These are additional addresses each subscriber to the service can create and give out when subscribing to a listserv or making an online purchase. Messages sent to your tracker addresses are delivered automatically, without challenge, to your inbox. If a spammer somehow gets hold of one of your trackers—something that happened to me once—you can easily delete it and create a new one; the only hassle is that you have to provide the new address to any site that had the deleted one on file, or else you’ll never see anything else it tries to send you.  

The other big problem with the challenge/response system, I’ve found, is not technical but social: a significant percentage of the people writing to me for the first time—including my wife, the first time she used my Mailblocks address—don’t respond to the service’s challenge message. Maybe they’re scared it’s some kind of trick, like the mail sent out by the online swindlers known as “phishers;” maybe they’re just too busy to bother, or resent the modest hassle.  

In these cases, you can easily authorize the sender yourself—just drag and drop the message from the Pending folder to your inbox, or use a popup menu, or reply to the message. To do so you have to locate the legitimate messages in your Pending folder, which implies wading through the swamp of spam accumulating there. If that’s a price you’re not willing to pay, you could just decide you don’t really care about mail from anyone too lazy or unmotivated to bother responding to the challenge; in that case, Mailblocks will automatically delete the message, like everything else left in your Pending folder, after four, eight, or 14 days (one of the many configuration options Mailblocks provides). 

ª