Poco Junk Mail FAQ - Challenge/Response Method

I am currently using a challenge/response method within PocoMail to deal very effectively with SPAM. Here are the details:

I essentially use what I call a "qualified sender" approach. A sender either has to be already known to me (i.e., be in my address book) or has to prove to me that he/she is a "real" person sending the mail.

The crux of the approach is using several filters on incoming messages as follows:

Filter 1: Using the %addressbooks% filter variable, I check if the sender is in my address book. If so, I stop processing; this is an "okay" sender.

Filter 2: Check if the subject line contains a passcode, let's say "sesame". If the subject line does contain the word "sesame", stop processing; this is an "okay" sender.

Filters 3-8 I'll discuss in a moment; they are not essential for this explanation.

Filter 9: Matches every message that gets to this point (the condition I use is simply an "@" in the "to:" field, which every message satisfies) and does the following:

  1. Changes the account to a "postmaster" account I have set up
  2. Sends an auto reply/bounce message out from a template I've set up. The AutoBounce message says, "I don't know who you are, so my mail program has rejected your message. If you're a real person, please re-send your message with the word 'sesame' in the subject line and I'll respond accordingly and add you to my address book so you don't get this message again."
  3. Moves the message to a "quarantine" folder I have set up and marks it as "read".

This way, I receive all the messages from anyone in my address book and from anyone who takes the time to respond to my autobounce message, but don't ever see any of the mass generated SPAM messages.

A couple of additional notes:

  1. I use a postmaster account to send my autoreply from so that any autobounces that SPAM senders' systems send back don't end up in an endless loop back and forth. (I never check this postmaster account.)
  2. Filters 3-8 check for some special cases where I want to receive messages even if a person might not be in the address book. One filter checks against the %exceptsenders% variable to see if the sender is on my accepted senders list. Another filter checks for mail from any sender with "postmaster" or "mailer-daemon" in the "from:" field so I get back any rejects of mail that I've sent. Another filter checks for any messages that contain "-- original message --" or "writes:" or "wrote:" or "reply separator" or "--sean", which are all things that might be on replies to messages I've sent. Two other filters check against the %junksenders% and %junksubjects% variables to make sure these people/subjects aren't on my blacklist. (I don't have the autojunk filters turned on -- I prefer to check manually.)
  3. A suggestion another forum-poster added to this idea was to do all these checks as pre-download filters (couldn't do pre-download on the replies-to-me filter, though) so you don't even download the messages. I personally like to see what's in the quarantine folder every once in a while, but I think pre-download is not a bad idea.

Anyway, this approach has pretty much eliminated any junk mail I get. I'd be interested in any feedback or suggestions for improving the process, and I hope others find it helpful.
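As an added example (not PocoMail's own code and not from the FAQ above), here is the filter chain just described written as a small Python classifier. It runs the filters in the FAQ's order and returns a decision (accept, junk, or challenge with the auto-bounce to send) instead of touching a mailbox. The postmaster address, the sample messages and the list contents are constructed; junking a blacklisted message to a "Junk" folder is an assumption, since the FAQ does not say what its two blacklist filters do on a match.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed configuration standing in for PocoMail's %addressbooks%,
# %exceptsenders%, %junksenders% and %junksubjects% filter variables.
# The postmaster address is an assumed, separate, never-read account.
PASSCODE = "sesame"
POSTMASTER = "postmaster@example.invalid"
REPLY_MARKERS = ("-- original message --", "writes:", "wrote:", "reply separator", "--sean")


@dataclass
class Message:
    sender: str      # the "from:" address
    to: str          # the "to:" field
    subject: str
    body: str


@dataclass
class Lists:
    addressbook: set
    exceptsenders: set
    junksenders: set
    junksubjects: set


@dataclass
class Decision:
    action: str                      # "accept", "junk" or "challenge"
    reason: str
    folder: str = "Inbox"
    mark_read: bool = False
    reply: Optional[Message] = None  # the auto-bounce to send, for "challenge" only


def has_passcode(text: str) -> bool:
    """Filter 2: the passcode must appear as a whole word, in any letter case."""
    return re.search(rf"\b{re.escape(PASSCODE)}\b", text, re.IGNORECASE) is not None


def build_challenge(msg: Message) -> Message:
    """The auto-bounce. It is sent from the separate postmaster account so that any
    automated answer to it lands in a mailbox nobody reads (the FAQ's loop guard)."""
    text = (
        "I don't know who you are, so my mail program has rejected your message. "
        f"If you're a real person, please re-send your message with the word "
        f"'{PASSCODE}' in the subject line and I'll add you to my address book."
    )
    return Message(sender=POSTMASTER, to=msg.sender, subject="Re: " + msg.subject, body=text)


def classify(msg: Message, lists: Lists) -> Decision:
    """Run the filters in the FAQ's order; the first match decides."""
    sender = msg.sender.lower()
    subject = msg.subject.lower()
    body = msg.body.lower()

    # Filter 1: known sender (%addressbooks%).
    if sender in lists.addressbook:
        return Decision("accept", "sender in address book")
    # Filter 2: passcode in the subject line.
    if has_passcode(msg.subject):
        return Decision("accept", "passcode in subject")
    # Filters 3-8: special cases that bypass the challenge.
    if sender in lists.exceptsenders:
        return Decision("accept", "sender on accepted-senders list")
    if "postmaster" in sender or "mailer-daemon" in sender:
        # Rejects of mail I sent (and other sites' challenges) must get through
        # rather than being challenged in turn, or two such systems loop forever.
        return Decision("accept", "bounce or postmaster notice")
    if any(marker in body for marker in REPLY_MARKERS):
        return Decision("accept", "looks like a reply to my own mail")
    if sender in lists.junksenders:   # assumed action: junk folder, no challenge
        return Decision("junk", "sender blacklisted", folder="Junk", mark_read=True)
    if any(word in subject for word in lists.junksubjects):
        return Decision("junk", "subject blacklisted", folder="Junk", mark_read=True)
    # Filter 9: everything else (the FAQ's catch-all condition is an "@" in "to:").
    if "@" in msg.to:
        return Decision("challenge", "unknown sender", folder="Quarantine",
                        mark_read=True, reply=build_challenge(msg))
    return Decision("accept", "no filter matched")


# Constructed lists and sample messages, not taken from the FAQ.
LISTS = Lists(
    addressbook={"alice@example.invalid"},
    exceptsenders={"list-bounces@example.invalid"},
    junksenders={"offers@spam.invalid"},
    junksubjects={"free money"},
)
ME = "sean@example.invalid"
SAMPLES = {
    "known":    Message("alice@example.invalid", ME, "lunch?", "Friday?"),
    "passcode": Message("bob@example.invalid", ME, "Sesame: re your question", "hi"),
    "reply":    Message("carol@example.invalid", ME, "Re: invoice", "Sean wrote:\n> ..."),
    "bounce":   Message("MAILER-DAEMON@mx.invalid", ME, "Undelivered Mail", "..."),
    "junk":     Message("offers@spam.invalid", ME, "hello", "..."),
    "unknown":  Message("dave@elsewhere.invalid", ME, "hi", "great deal"),
}


def run_samples() -> dict:
    """Map each constructed sample to the action the filter chain takes."""
    return {name: classify(m, LISTS).action for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:9s} -> {action}")
```

Because the challenge is the last filter, any automated mail (a mailer-daemon reject, or another site's own challenge from its postmaster) is accepted before a challenge can be generated, and the challenge itself goes out from the postmaster account; together those two points are what keep two such systems from bouncing messages at each other indefinitely.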

Disadvantages of this Method

These comments are from Michael, not from Sean.

This system may work for personal email but it has the following drawbacks:

  • You probably want your own domain name for this method. At the very least you will need to set up a couple of email accounts (one for the postmaster).
  • It will not work for businesses; it would almost certainly result in lost messages and lost sales.
  • You are likely to miss a time sensitive message if it is sent from an unknown sender.
  • If other people start using this system you may find yourself in a loop where they never receive your message (they send an autoresponse back to you, which you intercept and send an autoresponse back to them). (One of the additional filters in filters 3-8 does deal with this, but you need to pay special attention to those messages.)

Note: If you use this method you should set up an account for the postmaster and delete all the messages from the server.