whitelist filtering

[ataferner]

The functionality and most importantly ease of use of this program http://www.qurb.com built natively into Thunderbird would be most excellent. I'd prefer this over spamfiltering any day!

[petrarch]

The functionality and most importantly ease of use of this program http://www.qurb.com built natively into Thunderbird would be most excellent. I'd prefer this over spamfiltering any day!

And also inconveniences anybody that wants to send you mail, damaging innocents. A mail system that requires authorization before sending is fundamentally less open than what we have today. There's no reason not to use filtering when quality software such as spamassassin exists.

[ataferner]

And also inconveniences anybody that wants to send you mail, damaging innocents. A mail system that requires authorization before sending is fundamentally less open than what we have today.

Thats not what this program does. The whitelist only determins what emails will hit your inbox. anything not on the whitelist will be put into a seperate folder. If you receive a legitimate email from someone that is not on your white list it takes only 1 click to add them to your list. It does NOT damage innocents. It does NOT require authorization. Email remains exactly as open as it is today. Its only your own inbox that doesnt remain open to anyone. If you are going to comment on something I suggest you do your homework first.

There's no reason not to use filtering when quality software such as spamassassin exists.

I accept this to be your opinion but other people don't think so. And thats why programs like this exist and people pay to use it. I use it at work and it works like a charm and is much easier to manage than any spam filter i have tried so far.

from spamassassins.org:

Using its rule base, it uses a wide range of heuristic tests on mail headers and body text to identify "spam", also known as unsolicited commercial email.

Sounds too complicated to me. Why do i need to use a "wide range of heuristic tests" when I can simply check the sender against a whitelist?

[petrarch]

Thanks for clarifying. Not all whitelisting software is like this, hence the misunderstanding.

So, my next question is, how is this any different from the whitelisting feature in, say, spamassassin? In fact, using spam filtering software actually adds more functionality by correctly identifying mail that probably isn't spam whether you've received mail from that individual or not. Are you just asking for a frontend to keep track of whitelisted senders?

[ataferner]

So, my next question is, how is this any different from the whitelisting feature in, say, spamassassin?

I really dont know if it IS different. Maybe its not. All i was saying it would be a nice feature to have such functionality "built in" in Thunderbird. Yah i guess in essence it really is just a frontend to keeping track of whitelisting users and only allowing their mail to hit the inbox. I just really think their approach is VERY easy userfriendly and is worth taking a look at.

[ataferner]

IMHO the problems with spam filters no matter how sophisticated they are is that there ARE false positives. Granted there might be very little, but as long as there are.. you have to keep checking your "junk" folder to see if a legitimate mail crept by. And if you have to check your junk folder anyway, why not just whitelist your trusted senders? I dunno, it just seems like a much less complicated solution to me.

[Thumper]

This has "extension" written all over it in 18-pt red lettering.

- Chris

[petrarch]

IMHO the problems with spam filters no matter how sophisticated they are is that there ARE false positives. Granted there might be very little, but as long as there are.. you have to keep checking your "junk" folder to see if a legitimate mail crept by. And if you have to check your junk folder anyway, why not just whitelist your trusted senders? I dunno, it just seems like a much less complicated solution to me.

Here's the way I see it. Spamassassin does all you want, and then a whole lot more. If you're concerned with false positives, you can up the threshold to identify spam. It's extremely configurable when it comes to this. You can also whitelist all the people you want. If anything, what's needed is a good port of Spamassassin to Windows (I can never tell if this actually has happened or not). If this were done, it could be plugged in to Thunderbird, AND all users of Windows mail clients would stand to benefit.

I think that is the more robust solution.

[ataferner]

Spamassassin does all you want, and then a whole lot more. If you're concerned with false positives, you can up the threshold to identify spam. It's extremely configurable when it comes to this. You can also whitelist all the people you want. If anything, what's needed is a good port of Spamassassin to Windows (I can never tell if this actually has happened or not). If this were done, it could be plugged in to Thunderbird, AND all users of Windows mail clients would stand to benefit.

I use windows (as well as linux) so unless there is a good port of it like you said I dont see how it does "all i want and then a whole lot more". Also this comes down to ease of use. Most end users don't want to spend a lot of time tweaking spam filters or configuring spam assasin. Having a very easy to use method to manage a white list is STILL in my opinion a feature that would benefit Thunderbird.

[petrarch]

So what are you advocating? A gui frontend for already existing software? Writing such software from the ground up? Thunderbird plugin? Builtin?

I admit I'm wondering about the utility of this anyway. If your whitelist rarely changes, there doesn't seem to be a pressing need for an automated way of keeping track of addresses. If your whitelist changes rapidly, that means you're frequently getting mail from people you haven't before, in which case the Spamassassin model makes more sense, as it doesn't necessarily rely upon the preexisting reception of mail to correctly identify whether or not something is spam. If you could explain, it would be helpful!

[ataferner]

So what are you advocating? A gui frontend for already existing software? Writing such software from the ground up? Thunderbird plugin? Builtin?

Ugh. So mozillla.org shouldnt write a mail client because other ones already exist? Popup blocking plugins existed for a variety of browsers. That didnt stop the mozilla team from writing this from scratch and adding this aweome feature and building it INTO the browser. So YES, i am advocating that it would be a great feature if Thunderbird had a built in GUI to very easily manage a whitelist of accepted senders.

I admit I'm wondering about the utility of this anyway. If your whitelist rarely changes, there doesn't seem to be a pressing need for an automated way of keeping track of addresses.

Its not automated. Its just EASY to manage. if my list rarely changes then whenever I have to change it.. its 1 click to add somone. If i change it often. well then again.. one click to add somone (or their domain). Its not about automation. Its about ease of use.

What it boils down to is this: Because of false positives you have to check your junk folder anyways. So to me it makes more sense to filter out the posssibility of 200 accepted senders than to filter out the possibility of 2 gazillion possible spams.

Think about the way IM works. You only allow those to contact you that you accept. You don't try to block those that you dont want! Think about the way firewalls work. You only accept the whiltelist of IP traffic.

[petrarch]

So what are you advocating? A gui frontend for already existing software? Writing such software from the ground up? Thunderbird plugin? Builtin?

Ugh. So mozillla.org shouldnt write a mail client because other ones already exist? Popup blocking plugins existed for a variety of browsers. That didnt stop the mozilla team from writing this from scratch and adding this aweome feature and building it INTO the browser. So YES, i am advocating that it would be a great feature if Thunderbird had a built in GUI to very easily manage a whitelist of accepted senders.

Why should Mozilla reinvent the wheel when quality code is out there that already does this? It makes more sense for them to plug something like Spamassassin into Mozilla. It lets the Spamassassin people go on making outstanding anti-spam software, while Mozilla can go on making an outstanding mail client. The result is less work writing new stuff, and easier maintainability.

I admit I'm wondering about the utility of this anyway. If your whitelist rarely changes, there doesn't seem to be a pressing need for an automated way of keeping track of addresses.

Its not automated. Its just EASY to manage. if my list rarely changes then whenever I have to change it.. its 1 click to add somone. If i change it often. well then again.. one click to add somone (or their domain). Its not about automation. Its about ease of use.

I don't think this needs to be built in then. It's already really simple to manage the ruleset for a given filter, so periodically changing a whitelist is simple enough as it stands. If your whitelist is changing that rapidly to necessitate cluttering things up with a one-click addition to this specific ruleset, then you should probably be using something like Spamassassin anyway.

What it boils down to is this: Because of false positives you have to check your junk folder anyways. So to me it makes more sense to filter out the posssibility of 200 accepted senders than to filter out the possibility of 2 gazillion possible spams.

I don't follow your logic. Under your system, you end up with a lot more false positives than you would if you used spamassassin.

Think about the way IM works. You only allow those to contact you that you accept. You don't try to block those that you dont want! Think about the way firewalls work. You only accept the whiltelist of IP traffic.

These are poor analogies. IM != email. Moreover, it's not true that you only allow those to contact you who you accept. Sure, you can configure it that way, but it's not written in stone.

If you're running a mailserver, firewalls are going to pass most SMTP traffic. Packets are usually dropped based upon information such as source IP, domain, etc, not the envelope sender for an email; that's something the mail server looks at.

[ataferner]

Why should Mozilla reinvent the wheel when quality code is out there that already does this?

For the same reasons other features that already exist as plugins are built into mozilla / firebird / etc etc.
Also just because the code exists doesnt mean its as easy to use as the feature i am suggesting to be built in.

It's already really simple to manage the ruleset for a given filter, so periodically changing a whitelist is simple enough as it stands.

What YOU consider simple is probably not considered so simple by 90% of end users. The solution Qurb offers creates such a behind the scene rule with 1 single click. _That_ is simple and therefore extremely powerful.

If your whitelist is changing that rapidly to necessitate cluttering things up with a one-click addition to this specific ruleset, then you should probably be using something like Spamassassin anyway.

I never said _my_ whitelist changes rapidly and is cluttering things up. Can spamassassin do this: you see a false positive in your junk folder. With 1 click spam assassin adds the sender to the whitelist and moves the message to the Inbox. Unless spamassassin can do this with 1 click on windows with Outlook or Thunderbird (etc) then It doesn't have the powerful functionality and ease of use that is appreciated by 90% of end users. Qurb can do this. It would be nice if Thunderbird could do this.

"I don't follow your logic. Under your system, you end up with a lot more false positives than you would if you used spamassassin.

Maybe, maybe not. It would depend on how many often a particular user's whitelist changes. But that doesn't matter in my opinion anyway. If you have to check the junk folder ANYWAYS what difference does it make if you find a false positive every 50th check or every 3rd check. You already spend the time CHECKING.. thats the entire point. But with a system to move a mail to the inbox and select the sender as a whitelist sender with 1 click is what makes it friendly.

These are poor analogies. IM != email.

Just because email != IM doesn't make this a poor analogy. Both are messaging systems and both have the potential for users to be contacted unsolicited. Except on most IM services you can't add another user without the explicit permission (whitelisting).

A firewall has a whitelist of allowed packets! Although I admit that analogy is not as fitting as IM.

With spamfilters you are on an endless hunt to catch up with new techniques to hide spam by using misspellings, or spacing out words, or inserting dots or whatever crazy methods spammers come up with. To me 1 click whitelist management makes A LOT of sense and other people who have tried Qurb think so too. I think it would be a feature as loved by the community as tabbed browsing and popup blocking. But that's just my opinion.

[petrarch]

Why should Mozilla reinvent the wheel when quality code is out there that already does this?

For the same reasons other features that already exist as plugins are built into mozilla / firebird / etc etc.
Also just because the code exists doesnt mean its as easy to use as the feature i am suggesting to be built in.

Okay, but you still haven't explained why Mozilla needs to write new code when GPLed code already does exactly what you are asking for here.

It's already really simple to manage the ruleset for a given filter, so periodically changing a whitelist is simple enough as it stands.

What YOU consider simple is probably not considered so simple by 90% of end users. The solution Qurb offers creates such a behind the scene rule with 1 single click. _That_ is simple and therefore extremely powerful.

Anybody who is capable of using the Mozilla filters dialogue is able to do this right now, without any additional effort on the part of the Mozilla coders. If you are arguing that the filters dialogue box is too complicated, then please file a bug report, as it needs to be fixed promptly.

Also, where is the source of your 90% statistic? I'm sure you're not fabricating numbers in an attempt to bolster your argument.

If your whitelist is changing that rapidly to necessitate cluttering things up with a one-click addition to this specific ruleset, then you should probably be using something like Spamassassin anyway.

I never said _my_ whitelist changes rapidly and is cluttering things up.

Okay, so which is it: does your whitelist change rapidly or not? If it doesn't change rapidly, it doesn't make as much sense to make changing the whitelist a 5 second process as opposed to something less than 30 seconds. You can still get this as a plugin, but it's not needed frequently enough to justify being builtin to a streamlined mail client.

If it does change rapidly, you're lots of mail from people you haven't received mail from before, in which case you should be using software that can tag messages appropriately whether the author has been seen before or not; spamassassin.

Can spamassassin do this: you see a false positive in your junk folder. With 1 click spam assassin adds the sender to the whitelist and moves the message to the Inbox. Unless spamassassin can do this with 1 click on windows with Outlook or Thunderbird (etc) then It doesn't have the powerful functionality and ease of use that is appreciated by 90% of end users. Qurb can do this. It would be nice if Thunderbird could do this.

Spamassassin isn't the software responsible for what you're talking about here. That's the job of the mail client. This is something of a red herring though, because with Spamassassin, you're not going to get many false positives. I get hundreds of messages a day, and I honestly can't recall the last time I've seen a false positive; they're pretty rare in my experience.

"I don't follow your logic. Under your system, you end up with a lot more false positives than you would if you used spamassassin.

Maybe, maybe not. It would depend on how many often a particular user's whitelist changes. But that doesn't matter in my opinion anyway. If you have to check the junk folder ANYWAYS what difference does it make if you find a false positive every 50th check or every 3rd check. You already spend the time CHECKING.. thats the entire point. But with a system to move a mail to the inbox and select the sender as a whitelist sender with 1 click is what makes it friendly.

Because it takes a lot less time to scan a junk folder filled with spam, and delete it all, than to move incorrectly tagged false positives to the appropriate box. It's better to use software that prevents false positives from making it to the junk folder to start with; that's what computers are for. Your solution promotes false positives, the problem getting worse the more diverse the mail you receive is. It's possible to whitelist senders while still not dumping non-spam mail into the junk folder. Moreover, if you're really concerned about it, you can just up the threshold for marking something as spam, and make false positives stastically meaningless.

These are poor analogies. IM != email.

Just because email != IM doesn't make this a poor analogy. Both are messaging systems and both have the potential for users to be contacted unsolicited. Except on most IM services you can't add another user without the explicit permission (whitelisting).

This isn't true on AOLs IM network, which, unless I'm mistaken, accounts for the vast majority of instant messaging traffic.

With spamfilters you are on an endless hunt to catch up with new techniques to hide spam by using misspellings, or spacing out words, or inserting dots or whatever crazy methods spammers come up with.

Which is why it makes sense to let the spamassassin people continue to modify the software, while letting the Mozilla folks ensure it can be readily plugged in to Thunderbird. The worst that could possibly happen is for spamassassin to be completely useless, in which case it would just function as a whitelisting service, which is what you're advocating. I fail to see how you can continue to argue for something so inferior, using preexisting software offers so much more.

[comomolo]

Spamassassin is IMHO precisely the kind of bloatware no one but geeks would like to use. It's a server side solution, thought for administrators and computer geeks, not "for the rest of us". I had it as an option in my hosting package and have disabled it a couple of weeks after I started using it. It's complicated, error prone, _does_ yield false positives (not to mention the many false negatives) and I simply don't want it to manage my mail, because I CAN'T UNDERSTAND ITS MANY TWEAKS, and I DON'T WANT TO LEARN THEM and I also won't hire a system administrator to do that. (I'm happy that at least an open source project, Mozilla Firebird, is taking care of the featuritis problem in open source. I just hope Thunderbird follows the example.)

What I want to see and can't find is a software that would reply to an unknown sender the classic blurry image of a word only readable by humans. If the "human" who sent me his/her message replies properly they'll be included in my whitelist and never asked again (this process should be automated and, essentially, it would be the core of the software I'm talking about). This should run at server level (the whole point is avoiding the download of tons of garbage) and -here comes my suggestion- have an interface through the mail client, in this case, Thunderbird, or if it's so difficult (I'm not a developer) through a web interface. The whitelist would reside in the server but managed through the client. Easy and clean.

My mailbox isn't a public place. You can write me, but only if I like you you can keep writing me. I can't see how this hurts "innocent people". All antispam solutions I've seen so far -including Spamassassin- force me to download spam messages from my server in order to check if the spam filtering has been done right. As long as this isn't changed in the anti-spam tools designers' minds, so called "anti spam solutions" are simplistic (albeit very complicated algorithm wise) patches to a serious problem: megabytes downloaded for nothing and time spent checking the work done by the anti spam filter.

I just want to verify who's trying to write me, and since most spam is machine originated and reply addresses used by them are fake I would never see the spam messages and not a single human being would be prevented from reaching my mailbox (as long as he/she can identify a few letters inside a blurry image...). Everybody is aware about the spam problem. Nobody will feel insulted if you explain clearly why authorization to write you is needed.

Besides, if you believe YOUR mailbox is a public place, you can always keep using Spamassassin and other inelegant solutions like it...

My euro 0.02

C