I agree with the first commenter who recommended greylisting. In general, you need to move as much of your spam detection to the SMTP level as possible. This means pointing your domain’s MX records at your email service provider’s system and not doing any SMTP forwarding of your email. I wrote about this in my blog in For me, the spam problem is solved.

I used Knowspam and then SpamArrest for a while. They really worked. Checking my email was a joy again, just like it was ten years ago, when I’d know that every email Eudora picked up was for me, personally. It really was a revelation. I loved it.

But, after 18 months or so I gave up on the challenge/response system. Really, it shifts and changes the problems of spam from your inbox to another system. First, there’s the problem of people missing your challenge and their email never getting to you. Second, I always felt bad if I gave my email to someone, in person, and knew that they’d get a challenge when they’d email me. It seemed rude and overly-complex, especially for non-techy people. I felt unfriendly and self-important.

Ultimately it’s a trade-off between how much spam annoys you and makes you ineffective, and how rude you can bear to be to people. Since giving up SpamArrest I’ve been more comfortable that new people emailing me will get through, and I won’t annoy them. The downside is that I dread checking my mail in the morning, even after Spam Assassin has done its job.

More and more spam is getting to my inbox these days, and it’s now a choice between making Spam Assassin’s threshold so draconian that legitmate mails will get trapped, and going back to Spam Arrest. The more annoyed I get, the less I care about pissing off new friends/contacts.

That other people (spammers) have made email such a chore thoroughly depresses me.

Aliencamel’s email service is by far the best solution. I’ve been using it for more than a year now and it’s terrific. I highly recommend for you guys to check it out. Plus it integrates into your existing workflow.

Please do understand that client side spam fighting is sooo ‘90’s.

I think T-Rex makes a good point about challenge-response based spam filters: http://www.qwantz.com/index.pl?comic=499 (Can’t seem to make that URL work as a link with the comment system.)

If I had a Windows machine, I would certainly be trying Cloudmark. It sounds great, and is endorsed by Neil Gaiman.

(I’m actually currently using SpamStamp which is a fairly vanilla Bayesian filter. It is basic, and only somewhat effective.

My email addresses have been online since 1996 and so attract a lot of spam - with up to 2000 per day recently. For a public-facing web service keeping your email addresses secret simply doesn’t work. Sure, I have secret addresses, but that isn’t the whole solution as if they are used, they are no longer secret. Many of my enquiries are from new contacts, so whitelisting is of limited scope. For years I’ve tried many client-side filtering solutions, using the good offices of Pegasus, Eudora and latterly Thunderbird. All have worked to an extent, but never to my satisfaction. Especially in the good old days of dial-up modems the attraction of a server-side solution was always significant. It sucks when you pay by the minute to download 2000 spams!

Last November I took on SpamArrest, and I am still with them today. I find the service to be good, with perhaps no more than 0.2% false positives and and false negatives. It seems particularly good at handling email lists and moderation of forums by email, which can be problematic with any filtering system. It took some work to set it up to my liking, and like local filters this does need a constant, low-level scrutiny and tweaking to ensure that it is getting it right.

I very much regret the inconvenience that challenge-response does cause to my contacts, and I recognise the abhorance that others have expressed. For those who prefer to use it I also have a web form which bypasses the SpamArrest system, and some people do chose to use it. I am aware of a very few messages which have slipped through the system and never reached me, but in the bad old days there ware similar numbers that would get accidentally deleted by my local filtering system too.

I would recommend SpamArrest for high-volume emailers with many new contacts. It needs to be watched and requires careful management, but hey, that’s what we all do for our valuable customers, don’t we?

I highly recommend popfile, which is an open-source, perl-based über-Bayesian filter system that runs locally. It doesn’t just filter spam, it filters all email into user-defined “buckets”.

I have a fairly extensive post on using popfile on Mac OS X here that covers how I use popfile (in conjunction with Spam Assassin on the server). It’s a bit out dated, though - I need to post an update - but it’ll give you a basic idea of how to use it.

(By the way, it’s cross-platform and runs on Mac OS X, Windows, Linux, etc.)

I have to say that I have general, total, almost unreasoning hatred for challenge reponse systems. I try to send someone an e-mail, and I’m supposed to jump through hoops to do it? I don’t have time for that, and I sure don’t appreciate other folks (who I’m usually trying to help) forcing me to jump through hoops to get hold of them. I generally will NOT jump through challenge-response hoops to talk to people unless I REALLY need that person and I can’t just call them.

Think of it this way: How do you deal with folks who try to shove extra work onto you?

When evaluating a challenge/response solution, you might also want to investigate what happens if two people (using different challenge/response providers) try to e-mail one another. I bet it works if they are on the same service, but I suspect problems with competing services.

One other thing: Poke around the RBLs before committing to one. I’ve had trouble with SpamCop on more than one occasion because they like to block sizable chunks of address space, and I’ve ended up as collateral damage. I can’t tell you how infuriating it is to have some bunch of people who you don’t control tell you that you can’t send e-mail and that they just don’t care.

Good luck on finding a solution that fits you!

I tend to disagree with the use of challenge-response systems, because they essentially double the resource consumption (particularly bandwidth and CPU cycles) of all mail going through the account - spam included. Also, as Nessa mentioned it will mark your address as “active” (even though you might never see the spam because it’s been blocked, the spambots don’t know that and will send more and more once they know it’s a valid address)… resource consumption just keeps increasing.

I personally go for Bayesian filtering, like many above. Greylisting also looks very interesting (I’ll definitely take a closer look at that).

Oh, and I agree with the comments above - comment/response systems suck major ass. I run into them fairly often when dealing with support or sales emails from clients and they drive me nuts.

This might seem obvious but make sure your personal e-mail address starts with a name not included in your URL. I’ve noticed that some spammers can hit your inbox by duplicating your URL ie example@example.com. Also, they try the obvious ones like info@example.com and etc.

I use Spamassassin on my mail server to filter out obvious spam and am training it to Spam/Ham like K.M. mentioned. Usually, I have all (yes, on every account, unlike K.M.) my spam forwarded to a single mail acct and check it with Yahoo! Mail, setting up filters for it to go directly to trash in Yahoo. I check legit mail with Thunderbird and Outlook. Yahoo! Mail has more bandwidth to suck up hundreds of spams than my DSL. I guess I could have spam sent to the Yahoo address directly, but I like to keep my mail on my own server for as long as possible.

Lastly, set your mail server to bounce(:fail:)/blackhole e-mails addressed to nonexistent e-mail addresses instead of forwarding it to a main account. If it is a human, they’ll figure out that they spelled your addr wrong when you bounce it. Blackhole sucks up all e-mail. Otherwise you can set up an account just for failover mail if you’re afraid of missing something. It seems that my server is smart enough not to bounce mailing lists that manually set the to: to a different addr by using the envelope-to: field in the header. I’d go with the fail for a bit, as people finally figure out how to spell your name, then go to blackhole after a few months.

The junk e-mails that peeve me to no end are the ones friends send you marketing deals for. You know, someone intended well but gave your e-mail address to “ProstituteFriendsEmailsForAnIpodShuffle” then those companies consider your e-mail fair for marketing use. My friends are all told that if send anything to me via 3rd party (quizzes, etc), use XYZ address instead and ping me via direct e-mail/IM/etc to check XYZ. It’s become an informal protocol. There’s also Legit marketing mails that don’t process their unsubscribe list. Punks. I manually blacklist those addresses.

That’s what works for me but I probably get less e-mail than you.