lzcd has asked for the wisdom of the Perl Monks concerning the following question:

I’m planning on implementing a pessimistic spam filter for an e-mail address under my control.
The filter would kill any mail not bearing a valid token id.

Tokens, in this case, are nothing more than DB entries with a counter that decrements upon each usage.
If required, I might add in other criteria such as time and sending address.

I’m planning on offering ‘single use’ tokens on my web page as a possible alternative to giving away my e-mail address. The act of getting a token and the required e-mail address should be painless for a human user but beyond the capabilities of your normal e-mail collection bot. (e.g. requires a POST operation etc.)

This way I should hopefully get the best of both worlds.

To those I know, there are the following options:
- I can give an ‘unlimited use’ token for those whom I trust but just wish to annoy. ;)
- I can give a ‘limited use’ token for those I must survive multiple correspondences with but absolutely no more than necessary.
- I can add somebody’s pertinent details to the filter and forgo the need for a token at all.

To those I don’t know, I give the opportunity to contact me via e-mail without the significant possibility of catching the ever popular spam epidemic.

Okay, I can dig up as many Mail handling modules as the next guy, so my question isn’t related to code-specific things.

It’s more of a sounding board type of thingie.

Does anybody know of a similar system already in place?

Are there any subtle security issues here that I’m likely to find out the hard way?

Spam collection bots may be relatively easy to outsmart but crackers and the like are not. Any tips here for a person familiar with the CGI coding dos and don’ts but not the e-mail ones? (e.g. overflows in the token generation page etc.)

Thank you for your hair loss time.

Replies are listed 'Best First'.
Re: Pessimistic Spam filtering
by Coyote (Deacon) on Jan 09, 2001 at 11:31 UTC
    I don't know of any systems that specifically do what you want, but the Mail::Audit module may be a good place to start. TPJ #18 has a pretty good article about Mail::Audit. You can find it at Of course you need to be a subscriber to read the article. I've been using a Mail::Audit based script for a while now as a replacement for procmail.

    Of course, the real challenge here is not the filtering, the generation of the token or even the security, but how are you going to make the system usable for the people who wish to send you mail.


Re: Pessimistic Spam filtering
by footpad (Monsignor) on Jan 09, 2001 at 19:55 UTC
    You might also consider taking a peek at a set of related articles by Dominus, which contain some very interesting discussion along these lines.


Re: Pessimistic Spam filtering
by turnstep (Parson) on Jan 09, 2001 at 17:43 UTC
    Would you be requiring someone to put the token in the body of the message? That seems a high onus on the sender. You might want to make the token part of your email address, perhaps with the plus syntax. Also, the decrementing counter seems pretty easy to spoof/abuse. I'd be inclined to just get another email address, and control who gets access to it. Finally, you can look into the many spam filtering services already available, which, when set as "pessimistic" as possible, will catch well over 90% of your spam.
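
An added example, not part of the original thread or any poster's code: one way to check a token carried in a plus-address (as suggested above) against the counter table described in the question, spending it with a single conditional UPDATE so a single-use token cannot be reused or raced. The schema, token values and addresses are constructed, and DBI with DBD::SQLite is assumed.

```perl
use strict;
use warnings;
use DBI;    # assumes DBD::SQLite is installed

# In-memory SQLite stands in for the token table (assumed schema).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do(q{CREATE TABLE tokens (
    id        TEXT PRIMARY KEY,  -- random, unguessable token id
    uses_left INTEGER NOT NULL,  -- -1 means unlimited
    expires   INTEGER,           -- epoch seconds, NULL = never
    sender    TEXT               -- NULL = any sender (From is forgeable: weak check)
)});

# Constructed sample tokens.
my $ins = $dbh->prepare('INSERT INTO tokens VALUES (?, ?, ?, ?)');
$ins->execute('k7q2m9x4tb', 1,  time + 86400, undef);              # single use
$ins->execute('friend8841', -1, undef,        'pal@example.org');  # unlimited, sender-bound

# Pull the token out of "user+TOKEN@domain"; undef if there is none.
sub token_from_rcpt {
    my ($rcpt) = @_;
    return $rcpt =~ /\A[^+\@\s]+\+([A-Za-z0-9]{8,64})\@[^\@\s]+\z/ ? $1 : undef;
}

# Accept (1) or reject (0). One conditional UPDATE checks and spends the token
# atomically, so two messages arriving together cannot both pass on one use.
sub accept_mail {
    my ($rcpt, $from) = @_;
    my $token = token_from_rcpt($rcpt) // return 0;
    my $rows = $dbh->do(q{
        UPDATE tokens
           SET uses_left = CASE WHEN uses_left > 0 THEN uses_left - 1 ELSE uses_left END
         WHERE id = ?
           AND uses_left <> 0
           AND (expires IS NULL OR expires > ?)
           AND (sender  IS NULL OR sender = lower(?))
    }, undef, $token, time, $from);
    return $rows == 1 ? 1 : 0;   # do() returns "0E0" when nothing matched
}

for my $msg (['me+k7q2m9x4tb@example.com', 'stranger@example.net'],
             ['me+k7q2m9x4tb@example.com', 'stranger@example.net'],  # reuse: rejected
             ['me+friend8841@example.com', 'Pal@Example.org'],
             ['me+friend8841@example.com', 'spoof@example.net'],     # wrong sender
             ['me@example.com',            'bot@example.net']) {     # no token
    printf "%-28s from %-22s %s\n", @$msg, accept_mail(@$msg) ? 'ACCEPT' : 'REJECT';
}
```
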
Re: Pessimistic Spam filtering
by redcloud (Parson) on Jan 10, 2001 at 00:34 UTC
    You could take a look at Kiwi. It's not exactly what you're looking for (the tokens don't time out exactly the way you want) but it might be a good place to start.