That’s quite a spam filtering system you’ve built yourself. Can I assume then that you get a substantial amount of spam? I can’t imagine going through all this trouble for just a few hundred, or even a few thousand, spam emails per day…

Also, one thing I personally don’t like is the challenge-response system. This might work on a personal level, but when it comes to a company’s face, I have to disagree with it. The onus should be on the company, not the individual to contact you. Enough said, this was already debated above.

Otherwise I think you have a very powerful spam prevention system. Have you every looked at creating a commercial product based on this?

1.First all emails get filtered through a whitelist. The software I’m using can scan through my archived emails and address book and add all emails on installation. After this, everyone I send a email to automatically get white listed.
2.Then the rest of the emails go through a White rules filter, the exact opposite of a spam filter. Emails containing my name or company name are accepted (email addresses are easy to harvest, but very few spammers are able to get my name and address unless you give it to them). Emails sent from my website (using a secure contact form with hidden “to” email) is accepted. On my site I also ask customers contacting me by regular email to put a verification code in the subject line (if you click the link this code will be inserted automatically). All emails containing this code is accepted.

This covers everyone I ever received or sent email to plus practically all my customers who contact me through my website. Whats left are people contacting me out of the blue without using my site.

3. These emails are filtered through a Bayesian filter. The filter also allow for rule based filtering. I’m using rules to filter out sexually explicit words in the subject and image spam (Most Bayesian filters are not very good in detecting image spam.).
4. Emails getting a very high spam score from the Bayesian filter get deleted automatically.
5.The rest of the emails are checked for spoofed from addresses (using SPF records).
6.The emails passing this final test will receive a challenge response message just to make sure no real emails ever get caught in the spam box without giving the sender an option to get his message through. Of course no email is ever challenged twice.

This combination works quite well because:

A.) Everyone already known to me get through with no filtering. I provide options for everyone not already known to me to get trough via my website. 99% of all legitimate emails will reach me through this whitelist/rules system.
B.) Most real emails not caught by my white list/rules will be accepted by my Bayesian filter and reach my inbox with no hassle or need for people to verify themselves.
C.) The Challenge response email assures no valid email ever will just disappear. At the same time the automatic deletion of forged emails and high spam score emails reduces the amount of challenges sent and minimizes the drawbacks of traditionally configured challenge response systems that indiscriminately will just send lots of emails to everyone not on your whitelist.

Here are some additional thoughts. Personally, I don’t really know that much about email, nor do I really want to. Although it’s A core part of my business, it’s not THE core of my business. The less resources I need to allocate to handling this issue the better.

At this stage as we’re still fairly small, I can’t afford to have someone playing and configuring the mailserver. I looked at SpamAssassin and to me the biggest issue is that although it appears very effective, it requires a substantial amount of time and effort. As well, upgrades seem to be anything but seemless… This is not something I want to do, or allocate resources to. The benefits do not outweigh these higher costs. Maybe when I reach 10,000-20,000 spam emails a day, but for now it’s not worth it (our support and customer service emails are handled by another system).

Patrick, from MicroISV on a Shoestring, suggested an alternative solution called Popfile which he says is much easier to use. After the praise he gives it, I have no doubt! I looked into this option a little, and it looks interesting. I’m going to give SpamBayes a little more time before trying something else, but this will probably be my next option unless something else attracts my attention.

Another suggestion was grey listing. Although I appreciate this suggestion, it unfortunately puts the onus back again on the person trying to reach me, which I don’t really agree with.

As well Ali suggested I limit the number of email addresses supplied for LandlordMax. This is fine when we were smaller, but as grew we needed more differentiation. Also, since you might not be as aware of how our support system works, none of the support emails come to me. We’ve already purchased a customer support system (HelpSpot which I recommend). This is only for emails addressed to me from this blog and my company (and some internal email addresses from our project management system, support system, etc.). The spam we get for LandlordMax is actually filtered through HelpSpot’s Bayersian filter, which is working great now that it’s been trained.

So far I have to admit I like SpamBayes. It took minutes to install, didn’t require any server configurations, and is very effective. Because of the quantity of emails I receive, it didn’t take nearly as long as I thought it would to train. Within a day I’ve already noticed a significant drop in spam emails in my inbox. Of course there have been many false positives, but these are already starting to drop significantly! I suspect that within a week or so it’ll be at a point where I’ll be content enough to leave things as they are.

The less amount of effort I have to spend to resolve this issue the better. This is not my company’s core competency, nor this does really bring in any additional revenue (it does however prevents me from losing revenues). This is like building a customer service system because it’s interesting rather than what pays the bills. It’d be fun, but I can’t justify it.

I’ll definitely post a follow-up article in a month or so to let you all know how it’s going. And please do continue to offer suggestions, it’s really helping me! And I’m sure many of the other people who come here are finding it useful too! Thanks again for all the help

I too recommend SpamBayes for Outlook. It works beautifully for me, catching around 300 spams a day with no errors.

Joel had one of his interns implement bayesian filtering for FogBugz, a paper is available.

The first step is changing to two email addresses, one which receives all support requests, pre-sale enquiries, feedback, and all enquiries originating from your website.

The other one should receive all emails from people you meet in person. For example, if you meet someone in the elevator who might be a potential client, you would give him this email address. This is also the one which is printed on your business cards etc. This one shouldn’t be available anywhere on your website.

The next step is, adding a contact form to your website, and removing all mailto: links and other mentions of the first email address. The contact form would email you whenever someone uses it, with a known string such as ‘Web Support:’ in the subject. Then you would configure your email client to filter all email, except those with ‘Web Support:’ in the subject to be sent to your junk folder.

Since the second email is never revealed on the web, you won’t get any spam (or, only a little spam) on it. And since the first one is only supposed to be used from the contact form, you won’t have to worry about other emails.

Just the best I could come up with. Also, if you really hate this problem, why not scratch your own itch and build a decent spam-fighting prodocut for your uISV? ;0)

Basically it just tells a mailserver that you’re busy and to resend the message in 5 minutes (or however long). Spam email servers aren’t built to deal with this kind of thing, since they’re blowing through email as fast as humanly possible…so supposedly this puts a huge damper on the spam you receive.

The only flaw I’ve seen with it (aside from non-compliant servers just not returning your mail at all) is that you’ve got a five-minute wait delay in your email. Perhaps you can combine this with some form of Whitelisting to let certain people straight through the filtering?