Authenticating Mail Servers

There are a bunch of exciting ideas out there about how to add some level of authentication to SMTP. It would be great to see these ideas get traction. While spammers forge addresses all the time, most of it doesn't affect Qurb users. Spammers must guess an address on your Approved Sender list to get through.

However, as whitelist solutions become more common, address forgery will become more common, and sophisticated too. At some point we'll need better authentication. Since SMTP doesn't have any authentication, it won't take much to improve.

There are probably many more variations on this DNS theme out there, but these are two proposals that I'm aware of:

A DNS RR for simple SMTP sender authentication

Designated Senders Protocol A Way to Identify Hosts Authorized to Send SMTP Traffic

Ultimately any successful proposal must be easy to deploy with on the software people are already running and it must be possible to adopt it incrementally. If the whole world needs to switch at once, it isn't going to happen. Leveraging the DNS seems like a good hack.

First Qurb Review

The first Qurb review is out. We didn't knock the ball out of the park, but we did pretty good for a 1.0 product. We got a higher score than any other anti-spam solution other than McAfee SpamKiller. I'm not a big SpamKiller fan, it's too complicated, but they are on version 4.0 so they do have some polish.

Reviewers are going to have a hard time with Qurb. It works so differently than most anti-spam solutions I'm concerned it won't benchmark well. You need to use it on your real email for a couple weeks to appreciate it. There are more reviews in the pipeline. We'll see how they come out.

Mailing List Headers

It would be great if all mailing lists included the headers described in RFC 2369 and RFC 2919. Qurb uses these headers (and some others) to allow mailing lists to be an Approved Sender. Most modern mailing list managers (MLMs) support these headers, but not every list administrator configures things correctly. There are also some old lists which still don't use the standard headers.

I hope the various anti-spam laws under consideration will require these mailing list headers for all bulk mail. While it won't stop the hard core spammer, it will make it easier to get off (or block) the lists of legal but sleazy bulk mailers.

The Road Less Traveled

We knew when we launched Qurb that it was going to be controversial. While most anti-spam solutions are trying to solve the problem of identifying spam by looking at the contents of the email Qurb just looks at the sender. If the sender's address in on your Approved Sender list, the mail goes to your Inbox. If the sender's address is not on the list, the mail is quarantined for later review. That's it. Pretty simple.

Anti-spam solutions like Qurb are typically classified as whitelists. Most whitelists that have been built so far haven't been very good. The day we launched we got ripped in a Wired article. Here is my favorite quote, from Steve Atkins:

"These guys are from AvantGo. They aren't stupid. So they may have something we haven't seen. I'm willing to wait and see, but I've seen (similar systems) come and I've seen them go, and they've all been bad."

This is classic rhetorical technique. First complement your opponent on something irrelevant. You don't want to be perceived as unfair, after all. Then slam them on point. Of course, Mr. Atkins hadn't actually used Qurb. Apparently when you're a "Spam Consultant" using the software you are commenting on isn't a prerequisite for getting a quote (and a link to your web site) in a Wired article.

Coming from AvantGo, we're comfortable playing the contrarian. In 1997 when we started the company the conventional wisdom was that high speed always-on wireless data was just around the corner. Billions of dollars were bet on this and almost all of the wireless start-ups starved to death when it didn't happen. We're now in 2003 and high speed always-on wireless data is just starting to become real. Today millions of people use AvantGo by syncing with their PC. Low-tech, but very effective.

The original Palm Pilot did less than Newton, General Magic, or Go. It did much less than your laptop. Why did it succeed? For some products features matter more than simplicity. For others doing one thing really well is what counts.

Qurb does one thing really well. It keeps all of the spam out of your Inbox. Our design goal was simple: Qurb had to be easier to use than the delete button. That's a high bar, but the people who use the product tell us we succeeded.

There are legitimate slams of Qurb 1.0, but I haven't seen them reported yet. Hopefully we'll ship 2.0 before they find them. If you've used a whitelist anti-spam solution and were unhappy with it, don't assume Qurb will have the same problems. Read about how Qurb works, and give it a try.

For Immediate Release

Qurb 1.0 has been released! Check it out. Spam has become a serious problem for me and lots of other folks over the last few years. I'm really excited to be working on an anti-spam product. The reactions I get when I tell people what I'm working on are great. If you want to make a friend, just tell them you're fighting spam. Everyone hates spammers.

By the way, we pronounce 'Qurb' just like 'Curb'. Feel free to pronounce it however you like so long as you spell the URL right: www.qurb.com.