Using BoxTrapper

episkey · #1 03-12-2008, 12:40 PM

In the customer review section someone posted a message about problems with spam. GatorJoshi posted some suggestions, including information about BoxTrapper.

For those who don't know, BoxTrapper uses the challenge-response method to reduce spam. It has a whitelist of email accounts that are approved. When you get email from an account that's not on the whitelist BoxTrapper puts the email in a queue and sends what is known as a challenge message to the sender. If the sender responds correctly to the challenge, then the sender is added to the whitelist and any queued messages from that sender are released.

While challenge-response is controversial, I think it is appropriate in some circumstances. However, I find the BoxTrapper application lacking in a couple of ways. In subsequent posts I'm going to explain the problems I have with BoxTrapper, because maybe the problems result simply from a lack of understanding that others here can set right.

episkey · #2 03-12-2008, 12:58 PM

The first problem I have with BoxTrapper is that the default verify message is not very user friendly. If you edit that message you see this:

Quote:

To: %email%
Subject: Your email requires verification verify#%msgid%

The message you sent requires that you verify that you
are a real live human being and not a spam source.

To complete this verification, simply reply to this message and leave
the subject line intact.

The headers of the message sent from your address are shown below:

%headers%

The resulting message is confusing to those who don't understand how to read email headers. After some experimentation, I've found the following verify message to work better overall:

Quote:

To: %email%
Subject: Your email requires verification verify#%msgid%

Your email account was recently used to send a message:

---------------------
TO: %acct%
FROM: %email%
SUBJECT: %subject%
--------------------

To help prevent junk email and email forgery, the recipient of this message asks that you perform a one-time verification of your email address. You will only need to do this once.

To complete the verification, simply reply to this message without making any further changes or additions.

episkey · #3 03-12-2008, 01:08 PM

One little problem with the verify message I've posted above is that %acct% will be replaced with the email address for final delivery. This interacts badly with email forwards, as the following example illustrates.

Suppose you have BoxTrapper enabled and set up with my verify message for yourname@yourdomain.com. You also have sales@yourdomain.com forwarded to yourname@yourdomain.com. If someone sends an email to sales@mydomain.com they are going to get a challenge message that tells them they sent email to yourname@yourdomain.com -- only they didn't.

So I suppose this is why the default verify message appends the headers. But even then, before the sender sees those headers (which they may or may not understand), they will see a message from yourname@yourdomain.com -- even though they sent a message to sales@yourdomain.com.

You can avoid this, of course, by making sure you don't forward other addresses to an address that is protected by BoxTrapper.

episkey · #4 03-12-2008, 01:22 PM

What I'd really like, though, is to be able to append the senders original message to the challenge message. This is way easy for most people to understand -- and this is the way TMDA (an open source app) does it. With TDMA, you can have a verify message like this:

Quote:

TO: %email%
SUBJECT: Please confirm you message

This message was created automatically by mail delivery software (TMDA).

Your message attached below is being held because the address
%email% has not been verified.

To release your message for delivery, please send an empty message
to the following address, or use your mailer's "Reply" feature.

%acct%-confirm-%msgid%

This confirmation verifies that your message is legitimate and not
junk-mail. You should only have to confirm your address once.

If you do not respond to this confirmation request within 14 days,
your message will not be delivered.

---------------------

Quote:

Subject: [original subject]
From: [original sender]
Date: [original date]
To: [original recipient]

[body of message]

I have not been able to figure out how to do something similar with BoxTrapper, which brings me to my second problem: The documentation cPanel provides for BoxTrapper is sketchy, and I haven't been able to find more complete info anywhere.

episkey · #5 03-12-2008, 01:38 PM

The final problem I have with BoxTrapper is that the only way I can find to review the message queue is via the cPanel.

If I am the domain admin for a small business and I've set up email accounts for 10 people, I don't want to give those 10 people cPanel access. I also don't want to be reviewing the BoxTrapper queue for the email accounts of those 10 people.

TMDA can be set up so that the end users of email accounts can check their own queue, manually release messages (and thereby automatically whitelist the sender), and even directly modify their own whitelist.

I guess the bottom line is that I wish HG would install TMDA. It's open-source and well-documented. (Of course, if I had a dedi...)