March 10, 2015 · spam

Fighting Spam at Forward Cat

When I started Forward Cat it was little more than a personal project but, without any kind of marketing, the monthly visitors have kept growing. Nowadays it has processed nearly one million emails and more than 15000 temporary email addresses have been created.

However, along with people who use it to avoid spam and to preserve their online privacy, spammers themselves have started using it. For reasons unknown to me, they started sending scam emails from their servers and forced the replies to go through a Forward Cat temporary address. Because of that, I received many angry emails from spammed people, the domain got blacklisted at Spamhaus and my server provider threatened to shut down the service.

At that point I realised that if I wanted to keep it alive I would have to treat spam more seriously. The first thing I did was to add a form, accessible from the homepage, to report abusive users. But what should I do with those accounts? Just deleting them would alert the spammers that something was wrong and it wouldn’t prevent them from creating the same temporary addresses to keep receiving replies. Then I remembered this post on how Stack Overflow deals with trolls and I decided that I would also hellban my spammers. In essence, everything would work normally but they wouldn’t receive any reply. And even if they knew about the anti-spam measures, they wouldn’t be able to tell whether they were hellbanned or whether nobody was replying to their spam due to bad grammar.

Another issue was that because the project is open source, it could be easy to bypass the anti-spam checks. To solve that I took inspiration from public-key cryptography, where the algorithm is open for anyone to inspect but the data (in my case, blacklisted words) is kept private. So far these simple actions have kept the spammers at bay, but I will probably have to improve them if new ones arrive. The goal is to make spamming using Forward Cat a hassle so they desist from doing it.
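The hellban and the private word list described above, as an added Python example that is not Forward Cat's own code. The class and function names, the SMTP reply strings, and the policy that a blacklisted word in a message body bans the receiving address are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

ACCEPTED = "250 OK"  # the only reply a sender sees for a live address

def load_blacklist(lines):
    """Parse the private word list: one term per line, '#' starts a comment."""
    terms = (line.split("#", 1)[0].strip().lower() for line in lines)
    return frozenset(t for t in terms if t)

@dataclass
class Proxy:
    forward_to: str            # real mailbox behind the temporary address
    hellbanned: bool = False

@dataclass
class Forwarder:
    blacklist: frozenset
    proxies: dict = field(default_factory=dict)  # temporary address -> Proxy
    relayed: list = field(default_factory=list)  # stands in for the outbound relay

    def report_abuse(self, address):
        """Abuse-form handler: flag the address instead of deleting it."""
        if address in self.proxies:
            self.proxies[address].hellbanned = True

    def receive(self, rcpt, body):
        """Handle one inbound message; return the reply shown to the sender."""
        proxy = self.proxies.get(rcpt)
        if proxy is None:
            return "550 No such user"
        if set(re.findall(r"[a-z0-9]+", body.lower())) & self.blacklist:
            proxy.hellbanned = True   # assumed policy: a content match bans
        if not proxy.hellbanned:
            self.relayed.append((proxy.forward_to, body))
        return ACCEPTED               # identical whether relayed or dropped

def demo():
    # Constructed sample data; the real list stays out of the public repo.
    fwd = Forwarder(load_blacklist(["# private terms", "lottery", "Inheritance "]))
    fwd.proxies["alice@example.test"] = Proxy("alice@mail.example")
    fwd.proxies["promo@example.test"] = Proxy("sender@mail.example")
    replies = [fwd.receive("alice@example.test", "Your order has shipped"),
               fwd.receive("promo@example.test", "Re: you won the LOTTERY"),
               fwd.receive("promo@example.test", "Re: hello?")]
    fwd.report_abuse("alice@example.test")
    replies.append(fwd.receive("alice@example.test", "Second message"))
    return replies, fwd.relayed
```

Because a flagged address stays registered and every inbound message gets the same reply, neither re-creating the address nor probing it reveals the ban.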

Happy forwarding!
