CAS's challenge-response approach [ANSWERED]

I really like the fact that Comodo is going into antispam. But I still think the way it works is more for corporates than for consumers like us. I’m not going to send my friends an e-mail with a code so we know they are not spam. :frowning:

Here’s my opinion on this interesting topic, for what it is worth.

Just to be clear, it’s an opinion about the long term development of CAS, not about short term issues. Also I am not a Comodo employee, and I have no idea what Comodo’s opinion is!

CAS, as currently designed, has four powerful advantages over most anti-spam systems:

  • 100% (or so nearly 100% as makes no difference) spam exclusion
  • spam mails are kept out of email client inboxes entirely both because quarantined mails are kept in a separate database, and because of 100% exclusion
  • CAS is capable of fully automated operation. (Most antispam systems require you to regularly review a folder full of probable spam)
  • it avoids the high costs (whether financial costs or community effort) of maintaining accurate public blacklists, or effective spam filtering rules.

These are substantial advantages, but the technique currently used to achieve 100% exclusion, challenge-response, has significant disadvantages, too:

  • users don’t like the idea that friends and colleagues may receive challenge emails
  • recipients of challenge emails may not do what is asked and may be discouraged from further communication with you
  • challenge emails, both because of their similar format and because of the quantity that may be sent, can be blocked by other anti-spam software
  • CAS can be seen as adding to spam, if you consider CAS challenge emails to be spam. (Although of course if everyone used CAS spam might be greatly reduced in volume, as there would be no point in sending it!)

The disadvantages can be reduced considerably by good software design. Having fully editable challenge emails (and all other emails) helps with three of these. Making sure that comprehensive whitelists are built, automatically, from installation will help with all four. It’s also important to help users develop confidence in the challenge-response approach, which they are likely to find unusual and unexpected. The building of confidence can be addressed by careful explanation in installation routines, a simulation mode perhaps, the option to progress to challenge-response gradually via a less ‘unexpected’ approach, the option to delay sending challenge emails to give time for quarantine database review, and the ability to keep user-viewable logs of challenge emails sent.

But for some users challenge-response will never be right. For example, if you are a salesperson and receive sales leads by email from previously unknown people, you are not going to want to run the risk of discouraging potential customers. If you are trying to run a very user-friendly support service of some description, the same applies.

If CAS is to appeal to all, then, it needs to add email exclusion policies more suitable to such groups. Important questions then are:

  • How far does Comodo want to go beyond its sworn default-deny philosophy to provide for such groups? For example, the most commonly used commercial policy, filtering out emails that have spam characteristics or which are on DNSBL lists, is default-allow.
  • How far away from 100% spam exclusion is Comodo willing to go? CAS achieves 100% exclusion precisely because it is default-deny.
  • How costly a solution is Comodo willing to entertain?

Some possibilities are:

  • develop an ‘assisted manual filtering’ mode, in which all mail which is not on white or black-lists is presented to the user for review. In fact this mode already exists in CAS, it just needs to be revealed & slightly enhanced. This approach is default deny and excludes 100% of spams (subject to user error).
  • develop a hybrid approach in which people start with a default-allow blacklisting approach and move over time to a default-deny approach (whether assisted manual filtering or challenge-response), as they build their whitelists
  • develop a better default-allow approach than anyone else, perhaps using Melih’s suggestions of employing large numbers of people to check and maintain blacklists, or using a proper Bayesian approach with multiple independent ‘sensor’ modules contributing to spam probability. (In the latter approach the sensor modules might be developed by a community, or by a significant sized group of Comodo employees.) This option seems to go with CAS becoming a paid Comodo service, as there is a lot of labour cost involved!

Any other options? What do you think? Please add your comments everyone!

Best wishes

Mouse
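To make the three policies in the post above concrete (challenge-response, assisted manual filtering, and a filtered default-allow mode), here is a small Python model. It is an added example written for this thread, not Comodo's or CAS's code; the mode names, the HMAC token scheme, the bulk/null-sender rule and the sample messages are all assumptions made for illustration. One caveat a practitioner would add to the "CAS adds to spam" point: spam almost always carries a forged sender, so a challenge sent to it lands on an innocent third party (backscatter). The model therefore never challenges mail with an empty return-path or a bulk marker, and ties each challenge token to the sender with an HMAC so that a reply cannot be forged without having seen the challenge.

```python
# Added example (not Comodo's code): a toy model of the three exclusion
# policies discussed in the thread. Names, the token scheme and the sample
# messages are assumptions made for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str              # envelope sender; "" models a null return-path (bounce)
    subject: str
    spam_score: float = 0.0  # constructed: a content filter's estimate in [0, 1]
    bulk: bool = False       # e.g. a "Precedence: bulk" header is present


@dataclass
class Policy:
    mode: str                                      # "challenge", "assisted" or "allow"
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    quarantine: list = field(default_factory=list)  # separate store, never the inbox
    challenge_log: list = field(default_factory=list)  # user-viewable log of challenges
    score_threshold: float = 0.8                    # only used by default-allow mode
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def token_for(self, sender: str) -> str:
        # HMAC over the sender address: unguessable, and needs no per-challenge state
        return hmac.new(self.secret, sender.encode(), hashlib.sha256).hexdigest()[:16]

    def handle(self, msg: Message) -> str:
        s = msg.sender.lower()
        if s in self.blacklist:
            return "drop"
        if s in self.whitelist:
            return "inbox"
        # Never challenge a null return-path or bulk mail: the "sender" is
        # usually forged or a list, so a challenge would only be backscatter.
        if s == "" or msg.bulk:
            self.quarantine.append(msg)
            return "quarantine"
        if self.mode == "challenge":           # default-deny, fully automatic
            self.quarantine.append(msg)
            self.challenge_log.append((s, self.token_for(s)))
            return "quarantine+challenge"
        if self.mode == "assisted":            # default-deny, user reviews quarantine
            self.quarantine.append(msg)
            return "quarantine+review"
        # "allow": default-allow, deliver unless the filter scores it as spam
        if msg.spam_score >= self.score_threshold:
            self.quarantine.append(msg)
            return "quarantine+filtered"
        return "inbox"

    def verify_reply(self, sender: str, token: str) -> list:
        """Process a reply to a challenge. On success, whitelist the sender and
        release their quarantined mail. Returns the released messages."""
        s = sender.lower()
        if not hmac.compare_digest(self.token_for(s), token):
            return []
        self.whitelist.add(s)
        released = [m for m in self.quarantine if m.sender.lower() == s]
        self.quarantine = [m for m in self.quarantine if m.sender.lower() != s]
        return released

    def note_outbound(self, recipient: str) -> None:
        """Build the whitelist automatically from mail the user sends."""
        self.whitelist.add(recipient.lower())


def run_demo() -> dict:
    # Constructed sample traffic, run through all three modes.
    mail = [
        Message("alice@example.org", "lunch?"),                  # known friend
        Message("lead@newcustomer.example", "quote request"),    # unknown, legitimate
        Message("promo@spam.example", "CHEAP PILLS", spam_score=0.97),
        Message("", "Undeliverable", spam_score=0.5),            # bounce, forged sender
    ]
    out = {}
    for mode in ("challenge", "assisted", "allow"):
        p = Policy(mode)
        p.note_outbound("Alice@example.org")   # whitelist built from outbound mail
        out[mode] = [p.handle(m) for m in mail]
        if mode == "challenge":
            # A guessed token releases nothing and the sender stays unknown.
            assert p.verify_reply("lead@newcustomer.example", "0" * 16) == []
            # The token actually sent in the challenge releases and whitelists.
            sender, token = p.challenge_log[0]
            out["released"] = [m.subject for m in p.verify_reply(sender, token)]
            out["after_reply"] = p.handle(Message(sender, "follow-up"))
    return out
```

Running `run_demo()` shows the trade-off the post describes: the two default-deny modes keep every unknown sender out of the inbox (the spam is excluded without any rule knowing it is spam, but so is the sales lead until the challenge is answered or the quarantine reviewed), while the default-allow mode delivers the lead immediately and excludes only what the filter happens to score above the threshold.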

These are exactly my points.
These are substantial advantages, but the technique currently used to achieve 100% exclusion, challenge-response, has significant disadvantages, too:

* users don't like the idea that friends and colleagues may receive challenge emails
* recipients of challenge emails may not do what is asked and may be discouraged from further communication with you
* challenge emails, both because of their similar format and because of the quantity that may be sent, can be blocked by other anti-spam software
* CAS can be seen as adding to spam, if you consider CAS challenge emails to be spam. (Although of course if everyone used CAS spam might be greatly reduced in volume, as there would be no point in sending it!)

These are used very well in a company environment. But not in a consumer market.
I can see what you are getting at with your possibilities. And some of them truly are interesting.
Why don’t Comodo just give the customer a choice on how they want to use it?

Yes indeed. Many thanks for your response and support.

Not sure that challenge-response is less useful in a consumer than a corporate environment though. Think it is finer grained than that: depends on what job you are doing, personal style preferences, work culture, etc.

Lets see what other people think!

Mouse