How FrozenSpam works

Five filtering layers, chained. From cheapest (network-edge reject) to most subtle (challenge-response). Defense in depth, not a single filter.

Overview — the 5 layers in order

An incoming email crosses these filters in this order. At each stage, more than 90% of remaining spam traffic is eliminated. Whatever passes layer 5 (challenge-response) is guaranteed human.

1. Layer 1 — Spamhaus DNSBL + postscreen. Pre-DATA rejection of known SMTP zombies (botnets, blacklisted IPs). Eliminates ~70% of spam traffic at the TCP phase. Near-zero CPU cost.
2. Layer 2 — SPF + DKIM + DMARC authentication. Verification that the sender has the right to send from their domain. If authentication fails with strict DMARC policy, the email is rejected.
3. Layer 3 — Antivirus + Bayesian pre-filter (optional). ClamAV scan of attachments for known malware. Statistical Bayesian filter (rspamd / SpamAssassin) that learns from your inbox's classic spam. Off by default in V0 (per the manifesto: we don't read your emails), enableable on demand.
4. Layer 4 — Backscatter guard. If a mail passes layers 1-3 but SPF fails silently, FrozenSpam does not send a challenge (to avoid polluting a spoofed inbox). The mail is dropped. No backscatter, ever.
5. Layer 5 — Challenge-response. The remaining mail comes from an authenticated, non-blacklisted, technically clean sender. If they aren't in your whitelists or in your outbound log, FrozenSpam asks them to prove they're human. Once validated, they join your contacts for life.

This layered architecture is the FrozenSpam signature. Competitors advertising "challenge-response anti-spam" often only implement layer 5 — without authentication, backscatter guard, or DNSBL early-reject. That's what makes them slow, brittle, and backscatter generators.

1. Challenge-response, clearly explained

When a new email arrives from a sender you don't know, FrozenSpam doesn't deliver it immediately. Instead, it quarantines the mail and sends a challenge to the sender: a short email asking them to click (or reply, depending on your config).

If the sender is human, they validate in 10 seconds. Their original email arrives in your inbox immediately, and they automatically join your whitelist — they'll never receive another challenge.

If the sender is a bulk-mailing bot, they don't validate (spammers don't have the time, and technically, their infra isn't built to handle replies). The email stays in quarantine then is purged after 30 days.

2. Your outbound automatically feeds your contacts

Here's the mechanism no one else implements correctly.

When you write an email to someone, FrozenSpam knows it. That person is now considered a legitimate contact. If they reply, or even if they write to you for the first time later, no challenge will be sent. Their email arrives directly.

It's the technical guarantee that no conversation you initiate will ever be blocked by FrozenSpam. That's what separates a painful anti-spam (which isolates your contacts) from an anti-spam that fades away (which learns by watching you write).

3. Backscatter guard — why we don't challenge spoofed addresses

Spammers send emails impersonating someone else (your bank, a colleague, you). If we sent a challenge to those false addresses, we'd be polluting innocent inboxes with our challenges: this is called backscatter.

FrozenSpam first checks the SPF and DMARC records of the sender's domain. If authentication fails, the mail is dropped silently, with no challenge. No backscatter, ever.

What FrozenSpam does NOT do — transparency first

An anti-spam doesn't do everything. Here's what FrozenSpam doesn't cover, so you know what to expect.

• No attachment antivirus. If you need mail AV scanning, complement with ClamAV or a dedicated solution.
• No long-term archiving. Quarantine keeps emails 30 days then purges. If you want to keep everything, use your downstream MTA.
• No webmail. You keep your usual mail client — Outlook, Apple Mail, Thunderbird, Gmail web, whatever you want.
• No content analysis by default. The body of the email is not inspected unless you explicitly enable the Bayesian pre-filter (advanced option, off by default).

The full flow, in 30 seconds

Here's what happens when an email arrives at your domain yourcompany.com protected by FrozenSpam:

1. Mail arrives at mx1.frozenspam.com (your new MX).
2. PostScreen + Spamhaus DNSBL reject known SMTP zombies before the mail is even read.
3. SPF + DKIM + DMARC are verified. If authentication fails, the mail is dropped silently (backscatter guard).
4. The FrozenSpam engine checks your whitelists and outbound log:
   • If the sender is known → mail passes immediately to your final mail server.
   • Otherwise → mail quarantined, challenge sent to sender.
5. Mail is delivered to your final server (Exchange, SmarterMail, M365, OVH, Gandi, etc.).
6. You read your mail as usual, no change to your mail client.