spf-discuss

RE: Re: Great stuff

2004-01-06 15:26:33
There are many problems with challenge response, not least the fact that the
challenges are spam.

There is an argument for using C/R as an absolute last ditch fallback when
all else fails - by that I mean SPF AND some form of spam filtering scheme.
Indiscriminate use of C/R is simply rude. Particularly when blockheads
repeatedly send you spam challenges for every mail you send.

I don't reply to challenges, in fact my spam filter simply deletes them.

What happens if SPF fails is and should remain outside the scope of the
spec.


-----Original Message-----
From: Jim Ramsay [mailto:i(_dot_)am(_at_)jimramsay(_dot_)com]
Sent: Tuesday, January 06, 2004 4:57 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] Re: Great stuff


R. Scott Perry wrote:

>> I can't wait until everyone fixes SMTP everywhere so I don't have to
>> resort to challenge/response spam killing like I do now.
>
> *Please* do not use C/R!

My holy-war sense is tingling.

> While it is extremely effective in reducing spam *you* see, it also has
> a very high false positive rate, and other problems.  Problems often
> seen in C/R systems include:

Depends what you mean by "false positive" I suppose - I've only received
one piece of spam since installing TMDA (http://tmda.net), and only had
one real user who couldn't figure out how to get through.

Please note that I'm not asking you to use it, I didn't even say that I
like using it or that it's a good idea, but by my definition it creates
fewer false positives than any sort of content-filtering and hopefully
makes spamming less effective in general, hopefully discouraging
spammers.

> [1] You end up being a spammer (the majority of spam sent to you will
> result in confirmation requests being sent to innocent victims)

On the off chance that a spammer puts in a "real" address in the
envelope sender (I think they usually just generate random strings),
this is true.  However, I feel that this is seldom and using SPF should
reduce this.

Also, if you say that a bounce is spam, I suppose all MTAs are guilty of
this, really, and only SPF can save us :)

> [2] Spammers now send pretend confirmation requests, presumably to make
> people less likely to respond to C/R requests

This doesn't work with TMDA because TMDA's confirmations are
cryptographically secure, so they cannot be faked.  Fake confirmations
are challenged again.

> [3] Many people respond to C/R requests that they never initiated

I don't understand exactly what you mean, but if you are referring to
[1] above, this has happened exactly once, and it was because of a
mis-configured MTA which sent a bounce to my reply-to address instead of
the envelope sender.

> [4] C/R companies have been known to send out spam and harvest addresses
> of people sending to their customers, and apparently sell those
> addresses to spammers

TMDA is not a company, it is a piece of software.  If other companies
sell addresses to spammers, wouldn't those spammers just get caught by
the C/R again anyway?

> [5] The C/R system is patented, so most anti-spam programs using C/R
> have legal liabilities waiting to be ironed out

I am not bothered by this.  There is probably well-documented
open-source prior art which may shut down any real legal problems.  If
not I'll cross that bridge when I get to it.

> [6] Confirmations sent to mailing lists won't work

Not entirely true - TMDA has facilities for this, including
sender-specific tagged addresses which bypass the challenges entirely;
for more details, see
http://tmda.net/faq.cgi?req=show&file=faq04.008.htp

It's quite easy.

> [7] Confirmations sent to others using C/R cause problems

Again, TMDA covers most eventualities, see the TMDA FAQ
http://tmda.net/faq.cgi?req=show&file=faq04.012.htp and
http://www.tmda.net/config-client.html (the section about the
X-TMDA header).

> [8] People like me that offer a free service (helping people with DNS)
> end up losing money (by spending time investigating and responding to
> C/R systems, dealing with spam received as a result, etc.) and sometimes
> get fed up with C/R systems and eventually stop offering free advice
> (never knowing how many people won't get it), harming everybody.

I'm not sure of your context here... Do you mean that you've decided
that giving free advice has become too costly for you because of all the
extra time you spend responding to challenges and sorting through bad
challenges from spammers forging your address?

I'd say if the people you're trying to respond to aren't courteous
enough to put you on their whitelist before they send you their help
request, or if they don't provide an easy way for you to reply to their
message and not be challenged (like detailed for TMDA in
http://tmda.net/faq.cgi?req=show&file=faq05.005.htp), they don't deserve
your free help.

For example, if I sent you an email asking for your help, expecting a
single reply, my reply-to address would automatically be a date-limited
tagged address which would go straight through to me from you if you
replied to my message within 14 days of me sending it, so you wouldn't
be hassled by my C/R solution at all.  If I expected that my request to
you would be an exchange of emails off and on over a long period of
time, I'd put you on my whitelist and you'd never see my C/R system
ever.  Anything else is just rude and a discourteous use of C/R.

Challenges should only be sent to people you don't know already who are
trying to contact you for the first time.  Since then it would be you
trying to contact me for the first time, I don't think it's too much to
ask you to prove your identity to me by clicking "reply" once.

> [9] Legitimate E-mail from automated services won't be seen (such as
> when ordering products online)

Not true with TMDA - I can either use a time-expired tagged address, 
whitelist the email address first, or just browse through my pending 
queue and manually let out automated emails.

In closing, I honestly don't think that C/R is a perfect solution to
spam, and I admit that there are some really bad C/R implementations
which should be fixed or trashed.  I personally believe that TMDA is the
best C/R tool out there with very few of the common problems with other
C/R's.

I think that fixing SMTP is the only real way to stop spam.  Hurrah for
SPF, I really hope it catches on!  However, as SMTP is still broken, I
will continue to use C/R (responsibly, I hope!) and challenge bad C/R
users to shape up, and hope that some day either SMTP is fixed or
spammers give up.

-- 
Jim Ramsay
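The two TMDA mechanisms Jim relies on in the message above, confirmations that "cannot be faked" and date-limited tagged reply addresses, both reduce to a keyed MAC carried in the local part of an address. The sketch below is an added illustration written for this archive page, not TMDA's own code or address format; the `user+kind+payload.mac@domain` layout, the truncated HMAC-SHA256 tag and the constructed secret are assumptions.

```python
import hashlib
import hmac
import re

# Assumption: a per-user secret known only to the recipient's MTA/filter.
SECRET = b"constructed-demo-secret"

# Assumed tag layout: user+kind+payload.mac@domain, kind is 'dated' or 'confirm'.
TAG_RE = re.compile(
    r"^(?P<user>[^@+]+)\+(?P<kind>dated|confirm)\+(?P<payload>[^.@]+)"
    r"\.(?P<mac>[0-9a-f]{16})@(?P<domain>[^@]+)$"
)


def _mac(user, kind, payload, domain, key=SECRET):
    """Truncated HMAC binding the tag to this user, kind, payload and domain."""
    msg = f"{user}|{kind}|{payload}|{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def dated_address(user, domain, now, lifetime_days=14, key=SECRET):
    """Reply-To address that passes the filter until it expires (14 days here)."""
    exp = int(now) + lifetime_days * 86400
    return f"{user}+dated+{exp}.{_mac(user, 'dated', str(exp), domain, key)}@{domain}"


def confirmation_address(user, domain, msg_id, key=SECRET):
    """Sender address of a challenge; a reply to it releases only msg_id."""
    return f"{user}+confirm+{msg_id}.{_mac(user, 'confirm', msg_id, domain, key)}@{domain}"


def classify(addr, now, key=SECRET):
    """Decide what to do with mail arriving at addr: 'accept', 'release:<id>',
    or 'challenge'. Anything without a valid, unexpired MAC gets challenged."""
    m = TAG_RE.match(addr)
    if not m:
        return "challenge"            # untagged: first contact, send a challenge
    user, kind, payload, mac, domain = m.group("user", "kind", "payload", "mac", "domain")
    if not hmac.compare_digest(mac, _mac(user, kind, payload, domain, key)):
        return "challenge"            # forged or "pretend" tag: treated as untagged
    if kind == "dated":
        return "accept" if now <= int(payload) else "challenge"   # expired tag
    return f"release:{payload}"       # genuine confirmation for a pending message
```

A spammer who guesses the layout still cannot mint a valid tag without the secret, which is why a pretend confirmation simply earns another challenge.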

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/?listname(_at_)

