From: "Lee Murach" <lemur(_at_)codemode(_dot_)com>
A sends a message to B. B sends it back to A, whereupon A resends the
message to B. The result: B receives A's message, and A learns B's spam
code.
Think for a second what happens if this is widely implemented.
Evil spammer sends spam to B, claiming it's from A. B sends it to A,
and because A is nice and well behaved, it learns B's spam code and
replies. B gets the spam anyway.
Of course, you can finesse the protocol by having A not respond to
messages it knows it didn't send, but the book-keeping gets onerous
for large organizations. And if the challenge/response is implemented
in the MUA, A has to deal with "reflected" spam.
But the spammer, assuming he doesn't already know the codes, will be
obliged to receive and process replies from each recipient in order to
learn them. This is scarcely practical.
Why not? Domains cost $10/year. It's no sweat to set up a domain and
a Linux box for a day just to do the handshaking. You disappear the
next day.
This is another kind of challenge-response system, but the response is
too easily automated, and the extra traffic is not justifiable.
--
David.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
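
The forged-sender case and the "don't respond to messages you didn't send" refinement from the message above, as an added toy model that is not code from the thread. The class names, message ids and the in-memory sent set (standing in for the book-keeping) are assumptions.

```python
import secrets

class Recipient:
    """B: returns first-contact mail to the claimed sender along with B's code."""
    def __init__(self):
        self.code = secrets.token_hex(4)   # B's per-recipient spam code
        self.inbox = []

    def receive(self, claimed_from, msg_id, body, code=None):
        if code == self.code:
            self.inbox.append(body)        # resend carries the code: deliver
            return None
        # No valid code: send the message back to whoever it claims to be from.
        return (claimed_from, msg_id, body, self.code)

class Sender:
    """A: resends returned mail with the code it has just learned."""
    def __init__(self, check_sent_log):
        self.check_sent_log = check_sent_log
        self.sent = set()                  # ids of messages A really sent

    def send(self, rcpt, msg_id, body):
        self.sent.add(msg_id)
        bounce = rcpt.receive("A", msg_id, body)
        if bounce:
            self.on_bounce(rcpt, bounce)

    def on_bounce(self, rcpt, bounce):
        _, msg_id, body, code = bounce
        if self.check_sent_log and msg_id not in self.sent:
            return False                   # A never sent this: do not complete the handshake
        rcpt.receive("A", msg_id, body, code)
        return True

def inbox_after_forgery(check_sent_log):
    """Run one genuine message and one message that only claims to be from A."""
    a, b = Sender(check_sent_log), Recipient()
    a.send(b, "id-1", "hello from A")                     # genuine mail from A
    bounce = b.receive("A", "id-forged", "SPAM")          # constructed forged message
    a.on_bounce(b, bounce)                                # B returned it to A
    return b.inbox

if __name__ == "__main__":
    print("well-behaved A, no sent log:", inbox_after_forgery(False))
    print("A checks its sent log:      ", inbox_after_forgery(True))
```
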