
Re: [Asrg] Re: Anti-spam idea

2003-03-19 12:00:43
Hi David,

You're right of course.  And thank you for pointing that out.  I didn't post
to this list because I thought I had anticipated every possible objection to
my proposal, or because I supposed that no one else was thinking along the
same lines.  Rather, I had hoped that people here would be on their toes,
and would be able to raise objections that had not occurred to me, as you
have done. I've received some well-considered email to my post. Thanks for
the enlightenment, all ye respondents!

In my original conception, I had the spam line contain both a from-spam-code
and to-spam-code.  But when I considered an exchange between two peers, it
appeared that two codes were superfluous, and that one would suffice.  Oops.
Actually, A does need to check B's reply to see that it contains A's spam
code where it ought to be.  Otherwise, the spam-shake can be spoofed.  So
make this correction.

As for the fly-by-night spammer, it seems you're right that it's not as
impractical as I was assuming.  It's possible that an e-mail protocol could
make the spammer identifiable, in this case because you wouldn't expect a
legitimate bulk-mailer to be receiving a flood of spam-replies.  And perhaps
the ISP could stop a spam in progress by holding onto these replies. But
that's not what I was trying to achieve.

--
Lee

----- Original Message -----
From: "David F. Skoll" <dfs(_at_)roaringpenguin(_dot_)com>
To: <asrg(_at_)ietf(_dot_)org>
Sent: Tuesday, March 18, 2003 5:22 PM
Subject: [Asrg] Re: Anti-spam idea


From: "Lee Murach" <lemur(_at_)codemode(_dot_)com>

A sends a message to B.  B sends it back to A, whereupon A resends the
message to B.  The result: B receives A's message, and A learns B's spam
code.

Think for a second what happens if this is widely implemented.

Evil spammer sends spam to B, claiming it's from A.  B sends it to A,
and because A is nice and well behaved, it learns B's spam code and
replies.  B gets the spam anyway.

Of course, you can finesse the protocol by having A not respond to
messages it knows it didn't send, but the book-keeping gets onerous
for large organizations.  And if the challenge/response is implemented
in the MUA, A has to deal with "reflected" spam.

But the spammer, assuming he doesn't already know the codes, will be
obliged to receive and process replies from each recipient in order to
learn them.  This is scarcely practical.

Why not?  Domains cost $10/year.  It's no sweat to set up a domain and
a Linux box for a day just to do the handshaking.  You disappear the
next day.

This is another kind of challenge-response system, but the response is
too easily automated, and the extra traffic is not justifiable.

--
David.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg

