At 5:32 PM -0800 3/24/03, Brad Templeton wrote:
I wrote a challenge/response system six years ago that simply asks for any
reply at all -- it doesn't put any burden on the other party, and would be
easy to defeat with something as simple as an autoresponder. Yet it works,
the spammers have not attempted to use this simple defeat. Once they start,
If a challenge response system puts messages in the "look at me
later" queue if you don't respond, then I don't think spammers will
care. (And it's not clear that you'll be that much happier as a user
of the system. You will have to scan the queue.)
Why is not clear to me is a) how anyone expects your typical user to
whitelist commercial addresses and mailing lists in advance and b)
how a challenge response system (which had *better* respond to
envelope from) avoids getting them removed from said list, or not
receiving notification about their purchase or what not.
Just consider the following.
1 User sends email to asrg-request(_at_)ietf(_dot_)org?subject=subscribe
2 Think quick. What address should you whitelist? asrg(_at_)ietf(_dot_)org?
asrg-request(_at_)ietf(_dot_)org? Nope. asrg-admin(_at_)ietf(_dot_)org(_dot_) And you knew
that because...?
3 asrg sends back a confirmation request. Now as it happens, it does
this from asrg-admin(_at_)ietf(_dot_)org (envelope) and asrg-request (from).
But some mailers use a custom address for this. But let's assume
we're dealing with the average user here. They either didn't do
anything at all (forgot they had to) or their software whitelisted
based on the To: address (asrg-request).
4.1 A challenge gets sent back to the asrg list. The result depends
on a combination of how the list software works and how the challenge
software constructed its reply.
4.1.1 It's treated as a bounce and the user is not added
4.1.2 It's treated as a confirmation and the user is added
4.1.3 It goes to the admin, who says something I can't repeat and
throws it in the trash.
4.2 It makes it through because we whitelisted the right thing.
5 The first list message comes through. If you had whitelisted
asrg-admin, you're fine. If you whitelisted asrg-request, we
challenge it. If the list software uses a different envelope from
each time, you got problems.
Now, let's take amazon.com.
I've received automated email from payments-messages(_at_)amazon(_dot_)com,
orders(_at_)amazon(_dot_)com, auto-confirm(_at_)amazon(_dot_)com, eyes(_at_)amazon(_dot_)com,
amazon-news-sender(_at_)amazon(_dot_)com, editer-sender(_at_)amazon(_dot_)com,
science-fiction-editor(_at_)amazon(_dot_)com(_dot_)(_dot_)(_dot_) and they actually send mail from
their domain--never mind what happens if they higher m0.net or
someone to deliver it.
And if you start sending challenges to those--Amazon's going to see
them as bounces and dump me.
Of course we could just whitelist all of amazon.com. But I rather
suspect the spammers might figure that one out.
If you want challenge/response to work, the first thing you should do
has nothing to do with challenge/response. The first thing is to
come up with an RFC for a standard format for challenges so that
automated mail systems can recognize that they aren't the same as
bounces. And come up with a protocol whereby they can reply and say
"Yo! I'm an automated system you idiot." Where you go from there I
don't know.
However, see my next message on "Protocols".
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg