On Tue, Mar 25, 2003 at 09:13:46AM -0500, Kee Hinckley wrote:
At 5:32 PM -0800 3/24/03, Brad Templeton wrote:
If a challenge response system puts messages in the "look at me
later" queue if you don't respond, then I don't think spammers will
care. (And it's not clear that you'll be that much happier as a user
of the system. You will have to scan the queue.)
Any challenge/response system has to put the unresponded messages into a
queue to look at later. However mine simply mails me a summary at the end
of the day of messages not responded to for over 2 days. This summary is
just headers and a few lines of body. You pick any messages you want from
it and they are delivered. The summary is sorted by spam-score. I could
use a fancy spam scorer but a very simple one works pretty well.
So on the occasions when somebody does not respond, or mailing list mail comes
in, it shows in the summary and always in the top. If I were to improve the
UI it would just mean a quick click to correct the mailing list.
It works very well, and as noted I have been running it with success for
six years, and almost no spam gets through it. I get 240 spam/day
delivered to it. I don't find it much of a burden at all to browse the summary
once a day. In fact, it's somewhat amusing since I am interested in spam
trends.
There is a psychological reason for this. As a heavy email user, I read
mail all day long, so spam is a constant interruption. When it's once a day,
the attitude is very different. It's like my paper mailbox, which also gets
lots of junk mail. Once a day I take it in, hold it over the garbage pail,
and drop the junk mail and take my real mail. Like most people, I never
felt it was enough of an annoyance worth reworking the postal service over.
Why is not clear to me is a) how anyone expects your typical user to
whitelist commercial addresses and mailing lists in advance and b)
how a challenge response system (which had *better* respond to
envelope from) avoids getting them removed from said list, or not
receiving notification about their purchase or what not.
No autoresponder should respond to a bulk message at all. No, users will
not whitelist their mailing lists, but my system works reasonably well.
Of course, there is another alternative which also works well at least in
newsgroups, which is to use a filtered address to post to newsgroups and
an unfiltered for mail you send out to everything but mailing lists. Mailing
lists are a problem. One would like to use the "public" address in mailing
them, but it's a pain to configure most lists to take mail from an address
other than the one you subscribe under. Because, the irony not being lost, of
spam.
Just consider the following.
1 User sends email to asrg-request(_at_)ietf(_dot_)org?subject=subscribe
2 Think quick. What address should you whitelist? asrg(_at_)ietf(_dot_)org?
asrg-request(_at_)ietf(_dot_)org? Nope.
asrg-admin(_at_)ietf(_dot_)org(_dot_) And you knew
that because...?
I think this is a hard problem. Some try to solve it but you can't do it
entirely by looking at outgoing subscribes. Many people subscribe via
the web.
Another good thing you can do is notice patterns to spot possible mailing
lists you have joined on incoming mail.
4.1 A challenge gets sent back to the asrg list. The result depends
on a combination of how the list software works and how the challenge
software constructed its reply.
No, only broken autoresponders, which should be taken off the list, would
challenge list mail with a proper Precedence header.
(Oddly, most spammers don't put on proper precedence headers, and if you want
to, you can temporarily use that as an indication of non-spam!)
You won't convince me a challenge/response system won't work, because I have
been using one with great success for 6 years. It's not a matter of
opinion. However, they do have flaws, and handling legit mailing lists is one
of them -- they are the killer in almost all spam systems. They also
have trouble with anonymous mail, which goes into the review queue.
However, I would strongly oppose a challenge/response system without a
regular summary of the blocked mail. In fact, all spam systems should offer
one. They can sort it by spam score, and make it infrequent, but it should
always be there. If your mail is to be blocked, you should know it, and
there should be a way to detect bugs and errors in the blocking software.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg