ietf-asrg

Re: [Asrg] 5b. Opt-Out, 2nd version

2003-03-27 00:09:26
On Wed, Mar 26, 2003 at 10:37:20PM -0700, Vernon Schryver wrote:
> Why do some spammers currently test 10,000 arbitrary user names at many
> domain names to see if they are valid with either Rcpt_To "vrfy" or
> trial spam?  Whatever their reasons, wouldn't it be far faster and
> easier for them to get the same information using the opt-out system?

That is indeed the problem I am pointing out.   I noted dictionary attacks
as another possible avenue.  That's less likely with a cleaning "service"
in that the service could notice that you're trying to clean a dictionary
list, but even then it's hard to fully protect.

One way or another, if there is an opt out list, the spammers will get
ahold of most of it, and presumably abuse it.

However, it should be noted that this would be a particularly strong
offence, sent to people who are known hostile to spam, so doing this would
bring down even harsher penalties, but I wouldn't bank on their effectiveness.

If the list is seeded with tens of millions of addresses which are bogus, it
becomes harder, but there must be no way for them to find out if those
addresses are bogus -- i.e. you must not be able to verify them with vrfy,
and mail servers must accept delivery for them, or they will be quickly
weeded out.   The seeded addresses would of course contain lots of dictionary
style addresses (common names, initial plus common last name etc.)

But it would possibly result in a lot of spams you have to eat just to make
this tactic ineffective.

It was for this reason that I decided that the rather unsatisfactory approach
of getting a new mailing address that had a reserved word in the domain to
indicate opt-out was all that could be done to be immune to this particular
attack.   But it's pretty dramatic, having to get a new email.  (though you
could have an autoresponder on your old email to tell people about your
new one, and even forward the old one for a time etc.)