From: Brad Templeton <brad(_at_)templetons(_dot_)com>
>> Why do some spammers currently test 10,000 arbitrary user names at many
>> domain names to see if they are valid with either Rcpt_To "vrfy" or
>> trial spam? Whatever their reasons, wouldn't it be far faster and
>> easier for them to get the same information using the opt-out system?
> That is indeed the problem I am pointing out. I noted dictionary attacks
> as another possible avenue. That's less likely with a cleaning "service"
> in that the service could notice that you're trying to clean a dictionary
> list, but even then it's hard to fully protect.
I don't understand that. I am talking about a dictionary attack on
the opt-out list. Separately, anyone running an SMTP server and paying
any attention notices some current dictionary attacks. Some dictionary
attack spamware seems to be multi-threaded and hits SMTP servers with
100s of names per second.
...
> If the list is seeded with tens of millions of addresses which are bogus,
> it becomes harder, but there must be no way for them to find out if those
> addresses are bogus -- ie. you must not be able to verify them with vrfy,
> and mail servers must accept delivery for them, or they will be quickly
> weeded out. The seeded addresses would of course contain lots of dictionary
> style addresses (common names, initial plus common last name etc.)
...
Enough people already use trap lists such as
http://www.rhyolite.com/anti-spam/dict-attack.html so that there are
millions of such traps. They are somewhat effective for things like
the DCC, but they're certainly not The Final Solution To Spam.
...
> It was for this reason that I decided that the rather unsatisfactory approach
> of getting a new mailing address that had a reserved word in the domain to
> indicate opt-out was all that could be done to be immune to this particular
> attack. But it's pretty dramatic, having to get a new email. (though you
> could have an autoresponder on your old email to tell people about your
> new one, and even forward the old one for a time etc.)
I don't understand that because it seems to imply that people either
opt-out of everything or nothing. Anyone who wants to opt-out of
everything is best served by not having an address, or at least not
having an address that is ever given to anyone but very close personal
friends who won't pass it on.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
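The multi-threaded dictionary attacks mentioned above ("100s of names per second" against an SMTP server) leave a recognisable trace in recipient-rejection logs. The following is an added example, not code from either poster; it assumes a constructed, simplified one-event-per-line log format (not any real MTA's) and flags clients whose unknown-recipient rejections pile up within a short window and make up nearly all of their RCPT TO attempts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format (not a real MTA's): one RCPT TO event per line, e.g.
#   2004-01-15T10:00:00 client=203.0.113.7 rcpt=<aaron@example.org> status=unknown
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) rcpt=<(?P<rcpt>[^>]+)> "
                     r"status=(?P<status>ok|unknown)$")

def parse_line(line):
    """Return (timestamp, client ip, status) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["status"]

def detect_dictionary_attacks(lines, window=60, max_unknown=20, min_ratio=0.9):
    """Flag clients whose unknown-recipient rejections exceed max_unknown inside
    any `window`-second span AND make up at least min_ratio of all their RCPT
    attempts. Returns {ip: peak unknown count seen within one window}."""
    recent = defaultdict(deque)            # ip -> timestamps of unknown rcpts in window
    peak = defaultdict(int)                # ip -> highest count seen in one window
    counts = defaultdict(lambda: [0, 0])   # ip -> [unknown, total]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, status = parsed
        counts[ip][1] += 1
        if status != "unknown":
            continue
        counts[ip][0] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items()
            if n > max_unknown and counts[ip][0] / counts[ip][1] >= min_ratio}

def sample_log():
    """Constructed sample: 203.0.113.7 walks 25 common first names at one per
    second; 198.51.100.4 is an ordinary sender with a single mistyped address."""
    names = ["aaron", "adam", "alan", "alex", "alice", "amy", "andrew", "andy", "ann",
             "anna", "anne", "arthur", "barbara", "barry", "ben", "beth", "bill", "bob",
             "brad", "brenda", "brian", "bruce", "carl", "carol", "chris"]
    t0 = datetime(2004, 1, 15, 10, 0, 0)
    def ev(sec, ip, rcpt, status):
        return f"{(t0 + timedelta(seconds=sec)).isoformat()} client={ip} rcpt=<{rcpt}> status={status}"
    log = [ev(i, "203.0.113.7", f"{n}@example.org", "unknown") for i, n in enumerate(names)]
    log += [ev(0, "198.51.100.4", "postmaster@example.org", "ok"),
            ev(5, "198.51.100.4", "inf@example.org", "unknown"),
            ev(9, "198.51.100.4", "info@example.org", "ok")]
    return log

if __name__ == "__main__":
    print(detect_dictionary_attacks(sample_log()))   # {'203.0.113.7': 25}
```

Trap addresses of the kind the dict-attack.html page describes feed the same detector: a trap recipient can simply be logged with status=unknown while still accepting the message, so the probing client is counted without learning which addresses are real.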