ietf-asrg

Re: [Asrg] Re: Asrg digest, Vol 1 #133 - 14 msgs

2003-03-28 22:33:55
On Fri, Mar 28, 2003 at 05:36:34AM -0800, James Lick wrote:

> On the other hand, I could use such a facility to automatically say
> "no" to any address verification for pleasure.com, a domain of mine
> which is frequently forged and which I never use on outgoing email.
> Bingo, no more spam forged from that domain name.  If yahoo, hotmail
> and AOL deploy it, you can no longer just randomly generate forged
> mail from that.

  To which, my response was going to be...

> More serious aspects of such a system are that it may drive spammers
> to forge spam from real addresses instead of fake, and that they
> may use such facilities to do address verification or dictionary
> attack harvesting.

..bingo.

> I would also like to say that I am disappointed in a lot of the
> criticisms of spam blocking/prevention techniques.  A lot of people
> are rejecting systems outright for having one or more flaws, when
> the system can still be effective despite those flaws.  Rather,
> one should evaluate a system not on whether it can be circumvented,
> but instead focus on the benefits of making things more difficult
> for the spammers.  Even if it is just a minor hassle to get around,
> it is still causing pain for the spammers.

  Spammers *WILL* adapt.  Spammers may have started off as primitive
pond scum, but today they're highly evolved pond scum.  If a system can
be trivially circumvented, it *WILL* be circumvented.  Here's where I
disagree with you.  You are evaluating a sample of spam in your inbox,
and asking "How much will be blocked if I implement rule X?".  I feel
that you should also ask "How easy is it to circumvent without the
consequence of reduced delivery of spam?".  The blocking of anonymizing
relays can be "circumvented" by not using them, but other avenues of
delivery aren't as "good" from the spammer's viewpoint.  Forging an
existing address instead of a non-existing address is relatively easy.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
An infinite number of monkeys pounding away on keyboards will
eventually produce a report showing that Windows is more secure,
and has a lower TCO, than linux.