On Wed, Apr 09, 2003 at 04:00:43PM -0600, John Fenley wrote:
From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>
This is going to require a longer explanation.
Looking ten years down the road I see AI programs that can respond to the
"type the word" type requests easily.
I see spam as coming directly (avoiding relays altogether) from spammers who
stick around at a real $10 domain just long enough to send out 100 million
spams (with 300 million decoys to mess with Bayesian filters) and answer the
tests, then change their IPs (possibly by moving their equipment
physically) to avoid RBLs (or any sort of blacklist).
Farfetched? You tell me.
Nobody would ever go that far to send spam.....
yeah right.
My view is that arms races aren't as bad as you depict. More to the point,
if what we do to stop spam will have some "collateral damage" then in fact
we want to be in the arms race, because we want to use the minimum change
to cause the minimum collateral damage, until such time as that minimum is
no longer working, and then move to the next phase.
What that means is that a proper spam design system may well contain a
series of steps, worked out in advance, though not necessarily revealed
to the public, which can be applied when needed, but not before.
Challenge/response is like this. In fact, today, C/R works by simply
asking for any reply at all. Eventually that will cease to be true, but why
make users jump through any hoops before we need them? We can even
announce that our next plan, after simple-reply fails, is a Turing test,
without naming the test. One could even have a service that keeps upgrading
your Turing tests.
Of course another good idea is to give users options. For example, one
could include in a challenge both a Turing test (What is this picture?) or
a request for proof of CPU time (run this Java applet in the background,
it will report to me when it is finished and your mail will be delivered.)
The user can choose to do either.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
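
The "proof of CPU time" option mentioned in the message, sketched as an added example that is not part of the original post or of any ASRG proposal: a hashcash-style puzzle whose difficulty the recipient can raise when an earlier step stops working. The function names, the challenge layout and `SERVER_KEY` are assumptions made for illustration.

```python
import hashlib, hmac, time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held by the recipient's C/R system

def issue_challenge(sender, msg_id, bits, now=None):
    """Stateless challenge bound to sender, held message, difficulty and issue time."""
    ts = int(now if now is not None else time.time())
    body = f"{sender}|{msg_id}|{bits}|{ts}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}|{tag}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Sender side: spend CPU until SHA-256(challenge:nonce) has enough leading zero bits."""
    bits = int(challenge.split("|")[2])
    nonce = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()) < bits:
        nonce += 1
    return nonce

def verify(challenge, nonce, sender, msg_id, max_age=86400, now=None):
    """Recipient side: one HMAC and one hash, whatever the difficulty was."""
    try:
        c_sender, c_msg, bits, ts, tag = challenge.split("|")
        bits, ts = int(bits), int(ts)
    except ValueError:
        return False  # malformed challenge
    body = f"{c_sender}|{c_msg}|{bits}|{ts}"
    expect = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expect):
        return False  # forged or altered challenge, e.g. a lowered difficulty
    if (c_sender, c_msg) != (sender, msg_id):
        return False  # solution replayed for a different sender or message
    now = int(now if now is not None else time.time())
    if now - ts > max_age:
        return False  # stale challenge
    digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
    return leading_zero_bits(digest) >= bits
```

Raising `bits` by one doubles the sender's expected work while the recipient's check stays constant, which is what lets the difficulty be stepped up only when needed.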