
Re: [Asrg] New take on emerging idea. (yet another C-R system?)

2003-04-09 23:50:38
On Wed, 9 Apr 2003 22:42:31 -0700
Brad Templeton <brad(_at_)templetons(_dot_)com> wrote:
> On Wed, Apr 09, 2003 at 08:45:32PM -0700, J C Lawrence wrote:

>> Are we sufficiently agreed that challenge/response will be a part of
>> the solution that we can move ahead on its design?

> People are free to run C/R systems.

Which doesn't answer the question.

> A system designed for widescale use should indeed follow a set of
> principles:

> a) Properly handle mailing list mail

Precedence header, or a heuristic of List-* headers, precedence header
and others?

> b) Never challenge a reply to an E-mail you sent, even if you sent it
> from elsewhere and a different account which aliases over to the real
> mailbox.

There's some ambiguity there.  Consider:

  Bubba emails Bruce and Bruce replies (the simple case).

  Bubba emails a list and several list members reply.

  Bubba emails Boffo, Boffo forwards to Bernie, and Bernie replies.

Which means:

  1) There has to be some way that transient consent is copied to the
  receiver

  2) That there needs to be some form of copy control on the consent
  token which is copied by the receiver (so that it can't be freely used
  as a get-spam-in-free token).

> c) Include protections against loops, obviously and challenging other
> challenges, autoresponses etc.

Not to belabor the obvious, but this would seem to be true for C/R
systems which use email as the transport for both directions.  I don't
see that we need to define or mandate that both the challenge and the
response need to be email-based.

> d) Provide a means to allow the user to review all their blocked mail
> (sorted by spam score) to catch the people who did not respond to the
> challenge.  Yes, these happen regularly even with simple challenges,
> and not because the other person is lazy.

While I agree as a user, that seems like an implementation choice, not a
question for a standards definition.  Certainly if we go so far as to
arrive at or give the nod to a reference implementation it wouldn't hurt
if this were present...

> e) If you don't do (d), provide some other means for anonymous mail
> and yes, mail from people with broken mailers, to make it to you.

Would this be better expressed as:

  A C/R system should provide a method for the user protected by that
  C/R system to review mail held pending a response in case the
  challenged sender is unable to respond correctly (eg due to foreign
  language or disability reasons).

I'm imagining a two fold system here:

  A challenge has standards-defined identifying characteristics which
  clearly state that it is a consent challenge.  Because of these
  characteristics mail systems can distinctly recognise challenges as
  different from other mail traffic.

  An emailed reply to a challenge can attempt to be an answer to the
  challenge, or can be an indication that there was some problem with
  the challenge.  Obviously an attempted response would be handled on
  its own merits, however a commentary on a challenge might cause the
  held message to be flagged for the receiving user's attention. eg:

    Bubba mails Boffo.

    Boffo sends Bubba a challenge.

    Bubba can't understand Boffo's challenge (he's blind).

    Bubba uses his MUA's challenge-query feature to send a
    challenge-problem reply back to Boffo.

    Boffo upon reviewing his challenge-held mail sees a message from
    Bubba which is flagged (MUA implementation detail) for his
    attention.

Of course spammers who operate MXes, or who retain use of an MX long
enough can send similar challenge query messages, but that's acceptable
at the protocol level.  We're in the realm of heuristics, and there's
nothing to say that receiving MUAs can't also provide additional hinting
heuristics in their processing of the display of challenge held messages
etc.

>> 2) Do we need to define a taxonomy of the rights and forms of consent
>> being acquired, or are we content with a simple, "I can send you
>> mail?"

> Simpler is better

Yes-ish.  I tend to think that there needs to be at least a concept of
date ranging, of a consent token being valid for only a limited period.
One possible use of such a date prevention would be partial prevention
of nefarious reuse of a consent token by others (see above forwarded
mail reply case).

>> 3) Is there more needed within the challenge/response system for spam
>> prevention other than/outside of the simple challenge response (eg
>> some sort of testimonial or contract on the basis of the responder)?

> Nope.

What about subscribing to a list?  I'm tending to think that the
subscription negotiation for a list should also establish the
appropriate consent tokens (and perhaps filtering defaults?), and if
dated consent tokens are supported, a means for refreshing consent
tokens over time.  Similarly for commercial bulk mail (of the zealous
marketing dept variety, not address harvested spam), I could easily see
legislative support for such if the mail self-identifies itself as
commercial bulk.  Lastly of course come chain letters and variations on
the Nigerian email.  Surely those should state up front that they are a
chance in a lifetime opportunity to earn millions and get the girl(s).

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw(_at_)kanga(_dot_)nu               He lived as a devil, eh?           
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
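
The message above discusses when a C/R system should refrain from challenging (principles a to c) and a date-limited consent token that survives replies from third parties. The following is an added sketch, not code from the thread or from any ASRG document, that carries the token in a signed Message-ID and checks it on replies. The `X-Consent-Challenge` header name, the key, the domain and the 14-day lifetime are all assumptions made for the example.

```python
import hashlib, hmac, re
from email import message_from_string

KEY = b"constructed-demo-key"   # assumption: secret held by the user's C/R system
DOMAIN = "example.org"          # assumption: the protected user's mail domain
TTL = 14 * 24 * 3600            # assumption: consent is valid for 14 days
CHALLENGE_HDR = "X-Consent-Challenge"  # hypothetical marker, not a defined header
TOKEN_RE = re.compile(r"<(\d+)\.(\w+)\.([0-9a-f]{20})@" + re.escape(DOMAIN) + ">")

def _mac(expiry, nonce):
    data = f"{expiry}.{nonce}".encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()[:20]

def outgoing_message_id(nonce, now):
    """Message-ID for mail the user sends; doubles as a dated consent token."""
    expiry = int(now) + TTL
    return f"<{expiry}.{nonce}.{_mac(expiry, nonce)}@{DOMAIN}>"

def reply_consent(msg, now):
    """True if the mail cites an unexpired Message-ID that we signed."""
    cited = msg.get("In-Reply-To", "") + " " + msg.get("References", "")
    for expiry, nonce, mac in TOKEN_RE.findall(cited):
        if hmac.compare_digest(mac, _mac(expiry, nonce)) and int(expiry) >= now:
            return True
    return False

def decide(raw, now):
    """Return 'accept', 'no-challenge' or 'challenge' for one inbound message."""
    msg = message_from_string(raw)
    if reply_consent(msg, now):
        return "accept"            # (b) reply to mail we sent, from any address
    if msg.get(CHALLENGE_HDR) or msg.get("Auto-Submitted", "no").lower() != "no":
        return "no-challenge"      # (c) never challenge challenges/autoresponses
    is_list = any(h.lower().startswith("list-") for h in msg.keys())
    if is_list or msg.get("Precedence", "").lower() in ("bulk", "list", "junk"):
        return "no-challenge"      # (a) list mail; hold or filter it instead
    return "challenge"

# Constructed sample: Bernie replies to a message that was forwarded to him.
NOW = 1050000000
SAMPLE = ("From: bernie@example.net\n"
          f"In-Reply-To: {outgoing_message_id('n1', NOW)}\n"
          "Subject: Re: hello\n\nbody\n")
if __name__ == "__main__":
    print(decide(SAMPLE, NOW + 3600))        # inside the validity window
    print(decide(SAMPLE, NOW + TTL + 1))     # token has expired
```

The token here is not bound to any correspondent, so anyone who has seen the Message-ID can cite it until it expires; the expiry date is the only copy control, which matches the "partial prevention" the message describes.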


