From: waltdnes(_at_)waltdnes(_dot_)org
To: ASRG list <asrg(_at_)ietf(_dot_)org>
Subject: Re: [Asrg] [Asr?g] Legal side track
Date: Wed, 16 Apr 2003 22:12:18 -0400
On Tue, Apr 15, 2003 at 08:03:43PM -0600, John Fenley wrote
> >From: waltdnes(_at_)waltdnes(_dot_)org
> > In plain English, this is an ugly/dirty war, and if you insist on
> >using Marquis of Queensbury rules against a dirty opponent who doesn't,
> >you will end up losing the war. I don't want to lose the war.
>
> Fighting cleanly is the only way to truly win.
>
> There are only 3 flaws I can find in my "clean" system now.
>
> 1. Spoofed addresses
> Spoofing addresses will only work if the spoofed address has a large
> subscriber list. That will be tough to deal with.
> 3. resistance to Challenge/Response(which i don't see as a problem)
> Once people get used to it, it will be like second nature.
The *ONLY* way it'll work will be as a pseudo-reject at the SMTP
stage, e.g. a "950 Challenge: blah, blah, blah" message, which will be
seen by legitimate senders, and replied to. If it's at the MUA level,
then innocent 3rd parties will get mailbombed. Think orders of
magnitude in excess of...
> Mar 29 04:09:20 manson filt-smtpd[15474]: DENYMAIL: (tim(_at_)mailkey(_dot_)com) ->
(waltdnes(_at_)waltdnes(_dot_)org) [217.199.183.18]
[repeated many times]
A user of my system would never even know this sort of thing was happening.
A ddos of this sort would then become another benefit to adopting the
system.
For real shits and giggles...
- Spammer somewhere on the net sends a spam "From:" a forged address
of joe(_dot_)blow(_at_)bad(_dot_)example(_dot_)com to
john(_dot_)smith(_at_)foobar(_dot_)invalid
- john(_dot_)smith(_at_)foobar(_dot_)invalid uses challenge/response. His
MUA sees a
non-whitelisted "From:" address and sends a challenge to
joe(_dot_)blow(_at_)bad(_dot_)example(_dot_)com
- joe(_dot_)blow(_at_)bad(_dot_)example(_dot_)com uses challenge/response.
His MUA sees a
non-whitelisted "From:" address and sends a challenge to
john(_dot_)smith(_at_)foobar(_dot_)invalid
- john(_dot_)smith(_at_)foobar(_dot_)invalid challenges
joe(_dot_)blow(_at_)bad(_dot_)example(_dot_)com
- joe(_dot_)blow(_at_)bad(_dot_)example(_dot_)com challenges
john(_dot_)smith(_at_)foobar(_dot_)invalid
- ...do you see the problem here ?
http://www.pontifier.com/challenge.html
As writen(not updated since the 10th though i need to) my system is not
suseptible to this sort of infinite loop.
See "when a message arrives:"
#3 Check the sender against the list of sent tests. If there is no previous
test pending completion go to #4 If there is a pending test, store the
message for delivery upon test completion. end
John Fenley
_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*
http://join.msn.com/?page=features/virus
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg