ietf-asrg

RE: [Asrg] I want spam gone by the end of the year.

2003-04-21 09:12:08
This is a tactic I have seen time and again: There is no time to do the
job properly, so the only alternative is to do things my way, MY WAY,
CAN'T YOU IDIOTS HEAR ME?? M-Y W-A-A-A-A-Y-Y-Y-Y-Y-Y!

And every time this happens with a ludicrously short time horizon, the
result is the same: years after the original deadline has passed, the
group is still nowhere and still trying to solve a problem with the same
inadequate analysis and solution.

I went to an SDMI conference in London four or five years ago; their
deadline was by Christmas... I don't think they have got any further
since.


Challenge response is not a new scheme; ask Nathaniel, he had a challenge
response on his email system years ago. Either he whitelisted me or he
has stopped using it. If the latter, perhaps he could explain why?

The problem with challenge response is that it does not eliminate spam,
it merely displaces it. Every time a message is sent to one of these
people they send out a spam.

Challenge response is simply a weak form of authentication. There are
existing known attacks that bypass it - the hijacked mailing list being
only one example. If all that is required is to reply to the challenge,
spam senders will soon adapt. If C/R became common, then so would the
counter-strategy.

There are much better forms of authentication possible that are stronger
and less intrusive to the end user, S/MIME with self-signed keys being
one. 90% of all email clients in use today have native S/MIME support;
plugins for the rest are readily available.

Even authentication on the basis of the IP address of the outgoing mail
servers is more secure than C/R. It is true that attacks exist, but they
are not as simple as those for C/R.


                Phill

Attachment: smime.p7s
Description: S/MIME cryptographic signature
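
Added example, not part of the original message: a toy Python model of a challenge-response gateway that counts the outbound challenge mail it generates and shows that answering the challenge is the only proof of identity it asks for. The class, function names and sample messages are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class CRGateway:
    """Toy C/R filter: mail from unknown senders is held until they reply."""
    whitelist: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # sender -> held message bodies
    inbox: list = field(default_factory=list)     # (sender, body) shown to the user
    outbound: list = field(default_factory=list)  # challenge mail the gateway emits

    def receive(self, sender, body):
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return
        if sender not in self.pending:            # one challenge per unknown sender
            self.outbound.append(sender)
        self.pending.setdefault(sender, []).append(body)

    def answer_challenge(self, sender):
        # A reply is the only evidence requested, so any reply whitelists the address.
        if sender in self.pending:
            self.whitelist.add(sender)
            for body in self.pending.pop(sender):
                self.inbox.append((sender, body))

def simulate(messages, responders):
    """Feed messages through a fresh gateway; senders in `responders` answer."""
    gw = CRGateway()
    for sender, body in messages:
        gw.receive(sender, body)
    for sender in list(gw.pending):
        if sender in responders:
            gw.answer_challenge(sender)
    return gw

# Constructed sample traffic: one correspondent and three bulk senders.
MESSAGES = [
    ("alice@example.org", "lunch?"),
    ("bulk1@example.net", "offer 1"),
    ("bulk2@example.net", "offer 2"),
    ("bulk3@example.net", "offer 3"),
    ("alice@example.org", "re: lunch"),
]

if __name__ == "__main__":
    quiet = simulate(MESSAGES, responders={"alice@example.org"})
    print("challenges emitted:", len(quiet.outbound), "held:", len(quiet.pending))
    adapted = simulate(MESSAGES, responders={s for s, _ in MESSAGES})
    print("delivered once every sender replies:", len(adapted.inbox))
```

With only the known correspondent replying, five inbound messages produce four outbound challenges; once every sender replies automatically, all five are delivered and later mail from those addresses passes unchallenged.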
