ietf-asrg

RE: [Asrg] Hello- and my 2 cents

2003-04-22 12:12:28
As much as challenge/response is imperfect, its burden on both
parties drops as it is used by more people.

That is not the case at all. The overhead of C/R systems on the
end users increases directly with the number of users. The more
people use those schemes the more spam I get from the people 
using them.

Understandably the folks who control the architecture are
concerned that C/R can be hacked, requires too much overhead,
learning curve, some dropped messages, etc.  However, could it
possibly make it worse?  I don't think so.

Make that huge numbers of dropped messages. Again, I don't respond
to C/R systems; I am far from unusual here. These systems predate
filters by many years. They even predate spam. Bornstein was using 
his C/R system long before spam was the problem, I seem to remember 
that it was a bozo filter to ask if the person concerned was simply

The onus at this point is for C/R proponents to demonstrate that
the response rates are acceptable,

Let's not assume that everyone is that incompetent that they
can't make this work.  And spammers don't respond and won't
respond to auth requests.  If you would like to check my logs
I'll show you.

Spam senders don't react to any countermeasure until it is 
sufficiently well deployed. So that is a bogus argument. The
issue is whether the scheme will work when it is worthwhile
to try countermeasures.

If authorization on the basis of domain name was widely used
without authentication we all agree that spam senders would
soon abuse it as a means of bypassing whitelists.

I am pretty sure that many C/R systems are foiled quite easily 
by just forging the from address so it purports to come from
a user of C/R. That will guarantee a reply to the challenge.


                Phill