> As much as challenge/response is imperfect, its burden on both
> parties drops as it is used by more people.

That is not the case at all. The overhead of C/R systems on the
end users increases directly with the number of users. The more
people use those schemes, the more spam I get from the people
using them.

> Understandably the folks who control the architecture are
> concerned that C/R can be hacked, requires too much overhead,
> learning curve, some dropped messages, etc. However, could it
> possibly make it worse? I don't think so.

Make that huge numbers of dropped messages. Again, I don't respond
to C/R systems; I am far from unusual here. These systems predate
filters by many years. They even predate spam. Bornstein was using
his C/R system long before spam was the problem. I seem to remember
that it was a bozo filter to ask if the person concerned was simply

The onus at this point is for C/R proponents to demonstrate that
the response rates are acceptable,

> Let's not assume that everyone is that incompetent that they
> can't make this work. And spammers don't respond and won't
> respond to auth requests. If you would like to check my
> logs I'll show you.

Spam senders don't react to any countermeasure until it is
sufficiently well deployed. So that is a bogus argument. The
issue is whether the scheme will work when it is worthwhile
to try countermeasures.

If authorization on the basis of domain name was widely used
without authentication we all agree that spam senders would
soon abuse it as a means of bypassing whitelists.

I am pretty sure that many C/R systems are foiled quite easily
by just forging the from address so it purports to come from
a user of C/R. That will guarantee a reply to the challenge.

Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg