Who said auth had anything to do with domain names? Coming from Verisign I
would think that you would believe in auth, since that seems to be your
company's business.
And the fact that previous C/R systems didn't work is as bogus as the
argument that failure of previous attempts to fly before the Wright Brothers
was predictive of future flying capabilities.
Not responding to authentication requests is more indicative of crankiness
than anything else. I fail to believe that users would spend more time on
auth than on spam delete activities, esp as acceptance was widespread. If
there is only one type of C/R system, yes it would be defeated by spammers.
With many types, frustrating spammer automation attempts, they might be more
successful.
I think it is clear that some people in this group think that there will be
a magic bullet for spam prevention/eradication. That's crazy. This is not
a technical problem, it is economic at its core.
Will C/R systems work perfectly at the gateway layer? Not without a great
economic (read: commercial) effort. Do they work at the individual layer
(i.e. Outlook inbox)? Absolutely.
Dave
-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Hallam-Baker, Phillip
Sent: Tuesday, April 22, 2003 2:12 PM
To: 'asrg(_at_)permissiontechnology(_dot_)com'; Hallam-Baker, Phillip; 'Murali Krishna Devarakonda'
Cc: 'ASRG @ IETF'
Subject: RE: [Asrg] Hello- and my 2 cents
> As much as challenge/response is imperfect, its burden on both parties drops
> as it is used by more people.
That is not the case at all. The overhead of C/R systems on the
end users increases directly with the number of users. The more
people use those schemes the more spam I get from the people
using them.
> Understandably the folks who control the architecture are concerned that C/R
> can be hacked, requires too much overhead, learning curve, some dropped
> messages, etc. However, could it possibly make it worse? I don't think so.
Make that huge numbers of dropped messages. Again, I don't respond
to C/R systems, I am far from unusual here. These systems predate
filters by many years. They even predate spam. Bornstein was using
his C/R system long before spam was the problem, I seem to remember
that it was a bozo filter to ask if the person concerned was simply
The onus at this point is for C/R proponents to demonstrate that
the response rates are acceptable,
> Let's not assume that everyone is that incompetent that they
> can't make this work. And spammers don't respond and won't
> respond to auth requests. If you would like to check my
> logs I'll show you.
Spam senders don't react to any countermeasure until it is
sufficiently well deployed. So that is a bogus argument. The
issue is whether the scheme will work when it is worthwhile
to try countermeasures.
If authorization on the basis of domain name was widely used
without authentication we all agree that spam senders would
soon abuse it as a means of bypassing whitelists.
I am pretty sure that many C/R systems are foiled quite easily
by just forging the from address so it purports to come from
a user of C/R. That will guarantee a reply to the challenge.
Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg