ietf-asrg

RE: [Asrg] Challenge to Challenge response

2003-04-25 20:57:16
At 10:19 PM 4/25/03 -0400, Kee Hinckley wrote:
At 1:13 PM -0700 4/25/03, scott(_at_)spamwolf(_dot_)com wrote:
On 2003-04-22 "Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:
Kee does have a good point, it is the reason that I cannot afford to use a
scheme like that. A single lost email could cost my company thousands. I
don't get enough traffic on my personal email address to be worth tracking.


There's no need to lose any email for a /count/ of false positives.
Send a challenge message, but deliver the email as if no challenge
system was in place.

True.  But I still wouldn't use it in a commercial environment.  As 
many people have said--c/r systems are annoying.  I'm not going to 
inflict that on a potential customer.


Indeed, and that probably should be tested for as well.
However the question came up, "how many people don't respond
when faced with a challenge?"  I've heard the number zero mentioned,
and I've heard people dispute that number, but I've no evidence in 
either direction.  The obvious answer IMO is to find someone who /is/ 
willing to test it, and count.  Or better still, a lot of someones.

Although I don't like challenge response as a primary defense, 
I do like it as a second line.  That is, I send you a challenge 
if and only if you fail the other spaminess tests.   
It's still annoying of course, 
but not as bad as having your email discarded silently, 
or bounced with no good recourse.  ("Sorry, your mail server's 
IP address is unacceptable.  If you want to send me email, change it...")

BTW - there is a class of people who actually would tolerate
annoying the sender as long as they could ensure a near 0 false 
negative rate - parents.  No, I'm not suggesting that we change
the internet to appease them, just pointing out that there's a 
diversity of opinions on what's acceptable and what isn't.


If you are going to run a test, I would like to test a lot of systems,
not just challenge response.  For example, recording whether the
incoming email uses pipelining, whether the rDNS is "correct",
whether the IP is listed on blacklist(s), whether the envelope
from is valid, and pretty much any other data that you can think

Detecting pipelining is presumably going to require software changes. 
For the envelope from and the rDNS; what do you mean by "correct"?


Some people check if the rDNS matches the field given in HELO.
(supposedly, a large amount of spam comes from IPs that don't have 
rDNS at all)  That's what I meant by "correct" rDNS.

I expect that challenge response would also require a number of
software changes.  Even if all you do is install TMDA, it's going
to take some real work.  I think the software changes are trivial
compared with finding willing test subjects, but then I've already
written a lot of this stuff, so maybe I'm a bad test point.


Scott Nelson <scott(_at_)spamwolf(_dot_)com>
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
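
The measurement discussed in this thread, as an added example that is not part of the original message: each inbound session is recorded with its rDNS-versus-HELO result, blacklist status and envelope-from validity, a challenge is sent only when one of those tests fails, mail is delivered either way, and unanswered challenges are counted. All names, the sample sessions and the "one failed test triggers a challenge" threshold are assumptions; PTR lookups are represented by constructed values so the code runs offline.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    """Facts logged for one inbound SMTP session."""
    helo: str                        # name the client gave in HELO
    ptr: Optional[str]               # rDNS (PTR) name of the client IP, None if absent
    blacklisted: bool                # client IP is on a blacklist
    env_from_ok: bool                # envelope-from passed the validity test in use
    answered: Optional[bool] = None  # challenge outcome, if a challenge was sent

def norm(name: str) -> str:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower()

def rdns_status(s: Session) -> str:
    """Return 'none', 'match' or 'mismatch' for rDNS compared with HELO."""
    if not s.ptr:
        return "none"
    return "match" if norm(s.ptr) == norm(s.helo) else "mismatch"

def failed_tests(s: Session) -> list:
    failed = []
    if rdns_status(s) != "match":
        failed.append("rdns")
    if s.blacklisted:
        failed.append("blacklist")
    if not s.env_from_ok:
        failed.append("envelope_from")
    return failed

def should_challenge(s: Session) -> bool:
    # Assumption: one failed test is enough to trigger the second-line challenge.
    return bool(failed_tests(s))

def tally(sessions) -> dict:
    """Count challenges sent and answered; every message is delivered regardless."""
    sent = [s for s in sessions if should_challenge(s)]
    answered = sum(1 for s in sent if s.answered)
    return {"total": len(sessions), "challenged": len(sent),
            "answered": answered, "unanswered": len(sent) - answered}

# Constructed sample sessions (documentation names and addresses only).
SAMPLE = [
    Session("mail.example.org", "mail.example.org.", False, True),
    Session("MAIL.Example.net", "mail.example.net", False, True),
    Session("[192.0.2.7]", None, True, False, answered=False),
    Session("smtp.example.com", "host7.pool.example.com", False, True, answered=True),
]
```

Calling `tally(SAMPLE)` gives the per-run counts; `failed_tests()` shows which signal caused each challenge, which is the breakdown needed to compare the tests against each other.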


