I do something that superficially resembles Challenge/Response, but I
think it's a lot better <g>. First some definitions...
1) Whitelist - a list of IP addresses, email addresses, rDNS,
whatever, from which I unconditionally accept email. This is a small
portion of the internet.
2) Blacklist - a list of IP addresses, email addresses, rDNS,
whatever, which I block at the smtp stage. This is a small portion of
the internet.
3) Greylist - the vast majority of the internet that doesn't fall
into either 1) or 2) above.
What many Challenge/Response systems do wrong...
1) They function at the MUA stage. Both the "From:" address, and the
"MAIL FROM" greeting can be forged by spammers. This ends up
contributing to DDOS attacks on innocent 3rd-parties whose email
addresses are forged by spammers as the originating address.
2) They challenge everybody who is not on a small whitelist, as a
matter of principle.
How I handle things differently...
- I use SMTP-stage blocking (i.e. during the SMTP transaction). ISPs
that implement end-user-configurable filters at the SMTP transaction are
few and far between, but I've got an account at one. Email that I don't
accept gets a 550 message back to the sending MTA, not a bounce message
to a possibly forged address.
- The 550 message (with very few exceptions) contains "If yours was a
legitimate email, see http://..." which points to a webpage of mine that
lists a temporary unfiltered email address that I create especially for
the purpose of bypassing my filters. Most spammers don't read their
reject messages; in fact the ones who send via compromised/hijacked
3rd-party machines don't even see the reject message.
- My philosophical difference with most Challenge/Response systems is
that I view C/R as a safety net for handling a small amount of
collateral damage (aka "false positives") from my blocklist rules,
whereas traditional C/R systems apply C/R to everyone who is not part of
a small whitelist. In practice, that translates into me not blocking my
Greylist, i.e. the vast majority of the internet which I do not have
reason to believe has a high spam-to-legitimate-email ratio. My C/R
is only applied to areas from which I get a lot of spam. Thus, I can do
aggressive blocking; people who want to get through to me still can; and
my use of C/R is very limited.
--
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
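
Added example, not part of the original post: a sketch of the SMTP-stage decision described above, where only blacklisted sources get a 550 carrying the pointer URL and the greylist is accepted. All list entries, the bypass address and the URL are constructed placeholders (the post elides the real URL), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample policy (documentation IP ranges and example domains only).
WHITELIST = {"nets": ["192.0.2.0/24"], "senders": {"friend@example.org"}, "rdns": []}
BLACKLIST = {"nets": ["203.0.113.0/24"], "senders": set(),
             "rdns": [".dialup.example.net"]}
BYPASS_RCPT = "temp-bypass@example.com"      # hypothetical temporary unfiltered address
HELP_URL = "http://www.example.com/blocked"  # placeholder for the elided "http://..."


def _matches(entry, ip, rdns, mail_from):
    """True if the connecting host or the envelope sender is on the given list."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in entry["nets"]):
        return True
    if mail_from.lower() in entry["senders"]:
        return True
    # Prefix a dot so ".dialup.example.net" matches whole labels only.
    host = "." + rdns.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in entry["rdns"])


def smtp_decision(ip, rdns, mail_from, rcpt_to):
    """Return (code, text) for the sending MTA, decided during the SMTP transaction."""
    if rcpt_to.lower() == BYPASS_RCPT:
        return 250, "OK"  # the temporary address bypasses every filter
    if _matches(WHITELIST, ip, rdns, mail_from):
        return 250, "OK"  # unconditionally accepted
    if _matches(BLACKLIST, ip, rdns, mail_from):
        # The refusal goes to the connecting MTA, so no bounce is ever
        # generated toward a possibly forged MAIL FROM address.
        return 550, ("Rejected by local policy. "
                     f"If yours was a legitimate email, see {HELP_URL}")
    return 250, "OK"  # greylist: everything not listed is accepted


if __name__ == "__main__":
    for case in [("203.0.113.7", "", "a@example.net", "me@example.com"),
                 ("203.0.113.7", "", "a@example.net", BYPASS_RCPT),
                 ("198.51.100.9", "mail.example.net", "b@example.net", "me@example.com")]:
        print(case, "->", smtp_decision(*case))
```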