
RE: [Asrg] C/R Thoughts: Take 1

2003-05-13 11:57:26
At 10:05 PM 5/12/2003 -0400, Eric Dean wrote:

> However, one problem with C/R systems is that spammers do not currently
> have an incentive to break them since there are many other ways to send
> spam. If C/R systems become wide spread, spammers will have an
> incentive to
> attack them and perhaps (gasp) even manage to break them.

Well, we better build something they can't break. There are many, many
smart people on this list that can surely put something together over time.

> How would a whitelist handle mailing lists? What about automated computer
> programs that notify users, like Ebay's auction bots? And what about
> anonymous email, if C/R is implemented everywhere, can anyone send
> anonymous email anymore? What about opt-in email that the receiver forgot
> about the original opt-in? And email that is sent from different email
> addresses every time (like some mailing lists)?

All of these are important tactical issues. Any more?

What is the intent of a C/R system? Is it merely to double-check the sender's email address to make sure it is working and valid, or is it also to make sure that the sender is a human being and not a computer? If it is only the first, that we are trying to make sure that the sender has a valid email address, then it might make sense to develop an automated C/R protocol that can be used by email clients and senders' MTAs to reply to the challenge. This will take care of issues like dealing with lists, automated bots and anonymous remailers - the list server will simply reply to the response via this automated protocol. It will also hide the C/R process from users. The obvious flaw is that the spammer will use it too - but they will have to use a valid email address to do it, or own their own MTA and domain (which is not a problem since we already see spammers owning name servers). However, if the intent of C/R systems is to make sure that the sender is human, then it essentially must perform a Turing test. Current techniques include using specially coded graphic images, etc.

I personally think that the intent of the C/R systems is to make sure that the originating email is valid. Thus it would make sense to have an automatic protocol for verification which can be utilized by systems to do so. This way we will undo one of the problems that the open nature of the Internet currently has - lack of checking who sent email - without disabling the ability for machines to send emails. I don't think we should be seeking to create systems that verify whether the sender is human since the Net is full of computers sending email too - many of which are very useful and are not spammers.

One way to implement this automated C/R protocol is by using headers similar to the "return receipt" feature defined in RFCs 1894 and 2298.

Yakov



---------------------------------------------------------------------------------------------------
Yakov Shafranovich / <research(_at_)solidmatrix(_dot_)com>
SolidMatrix Research, a division of SolidMatrix Technologies, Inc.
---------------------------------------------------------------------------------------------------
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)
---------------------------------------------------------------------------------------------------
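The automated challenge/response exchange the post sketches, as an added example that is not part of Yakov's message or of any ASRG proposal. Both sides are shown: the receiver mails a challenge carrying a token, the sender's MTA or list server echoes it back without a human, and the receiver releases the held message only if the token verifies. The header names (X-CR-Challenge, X-CR-Response), the addresses and the sample message are constructed for the example; the stateless HMAC token binding the challenge to the claimed sender, the original Message-ID and an issue time is my design choice, not something the post specifies. It also illustrates the flaw the post concedes: anything that can receive mail at the address it sent from, spammer included, can answer.

```python
import hashlib
import hmac
import time
from email.message import EmailMessage
from email.utils import make_msgid, parseaddr
from typing import Optional

# Hypothetical header names for the automated exchange (assumed, not from any RFC).
CHALLENGE_HDR = "X-CR-Challenge"
RESPONSE_HDR = "X-CR-Response"
TOKEN_TTL = 3 * 24 * 3600  # challenges expire after 3 days, roughly a bounce retry window


def _mac(secret: bytes, sender: str, msgid: str, issued: int) -> str:
    """MAC binding the token to the claimed sender, the held message and the issue time."""
    data = f"{sender.lower()}|{msgid}|{issued}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def constructed_original() -> EmailMessage:
    """A constructed list posting that the receiver will hold pending a response."""
    msg = EmailMessage()
    msg["From"] = "list-bounces@lists.example.net"   # constructed list server address
    msg["To"] = "subscriber@example.org"
    msg["Subject"] = "[example-list] digest"
    msg["Message-ID"] = "<digest-0001@lists.example.net>"
    msg.set_content("Constructed list traffic.")
    return msg


def make_challenge(secret: bytes, original: EmailMessage) -> EmailMessage:
    """Receiver side: hold `original` and mail a challenge back to its sender.

    The token is stateless: the receiver keeps no table of pending challenges,
    because the MAC lets it recognise its own token when it comes back.
    """
    sender = parseaddr(original["From"])[1]
    msgid = original["Message-ID"]
    issued = int(time.time())
    token = f"{issued}:{_mac(secret, sender, msgid, issued)}"

    ch = EmailMessage()
    ch["From"] = "challenge-daemon@example.org"   # constructed receiver address
    ch["To"] = sender
    ch["Subject"] = "Confirm your message"
    ch["In-Reply-To"] = msgid
    ch["Message-ID"] = make_msgid(domain="example.org")
    ch[CHALLENGE_HDR] = token
    ch.set_content("Your message is held; a compliant MTA answers this automatically.")
    return ch


def auto_respond(challenge: EmailMessage) -> EmailMessage:
    """Sender side (MTA, list server or bot): answer the challenge with no human involved.

    This is the automation the post argues for, and also its conceded flaw:
    whoever actually receives mail at the challenged address can echo the token.
    """
    resp = EmailMessage()
    resp["From"] = challenge["To"]
    resp["To"] = challenge["From"]
    resp["Subject"] = "Re: " + challenge["Subject"]
    resp["In-Reply-To"] = challenge["Message-ID"]
    resp["References"] = challenge["In-Reply-To"]   # Message-ID of the held message
    resp[RESPONSE_HDR] = challenge[CHALLENGE_HDR]
    resp.set_content("Automated challenge response.")
    return resp


def verify_response(secret: bytes, response: EmailMessage, now: Optional[int] = None) -> bool:
    """Receiver side: release the held message only if the echoed token is genuine,
    unexpired, and returned from the address the original claimed.

    A real MTA would bind to the envelope sender (Return-Path) rather than the
    From header; the header is used here only because the example has no envelope.
    """
    token = response.get(RESPONSE_HDR, "")
    msgid = response.get("References", "")
    sender = parseaddr(response.get("From", ""))[1]
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if not 0 <= now - issued <= TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(secret, sender, msgid, issued))


if __name__ == "__main__":
    secret = b"receiver-side secret, never sent on the wire"
    challenge = make_challenge(secret, constructed_original())
    response = auto_respond(challenge)
    print("released" if verify_response(secret, response) else "still held")
```

Note that the check deliberately verifies only that the claimed address can receive and answer mail; it says nothing about whether a human is behind it, which is exactly the scope the post argues a C/R system should have.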
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg