we went over this terrain in the camram project a couple of years
ago. Anytime
you make a response something that can be auto responded to, you
create a hole
for spammers. one thing I believe to be very important is a list
of signatures
for messages recently sent and the challenge should contain a
matching signature
for the message it is challenging. That way, when the challenge
is handled, the
mail user agent can verify that the client really did send a message the
challenge was returned for by matching signature and destination address.
Well...what I'm thinking would allow for both. I'm in the midst of writing
this up. But we should support both an automated method of challenge
response verification as well as a manual method handled by the user. In
this manner we would eliminate a certain type of spam..that which is forged.
Other types of spam would get handled in a different manner.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg