At 02:59 PM 5/15/2003 -0600, Vernon Schryver wrote:
> From: Yakov Shafranovich <research(_at_)solidmatrix(_dot_)com>
> ...
> >ok..well should we try to identify those methods, or should we just say
> >"don't challenge lists"?
>
> If an automated protocol for C/R is in place, why shouldn't we challenge
> lists? If the list software supports the protocol, it will respond to the
> challenge automatically. ...

Is that a joke? I guess not.
What is the real goal of a C/R system? I thought it had something to do
with reducing "spam." How does spam differ from any other bulk mail
except in whether it is solicited?

Actually it's not a joke. As outlined in Eric's C/R draft:
"This document proposes the use of MIME experimental content-type values
for automated C/R control at either the server or client software
level. In addition, this document proposes a C/R method that requires user
manual intervention with existing mail systems and clients that may not be
compatible with automated C/R methods."
There are two separate things here - an automated protocol and some
guidelines. The primary intent of C/R is to make sure that email comes from
a valid email address. As pointed out prior on the list
(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg04700.html):
>> "What is the intent of a C/R system? Is it merely to double-check the
>> sender's email address to make sure it is working and valid, or is it
>> also to make sure that the sender is a human being and not a computer?
>> If it is only the first, that we are trying to make sure that the
>> sender has a valid email address, then it might make sense to develop
>> an automated C/R protocol that can be used by email clients and
>> senders' MTAs to reply to the challenge. This will take care of issues
>> like dealing with lists, automated bots and anonymous remailers - the
>> list server will simply reply to the response via this automated
>> protocol. It will also hide the C/R process from users. The obvious
>> flaw is that the spammer will use it too - but they will have to use a
>> valid email address to do it, or own their own MTA and domain (which
>> is not a problem since we already see spammers owning name servers).
>> However, if the intent of C/R systems is to make sure that the sender
>> is human, then it essentially must perform a Turing test. Current
>> techniques include using specially coded graphic images, etc."

Making Turing tests would be highly impractical. Even now, TDMA and
MailCircuit systems do not use them, instead a simple reply to any
challenge message will verify the sender. However, in the last two years
according to MailCircuit only 4 spammers did so.
Yakov
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg