ietf-asrg

[Asrg] RE: TitanKey and "white lies"... (Faking SMTP hard errors "improves" C/R utility?)

2003-05-29 12:45:00
You raise a really good point: do we break SMTP compliance by lying?  

We think that the fact that SMTP tells the truth is the heart of all the
spam problems in the first place.

Peter

-----Original Message-----
From: Bob Wyman [mailto:bob(_at_)wyman(_dot_)us] 
Sent: Thursday, May 29, 2003 9:35 AM
To: Peter Kay
Subject: FW: TitanKey and "white lies"... (Faking SMTP hard 
errors "improves" C/R utility?)




-----Original Message-----
From: Bob Wyman [mailto:bob(_at_)wyman(_dot_)us] 
Sent: Thursday, May 29, 2003 3:19 PM
To: 'Peter Kay'; 'asrg(_at_)ietf(_dot_)org'
Subject: TitanKey and "white lies"... (Faking SMTP hard 
errors "improves" C/R utility?)


TitanKey (mentioned by Peter Kay, its President, in an 
earlier mail concerning IPR) seems to be employing a slight 
twist on the Challenge and Response process that is commonly 
used by many others. (see: http://www.titankey.com/)
      While the process of generating challenges in response 
to "unknown" senders is normal, TitanKey claims that they do 
something unique in that in addition to the challenge mail, 
they also respond to the original mail by issuing a permanent 
"user unknown" SMTP error. They have filed at least one 
patent application for this process.
      TitanKey claims that this tiny modification to normal 
C/R procedure results in a "massive" improvement in the 
utility of challenge and response systems since spamming 
software won't be able to distinguish between real "user 
unknown" errors and the fake ones issued by TitanKey. Since 
spamming programs typically respond to a permanent SMTP error 
by removing that email address from the list of active 
emails, you shouldn't ever receive more than one email from 
any one spammer... Given that the "reply-to" addresses used 
by spammers are usually false, the spammer will never see the 
challenge message which is sent after the SMTP error is 
generated, thus, they can't do any analysis of the challenges 
to determine which "user unknown" errors were "faked" and 
which were real. 
      Whether or not this works, it is somewhat disquieting 
to think that the "solution" to the problem is to have our 
servers violate the SMTP protocol by sending false status 
codes. (Note: This would seem to call into question the claim 
on the TitanKey website that "The Titan Key follows all SMTP 
standards.") On the other hand, if it works, it works...
      Should we add "prevaricating servers" as one of the 
methods in the taxonomy of potential solutions? I can imagine 
the marketing slogans now: "My server lies. Does yours?" Or, 
"Our server lies better than yours does." "Honesty will get 
you nowhere..."

              bob wyman

Note: You can find the TitanKey patent online at: 
http://l2.espacenet.com/espacenet/viewer?PN=WO0116695&CY=ep&LG=en&DB=EPD
Click on the link at "Requested Patent" to see the images.





_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
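
Added example (not part of the original messages and not TitanKey's code): a minimal Python model of the recipient-side decision described in the thread, showing that the faked and the genuine "user unknown" replies are identical on the wire while the challenge travels separately. The reply strings, the addresses, and the choice to reject at RCPT TO (so an approved sender has to resend) are assumptions.

```python
# Added illustration; names, addresses and reply text are constructed.
from dataclasses import dataclass, field

USER_UNKNOWN = "550 5.1.1 User unknown"  # permanent failure (assumed wording)
ACCEPTED = "250 2.1.5 OK"

@dataclass
class Gateway:
    mailboxes: set                                  # addresses that really exist
    approved: dict = field(default_factory=dict)    # mailbox -> senders who answered
    challenges: list = field(default_factory=list)  # outbound challenge queue

    def rcpt_to(self, mail_from, rcpt):
        """Return the SMTP reply to RCPT TO; may queue a challenge as a side effect."""
        if rcpt not in self.mailboxes:
            return USER_UNKNOWN                     # genuine error, no challenge
        if mail_from in self.approved.get(rcpt, set()):
            return ACCEPTED
        # Real mailbox, unknown sender: same permanent error on the wire,
        # plus a challenge mailed to the (possibly forged) envelope sender.
        self.challenges.append((mail_from, rcpt))
        return USER_UNKNOWN

    def answer_challenge(self, mail_from, rcpt):
        """Record that mail_from completed the challenge for rcpt."""
        self.approved.setdefault(rcpt, set()).add(mail_from)

def prune_list(gateway, mail_from, targets):
    """List cleaning as described in the thread: drop addresses that return 5xx."""
    return [t for t in targets
            if not gateway.rcpt_to(mail_from, t).startswith("5")]

def demo():
    gw = Gateway(mailboxes={"alice@example.org"})
    faked = gw.rcpt_to("bob@example.com", "alice@example.org")     # real mailbox
    genuine = gw.rcpt_to("bob@example.com", "nobody@example.org")  # no such mailbox
    # A bulk sender with a forged envelope address cleans its list on 5xx.
    kept = prune_list(gw, "bulk@example.net",
                      ["alice@example.org", "nobody@example.org"])
    gw.answer_challenge("bob@example.com", "alice@example.org")
    retry = gw.rcpt_to("bob@example.com", "alice@example.org")
    return faked, genuine, kept, retry, gw.challenges

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The only observable difference between the two rejections is the queued challenge, which goes to the envelope sender rather than back over the SMTP session; that is also why the 550 for an existing mailbox is the "false status code" the thread debates.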