You raise a really good point: do we break SMTP compliance by lying?
We think that the fact that SMTP tells the truth is the heart of all the
spam problems in the first place.
Peter
-----Original Message-----
From: Bob Wyman [mailto:bob(_at_)wyman(_dot_)us]
Sent: Thursday, May 29, 2003 9:35 AM
To: Peter Kay
Subject: FW: TitanKey and "white lies"... (Faking SMTP hard
errors "improves" C/R utility?)
-----Original Message-----
From: Bob Wyman [mailto:bob(_at_)wyman(_dot_)us]
Sent: Thursday, May 29, 2003 3:19 PM
To: 'Peter Kay'; 'asrg(_at_)ietf(_dot_)org'
Subject: TitanKey and "white lies"... (Faking SMTP hard
errors "improves" C/R utility?)
TitanKey (mentioned by Peter Kay, it's President in an
earlier mail concerning IPR) seems to be employing a slight
twist on the Challenge and Response process that is commonly
used by many others. (see:
http://www.titankey.com/)
While the process of generating challenges in response
to "unknown" senders is normal, TitanKey claims that they do
something unique in that in addition to the challenge mail,
they also respond to the original mail by issuing a permanent
"user unknown" SMTP error. They have filed at least one
patent application for this process.
TitanKey claims that this tiny modification to normal
C/R procedure results in a "massive" improvement in the
utility of challenge and response systems since spamming
software won't be able to distinguish between real "user
unknown" errors and the fake ones issued by TitanKey. Since
spamming programs typically respond to a permanent SMTP error
by removing that email address from the list of active
emails, you shouldn't ever receive more than one email from
any one spammer... Given that the "reply-to" addresses used
by spammers are usually false, the spammer will never see the
challenge message which is sent after the SMTP error is
generated, thus, they can't do any analysis of the challenges
to determine which "user unknown" errors were "faked" and
which were real.
Whether or not this works, it is somewhat disquieting
to think that the "solution" to the problem is to have our
servers violate the SMTP protocol by sending false status
codes. (Note: This would seem to call into question the claim
on the TitanKey website that "The Titan Key follows all SMTP
standards.") On the other hand, if it works, it works...
Should we add "prevaricating servers" as one of the
methods in the taxonomy of potential solutions? I can imagine
the marketing slogans
now: "My server lies. Does yours?" Or, "Our server lies
better than yours does." "Honesty will get you nowhere..."
bob wyman
Note: You can find the TitanKey patent online at:
http://l2.espacenet.com/espacenet/viewer?PN=WO0116695&CY=ep&LG
=en&DB=EPD
Click on the link at "Requested Patent" to see the images.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg