On Friday, May 30, 2003, at 18:11 US/Eastern, Barry Shein wrote:
> I'll answer such inquiries, a quick check on google would probably
> confirm I've answered many thousand such queries, but I think if I
> were then confronted with a C/R requiring me to go web site etc I'd
> say "good luck buddy!"
> Most of my point really was the web addr which can often mean firing
> up a browser etc. If it were just a matter of responding in e-mail I'd
> be more inclined to respond.
Let me understand how this TitanKey system is supposed to work...
1. I send mail to Joe Smith.
2. I get a bounce message saying that there's no Joe Smith account, and
that my e-mail wasn't delivered. I delete it immediately, of course.
3. I get an e-mail claiming to be from Joe Smith, saying that I need to
go read a web page to get permission to send him e-mail. The web URL
presumably has some information encoded in it.
4. I remember that Joe Smith was actually someone I tried to e-mail, and
I don't bin the challenge immediately.
5. I go visit the web page.
It seems to me that the assumptions in steps 3 & 5 are a major problem,
because users are well aware that (a) clicking on encoded URLs is one
of the tricks spammers use to verify your e-mail address, resulting in
your getting more spam; and (b) that spammers and worms often use the
e-mail addresses of your friends in the From: field to try and persuade
you to read and respond to their spam.
As far as step 4 goes, I'll be generous and assume I'm the only person
who doesn't remember the e-mail addresses of everyone he sends mail to.
There's also the question of whether TitanKey saves a copy of all the
e-mail it sends 550 responses to. If it does, then you're basically
using up as much disk space and bandwidth as just delivering the spam.
If it doesn't, then you're expecting the sender to go find a copy of
the e-mail he tried to send--assuming he kept a copy--and send it
again. I find it very hard to believe anyone would really jump through
a hoop *that* high.
Now, I may be wrong, so what if users *are* prepared to go visit a web
site in response to a challenge from a C/R system? In that case, I give
it about a week before we start seeing spam that's a verbatim copy of
the TitanKey C/R text, followed by a URL which redirects to a porn
site. Users learn to associate C/R system challenges with porn spam, or
(even worse) their Bayesian spam filter recognizes the cloaked URL and
learns to filter out challenges automatically.
In fact, a similar problem applies to any other C/R system--inevitably
we'll see spammers sending fake C/R challenges as a means of obtaining
confirmed e-mail addresses.
mathew
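The fake-challenge risk mathew describes in steps 3-5 and in his closing paragraph suggests a receiver-side check: before trusting a C/R challenge, confirm that you actually mailed the claimed sender and that the challenge URL sits under that sender's own domain. The following is an added illustration written for this page, not code from the thread or from TitanKey; the outbound-mail log and the three sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed stand-in for the user's own outbound-mail log (hypothetical):
# the addresses this user actually sent mail to recently.
SENT_LOG = {"joe.smith@example.org", "alice@example.net"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_challenge(raw_message, sent_log=SENT_LOG):
    """Return ('expected' | 'suspect' | 'not-a-challenge', reasons).
    'expected' requires (1) a record of mail sent to the claimed sender and
    (2) every URL in the body under the sender's domain; anything else looks
    like an address-harvesting probe or a spoofed-From message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = URL_RE.findall(body)
    if not urls:
        return "not-a-challenge", []
    reasons = []
    if sender not in sent_log:
        reasons.append("no record of mail sent to %s" % sender)
    domain = sender.rsplit("@", 1)[-1]
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            reasons.append("URL host %s is not under %s" % (host, domain))
    return ("expected" if not reasons else "suspect"), reasons


# Constructed sample messages (not real traffic).
GENUINE = """From: Joe Smith <joe.smith@example.org>
Subject: Please confirm your message

Visit https://cr.example.org/confirm?id=abc123 to have your mail delivered.
"""
SPOOFED_FROM = """From: Joe Smith <joe.smith@example.org>
Subject: Please confirm your message

Visit http://click.tracker.example/go?u=9f2 to have your mail delivered.
"""
UNKNOWN_SENDER = """From: Pat <pat@unknown.example>
Subject: Please confirm your message

Visit https://unknown.example/confirm?id=777 to have your mail delivered.
"""
```

Run with `for m in (GENUINE, SPOOFED_FROM, UNKNOWN_SENDER): print(classify_challenge(m))` to see one expected challenge and two flagged ones.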
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg