ietf-asrg

Re: [Asrg] Re: TitanKey and "white lies"... (Faking SMTP hard errors "improves" C/R utility?)

2003-06-01 19:12:33
From: mathew <meta(_at_)pobox(_dot_)com>

...
As far as step 4 goes, I'll be generous and assume I'm the only person 
who doesn't remember the e-mail addresses of everyone he sends mail to.

I also forget, even when the message was sent to a single person.
Then there are the cases when I'm doing a "reply-all" to a message
from a stranger who sent copies to half a dozen colleagues.

This problem applies to all of the C/R systems I've seen described, except
those that assume that software on 100,000,000 desktops is upgraded first.

...
Now, I may be wrong, so what if users *are* prepared to go visit a web 
site in response to a challenge from a C/R system? In that case, I give 
it about a week before we start seeing spam that's a verbatim copy of 
the TitanKey C/R text, followed by a URL which redirects to a porn 
site. Users learn to associate C/R system challenges with porn spam, or 

This also applies to all C/R systems that don't assume both sender
and receiver are running new, as yet unspecified (not to mention not
designed or written) software.

(even worse) their Bayesian spam filter recognizes the cloaked URL and 
learns to filter out challenges automatically.

Why is that worse?  Many people will expect their Bayesian or
other filters such as SpamAssassin to recognize the "please click
or respond" boilerplate of a challenge as likely junk.

C/R advocates will tell me I'm being nasty and negative, but others
should consider the numbers.  Assume a C/R system becomes popular.
Spammers will then imitate C/R "click or respond" boilerplate just as
they now blather about imaginary laws.  Some spammers will honestly
think that sending a "click or respond" challenge is a legitimate
"confirmed opt-out subscription" mechanism and have software that does
something with responses.  As soon as you have responded to the challenges
of your regular correspondents (or whitelisted them), most of the
challenge boilerplate you'll receive will be spam.  If you don't have
any ego or money invested in the C/R system, what will you do?  Why
won't you tune your filters to reject mail that looks like
challenges even if that wrecks the C/R system for you?

Some C/R advocates will tell me I'm stupid as well as negative and that
challenges will be easily distinguished from the fakes by some means.
I'll respond that if that were possible, we could apply the same means to
ordinary mail and skip the whole challenge/response hassle.


In fact, a similar problem applies to any other C/R system--inevitably 
we'll see spammers sending fake C/R challenges as a means of obtaining 
confirmed e-mail addresses.

Let's not over-generalize.  Just as not all spammers honor the
550-unknown-user SMTP status (and the question whether most do or not
is meaningless), some spammers won't be using C/R fakery to clean their
lists but will simply be capturing "eyeballs."


The fundamental problem with C/R systems is the same as with most
proposed spam solutions.  It is that their advocates assume that mail
recipients, spammers, and legitimate senders are just like the people
advocating the proposal.  There is an oddly consistent refusal of
advocates to play devil's advocate against their own proposals.  People
assume that everyone, spammers as well as the general public, will go
against individual self-interest to make the proposal work.  No one
seems to have ever heard of Murphy or to know that Murphy was an optimist,
because the other guys are actively looking for ways to bend the system.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
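The failure mode argued above (a per-user Bayesian filter learning to reject genuine C/R challenges once the only remaining "click or respond" boilerplate in the mailbox is spam) can be reproduced with a few lines of code. What follows is an added example written for this page, not code from the ASRG thread, from TitanKey, or from any C/R product. It implements a Graham-style token-presence naive Bayes filter; every training message, the challenge wording, and the example.invalid URLs are constructed for illustration and are not real spam or real TitanKey text.

```python
"""Added example, not from the ASRG thread or any C/R product: a small
Graham-style Bayesian filter trained on a mailbox in the state Schryver
describes, where regular correspondents are already whitelisted and most
remaining "click or respond" boilerplate is spam.  Every message below is
constructed for illustration; the challenge wording and example.invalid
URLs are invented and are not TitanKey's text."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word tokens as a set: the filter scores token presence."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Naive Bayes over token presence with add-one (Laplace) smoothing."""

    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}
        self.tokens = {"spam": Counter(), "ham": Counter()}

    def train(self, text, label):
        self.docs[label] += 1
        self.tokens[label].update(tokenize(text))

    def spam_probability(self, text):
        """P(spam | tokens in text), accumulated as log-odds to avoid underflow."""
        if not (self.docs["spam"] and self.docs["ham"]):
            raise ValueError("need at least one spam and one ham example")
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])  # class prior
        for tok in tokenize(text):
            p_spam = (self.tokens["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.tokens["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        if log_odds < -700:  # exp() would overflow; the answer is ~0 anyway
            return 0.0
        return 1.0 / (1.0 + math.exp(-log_odds))


# Constructed training mailbox.  Ham: notes from whitelisted colleagues,
# which carry no challenge boilerplate because they were whitelisted long
# ago.  Spam: two fakes imitating a C/R challenge plus ordinary junk.
HAM = [
    "Meeting moved to Thursday, bring the draft of the IETF document.",
    "Thanks for the patch, I merged it into the tree last night.",
    "Can you review the ASRG minutes before I send them to the list?",
    "Dinner at seven? The usual place near the office.",
]
SPAM = [
    "Your message was held. To confirm you are a real person please click "
    "the link below and verify your address: http://example.invalid/confirm",
    "Challenge: this mailbox uses a verification system. Click to confirm "
    "delivery of your message and verify you are human. "
    "http://example.invalid/verify",
    "Cheap meds online! Click here now and save.",
    "Work from home and earn money fast, click the link.",
]

# A genuine challenge from a stranger's C/R system (constructed wording).
GENUINE_CHALLENGE = (
    "This is an automated challenge from a mail filtering system. Your "
    "message to alice has been held. Please click the link to confirm you "
    "are a real person and verify your address. "
    "http://example.invalid/challenge"
)
COLLEAGUE_NOTE = "Can you send me the draft before the meeting?"


def train_filter():
    f = BayesFilter()
    for text in HAM:
        f.train(text, "ham")
    for text in SPAM:
        f.train(text, "spam")
    return f


def classify_examples():
    """Return spam probabilities for the genuine challenge and a ham note."""
    f = train_filter()
    return {
        "genuine_challenge": f.spam_probability(GENUINE_CHALLENGE),
        "colleague_note": f.spam_probability(COLLEAGUE_NOTE),
    }


if __name__ == "__main__":
    for name, p in classify_examples().items():
        print(f"{name}: P(spam) = {p:.4f} -> {'SPAM' if p > 0.5 else 'ham'}")
```

The genuine challenge shares almost every distinguishing token ("click", "confirm", "verify", "held", "real person", the URL) with the two fakes and none with the whitelisted ham, so the filter scores it as spam with near certainty while the colleague's note stays ham. Nothing in the challenge text lets the filter tell it from the imitation, which is the point of the "if that were possible, we could apply the same means to ordinary mail" reply above.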