
Re: [Asrg] Re: TitanKey and "white lies"... (Faking SMTP hard errors "improves" C/R utility?)

2003-06-01 23:12:47
At 06:21 PM 6/1/03 -0400, mathew wrote:
[edited]

Now, I may be wrong, so what if users *are* prepared to go visit a web 
site in response to a challenge from a C/R system? In that case, I give 
it about a week before we start seeing spam that's a verbatim copy of 
the TitanKey C/R text, followed by a URL which redirects to a porn 
site. Users learn to associate C/R system challenges with porn spam, or 
(even worse) their Bayesian spam filter recognizes the cloaked URL and 
learns to filter out challenges automatically.

In fact, a similar problem applies to any other C/R system--inevitably 
we'll see spammers sending fake C/R challenges as a means of obtaining 
confirmed e-mail addresses.


It's probably true of most systems in use, but any?  
Never use absolutes, they will always get you into trouble.

Suppose that all challenges included the Message-Id: of the 
quarantined message in its In-Reply-To: and/or References: header.
(like all DSNs should - grrr)

Then as long as mail clients can recognize message-ids they've created,
it's a simple matter to accept any you've generated, and discard any
that you haven't.  (Handy for those forged return address bounces too.)

If you're worried that spammers will start forging plausible ids 
for their In-Reply-To: headers, or that it's too hard for your computer
to remember a few thousand IDs, here's a simple way to create them.
id = "UTC.N@" . md5sum(UTC, N, domain, secret);
where N doesn't repeat in one second intervals (PID is traditional),
and secret is several high quality random bits (say, 16 bytes worth).

That still leaves replay attacks using IDs scraped from 
mailing lists within the expiry date.
With a few tiny changes to the way mailing lists work,
it would actually be possible to close that hole too,
but I think that's a bit excessive for something that 
is only a remote possibility.
IMO the killer problem with C/R is the "automated notice of 
something important" message.  Frequently, those don't even have 
a valid return address, much less a human that will click 
on your web site.


Scott Nelson <scott(_at_)spamwolf(_dot_)com>
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
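The message-ID scheme sketched in Scott's post (an ID of the form "UTC.N@" followed by a keyed hash, verified by recomputing it when a challenge or bounce arrives), written out as an added example that is not part of the original post or of any C/R product it mentions. Assumptions of my own: an HMAC-SHA256 truncated to 32 hex characters stands in for the post's plain md5sum over the same fields, the secret and the sample challenge messages are constructed, the domain `example.org` and the one-week acceptance window are placeholders, and `classify_challenge` is a hypothetical name for the accept-or-discard decision the post describes. The age check also implements the expiry the post relies on to bound replay of IDs scraped from mailing-list archives.

```python
import hashlib
import hmac
import re
from email import message_from_string

# Constructed secret for the example; a real deployment would load 16 or more
# random bytes generated once (e.g. secrets.token_bytes(16)) and keep them private.
SECRET = bytes.fromhex("0123456789abcdeffedcba9876543210")
DOMAIN = "example.org"          # placeholder domain name
MAX_AGE = 7 * 24 * 3600          # placeholder: honour references to IDs up to a week old

# Layout follows the post: "<UTC>.<N>@<tag>", with the keyed hash in the position
# where a host name would usually sit.  Angle brackets are optional when parsing.
_ID_RE = re.compile(r"^<?(\d+)\.(\d+)@([0-9a-f]{32})>?$")


def _tag(utc, n, domain, secret):
    """Keyed hash over (UTC, N, domain); my substitution of HMAC-SHA256 for the post's md5sum."""
    msg = f"{utc}.{n}.{domain}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def make_message_id(utc, n, domain=DOMAIN, secret=SECRET):
    """Generate a Message-ID; n must not repeat within one second (the post suggests the PID)."""
    return f"<{utc}.{n}@{_tag(utc, n, domain, secret)}>"


def is_own_message_id(msg_id, now_utc, domain=DOMAIN, secret=SECRET, max_age=MAX_AGE):
    """True only if we generated this ID and it is still inside the acceptance window."""
    m = _ID_RE.match(msg_id.strip())
    if not m:
        return False
    utc, n, tag = int(m.group(1)), int(m.group(2)), m.group(3)
    # Constant-time comparison so the check leaks nothing about the expected tag.
    if not hmac.compare_digest(tag, _tag(utc, n, domain, secret)):
        return False
    age = now_utc - utc
    # Reject future-dated IDs and IDs older than the window (bounds the replay problem
    # the post mentions: an ID scraped from a list archive only works until it expires).
    return 0 <= age <= max_age


def referenced_ids(raw_message):
    """Collect every <...> token from the In-Reply-To: and References: headers."""
    msg = message_from_string(raw_message)
    ids = []
    for header in ("In-Reply-To", "References"):
        for value in msg.get_all(header, []):
            ids.extend(re.findall(r"<[^<>\s]+>", value))
    return ids


def classify_challenge(raw_message, now_utc, **kw):
    """'accept' if any referenced ID is one we issued and unexpired, otherwise 'discard'."""
    if any(is_own_message_id(i, now_utc, **kw) for i in referenced_ids(raw_message)):
        return "accept"
    return "discard"


if __name__ == "__main__":
    # Constructed timeline: a message we sent a minute ago, then an incoming challenge for it.
    now = 1054509167
    own = make_message_id(now - 60, 4242)
    challenge = f"Subject: Please confirm\nIn-Reply-To: {own}\n\nClick to confirm\n"
    print(own, "->", classify_challenge(challenge, now))
```

The lookup needs no state beyond the secret: a mail client or MTA that stamps outgoing mail with `make_message_id` can later answer "did I send this?" for any C/R challenge or bounce by recomputing the tag, which is the point Scott makes about not having to remember thousands of IDs.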