ietf-asrg

[Asrg] 6. Proposals - Challenge/response - CRI

2003-08-15 08:45:57
In what follows, I'm referring to the CRI draft proposal as posted in:
  http://www1.ietf.org/mail-archive/working-groups/asrg/current/msg06731.html

This is my initial reaction; I'm going to re-read in detail and
provide some more detailed feedback later next week.

The use of CRI MIME message headers described in section 1.3
looks interesting. This seems good because it's transparent
to non-CRI MTAs which will just pass the message on, presumably
leaving the issuing of a challenge to a later stage, e.g. use
of a CRI-enabled MUA.

Out of these headers, this one caught my eye:

  "CRI-Sender-Exempt: identifies that the sender desires to not 
   receive a CRI message. i.e. mailing list"

I'm glad you've included support for mailing lists. I'd like to
know how you envisage this being used in practice. In section 4.2
you state that:

  "Mailing lists may include CRI-Sender-Exempt headers to 
   indicate that challenge messages should not be posted to
   the mailing list..."

What will be the content of such a header? Is it just a flag
such as "CRI-Sender-Exempt: 1"? If so, what would stop a 
spammer from adding such headers to their messages?

Is it true that a spammer who used such headers simply wouldn't
be sent a challenge message? If so I guess they wouldn't have the
opportunity to answer a challenge and thus get themselves 
permission to send to the receiver. So maybe it's not in their
interests to try and use such a header.

The need to rewrite mailing list software to generate such headers
is potentially more of an issue. Supposing I decided to use CRI
yet subscribed to some mailing lists which didn't generate such
headers. How could I ensure such messages got through?

My other "first reaction" to the proposal is that the SMTP idea is
interesting although the use of a 4xx temporary failure code for a 
challenge will of course result in non-compliant sender MTAs
retrying and repeatedly failing. Of course in the end they'll
give up and then will the sender's original message bounce back?

I'm interested here in the interoperability issues between MTAs
which support CRI and those which don't. Some more discussion in
that area would be helpful.

As an aside, I'll be away for several days so I won't be checking
e-mail for a while. But I'll leave everyone to debate the issues
and will join in again when I return.

Andrew

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
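
Added example, not part of the original post or of the CRI draft: a receiver-side policy sketch for the CRI-Sender-Exempt questions raised above, assuming the header is an unauthenticated flag that anyone can set. The decide() function, the local allowlist and the sample messages are hypothetical and constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: addresses the recipient approved locally (subscribed lists,
# senders who already answered a challenge). Not defined by the CRI draft.
ALLOWLIST = {"asrg-bounces@lists.example"}

def decide(raw_message, allowlist=ALLOWLIST):
    """Return (action, send_challenge) for one inbound message.

    The exempt header is unauthenticated, so it may only suppress the
    outgoing challenge; it never grants delivery on its own.
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # List software commonly puts the list's own address in Sender
    list_sender = parseaddr(msg.get("Sender", ""))[1].lower()
    exempt = msg.get("CRI-Sender-Exempt") is not None

    if sender in allowlist or list_sender in allowlist:
        return ("deliver", False)   # known list or sender, header irrelevant
    if exempt:
        return ("hold", False)      # honour "no challenge", but do not deliver
    return ("hold", True)           # unknown sender: hold and challenge

# Constructed sample messages
LIST_MAIL = ("From: member@example.org\nSender: asrg-bounces@lists.example\n"
             "CRI-Sender-Exempt: 1\nSubject: list post\n\nbody\n")
UNTAGGED_LIST = ("From: member@example.org\n"
                 "Sender: asrg-bounces@lists.example\n"
                 "Subject: list post, old list software\n\nbody\n")
FORGED = ("From: bulk@spam.example\nCRI-Sender-Exempt: 1\n"
          "Subject: offer\n\nbody\n")
UNKNOWN = "From: stranger@example.net\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    for name, raw in [("list", LIST_MAIL), ("untagged list", UNTAGGED_LIST),
                      ("forged exempt", FORGED), ("unknown", UNKNOWN)]:
        print(name, decide(raw))
```

Under this policy a forged exempt flag gains the sender nothing, and a list that never emits the header still gets through once the recipient allowlists it.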