----- Original Message -----
From: "Matt Schneider" <matt(_at_)spamhaus(_dot_)org>
To: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Please critique my anti-spam system
Date: Sun, 5 Dec 2004 18:28:10 +0000 (GMT)

Almost every criticism you have is answered in my article, but I will repeat
the points.

> Hello, there is a standardized reply form out there for these sorts
> of things, but I couldn't find it right away.
> Anyway, I see several problems with this:
> - the sub-address doesn't add anything, it's no different than
> making up a new email address

If you made up a new email address then people who use your old address cannot
contact you. With my system you never fear losing contact because of an
address change.

> - without using this system, you can already set up an
> autoresponder on old addresses to let people know where to find you

A spammer could easily harvest your new address from the autoresponder.
Spammers don't bother since so few people do this now. My system is designed
to be used by a billion people and still remain secure.

> - I don't like that you're supposed to spam everyone you know and
> they're supposed to immediately drop everything and go change you
> in their address book (and this expects that grandmothers that are
> just getting the hang of their AOL will be able to figure this out
> or even understand what this all means).

Each individual can decide for themselves whether to activate this system or
not. I assume you are talking about what happens the first time someone
activates this system. Everyone on your contact list is sent your new email
address, but you can elect not to have this initial mass mailing. Remember,
these people are white listed so their emails will get through even without a
sub-address. Grandma can send you email using your old address, she'll just be
sent a reminder to update her address when she sends you an email without a
sub-address.

> - white listing is nothing new

Whitelisting in this context is completely new.

> - challenge/response is nothing new

This is not challenge/response, this is far superior. I clearly contrast these
two systems in my article.

> - if you want to not burden your friends with an initial
> challenge.. instead of spamming them to change the email address
> they have for you (still a burden) then why not add everyone in
> your address book to the "already passed the challenge procedure"
> list ?

The only people who ever need to decode a CAPTCHA are people who are not using
a valid sub-address and who are not on the white list.

> - CAPTCHA assumes everyone using this system speaks English.

My CAPTCHA is usable across all languages. People almost always communicate via
email with people who can read the same language. Correspond with someone who
has Chinese as their default language and the instructions for the CAPTCHA will
be in Chinese. There are additional logical ways that the language issue will
be addressed.

> - As soon as a spammer starts getting CAPTCHA responses, they will
> fire these off to a sweatshop in China or India to have them
> solved, then they will have live, valid e-mail address, with
> complete sub-address, that they can now sell to other spammers at a
> premium.

See the second yellow highlighted text block in my article to understand why
this is not feasible.

> - Nobody's going to upgrade their own SMTP servers to process
> bounces from every anti-spam system out there.

No upgrade is needed. The upgrade I proposed was for convenience. Servers
today are already fully compatible with my system.

> Let's say I send out 2 inquiries to sales departments about buying
> something. If one of them sent back this CAPTCHA thing, I probably
> wouldn't even bother jumping through all the hoops, I'd just go buy
> from the other place. The moral of this story is, this system
> can't be used by anyone who places any sort of value on receiving
> email from non-spammers.

I highly doubt that a sales department would routinely distribute an email
address with a deactivated sub-address. Remember, my system integrates
perfectly into the current email system. Traditional email addresses will
still function, and an email address with a valid sub-address will function
exactly like an ordinary email address.

Michael G. Kaplan

P.S. Can someone let me know the proper way to respond to these emails? I've
been hitting reply and then I've CC'd asrg(_at_)ietf(_dot_)org but when I do
this I notice when I go to the discussion board archive thread index that you
can't tell which email I'm responding to.