ietf-asrg

Re: [Asrg] Please critique my anti-spam system

2004-12-05 12:34:23

----- Original Message -----
From: "Matt Schneider" <matt(_at_)spamhaus(_dot_)org>
To: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Please critique my anti-spam system
Date: Sun,  5 Dec 2004 18:28:10 +0000 (GMT)

Almost every criticism you have is answered in my article, but I will repeat 
the points.



Hello, there is a standardized reply form out there for these sorts 
of things, but I couldn't find it right away.

Anyway, I see several problems with this:

- the sub-address doesn't add anything, it's no different than 
making up a new email address

If you made up a new email address then people who use your old address cannot 
contact you.  With my system you never fear losing contact because of an 
address change.

- without using this system, you can already set up an 
autoresponder on old addresses to let people know where to find you

A spammer could easily harvest your new address from the autoresponder.  
Spammers don't bother since so few people do this now.  My system is designed 
to be used by a billion people and still remain secure.


- I don't like that you're supposed to spam everyone you know and 
they're supposed to immediately drop everything and go change you 
in their address book (and this expects that grandmothers that are 
just getting the hang of their AOL will be able to figure this out 
or even understand what this all means).

Each individual can decide for themselves whether to activate this system or 
not.  I assume you are talking about what happens the first time someone 
activates this system.  Everyone on your contact list is sent your new email 
address, but you can elect not to have this initial mass mailing.  Remember, 
these people are white listed so their emails will get through even without a 
sub-address.  Grandma can send you email using your old address, she'll just be 
sent a reminder to update her address when she sends you an email without a 
sub-address.

- white listing is nothing new

Whitelisting in this context is completely new.  


- challenge/response is nothing new

This is not challenge/response, this is far superior.  I clearly contrast these 
two systems in my article.

- if you want to not burden your friends with an initial 
challenge.. instead of spamming them to change the email address 
they have for you (still a burden) then why not add everyone in 
your address book to the "already passed the challenge procedure" 
list ?

The only people who ever need to decode a CAPTCHA are people who are not using 
a valid sub-address and who are not on the white list.  


- CAPTCHA assumes everyone using this system speaks English.

My CAPTCHA is usable across all languages.  People almost always communicate via 
email with people who can read the same language.  Correspond with someone who 
has Chinese as their default language and the instructions for the CAPTCHA will 
be in Chinese.  There are additional logical ways that the language issue will 
be addressed.

- As soon as a spammer starts getting CAPTCHA responses, they will 
fire these off to a sweatshop in China or India to have them 
solved, then they will have live, valid e-mail address, with 
complete sub-address, that they can now sell to other spammers at a 
premium.

See the second yellow highlighted text block in my article to understand why 
this is not feasible.

- Nobody's going to upgrade their own SMTP servers to process 
bounces from every anti-spam system out there.

No upgrade is needed.  The upgrade I proposed was for convenience.  Servers 
today are already fully compatible with my system.



Let's say I send out 2 inquiries to sales departments about buying 
something.  If one of them sent back this CAPTCHA thing, I probably 
wouldn't even bother jumping through all the hoops, I'd just go buy 
from the other place.  The moral of this story is, this system 
can't be used by anyone who places any sort of value on receiving 
email from non-spammers.

I highly doubt that a sales department would routinely distribute an email 
address with a deactivated sub-address.  Remember, my system integrates 
perfectly into the current email system.  Traditional email addresses will 
still function, and an email address with a valid sub-address will function 
exactly like an ordinary email address.

Michael G. Kaplan

P.S.  Can someone let me know the proper way to respond to these emails?  I've 
been hitting reply and then I've CC'd asrg(_at_)ietf(_dot_)org but when I do 
this I notice when I go to the discussion board archive thread index that you 
can't tell which email I'm responding to.


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg