I greatly appreciate everyone for their time and consideration for critiquing
the anti-spam system that I presented earlier this week. I present my response
to the critique.
As a reminder, my system is located at:
http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm
First I would like to say a word about efficacy:
One basic tenet of the anti-spam effort has always been that it is foolish to
believe that spammers can't automate puzzle solving, character recognition, or
other hoops that legitimate users must jump through manually. This has always
been true until the development of my CAPTCHA. This is the first and only CAPTCHA
developed that is invulnerable to technical circumvention. I have to admit
that I am surprised that this innovation in and of itself has not generated
more discussion.
This CAPTCHA, in combination with my unique application of it, will likely do
what no other system has ever hoped to do: Allow strangers to communicate with
you while preventing spammers from sending you email with near perfect
efficacy. On occasion a spammer will harvest an address via one of the usual
ways. I'll guess that every three or four months a TYPICAL user will suffer a
day or two of spam and will need to deactivate a single sub-address. Otherwise
this system is beyond any technical subversion. Is there any other system
existing or proposed that can claim this?
Every anti-spam system has flaws. Many of these flaws would be tolerated if
the system blocked spam with near perfect efficacy. Any flaws with my system
should be evaluated in this light.
I have reviewed the posts and the following represents what I believe to have
been the major issues that were brought up. I include my responses.
This system is not appropriate for many people - True. Certain email users
such as many business people, people who must maintain email addresses posted
on websites or other public venues, and countless others will find this system
undesirable and will not be able to use it. This system is ideal for the
typical email user who is plagued by large amounts of spam. Instead of
focusing on who this system cannot help we should be focusing on the enormous
number of people for whom this system will be ideal and who will experience near
total elimination of spam from their lives after employing it.
The system has flaws - True. This system is not perfect; it is merely vastly
superior to the status quo for most users. If you have an example of a better
system then please speak up.
Bounces - The fact that my system employs bounces seems to greatly disturb many
people. The strongest objection concerns the additional burden these bounces
will put on the email system. The theoretical maximum increase in email
traffic that this system could generate would be 100% if we consider an email
account that receives emails with invalid sub-addresses exclusively. The near
perfect efficacy of my system for blocking spam would justify such expenditure.
How would you feel if your email provider said to you "I know you are
overwhelmed by spam and that this system will virtually eliminate it but doing
so could cause a near doubling of your email traffic so you can't use it and
you must live with this spam burden forever"?
Filters likely increase email traffic to much greater extent, albeit
indirectly, as spammers generate vast quantities of spam to get around them.
Spam filters don't even have anywhere near the likely efficacy that my system
will have. So a filter is tolerable, but my system isn't?
Another concern with bounces is that spammers will forge an innocent
person's address and then this innocent person will get flooded with bounces.
Some people with easily guessable email addresses will confront this problem.
People who employ my system will never have to worry about such bounces since
their addresses cannot be guessed. This is a concern, but not a big enough
concern to halt such a highly efficacious system.
Language - There was also a lot of concern over how the bounces would be
managed by recipients who use different languages. I would respond that most
people who correspond with each other do so in the same language. Also many
websites use the common technique of showing icons of international flags to
represent languages, and clicking on your respective flag will bring up a page
with your own language. This same technique can apply to bounces. This will
cover the vast majority of email users, though I admit that people who can only
read a less commonly used language may not be accommodated as easily. I am
confident that it is possible to devise methods to further address this issue,
but the aforementioned technique will cover most people.
Spammers will always be able to reacquire some of your addresses - This obvious
truth actually highlights the strength of this system. Deactivating
compromised sub-addresses becomes progressively less disruptive as more and
more of your correspondents use uniquely generated sub-addresses. You also
will know the source of the compromise so that you can chastise your friend for
distributing your address in an email chain letter. The typical user is not
exposing their email address multiple times a day to spammers. The typical
user's email address is revealed to a spammer a finite number of times but it
only takes one exposure to bring on the spam onslaught. This explains why a
single security breach at AOL in which more than 90 million email addresses
were sold to spammers was so devastating. Many of those users would have
remained spam free for a prolonged time if it wasn't for that one breach.
There is of course the situation of having an acquaintance that
unwittingly has malware on their computer that is constantly raiding their
address book and passing your address on to spammers. Now my system is a real
blessing as the problem becomes obvious and corrective action can be taken,
thus saving not only you but everyone else who would have their addresses
entered into your acquaintance's address book.
This system is reminiscent of challenge/response - I thought I did a sufficient
job contrasting this system with challenge/response but obviously I didn't. My
system allows third party emails to arrive unimpeded. My system issues
challenges in an extraordinarily selective way, only challenging people not
whitelisted who were given an inactive sub-address. People will need to deal
with my challenge with only a small fraction of the frequency that they would
need to deal with a challenge associated with a traditional challenge/response
system. With my system dealing with a CAPTCHA will be a relatively rare event.
Is there anyone who does not think that this system is profoundly superior to
every other challenge/response system? Again I am surprised; my system makes
every other challenge/response system obsolete and yet it has not sparked real
discussion or enthusiasm. Isn't this the Anti-Spam Research Group?
Seeing the CAPTCHA requires a system that either allows for a graphics capable
MUA or allows activation of a hyperlink - True. You would need to access a
system that would allow you to see graphics. A graphics capable MUA is the
most convenient, but all you would really need is a computer with a web browser
so you can paste the link into the browser and view the CAPTCHA. Don't most
people have access to web browsers?
Typical users can see email graphics. I obviously travel in different circles
since I don't know a single person who uses an email system that is not
graphics capable. I would argue that most typical users would not worry enough
about the minority of people who cannot access graphics via their mail system.
The incentive to use a system that effectively eliminates spam would outweigh
the need to cater to this minority.
I am not arguing that my system is absolute perfection, or that it suits the
needs of every email user in the world. I only argue that it is vastly
superior to anything else out there. Take for example a typical AOL user.
Almost every AOL user is plagued by tremendous amounts of spam and there is no
hope that any filter will be able to stop the onslaught directed at this highly
lucrative population. No AOL user who uses the system will care on a personal
level that additional bounces are being generated. Almost none of the AOL
users will care that people who can only read a less common language may not be
able to read the bounce; common languages will still be accommodated. Spam is
such a tremendous burden for the average AOL user that few will care that a
small number of people have no ability to view graphics on their system and
thus will be forced to go to another system to view a CAPTCHA.
I ask you: Is there any other system out there that, even when applied to a
hundred million people, could eliminate nearly 100% of spam as my system would
for a typical user (I'm sure once every couple of months or so a single
sub-address will become compromised and the user will suffer a day or two of
spam before the sub-address is cancelled)? Is there any other system out there
that can protect so many millions of users who elect to activate it and yet
remain secure? Is there any other comparable system that is as easy to
integrate into current email architecture?
Not challenge/response; it is excessively burdensome and the traditional
challenges are too weak to protect millions of people.
Not sender-ID proposals; no one is even pretending that these proposals will
have anything more than a subtle impact.
Does the fact that only 30-40% (a wild guess) of people may want to use this
system argue against it?
Before you reject my system can you suggest one that is in any way comparable?
Is the status quo superior? Are you holding out hope for an as yet unknown
but better system? Have you totally given up any hope for a truly effective
anti-spam system?
I accept your criticisms, but I view them as relatively minor given the likely
efficacy of this system. Many people such as business people may decide to
forgo this system. However, this system would be the FUSSP for the enormous
population of typical users out there for whom the relatively minor detractions
are not important.
Michael G. Kaplan
--
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
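The routing policy the post describes (unique per-correspondent sub-addresses, delivery only to active sub-addresses or from whitelisted senders, a challenge bounce for everything else, and identification of the correspondent who leaked a compromised sub-address) can be modelled in a few dozen lines. The following is an added illustration written for this archive page, not code from the author or from the system at the linked URL. It assumes a `local+tag@domain` sub-address syntax, 48-bit random tags, and that mail to the bare untagged address is challenged like mail to an unknown tag; the CAPTCHA itself is represented only by the "challenge" action, since the post gives no detail of it.

```python
"""Model of a per-correspondent sub-address mailbox (added example, assumptions noted)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

DELIVER, CHALLENGE = "deliver", "challenge"


@dataclass
class SubAddressMailbox:
    """One user's mailbox: every correspondent gets a unique, unguessable sub-address."""
    local_part: str
    domain: str
    issued: dict = field(default_factory=dict)      # tag -> correspondent who received it
    deactivated: set = field(default_factory=set)   # tags the user has cancelled
    whitelist: set = field(default_factory=set)     # senders who are never challenged

    def issue(self, correspondent: str) -> str:
        """Mint a fresh sub-address and remember which correspondent was given it."""
        tag = secrets.token_hex(6)   # 48 random bits: cannot be guessed by a spammer
        self.issued[tag] = correspondent
        return f"{self.local_part}+{tag}@{self.domain}"

    def _tag_of(self, rcpt: str) -> Optional[str]:
        """Extract the tag from local+tag@domain, or None if the address carries no tag."""
        local, _, domain = rcpt.rpartition("@")
        if domain.lower() != self.domain.lower():
            return None
        base, sep, tag = local.partition("+")
        if base.lower() != self.local_part.lower() or not sep or not tag:
            return None
        return tag

    def route(self, sender: str, rcpt: str) -> Tuple[str, str]:
        """Decide what happens to one incoming message; returns (action, reason).

        Whitelisted senders are always delivered.  Mail to an active, issued
        sub-address is delivered.  Anything else (bare address, unknown tag,
        deactivated tag) is bounced with the challenge.  The bare-address rule is
        an assumption; the post does not spell it out.
        """
        if sender.lower() in self.whitelist:
            return DELIVER, "whitelisted sender"
        tag = self._tag_of(rcpt)
        if tag is None:
            return CHALLENGE, "no sub-address tag"
        if tag in self.deactivated:
            return CHALLENGE, "sub-address deactivated"
        if tag in self.issued:
            return DELIVER, f"active sub-address issued to {self.issued[tag]}"
        return CHALLENGE, "unknown sub-address"

    def report_spam(self, rcpt: str) -> Optional[str]:
        """Cancel the sub-address spam arrived at and name the correspondent who leaked it.

        Because each tag was handed to exactly one correspondent, the tag alone
        identifies the source of the compromise; other correspondents' sub-addresses
        keep working unchanged.
        """
        tag = self._tag_of(rcpt)
        if tag is None or tag not in self.issued:
            return None
        self.deactivated.add(tag)
        return self.issued[tag]


if __name__ == "__main__":
    # Constructed walk-through: two correspondents, one leak.
    mb = SubAddressMailbox("alice", "example.org")
    mb.whitelist.add("bob@example.com")
    for_carol = mb.issue("carol")
    for_dave = mb.issue("dave")
    print(mb.route("carol@example.net", for_carol))             # delivered
    print(mb.route("stranger@example.net", "alice@example.org"))  # challenged
    print("leaked by:", mb.report_spam(for_carol))               # carol
    print(mb.route("carol@example.net", for_carol))             # now challenged
    print(mb.route("dave@example.net", for_dave))               # still delivered
```

The `report_spam` path is the part of the scheme the post leans on most: cancelling one tag costs exactly one correspondent a re-issue, and the tag tells the user whom to ask about the leak, which is why the disruption shrinks as more correspondents hold their own sub-addresses.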