I noticed at the bottom of your web site the 'Patents Pending' text.
What part of the proposal do you feel is unique and covered by your
patent applications?
Paul
-----Original Message-----
From: asrg-bounces(_at_)ietf(_dot_)org [mailto:asrg-bounces(_at_)ietf(_dot_)org] On Behalf Of Michael Kaplan
Sent: Thursday, December 09, 2004 12:02 PM
To: asrg(_at_)ietf(_dot_)org
Subject: [Asrg] A response to the critique of my anti-spam system
I greatly appreciate everyone for their time and
consideration for critiquing the anti-spam system that I
presented earlier this week. I present my response to the critique.
As a reminder, my system is located at:
http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm
First I would like to say a word about efficacy:
One basic tenet of the anti-spam effort has always been that
it is foolish to believe that spammers can't automate
puzzle solving, character recognition, or other hoops that
legitimate users must jump through manually. This has always been
true until the development of my CAPTCHA. This is the first and
only CAPTCHA developed that is invulnerable to technical
circumvention. I have to admit that I am surprised that this
innovation in and of itself has not generated more discussion.
This CAPTCHA, in combination with my unique application of
it, will likely do what no other system has ever hoped to do:
Allow strangers to communicate with you while preventing
spammers from sending you email with near perfect efficacy.
On occasion a spammer will harvest an address via one of the
usual ways. I'll guess that every three or four months a
TYPICAL user will suffer a day or two of spam and will need
to deactivate a single sub-address. Otherwise this system is
beyond any technical subversion. Is there any other system
existing or proposed that can claim this?
Every anti-spam system has flaws. Many of these flaws would
be tolerated if the system blocked spam with near perfect
efficacy. Any flaws with my system should be evaluated in this light.
I have reviewed the posts and the following represents what I
believe to have been the major issues that were brought up.
I include my responses.
This system is not appropriate for many people - True.
Certain email users such as many business people, people who
must maintain email addresses posted on websites or other
public venues, and countless others will find this system
undesirable and will not be able to use it. This system is
ideal for the typical email user who is plagued by large
amounts of spam. Instead of focusing on who this system
cannot help we should be focusing on the enormous number of
people for whom this system will be ideal and who will
experience near total elimination of spam from their lives
after employing it.
The system has flaws - True. This system is not perfect; it
is merely vastly superior to the status quo for most users.
If you have an example of a better system then please speak up.
Bounces - The fact that my system employs bounces seems to
greatly disturb many people. The strongest objection
concerns the additional burden these bounces will put on the
email system. The theoretical maximum increase in email
traffic that this system could generate would be 100% if we
consider an email account that receives emails with invalid
sub-addresses exclusively. The near perfect efficacy of my
system for blocking spam would justify such expenditure. How
would you feel if your email provider said to you "I know you
are overwhelmed by spam and that this system will virtually
eliminate it but doing so could cause a near doubling of your
email traffic so you can't use it and you must live with this
spam burden forever"?
Filters likely increase email traffic to a much greater extent,
albeit indirectly, as spammers generate vast quantities of
spam to get around them. Spam filters don't even have
anywhere near the likely efficacy that my system will have.
So a filter is tolerable, but my system isn't?
Another concern with bounces is that spammers will forge
an innocent person's address and then this innocent person
will get flooded with bounces. Some people with easily
guessable email addresses will confront this problem. People
who employ my system will never have to worry about such
bounces since their addresses cannot be guessed. This is a
concern, but not a big enough concern to halt such a
highly efficacious system.
Language - There was also a lot of concern over how the
bounces would be managed by recipients who use different
languages. I would respond that most people who correspond
with each other do so in the same language. Also many
web-sites use the common technique of showing icons of
international flags to represent languages, and clicking on
your respective flag will bring up a page with your own
language. This same technique can apply to bounces. This
will cover the vast majority of email users, though I admit
that people who can only read a less commonly used language
may not be accommodated as easily. I am confident that it is
possible to devise methods to further address this issue, but
the aforementioned technique will cover most people.
Spammers will always be able to reacquire some of your
addresses - This obvious truth actually highlights the
strength of this system. Deactivating compromised
sub-addresses becomes progressively less disruptive as more
and more of your correspondents use uniquely generated
sub-addresses. You also will know the source of the
compromise so that you can chastise your friend for
distributing your address in an email chain letter. The
typical user is not exposing their email address multiple
times a day to spammers. The typical user's email address is
revealed to a spammer a finite number of times but it only
takes one exposure to bring on the spam onslaught. This
explains why a single security breach at AOL in which more
than 90 million email addresses were sold to spammers was so
devastating. Many of those users would have remained spam
free for a prolonged time if it wasn't for that one breach.
There is of course the situation of having an
acquaintance that unwittingly has malware on their computer
that is constantly raiding their address book and passing
your address on to spammers. Now my system is a real
blessing as the problem becomes obvious and corrective action
can be taken, thus saving not only you but everyone else who
would have their addresses entered into your acquaintance's
address book.
This system is reminiscent of challenge/response - I thought
I did a sufficient job contrasting this system with
challenge/response but obviously I didn't. My system allows
third party emails to arrive unimpeded. My system issues
challenges in an extraordinarily selective way, only
challenging people not white listed who were given an
inactive sub-address. People will need to deal with my
challenge with only a small fraction of the frequency that
they would need to deal with a challenge associated with a
traditional challenge/response system. With my system
dealing with a CAPTCHA will be a relatively rare event. Is
there anyone who does not think that this system is
profoundly superior to every other challenge/response system?
Again I am surprised; my system makes every other
challenge/response system obsolete and yet it has not sparked
real discussion or enthusiasm. Isn't this the Anti-Spam
Research Group?
Seeing the CAPTCHA requires a system that either allows for a
graphics capable MUA or allows activation of a hyperlink -
True. You would need to access a system that would allow you
to see graphics. A graphics capable MUA is the most
convenient, but all you would really need is a computer with
a web browser so you can paste the link into the browser and
view the CAPTCHA. Don't most people have access to web browsers?
Typical users can see email graphics. I obviously travel in
different circles since I don't know a single person who uses
an email system that is not graphics capable. I would argue
that most typical users would not worry enough about the
minority of people who cannot access graphics via their mail
system. The incentive to use a system that effectively
eliminates spam would outweigh the need to cater to this minority.
I am not arguing that my system is absolute perfection, or
that it suits the needs of every email user in the world. I
only argue that it is vastly superior to anything else out
there. Take for example a typical AOL user. Almost every
AOL user is plagued by tremendous amounts of spam and there
is no hope that any filter will be able to stop the onslaught
directed at this highly lucrative population. No AOL user
who uses the system will care on a personal level that
additional bounces are being generated. Almost none of the
AOL users will care that people who can only read a less
common language may not be able to read the bounce; common
languages will still be accommodated. Spam is such a
tremendous burden for the average AOL user that few will care
that a small number of people have no ability to view
graphics on their system and thus will be forced to go to
another system to view a CAPTCHA.
I ask you: Is there any other system out there that, even
when applied to a hundred million people, could eliminate
nearly 100% of spam as my system would for a typical user
(I'm sure once every couple of months or so a single
sub-address will become compromised and the user will suffer
a day or two of spam before the sub-address is cancelled)?
Is there any other system out there that can protect so many
millions of users who elect to activate it and yet remain
secure? Is there any other comparable system that is as easy
to integrate into current email architecture?
Not challenge/response; it is excessively burdensome and the
traditional challenges are too weak to protect millions of people.
Not sender-ID proposals; no one is even pretending that these
proposals will have anything more than a subtle impact.
Does the fact that only 30-40% (a wild guess) of people
may want to use this system argue against it?
Before you reject my system can you suggest one that is in
any way comparable? Is the status quo superior? Are you
holding out hope for an as of yet unknown but better system?
Have you totally given up any hope for a truly effective
anti-spam system?
I accept your criticisms, but I view them as relatively minor
given the likely efficacy of this system. Many people such
as business people may decide to forgo this system. However,
this system would be the FUSSP for the enormous population of
typical users out there for whom the relatively minor
detractions are not important.
Michael G. Kaplan
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg