
Re: [Asrg] Please critique my anti-spam system

2005-01-08 20:49:52
On Jan 08 2005, Michael Kaplan wrote:

> > If X sends out a weekly newsletter to thousands of people, most of
> > whom use your system, then X receives thousands of bounce messages
> > back, requiring individual CAPTCHA decoding, followed by individual
> > resending of the message, does it not?

> It almost sounds as if you expect most newsletters to get bounced.
> The newsletter will only get bounced if the specific sub-address used by
> the newsletter is deactivated.

Wouldn't the newsletter operator first have to obtain the specific
sub-address from each receiver (assuming your system is widely deployed)
at least once? That's a thousand bounces (ie number of recipients) right
at the start.

> But yes, inevitably some users will
> deactivate the newsletter sub-address after receiving spam.
> I've already guesstimated that commercial businesses could likely have
> these CAPTCHAs manually decoded in a developing country for about 0.1 cent
> a piece.  The newsletter operator could spend $10 and pay for processing
> 10,000 bounces a year.

So you expect newsletters to be sent by commercial operators exclusively?
What about noncommercial list operators?

Also, there are privacy implications in outsourcing the processing of
sensitive email messages to cheap third parties. What happens if a
Nigerian spammer outfit offers 0.1 cent per bounce processing, and
keeps a record of these bounce messages, reads each CAPTCHA and
compiles a clean set of email addresses which are guaranteed to accept
spam messages?

> I'm not qualified to say how snooping attacks can be prevented,
> but I will say that unlike the current system it is not the end of the
> world when an email address is harvested since my system anticipates that
> spammers will periodically harvest new addresses.  Users will deactivate the
> sub-address of any harvested address.

Each such deactivation generates a number of automatic CAPTCHA bounce
messages for people trying to contact that sub-address. The more
snooping occurs, the higher the frequency of deactivation, and the
higher the amount of work on senders. However, snooping implies
guaranteed spam delivery, so is much more valuable than ordinary mail
address harvests, and is easy to do with a distributed infrastructure.


> I'm not sure what you are describing when you talk about "fake bounces."
> I believe that the nature of the bounce problem is not related to
> what you are suggesting.

I'm using bounce in your sense as described in your proposal, namely a
CAPTCHA challenge sent back to the sender to verify whether he or she is
human.

The existence of these CAPTCHA messages is an inherent security risk,
because they are allowed to pass to the receiver's inbox without
checks of any kind, on a priority basis, provided a weak set of
credentials is bundled. This weak set of credentials consists of
a public email address identifying the purported sender, if I understand
your proposal correctly.

The obvious line of attack given the above is as follows: A spammer
writes a CAPTCHA containing an advertisement rather than a
sub-address, and inserts as the sender of this fake CAPTCHA an email
address which is likely to belong to the receiver's whitelist.

Sometimes, this fake CAPTCHA is blocked because the inserted address
is not on the receiver's whitelist, but this doesn't matter to the
spammer as the mail did not cost him much to send. Sometimes, the
inserted address belongs to the receiver's whitelist, in which case the
advertising payload gets priority treatment, bypassing all spam defenses
as it could be a legitimate challenge.


> > What is the effect of harvesting correct subaddresses by searching for
> > the replies to the CAPTCHA bounces, wherein the correct subaddress is
> > visible in the clear?

> A person would only decode a CAPTCHA and use that sub-address when
> emailing a legitimate contact.  I'm not sure how spammers are supposed
> to harvest the sub-address from this mundane email correspondence.

Perhaps you are unaware of the fact that email is much like a
postcard, without the stamping security measure. Anybody at any time
can read messages, or in fact modify them in every way, so long as
they are located within the relevant mail path. The honour system
is the only widespread protection in existence. 

Valid sub-addresses can also be harvested automatically on users'
computers by spyware. Valid pairs of (sender/receiver) addresses can
be harvested from public archives of mailing lists, and such pairs can
be used to send spam disguised as a fake CAPTCHA challenge as
described above.


> > What is the effect of bouncing the CAPTCHA bounce back to the CAPTCHA
> > bouncing recipient, with or without another CAPTCHA attached?

> With my system a bounce will never be generated in response to a bounce.

You assume that your system is universal. Consider two competing
incompatible CAPTCHA challenge systems, and the potential for bouncing
back and forth unrecognised challenges.

-- 
Laird Breyer.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
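The two weaknesses Breyer raises above, the forged challenge that rides on a whitelisted From: address and the ping-pong between two incompatible challenge systems, can be shown in a small model. The following is an added example, not code from the thread or from Kaplan's proposal. It assumes a receiver that bounces unknown mail with a CAPTCHA and lets any message claiming to be such a challenge straight into the inbox when its From: is whitelisted (the "weak credential"). The hardened policy (requiring the challenge to quote the Message-ID of mail the receiver really sent to that sender) and the loop check on the RFC 3834 Auto-Submitted header are this example's own additions, not part of the proposal; all addresses and messages are constructed.

```python
"""Toy model of the CAPTCHA-bounce scheme discussed in the thread (added example,
not code from the thread). Assumptions: a receiver challenges unknown mail with a
CAPTCHA bounce and lets a message that *claims* to be such a challenge straight
into the inbox when its From: is whitelisted. The hardened policy and the
Auto-Submitted check (RFC 3834) are this example's own additions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    sender: str
    recipient: str
    body: str
    is_challenge: bool = False         # message presents itself as a CAPTCHA bounce
    in_reply_to: Optional[str] = None  # Message-ID the challenge claims to answer
    auto_submitted: bool = False       # RFC 3834 "Auto-Submitted: auto-replied"


@dataclass
class Receiver:
    address: str
    whitelist: set
    sent: dict = field(default_factory=dict)  # Message-ID -> address we mailed

    def weak_policy(self, msg: Message) -> str:
        """Scheme as discussed: a challenge rides on the From: header alone."""
        if msg.is_challenge:
            return "inbox" if msg.sender in self.whitelist else "drop"
        return "inbox" if msg.sender in self.whitelist else "challenge"

    def hardened_policy(self, msg: Message) -> str:
        """A challenge must quote the Message-ID of mail we really sent to that sender."""
        if msg.is_challenge:
            answers_our_mail = self.sent.get(msg.in_reply_to) == msg.sender
            return "inbox" if answers_our_mail and msg.sender in self.whitelist else "drop"
        return "inbox" if msg.sender in self.whitelist else "challenge"


def _alice() -> Receiver:
    # Constructed sample: Alice whitelists Bob and once wrote to him.
    alice = Receiver("alice@example.org", whitelist={"bob@example.net"})
    alice.sent["<m1@example.org>"] = "bob@example.net"
    return alice


def forged_challenge_outcome(policy: str) -> str:
    """Spammer harvested the (bob, alice) pair from a list archive and forges Bob."""
    alice = _alice()
    fake = Message("bob@example.net", alice.address,
                   "BUY NOW  (advert where the CAPTCHA image would be)",
                   is_challenge=True)  # no in_reply_to: the forger never saw Alice's mail
    return getattr(alice, policy)(fake)


def genuine_challenge_outcome(policy: str) -> str:
    """Bob's own system challenges Alice's mail and quotes her Message-ID."""
    alice = _alice()
    real = Message("bob@example.net", alice.address, "please solve this CAPTCHA",
                   is_challenge=True, in_reply_to="<m1@example.org>", auto_submitted=True)
    return getattr(alice, policy)(real)


def challenge_loop(max_hops: int, honour_auto_submitted: bool) -> int:
    """Two incompatible challenge systems bounce each other's challenges back and
    forth; returns the number of challenges generated before one side stops."""
    a = Receiver("a@example.org", whitelist=set())
    b = Receiver("b@example.net", whitelist=set())
    msg = Message(a.address, b.address, "hello")
    hops = 0
    while hops < max_hops:
        recv = b if msg.recipient == b.address else a
        if honour_auto_submitted and msg.auto_submitted:
            break                                   # never challenge an automatic reply
        if recv.weak_policy(msg) != "challenge":
            break
        # The peer's challenge format is unrecognised here, so it is just unknown mail.
        msg = Message(recv.address, msg.sender, "please solve this CAPTCHA",
                      is_challenge=False, auto_submitted=True)
        hops += 1
    return hops


if __name__ == "__main__":
    print("forged, weak     :", forged_challenge_outcome("weak_policy"))       # inbox
    print("forged, hardened :", forged_challenge_outcome("hardened_policy"))   # drop
    print("genuine, hardened:", genuine_challenge_outcome("hardened_policy"))  # inbox
    print("loop, no RFC 3834 check:", challenge_loop(50, False))              # 50
    print("loop, with check       :", challenge_loop(50, True))               # 1
```

The point of the hardened policy is that a forger who only holds a (sender, receiver) pair cannot name a Message-ID the receiver actually sent, so the priority path for challenges no longer hinges on the From: header alone; the loop variant shows why a system should refuse to challenge anything marked as an automatic reply, since the "never bounce a bounce" rule only helps when both sides recognise each other's bounce format.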