ietf-asrg

Re: [Asrg] Please critique my anti-spam system

2005-01-09 08:05:47
On 2005-01-09 15:52:57 +1000, Laird Breyer wrote:
On Jan 08 2005, Michael Kaplan wrote:
Wouldn't the newsletter operator first have to obtain the specific
sub-address from each receiver (assuming your system is widely deployed)
at least once?

The address is provided by the recipient when they sign up for the
newsletter, just like what is done now.

You mean the sub-address? How many unique sub-addresses do you expect people
to carry in their heads, or do you expect each person to carry around
a sub-address generator everywhere, for such occasions? 

How often do you subscribe to newsletters while away from your computer
(or any computer with internet access)?

If I was using Michael's system I'd probably carry a list of a dozen
pregenerated sub-addresses in my wallet and expect that to last a few
years (Well, actually I'd use the same list to give valid subaddresses
to individuals during face-to-face meetings, so it would be depleted a
lot faster).

Also, there are privacy implications in outsourcing the processing of
sensitive email messages to cheap third parties?

Outsource the CAPTCHA, not the entire message.


The CAPTCHA contains the key to generating the required sub-address. That's
all that is needed. 

No, not necessarily. Although Michael's example presents the CAPTCHA
together with the invariant parts of the mail address, this isn't
necessarily the case. It would be possible to separate them in such a
way that the recipient could keep the invariant parts secret and pass
only the puzzle to the outsourcing company. So the outsourcing company
would know that the solution of the puzzle is "LUCKY", but they don't
know that the full address is <JOE.LUCKY@DOMAIN.COM>. Of course they
could try all combinations of addresses and solutions, but that would be
extremely expensive if the system is deployed widely (if it isn't, they
won't bother).

There's also the fact that list messages (such as your own to this
list) often arrive twice, once through the list and once directly.  If
I used your system, I would be sending you a CAPTCHA bounce which
would be clogging your inbox.

No, you wouldn't, unless you had the subaddress already disabled, in
which case you wouldn't receive mails from the mailinglist either
(unless you explicitly whitelisted the mailing list).

        hp

-- 
   _  | Peter J. Holzer    | Je höher der Norden, desto weniger wird
|_|_) | Sysadmin WSR       | überhaupt gesprochen, also auch kein Dialekt.
| |   | hjp(_at_)hjp(_dot_)at         | Hallig Gröde ist fast gänzlich dialektfrei.
__/   | http://www.hjp.at/ |   -- Hannes Petersen in desd


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg