ietf-asrg

Re: [Asrg] Please critique my anti-spam system

2005-01-09 09:41:15

----- Original Message -----
From: "Peter J. Holzer" <hjp-asrg(_at_)hjp(_dot_)at>
To: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Please critique my anti-spam system
Date: Sun, 9 Jan 2005 14:32:00 +0100


On 2005-01-09 13:29:41 +1000, Laird Breyer wrote:
> On Jan 08 2005, Michael Kaplan wrote:
> If X sends out a weekly newsletter to thousands of people, most of
> whom use your system, then X receives thousands of bounce messages
> back, requiring individual CAPTCHA decoding, followed by individual
> resending of the message, does it not?
> It almost sounds as if you expect most newsletters to get bounced.
> The newsletter will only get bounced if the specific sub-address used by
> the newsletter is deactivated.  Wouldn't the newsletter operator first
> have to obtain the specific sub-address from each receiver (assuming your
> system is widely deployed) at least once? That's a thousand bounces (ie
> number of recipients) right at the start.

Probably not. The user would generate a fresh subaddress and subscribe
that to the newsletter. Since subaddresses are created in "accept
everything" mode in Michael's proposal, the newsletter would be accepted
without a challenge. Only when the subaddress is deactivated will
challenges be generated. (On a well-maintained newsletter this will
probably cause the address to be unsubscribed.)


However, subscribing to mailing lists may be a bit difficult with
Michael's scheme:

Let's say our user Joe tries to subscribe to the mailing list
<foo(_at_)example(_dot_)net>. So he creates a new subaddress (e.g.,
<joe(_dot_)b0263(_at_)example(_dot_)com>) and enters it into a web form or
sends it to <foo-request(_at_)example(_dot_)net>. Typically, the
mailing-list software will reply with a confirmation request: from:
<mailinglistsoftware(_at_)example(_dot_)net> to:
<joe(_dot_)b0263(_at_)example(_dot_)com>. When Joe replies, his software
will generate a new unique address, since he never sent mail to
<mailinglistsoftware(_at_)example(_dot_)net> before (e.g.,
<joe(_dot_)26ab0(_at_)example(_dot_)com>). So the mailing-list software
will receive a confirmation from <joe(_dot_)26ab0(_at_)example(_dot_)com>
to subscribe the address <joe(_dot_)b0263(_at_)example(_dot_)com>. Some
mailing-list software will refuse the request if the two addresses don't
match.

Even if he manages to subscribe, however, the first time he wants to
send something to the mailing list, the software will create yet another
unique address (e.g., <joe(_dot_)6d7fc(_at_)example(_dot_)com>), since he
hasn't sent anything to <foo(_at_)example(_dot_)net> yet. Since most
mailing lists only allow postings from subscribed addresses, his message
won't get through. (Some, but not all, mailing lists allow you to specify
alternate addresses.)

So at the very least, any software implementing Michael's proposal needs
to allow the user to override the automatic generation of new
subaddresses. (This of course means user interaction, and it means user
errors - I know that I often make errors of that kind when I first post
to a new mailing list.)

> Perhaps you are unaware of the fact that email is much like a
> postcard, without the stamping security measure. Anybody at any time
> can read messages, or in fact modify them in every way, so long as
> they are located within the relevant mail path. The honour system
> is the only widespread protection in existence.

That and the sheer number of mail paths. A spammer is probably not in a
position where he can intercept a significant number of mails.

      hp

--
    _  | Peter J. Holzer    | The further north you go, the less is
|_|_) | Sysadmin WSR       | spoken at all, so no dialect either.
| |   | hjp(_at_)hjp(_dot_)at         | Hallig Gröde is almost entirely
__/   | http://www.hjp.at/ | dialect-free.  -- Hannes Petersen in desd
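The two failure modes Peter walks through above (the confirmation reply and the first post both going out from a freshly minted subaddress, and the newsletter case where an active subaddress accepts but a deactivated one challenges) can be reproduced in a small simulation. The following is an added example written for this archive page; it is not code from Michael Kaplan's proposal or from any list manager. It assumes a mailbox that mints one subaddress per correspondent on first contact and reuses it afterwards, a list manager with a token-based confirmation step and a `strict` flag for software that insists the confirming sender match the address being subscribed, and hash-derived tags standing in for the random ones in the thread. The `override` parameter models the user-controlled override Peter says the scheme needs.

```python
"""Toy model of the per-correspondent subaddress scheme discussed in the thread."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SubaddressMailbox:
    """Joe's side. Assumed behaviour: one subaddress per correspondent, minted on
    first contact; all subaddresses start in 'accept everything' mode and only
    challenge once deactivated."""
    user: str
    domain: str
    by_correspondent: dict = field(default_factory=dict)  # correspondent -> subaddress
    deactivated: set = field(default_factory=set)          # subaddresses now challenging

    def sender_address_for(self, correspondent: str, override: Optional[str] = None) -> str:
        """Address placed on outgoing mail to `correspondent`. An explicit override
        pins that correspondent to an existing subaddress instead of minting one."""
        if override is not None:
            self.by_correspondent[correspondent] = override
            return override
        if correspondent not in self.by_correspondent:
            # Constructed tag: hash prefix instead of a random identifier.
            tag = hashlib.sha256(f"{self.user}|{correspondent}".encode()).hexdigest()[:5]
            self.by_correspondent[correspondent] = f"{self.user}.{tag}@{self.domain}"
        return self.by_correspondent[correspondent]

    def deliver(self, to_subaddress: str) -> str:
        """Inbound handling: accept while active, challenge once deactivated."""
        return "challenge" if to_subaddress in self.deactivated else "accept"


class MailingList:
    """List-manager side with a confirm-by-token subscription step."""

    def __init__(self, domain: str, name: str, strict: bool = True):
        self.address = f"{name}@{domain}"
        self.request_address = f"{name}-request@{domain}"
        self.software_address = f"mailinglistsoftware@{domain}"
        self.strict = strict
        self.pending = {}      # token -> address awaiting confirmation
        self.subscribers = set()

    def subscribe_request(self, address_to_subscribe: str):
        """Returns (From of the confirmation mail, token the user must send back)."""
        token = hashlib.sha256(address_to_subscribe.encode()).hexdigest()[:8]
        self.pending[token] = address_to_subscribe
        return self.software_address, token

    def confirm(self, envelope_from: str, token: str) -> str:
        target = self.pending.get(token)
        if target is None:
            return "unknown-token"
        if self.strict and envelope_from != target:
            return "refused-mismatch"   # the behaviour Peter warns about
        del self.pending[token]
        self.subscribers.add(target)
        return "subscribed"

    def post(self, envelope_from: str) -> str:
        return "delivered" if envelope_from in self.subscribers else "rejected-not-subscribed"


def run_subscription_flow(use_override: bool) -> dict:
    """Walk the subscribe / confirm / first-post exchange and report each outcome."""
    joe = SubaddressMailbox("joe", "example.com")
    foo = MailingList("example.net", "foo", strict=True)

    # 1. Joe mints a subaddress for the list and submits it to foo-request.
    sub_addr = joe.sender_address_for(foo.request_address)
    confirm_from, token = foo.subscribe_request(sub_addr)

    # 2. Joe answers the confirmation. In automatic mode his software mints
    #    another subaddress because he never wrote to the list software before.
    override = sub_addr if use_override else None
    reply_from = joe.sender_address_for(confirm_from, override)
    confirm_result = foo.confirm(reply_from, token)

    # 3. Joe's first post to the list address: same problem, same fix.
    post_from = joe.sender_address_for(foo.address, override)
    post_result = foo.post(post_from)

    return {
        "subscribed_address": sub_addr,
        "confirmation": confirm_result,
        "post": post_result,
        "addresses_used": len({sub_addr, reply_from, post_from}),
    }


def newsletter_flow():
    """Newsletter case: accepted while active, challenged once Joe deactivates it."""
    joe = SubaddressMailbox("joe", "example.com")
    addr = joe.sender_address_for("newsletter@example.org")  # constructed sender
    before = joe.deliver(addr)
    joe.deactivated.add(addr)
    return before, joe.deliver(addr)


if __name__ == "__main__":
    print("automatic:", run_subscription_flow(use_override=False))
    print("override: ", run_subscription_flow(use_override=True))
    print("newsletter:", newsletter_flow())
```

Running it with `use_override=False` shows three distinct subaddresses in play, a refused confirmation and a rejected post; with `use_override=True` the same subaddress is reused throughout and both steps succeed, which is exactly the user-controlled override Peter argues any implementation of the scheme must offer.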



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
