On Jan 09 2005, Peter J. Holzer wrote:
How often do you subscribe to newsletters while away from your computer
(or any computer with internet access)?
There are a few cases depending on the amount of roaming involved.
I can be away from my computer while being on some computer with
reduced resources (think publicly provided terminal and telnet(!) ),
I also can have several computer accounts used separately and
simultaneously for mail, with widely varying software/OS environments.
(On occasion, I've had four or five such mail accounts used as convenient,
although currently I use one mail address, but several computers)
I can also be subscribed by someone else as a service (e.g. by office
staff etc.), in which case I need not be physically at a computer at all.
I can subscribe by talking to someone and writing an address on a
piece of paper. I can subscribe by browsing the net while on someone
else's computer.
That said, I actually like your paper based solution quite a lot, and
it is much less cumbersome than looking for a sub-address generator
on some remote computer while roaming.
So I think I now agree with you that most initial list subscriptions
would involve a sub-address, and no CAPTCHA bounce for the list
operator.
Also, there are privacy implications in outsourcing the processing of
sensitive email messages to cheap third parties?
Outsource the CAPTCHA, not the entire message.
The CAPTCHA contains the key to generating the required sub-address. That's
all that is needed.
No, not necessarily. Although the Michael's example presents the CAPTCHA
together with the invariant parts of the mail address, this isn't
necessarily the case. It would be possible to separate them in such a
way that the recipient could keep the invariant parts secret and pass
only the puzzle to the outsourcing company. So the outsourcing company
would know that the solution of the puzzle is "LUCKY", but they don't
know that the full address is <JOE(_dot_)LUCKY(_at_)DOMAIN(_dot_)COM>. Of
course they
could try all combinations of addresses and solutions, but that would be
extremely expensive if the system is deployed widely (if it isn't, they
won't bother).
Hmm. This would work I think, but to be safe from related attacks the
customer who receives the CAPTCHA would have to remain anonymous to
the outsourcing company.
There's also the fact that list messages (such as your own to this
list) often arrive twice, once through the list and once directly. If
I used your system, I would be sending you a CAPTCHA bounce which
would be clogging your inbox.
No, you wouldn't, unless you had the subaddress already disabled, in
which case you wouldn't receive mails from the mailinglist either
(unless you explicitely whitelisted the mailinglist).
Either you're confused or I am. Michael sends me two messages, once as
Michael (which is unsolicited, and he's not whitelisted, so gets a CAPTCHA),
and once as asrg(_at_)ietf(_dot_)org, which is whitelisted since I've
subscribed to
the list.
--
Laird Breyer.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg