ietf-asrg

[Asrg] Re: Asrg Digest, Vol 11, Issue 12

2005-03-25 11:20:52
Markus Stumpf said,
This is the thing I like most about it.
a) C/R systems currently work, as there is no standard (which is also
   the crux, so they cannot be processed automatically)
b) as soon as there is some kind of standard, C/R systems will become
   useless, as spammers will approve the R.
c) sending the C/R to the machine that emitted the suspicious messages
   makes it even simpler for the spammer to ACK the C/R, even if the
   sender address is faked.

I'm not in favor of C/R systems because they require the sender to put a
lot more work into what should be a casual communication.  For businesses
which get a lot of inquiries, the possibility that even a few prospective
customers will feel like some do on this forum (hell, I'll just go
someplace else where I don't need to jump through hoops to talk to
somebody).  A user subscribing to an automated maillist is doomed never to
receive any mail from the list under a C/R system.

That said, consider the C/R system used in the titankey patent (yes, I
know prior art exists, but that's the system I think everyone here is
aware of); that system presents a problem they believe that only a human
can solve.  If they are correct, a human must perform the response.
(they've chosen the sample problem of presenting 4 numbers in an image and
requiring the human to send the numbers as characters back in a response;
this is the identical C/R system used by godaddy.com to shield their whois
service, for instance).

Hence, the spammer must hire people to sit in cubes typing responses to
challenges if the purported problem is only human solvable, or must pay a
programmer to solve the problem if the C/R developer lied about the
inability for machines to solve the problem with few resources.

The thing to remember here is that the spammers have tons more compute
power than we do -- they have literally millions of home computers at
their disposal.  So what we think is expensive to them may not be.

I don't think there will ever be a C/R standard; the protocol is simple --
you send me an email, I send you one back containing a problem which is
easy for humans to solve but hard for machines to solve, you respond to
that e-mail with a correct solution, and my mailsystem lets you resend
your mail (or forwards the previous quarantined mail onward).

The interesting thing about the IBM system is that it certainly prevents
the current generation of viral spamservers from delivering their payload.
 They don't even do the outbound SMTP protocol properly, much less process
inbound mail.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
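
The exchange described in the message above (mail held, challenge sent, solution returned, held mail released), as an added example that is not part of the original post or of any C/R product. The class and method names, the 4-digit puzzle standing in for the image, the expiry time and the retry limit are all assumptions.

```python
import hmac
import secrets
import time


class ChallengeResponseGate:
    """Hold mail from unknown senders until a challenge is answered."""

    def __init__(self, ttl=7 * 24 * 3600, max_tries=3):
        self.ttl, self.max_tries = ttl, max_tries
        self.allowed = set()   # senders that already passed a challenge
        self.pending = {}      # token -> challenge state and quarantined mail

    def receive(self, sender, message, now=None):
        now = time.time() if now is None else now
        if sender in self.allowed:
            return ("deliver", message)
        for token, c in self.pending.items():
            if c["sender"] == sender and c["expires"] > now:
                c["held"].append(message)      # one challenge per sender
                return ("held", token)
        token = secrets.token_urlsafe(16)      # unguessable, ties reply to mail
        digits = f"{secrets.randbelow(10000):04d}"
        self.pending[token] = {"sender": sender, "answer": digits, "tries": 0,
                               "expires": now + self.ttl, "held": [message]}
        # A real system would render `digits` as an image in the challenge
        # mail; returning them here stands in for that rendering.
        return ("challenge", token, digits)

    def respond(self, token, solution, now=None):
        now = time.time() if now is None else now
        c = self.pending.get(token)
        if c is None:
            return ("unknown", [])             # never issued, or already used
        if now >= c["expires"]:
            del self.pending[token]            # e.g. a list robot never replies
            return ("expired", [])
        if not hmac.compare_digest(solution.encode(), c["answer"].encode()):
            c["tries"] += 1
            if c["tries"] >= self.max_tries:
                del self.pending[token]        # stop online guessing
            return ("wrong", [])
        del self.pending[token]                # single use: no replay
        self.allowed.add(c["sender"])
        return ("released", c["held"])
```

The gate only checks that the reply carries the token and the right digits; whether a human or a program produced them is exactly the open question the message raises.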


  • [Asrg] Re: Asrg Digest, Vol 11, Issue 12, Douglas Campbell <=