ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: forged bounces, was [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

2005-06-02 15:31:37
from [Michael Kaplan] [Permanent Link] 



The next step is to have a special bounce filter on the other end to
stop innocent people from receiving spam induced bounces. The filter
would recognize an incoming bounce and only pass it on to the user's
inbox if that user had recently sent an email to the source of the
bounce.


You've almost reinvented BATV there.  It puts a signature hash in the
bounce address in outgoing mail, and rejects bounces that don't have
the hash.  I've used this for a while and it works very well.  Trying
to match bounce sources is hopeless; if you write to
john(_dot_)smith(_at_)foocorp(_dot_)com you're likely to get responses from
jsmith(_at_)foocorp(_dot_)com or mailer-daemon(_at_)hostingcompany(_dot_)com, 
with no
consistency at all to the addresses.

But I don't see what this has to do with challenges, since they don't
look like bounces.  They're ordinary mail, sent in bulk and (for the
majority due to forgery) unsolicited, i.e. spam.


What I've been referring to as bounces may more appropriately be called 
challenges.  Anyway, what I have been saying is that the challenge (which 
currently looks like an ordinary email) be standardized so that they can be 
universally recognized as a challenge.  I am proposing a filter that could 
recognize this challenge email.  The challenge email would contain the email 
address of the relevant email account in an easily parsable form so that the 
filter can make sure that the challenge is being received by the user who had 
just sent out the corresponding email.

Maybe we can agree on this:
Current anti-spam systems that issue challenges do so in a way that results in 
innocent people being bombarded with spam triggered challenges.

However...
A relatively simple one-time software upgrade to existing filters can easily 
prevent a standardized challenge from erroneously reaching innocent email 
users.  Ergo widespread adoption of a challenge generating anti-spam system is 
practical - at least in regard to the above mentioned issue.

Michael Kaplan

-- 
_______________________________________________
NEW! Lycos Dating Search. The only place to search multiple dating sites at 
once.
http://datingsearch.lycos.com


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Asrg] [OT?] CIS Systems wins $1.08 billion in case against spammers, Barry Shein
Next by Date:  Re: [Asrg] host named "mail" that is not an MX, Markus Stumpf
Previous by Thread:  [Asrg] host named "mail" that is not an MX, Markus Stumpf
Next by Thread:  Re: forged bounces, was [Asrg] A CAPTCHA that automatically detects and neutralizes attacks., John Levine
Indexes:  [Date] [Thread] [Top] [All Lists]