[Top] [All Lists]

Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

2005-06-11 01:58:31
On 2005-06-11 06:15:49 -0000, John Levine wrote:
This can be addressed by holding all incoming challenges and
preventing them from reaching the user's inbox for 10 minutes (or
whatever length of time). The challenge is passed to the user's inbox
once it is clear that the database in up-to-date.

Even assuming this synchronization is practical (in a large system
with many MTAs, it probably isn't) this makes no sense whatsoever.  

If the MTA can tell what incoming mail is a challenge, and it knows
what's in the database (it must, if it knows when all of the updates
have been posted), why is it delivering the challenge to the user at
all rather than just answering it?

It can't, because the challenge contains a CAPTCHA, so only the user can
answer it correctly (at least if the CAPTCHA works as intended).

But the more important question is why bother to create the expensive
giant database and the complex synchronization and the special purpose
challenges when remotely verifiable message signatures a la DK solve
the problem much better, with no database and no challenges.

Do they? I think DK, bounce-verification systems and C/R systems solve
different problems. 

DK (and similar systems) answers the question "was this mail sent by
somebody authorized to use this domain".

The question "was this bounce triggered by by a mail sent by one of our
users or by a mail with a faked return-path?" can be answered by DK-like
schemes only if the bounce contains the information needed to verify the
signature. For DK in particular, this is often not true, because it
signs the body (which is a good thing, IMHO) and the body is often
omitted or trunkated in bounces (which is also a good thing, IMHO). So
to verify if a bounce was triggered by a legitimate mail you need to
include something in your mails which is typically included intact in a
bounce. About the only thing which is guarantueed to work is the
envelope sender. 

Finally, C/R systems answer the question "was this mail sent by somebody
who cares enough about the mail to answer my challenge?" which is a
stronger version of question 1.


   _  | Peter J. Holzer    | Ich sehe nun ein, dass Computer wenig
|_|_) | Sysadmin WSR       | geeignet sind, um sich was zu merken.
| |   | hjp(_at_)hjp(_dot_)at         |
__/   | |    -- Holger Lembke in dan-am

Attachment: pgpTk6UxWT6mL.pgp
Description: PGP signature

Asrg mailing list
<Prev in Thread] Current Thread [Next in Thread>