ietf-asrg
[Top] [All Lists]

Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

2005-06-13 10:03:05
 
Michael,

... maintain a list of outgoing emails sent by each user ...

... some stuff snipped ...

the info for a message needs to be
available as soon as the message has been sent

... more snipping ...

can be addressed by holding all incoming challenges
and preventing them from reaching the user's inbox
for 10 minutes (or whatever length of time).


This proposed "resolution" to the problem of C-R requiring a record and for
that record to be available straight away would be largely unacceptable to
any mail provider of any magnitude because of the cost of this recording
and buffering, not to mention the operating costs of a highly available
distributed system capable of reconciling the challenges with the
responses.

As I've pointed out to you before the problem of spam is the unacceptable
cost burden placed upon mail infrastructure providers, much more so that
than the inconvenience of individual users. You cannot solve the former if
your proposal has costs of a similar order of magnitude and the same set of
cost drivers, namely the volume of spam.

If the costs of managing genuine mail was high, but resource consumption
decreased because spam was removed from the picture then your solution
would be cost effective. However it still appears that the cost is directly
proportional to the volume of unwanted messages. Not only that but also you
are pushing some of the cost burden onto downstream systems, if a challenge
issued by your system increases costs for other people, people for whom
there is no benefit, it is doomed to failure.

Imagine that I am Yahoo and you are Joe ISP with 1000 mail accounts, how
can you possibly hope to accomodate the unpredictable number of challenges
I send you in response to forged mail? You can't. You are faced with high
running costs and potential DoS to you users, and the financial
consequences to your stock, caused by my legitimate use of your system as
designed.

I'm concerned that you seem hell bent on flogging a dead horse here.

A number of people have raised detailed weaknesses with your proposal.
You seem to prefer to address these in isolation rather than view the big
picture.

You seem to be making the fatal mistake of going round in circles.

d.

Thanks for the feedback,

I will say that I am surprised that so many on this list are perseverating over 
the issue of erroneous challenges.  I suspect that some of the people on this 
list, as opposed to the general public, have very high profile email addresses 
and it is possible that you have been selectively targeted by spammers given 
your role in the anti-spam community.  Some have described responding to 
hundreds of erroneous challenges.  I personally have never received a single 
erroneous challenge and I suspect (but I don't have data) that most email users 
have not either.

I also disagree with the burden that my system will cause to networks.  On 
average email providers will receive a 1000:1 ratio of spam to challenge email 
if 99% of spam is filtered before a challenge is sent, and if 10% of spam uses 
a forged address.  The cost of buffering the challenges will likely be trivial 
relative to the cost of dealing with routine spam.

Many email providers, such as Yahoo and Gmail, routinely keep a copy of every 
outgoing email in your sent message folder.  Thus the data for the challenge 
filter is instaneously available.  A trivial software update can prevent any 
erroneous bounces from ever becoming visible in a user's inbox.  Other email 
providers can briefly buffer incoming challenges if need be to update their 
bounce filter.  I still have trouble seeing how this is a real difficulty, 
especially relative to Bayesian filtering.

I will concede that when the system is initially introduced there will be 
specific individuals and specific small ISP that will be transiently 
disproportionately impacted until they upgrade their software.  Ultimately not 
a single person should ever receive an erroneous bounce.

Would you tell AOL, Hotmail, Yahoo, and every other major email provider that 
there is a convenient system that would result in the near total elimination of 
spam for their users but they should not use it because it would result in an 
average 0.1% increase in spam-like email sent to ISPs that haven't upgraded? 
Yes, some will be affected disproportionately.

I disagree that a number of people have raised detailed weaknesses with my 
proposal that have gone unanswered.  Rather what I do is respond to a 
legitimate query once or twice and then I stop responding when the issue is 
repeatedly brought up.  Examples include:

     The porn proxy attack-  I've had to respond to the practical impossibility 
of this form of attack on two different locations on my website, as well as 
repeatedly on this list.  Please, think about it yourself.  Crunch the numbers. 
 It is beyond trivial.

     Spammers will just pretend to be someone on your whitelist- This is again 
confusing my system with a C/R system, as my system relies on sub-addresses.  
The whitelist as I describe it is of a very personal nature and spammers cannot 
determine it's contents.  If spammer's did determine one or two addresses that 
were on the whitelist then you would just remove those addresses from the 
whitelist and have those correspondents rely on using a sub-address as everyone 
else does.

     Malware will foil this system- As I've described here and on my website 
the existence of malware is an argument for my system as my system is uniquely 
resistant to it.

     I would never bother responding to challenge- If you cared about the email 
then you would.  I think what is trying to be said is that routinely answering 
challenges is too burdensome.   My system would likely only issue challenges 
with no more than 5% of the frequency that a C/R would.  I suspect that the 
vast majority of people would find this acceptable if they could live without 
spam.

Well it goes on and on.  I was going to ignore the last round of posts as they 
did not contain any criticisms that I had not answered.  I'm only responding 
now because I was addressed directly.  I only re-initiated corresponding on 
this list to describe an innovation for web-page based CAPTCHA, but we took a 
quick tangent away from that topic.

I will respond to any criticism that I have not answered.  I appreciate it when 
people point out flaws in the answers I've given, but I'll need more convincing 
before I concede that the difficulties in enacting a challenge filter are so 
great that a system that would otherwise eliminate spam should not be 
considered.

Thank you,
Michael Kaplan
http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm

-- 
_______________________________________________
NEW! Lycos Dating Search. The only place to search multiple dating sites at 
once.
http://datingsearch.lycos.com


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>