ietf-asrg

Re: [Asrg] Unique innovations made to anti-spam system

2006-01-22 15:21:11
On Jan 22,  3:17pm, Michael Kaplan wrote:
}
} Thank you for your very insightful commentary.

You're welcome.

} If a trusted domain was not established and the machine email came
} from a reputable business that was sending an important email then
} I would hope that the reputable business would spend the absolutely
} trivial amount of expense needed to decode the CAPTCHA and return the
} email.

Many reputable businesses send very large volumes of email.  If it is
economically infeasible for spammers to decode the CAPTCHAs, why do you
believe it will be feasible for other businesses?

It's true that ideally the reputable businesses start out with a valid
subaddress and only have to deal with revocations.  (Never mind that
this will NOT be true during "phase 1".)  On the other hand, even for
reputable businesses, one primary motivation for using email is its
extremely low cost compared to postal mail and other communications.
I can't predict the economic consequences, but I would predict that the
need to process CAPTCHAs will be a disincentive for deployment.
 
} > "phase 1" everyone in the whitelist will receive an automated reply,
} > which is equivalent to a challenge even though they aren't required
} > to respond.
} 
} It's more of a Vacation message than a Challenge.

It requires that the recipient take action, or the notification has not
served its purpose.  That's much closer to a challenge than to a mere
out-of-office response.

} > spam that forges the address of the whitelisted senders will
} > also continue to be received.
} 
} How does the spammer figure out who is on your white-list?

By raiding the address books of the people to whom you send mail.  This
happens *all* the time, usually (I suspect) via virus or worm or other
compromise of the correspondent's system.  I'd expect that subaddress
compromise will most often occur this way as well.  I've seen spam that
was directed to VERPed addresses generated by an automated system for
confirmation of hotel reservations; the only possible ways for those
VERPs to have been obtained by the spammer would be network sniffing or
infection of a recipient's PC.

I've also seen "your mail was not delivered" responses sent to those
VERPs from virus filters, sometimes months after the VERP was created.

I have little faith in the statistics that have been collected so far
for systems like zoemail/reflexion/traveler, because I have no evidence
that they are yet in use by the general public.  Things that appear to
work sensibly when tested on techies go wrong in all sorts of unexpected
ways when loosed on the less-educated masses and their poorly-secured
home computers.

} > - ISACS challenges containing the spam pour into the mailboxes of the
} > intended victims
} 
} The spammer will spam Joe@domain.com knowing that Joe will not receive a
} single piece of spam?

Yep.  "Bounce spamming" is less common now than it was a couple of years
ago, if the examples in my trapped spam archives are representative, but
it's not unheard-of.  (Yes, I'm one of those weird people who have the
past month's worth of spam sitting around in gzip'd folders, just in
case my filters went wrong.)

} 95% of this spam will be filtered immediately

So despite the claim of near-perfect performance for ISACS, all domains
are expected to continue using and maintaining their adaptive filters?
Why would I take on the added cost of ISACS for only that remaining 5%
of the problem, if I can't get rid of any other costs?

} If the victim's filters are set to filter out ISACS
} bounces that don't correspond to recently sent emails

I'll direct you to the archives of this list for discussions of the
problems of keeping track of recently-sent email and matching it to
arriving bounces.  You can't handwave this away.

} If the victim's filters have not been updated for ISACS then the
} filters will detect the words "Cheap Viagra!" in the bounce and
} another 95% of the remaining 5% will be filtered. I don't see the
} motivation.

It's already fairly well accepted that the response of spammers to
having a smaller fraction of their mail get through is to send larger
amounts of it.

Further, I'd dispute that applying two 95%-effective spam filters has
a net 99.75% success rate.  It's much more likely that the same 5% of
spam that makes it through the first filter will also make it through
the second filter -- the things that both filters are looking for must
be pretty similar, almost by definition.
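
The following is an added example, not part of the original message: it works through the chained-filter arithmetic above, showing that the 99.75% figure holds only if the two filters' misses are statistically independent. The correlation parameter `phi`, the function names and the 10,000-message corpus are assumptions constructed for illustration.

```python
from math import sqrt

def joint_miss(m1, m2, phi):
    """P(both filters miss a spam) given miss rates m1, m2 and the
    correlation phi between the two 'missed' indicator variables."""
    p = m1 * m2 + phi * sqrt(m1 * (1 - m1) * m2 * (1 - m2))
    # Frechet bounds: a joint probability outside this range is impossible.
    lo, hi = max(0.0, m1 + m2 - 1.0), min(m1, m2)
    if not (lo - 1e-12 <= p <= hi + 1e-12):
        raise ValueError("phi is not achievable for these miss rates")
    return min(max(p, lo), hi)

def chained_catch_rate(m1, m2, phi):
    """Fraction of spam stopped when a message must pass both filters."""
    return 1.0 - joint_miss(m1, m2, phi)

def corpus_check(n, missed_a, missed_b):
    """Measure the same quantities from the sets of message ids each
    filter let through; returns (chained catch rate, observed phi)."""
    both = len(missed_a & missed_b) / n
    m1, m2 = len(missed_a) / n, len(missed_b) / n
    phi = (both - m1 * m2) / sqrt(m1 * (1 - m1) * m2 * (1 - m2))
    return 1.0 - both, phi

if __name__ == "__main__":
    # Independent filters: the 99.75% figure from the thread.
    print(f"phi=0.0 -> {chained_catch_rate(0.05, 0.05, 0.0):.4%}")
    # Filters keyed on similar features: little is gained by chaining.
    print(f"phi=0.8 -> {chained_catch_rate(0.05, 0.05, 0.8):.4%}")
    print(f"phi=1.0 -> {chained_catch_rate(0.05, 0.05, 1.0):.4%}")
    # Constructed corpus: 10,000 spams, each filter misses 500 (5%),
    # and 400 of those misses are the same messages.
    rate, phi = corpus_check(10_000, set(range(500)), set(range(100, 600)))
    print(f"corpus  -> catch rate {rate:.2%}, observed phi {phi:.3f}")
```

With 400 of the 500 misses shared, the second filter raises the catch rate from 95% to only 96%, not 99.75%.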
