
Re: [Asrg] Unique innovations made to anti-spam system

2006-01-22 16:24:57
On 1/22/06, Bart Schaefer <schaefer(_at_)brasslantern(_dot_)com> wrote:

> On Jan 22, 3:17pm, Michael Kaplan wrote:
>
> Many reputable businesses send very large volumes of email.  If it is
> economically infeasible for spammers to decode the CAPTCHAs, why do you
> believe it will be feasible for other businesses?


On my website I assume that the spammer would spend a tenth of a cent to
manually decode a CAPTCHA and I demonstrate how this would be a crippling
expense.

Let's assume that over the course of a year Amazon.com emails 10 million
customers.  I'll say that 5% of these sub-addresses are deactivated without
the customers bothering to notify Amazon.  I'll say that it costs Amazon 5
cents to decode a CAPTCHA (fifty times as expensive as what I assumed the
spammer would have to pay!).  It would cost Amazon $25,000 over the course
of the entire year - and that is for an enormous company.

Not a great example because I'm sure Amazon.com would be a trusted domain
and they would have the software upgrade to automatically resend the
bounces.  The same calculations for a small company with 20,000 customers
would be $50 a year.

And another point:  You have to purchase Adobe Acrobat but you can get Adobe
Acrobat Reader for free.  Likewise you may have to pay to use ISACS to rid
yourself of spam but I'm sure that the software to appropriately process
ISACS bounces will be distributed freely and aggressively for web mail and
email user agents.
> } It's more of a Vacation message than a Challenge.
>
> It requires that the recipient take action, or the notification has not
> served its purpose.  That's much closer to a challenge than to a mere
> out-of-office response.


Ultimately, once the software upgrade to process bounces is installed (free
of charge, I should add), the recipient will take no action of any kind.


> } How does the spammer figure out who is on your white-list?
>
> By raiding the address books of the people to whom you send mail.  This
> happens *all* the time, usually (I suspect) via virus or worm or other
> compromise of the correspondent's system.


The following is taken from my website:
  "*People will have malware infesting their computers, raiding their
address book and constantly supplying spammers with valid addresses.*
  This is an argument *for*, not against, ISACS.  All of the
contacts of the person infected with malware will be able to identify the
source of the security breach based on the sub-address.  In this case this
system is a true blessing since the situation will become readily apparent
and it can be remedied, saving anyone who would later be added to that
address book.  Almost no other anti-spam system aids in the identification
of such malware."

> I have little faith in the statistics that have been collected so far
> for systems like zoemail/reflexion/traveler, because I have no evidence
> that they are yet in use by the general public.


I quote some outside reviews and even a comment from this board supporting
Reflexion on my web page.  I know of a lot of anecdotal evidence of email
accounts being spam free for months until one little security breach
resulted in endless spam.  You are right, I don't have absolute proof, but
what evidence I do have is suggestive.

> Yep.  "Bounce spamming" is less common now than it was a couple of years
> ago, if the examples in my trapped spam archives are representative, but
> it's not unheard-of.


I see how this is possible, but I don't see how this is advantageous to the
spammer.  Use of the free ISACS bounce filtering software upgrade will make
this completely futile for the spammer.


> } 95% of this spam will be filtered immediately
>
> So despite the claim of near-perfect performance for ISACS, all domains
> are expected to continue using and maintaining their adaptive filters?
> Why would I take on the added cost of ISACS for only that remaining 5%
> of the problem, if I can't get rid of any other costs?


Because ISACS will result in near total elimination of spam (I'll
guesstimate that you'll still get 3 or 4 spams a year - a speculative but I
think reasonable estimate).

> } If the victim's filters are set to filter out ISACS
> } bounces that don't correspond to recently sent emails
>
> I'll direct you to the archives of this list for discussions of the
> problems of keeping track of recently-sent email and matching it to
> arriving bounces.  You can't handwave this away.


Most email systems I have interacted with have a list of sent messages
immediately available.  If this is a problem then ISACS bounces can be
cached for one hour or ten hours or one day or for whatever amount of time
is needed to correlate the bounce with the sent email list.


> Further, I'd dispute that applying two 95%-effective spam filters has
> a net 99.75% success rate.


Very well, but I still don't see why bounce spamming is preferable to
directly spamming users.  It only adds a barrier, even if you feel it is not
a great barrier.

Thank you once again,

Michael Kaplan
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
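The bounce-correlation filter Michael sketches above (cache the sent-mail list for a bounded time, drop any ISACS bounce that matches nothing in it), written out as an added illustration; this is not code from the thread or from ISACS, and the bounce fields, the sample sent log and the 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sent-mail log as a user agent might expose it:
# (when sent, recipient sub-address, Message-ID of the outgoing mail).
SENT_LOG = [
    ("2006-01-22T10:00", "bob.k7f3@example.org", "<a1@mua.example>"),
    ("2006-01-20T10:00", "carol.x9q2@example.net", "<a2@mua.example>"),
]

# Constructed bounces.  The thread does not specify an ISACS bounce format;
# here each bounce is assumed to echo the original recipient sub-address
# and Message-ID of the message it claims to be bouncing.
BOUNCES = [
    {"recipient": "bob.k7f3@example.org", "message_id": "<a1@mua.example>"},    # genuine
    {"recipient": "dave.q1z8@example.org", "message_id": "<zz@spam.example>"},  # forged
    {"recipient": "carol.x9q2@example.net", "message_id": "<a2@mua.example>"},  # too old
]


class BounceCorrelator:
    """Time-bounded cache of sent mail; accepts only bounces that match it."""

    def __init__(self, window):
        self.window = window
        self.sent = {}  # (recipient, message_id) -> datetime sent

    def record_sent(self, sent_at, recipient, message_id):
        self.sent[(recipient, message_id)] = sent_at

    def prune(self, now):
        # Forget entries older than the window so the cache stays small.
        cutoff = now - self.window
        self.sent = {k: t for k, t in self.sent.items() if t >= cutoff}

    def classify(self, bounce, now):
        """Return 'accept' if the bounce matches a recently sent mail, else 'drop'."""
        self.prune(now)
        key = (bounce["recipient"], bounce["message_id"])
        # No matching sent message: either a forged bounce or a stale one.
        return "accept" if key in self.sent else "drop"


def classify_all(now_iso="2006-01-22T16:00", window_hours=24):
    corr = BounceCorrelator(timedelta(hours=window_hours))
    for sent_iso, rcpt, mid in SENT_LOG:
        corr.record_sent(datetime.fromisoformat(sent_iso), rcpt, mid)
    now = datetime.fromisoformat(now_iso)
    return [corr.classify(b, now) for b in BOUNCES]


if __name__ == "__main__":
    print(classify_all())  # ['accept', 'drop', 'drop']
```

Widening the window (the "one hour or ten hours or one day" knob) trades cache size against how long a genuine bounce may lag the original send, as the stale third bounce shows.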