On Tue, Oct 27, 2009 at 11:34 PM, Danny Angus
Hi Yao Ziyuan,
I see you also posted this to the asrg. I'm shamelessly cross posting
my reply, sorry in advance to *both* lists!
My response is in two parts:
a) I like the fact that the recipient can set up a test which must be
passed by the sender. I also like the fact that the test would be
passive protection when protecting against, for example spam viruses.
In other words the recipient can set up a test, but the test itself
only generates load when the sender considers it worthwhile to take
However I would prefer to see the test administered by the mail
system, rather then via another channel.
Solving the problem of spam by invoking a channel not currently
involved in mail transport is not really a solution, it is both
delegating the problem to another arena, and changing the nature of
There's nothing inherently wrong with this, but if we are to consider
changing the nature of email and channels involved we assume that we
could design out the problem from the outset by introducing a strong
concept of identity to the process.
If we anticipate a design which uses the mail transport the passivity
advantage breaks down as the sender must be notified that a test
exists. In this case it would fail the criteria for not introducing
*more* load (email) in response to spam.
The goal is to find a solution which reduces the load as it becomes
successful, even if faced with increased demand. What I mean is that a
true solution would be completely passive when confronted with spam,
and in reducing the spam transported would result in a net decrease in
A passive test that meets the criteria would be one in which a test is
published in advance at low cost (perhaps by a third party), and for
which the solution is encapsulated in the message when it is sent.
A sender may not think it's necessary to solve a test when sending a
message, but changes his mind later, when he realizes the message is
important and a reply is expected but doesn't arrive in time.
For example the test may be for the sender to publish SPF records, or
use a mark similar to the habeus warrant mark. A recipient domain can
publish the test in the their T's & C's.
If you want to consider CAPTCHA, perhaps the test would be to
pre-solve a CAPTCHA, send the UID of the puzzle and its solution in
the mail headers, but CAPTCHA is not really low cost, and is still
b) the idea of using a CAPTCHA is flawed and has already been
discussed at length by the asrg.
In essence CAPTCHA works where there is less value in solving the
puzzle than it costs to solve.
If you introduce a strong commercial incentive you will start an arms
race which will see people compete to develop systems which can solve
puzzles at a lower cost, and others compete to develop more complex
We must assume that this will happen unless you can describe a test
which can be reasoned to be unable to be solved by a machine.
The fact that CAPTCHA are impractical to solve with current technology
doesn't imply that they are impossible to solve.
This ties in with point a) because it suggests that in operation the
incentive is there for spammers to now not only send spam but also
create additional work for the CAPTCHA component and the quarantine
Even if spammers use systems which can only achieve a low sucess rate
at the test, there is an incentive to attempt the test every time.
This generates additional demand.
On Mon, Oct 26, 2009 at 12:16 AM, Yao Ziyuan <yaoziyuan(_at_)gmail(_dot_)com>
Passive Spam Revocation (PSR)
Currently almost all mail systems (e.g. Hotmail and Gmail) use a spam
filter, which can drop good and important messages.
I propose an optional feature for current mail systems. The main idea
is if a message is considered spam, this spam status can be tracked by
the sender (but not sent to him directly, as the From field can be
faked). The message can be re-marked as "not spam" if the sender can
solve a CAPTCHA.
STEP 1: A is going to send B a message. A's mail client generates a
random code and puts it in a custom field in the outgoing message's
Code: <random code>
STEP 2: A's mail client sends the message, waits 30 seconds, and then visits:
https://spamstatus.<B's mail domain>/?msgid=<Message-ID>&code=<Code>
This page displays one of these possible "spam statuses":
* MESSAGE CONSIDERED SPAM. (A CAPTCHA is also presented below.)
* MESSAGE CONSIDERED NOT SPAM.
* PENDING. PLEASE TRY AGAIN LATER.
* All other responses mean B's mail system doesn't support this feature.
In the first case, A's mail client will report the status and the
CAPTCHA to A. A can choose to solve the CAPTCHA to prove the message
is not spam.
Like the idea? Here is the official Google group for it:
To unsubscribe, e-mail:
For additional commands, e-mail:
Asrg mailing list
Asrg mailing list