ietf-smtp

Re: [ietf-smtp] Dombox - A Zero Spam Mail System

2019-09-25 05:35:08

It has long been my policy when receiving such emails to always answer
that "yes I sent this email" -- whether or not this is true


In my system, challenge/response methods are applicable only for "verified
strangers".  When the MAIL FROM says that the mail is coming from
john(_at_)example(_dot_)com, our system is going to fetch the MX record and check
whether the mail is really coming from example.com. Since we are talking about
human-to-human mails here, we are expecting the mail from one of your MX
servers. We also check the SPF record and A record. If the mail is not coming
from any of those IP addresses, we actually reject the mail.

So the first step of validation is checking whether the incoming mail is
from a verified stranger.

Only then are you going to get the challenge mail. The whole point of
challenge/response here is to slow down spammers who genuinely buy domains
and send spam.

So the C/R mechanism in my system is not to check whether the mail is from
you. It's to slow down spammers who are sending mails from their MX record
IP addresses.


On Wed, Sep 25, 2019 at 3:33 PM Richard Clayton <richard(_at_)highwayman(_dot_)com> wrote:


In message <04a6670a-a661-7826-e1e6-c7372af8fce7(_at_)tana(_dot_)it>, Alessandro Vesely <vesely(_at_)tana(_dot_)it> writes

On Wed 25/Sep/2019 04:06:38 +0200 Viruthagiri Thirumavalavan wrote:
Here is my white paper <https://www.dombox.org/dombox.pdf> I published in Feb 2019.

   Bad guy forge the mail like it’s coming from president(_at_)whitehouse(_dot_)gov.
   Challenge mails are being sent to president(_at_)whitehouse(_dot_)gov

That's gonna be tagged as yet another witch hunt...

There is also an underlying assumption that when the challenge email is
received then the question it poses will be answered honestly

It has long been my policy when receiving such emails to always answer
that "yes I sent this email" -- whether or not this is true

My hope is that either the person trying out challenge response will
realise that dumping their spam filtering costs onto strangers is unwise
or they will conclude, incorrectly, that I am a spammer and block all
further email "from" me.  Either way they don't bother me again and I am
happy, so the effort of responding to them has been worthwhile

From time to time volumes of challenge response email have been high,
for example when Earthlink used this type of system -- and so I
automated the sending of the responses ... they did have CAPTCHAs to
discourage such automation, but since they only had 31 CAPTCHA images
this didn't slow down the automation all that much

https://www.lightbluetouchpaper.org/2006/02/12/earthlink-has-just-31-challenge-response-captchas/

--
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


_______________________________________________
ietf-smtp mailing list
ietf-smtp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-smtp



-- 
Best Regards,

Viruthagiri Thirumavalavan
Dombox, Inc.
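
The "verified stranger" check described in the message above (connecting IP compared against the MAIL FROM domain's MX hosts, SPF record and A record), as an added example that is not part of the original message and is not Dombox's code. The names `ZONE`, `lookup`, `mx_addresses`, `spf_networks` and `verify_sender` and all DNS data are constructed for illustration, and SPF handling is an assumption limited to `ip4:`, `ip6:`, `a` and `mx` terms.

```python
import ipaddress

# Constructed DNS data (RFC 5737 documentation ranges) standing in for live lookups.
ZONE = {
    "example.com": {"MX": ["mx1.example.com"], "A": ["192.0.2.10"],
                    "TXT": ["v=spf1 ip4:198.51.100.0/24 mx -all"]},
    "mx1.example.com": {"A": ["192.0.2.25"]},
    # A domain whose owner controls every record, so it is self-consistent.
    "bulk.example": {"MX": ["mail.bulk.example"], "A": ["203.0.113.5"],
                     "TXT": ["v=spf1 mx -all"]},
    "mail.bulk.example": {"A": ["203.0.113.7"]},
}

def lookup(name, rtype, zone=ZONE):
    return zone.get(name.lower(), {}).get(rtype, [])

def mx_addresses(domain, zone=ZONE):
    """A records of every MX host published for the domain."""
    return [ip for host in lookup(domain, "MX", zone) for ip in lookup(host, "A", zone)]

def spf_networks(domain, zone=ZONE):
    """Networks authorised by ip4:/ip6:/a/mx terms; include:, redirect= etc. are ignored."""
    nets = []
    for txt in lookup(domain, "TXT", zone):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            term = term.lstrip("+").lower()
            if term.startswith(("ip4:", "ip6:")):
                nets.append(ipaddress.ip_network(term[4:], strict=False))
            elif term == "a":
                nets += [ipaddress.ip_network(ip) for ip in lookup(domain, "A", zone)]
            elif term == "mx":
                nets += [ipaddress.ip_network(ip) for ip in mx_addresses(domain, zone)]
    return nets

def verify_sender(mail_from, client_ip, zone=ZONE):
    """Return which record vouches for client_ip ("MX", "SPF", "A"), or None to reject."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    ip = ipaddress.ip_address(client_ip)
    listed = lambda addrs: any(ip == ipaddress.ip_address(a) for a in addrs)
    if listed(mx_addresses(domain, zone)):
        return "MX"
    if any(ip in net for net in spf_networks(domain, zone)):
        return "SPF"
    if listed(lookup(domain, "A", zone)):
        return "A"
    return None
```

A forged `john@example.com` from `203.0.113.7` is rejected, while `promo@bulk.example` from the same address passes as "MX" because that domain's own records vouch for it, which is the case the message reserves challenge/response for.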