procmail
[Top] [All Lists]

Re: challenge-response

2005-07-27 00:46:40
Hello All,

Thank several of you for your comments/criticisms of challenge-response.   
Remember I am am still only experimenting with this system, and I may  
decide against using it.

On Mon, 25 Jul 2005 23:06:20 -0600,  
<procmail-request(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE> wrote:

The matter of faked isn't simply INVALID, but rather when the
spammer
chooses to Joe-job someone, or just (as many viruses do these
days) forge
mail using harvested email addresses.

That is certainly a legitimate argument against challenge-response.  What  
you say does happen, but I believe it is very seldom.  I DO have a  
temporary mail refusal log that I am looking at daily.  It lists the  
refused mail as well as the bounces back from the spammers.  It looks like  
nearly every refused (spam) is bounced back.

I plan to set up a test to gather some real statistics on how many spams  
actually have deliverable return addresses.  I think we can assume that  
the only spam with a deliverable return address is that which uses a  
stolen, forged address as return address.  If it turns out that happens  
very often, I will abandon the challenge-response system.


<snip>
... and unloads your mailbox management upon the people
sending you
emails.  Such as responses to discussion list messages.

I routinely DO NOT respond to challenge-response ("PYLM" -
Prove You Love
Me) schemes.  They are not the answer.  I'll more readily
block someone at
my MTA than jump through hoops to get their system to quit
sending me
confirmation requests.  Esp if *I* was taking the time to
answer a question
they sent to me or to a discussion list.

Well, I think it is a matter of implementation.  I am on this list (in  
digest mode), and I make it clear in my email signature that if someone  
wants to email me off-list, my last name should simply be somewhere in the  
message subject or body.  I wouldn't call that "jumping through hoops."   
On the other hand, some implementations of challenge-response, such as  
Earthlink's, ask one to fill out an online FORM to get on someone's  
whitelist.  That is certainly a "hoop" and is very annoying.


<snip>
response spam
<snip>
It isn't just bandwidth.  It is moronic implementations and a
lack of
standards - two PYLM systems could battle it out without
either party
realizing that their communication isn't getting through to
the other.

That is certainly a potential problem.  Due to the lack of standards for  
"challenge" messages, the only way I could think of to deal with this is  
to accept mail (but not whitelist the sender) when I get 2 emails from the  
same sender in under 30 seconds.  The rationale is that the second mail  
might be a challenge email.  So far this has resulted in some 5 spams  
coming in in 3 weeks - the ONLY spam I have received.  I have never  
received a challenge email in response to one of my challenges.

Bottom line: if you use a challenge-response system, you
should be prepared
for a drop in LEGITIMATE correspondance along with your drop
in spam.

I have determined from the mail refusal log that only ONE legitimate email  
was refused in the last 3 weeks since I implemented this, out of some 600  
refusals.  As you can see, I have been very careful to whitelist  
legitimate correspondents, and whitelisting is almost always automatic (no  
keyword necessary), because the vast majority of my correspondents contact  
me first through my website contact form, with puts the sender on the  
whitelist.

Again, I appreciate your views.  I will investigate the incidence of  
forged (stolen) return email addresses in spam.  If this happens often,  
I'll abandon this system.  I don't want to become another spammer.

-- 
Regards, Lloyd
(1st email to me should contain "Standish" in message subject or body.)

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail

<Prev in Thread] Current Thread [Next in Thread>