Hello All,
Thank several of you for your comments/criticisms of challenge-response.
Remember I am am still only experimenting with this system, and I may
decide against using it.
On Mon, 25 Jul 2005 23:06:20 -0600,
<procmail-request(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE> wrote:
The matter of faked isn't simply INVALID, but rather when the
spammer
chooses to Joe-job someone, or just (as many viruses do these
days) forge
mail using harvested email addresses.
That is certainly a legitimate argument against challenge-response. What
you say does happen, but I believe it is very seldom. I DO have a
temporary mail refusal log that I am looking at daily. It lists the
refused mail as well as the bounces back from the spammers. It looks like
nearly every refused (spam) is bounced back.
I plan to set up a test to gather some real statistics on how many spams
actually have deliverable return addresses. I think we can assume that
the only spam with a deliverable return address is that which uses a
stolen, forged address as return address. If it turns out that happens
very often, I will abandon the challenge-response system.
<snip>
... and unloads your mailbox management upon the people
sending you
emails. Such as responses to discussion list messages.
I routinely DO NOT respond to challenge-response ("PYLM" -
Prove You Love
Me) schemes. They are not the answer. I'll more readily
block someone at
my MTA than jump through hoops to get their system to quit
sending me
confirmation requests. Esp if *I* was taking the time to
answer a question
they sent to me or to a discussion list.
Well, I think it is a matter of implementation. I am on this list (in
digest mode), and I make it clear in my email signature that if someone
wants to email me off-list, my last name should simply be somewhere in the
message subject or body. I wouldn't call that "jumping through hoops."
On the other hand, some implementations of challenge-response, such as
Earthlink's, ask one to fill out an online FORM to get on someone's
whitelist. That is certainly a "hoop" and is very annoying.
<snip>
response spam
<snip>
It isn't just bandwidth. It is moronic implementations and a
lack of
standards - two PYLM systems could battle it out without
either party
realizing that their communication isn't getting through to
the other.
That is certainly a potential problem. Due to the lack of standards for
"challenge" messages, the only way I could think of to deal with this is
to accept mail (but not whitelist the sender) when I get 2 emails from the
same sender in under 30 seconds. The rationale is that the second mail
might be a challenge email. So far this has resulted in some 5 spams
coming in in 3 weeks - the ONLY spam I have received. I have never
received a challenge email in response to one of my challenges.
Bottom line: if you use a challenge-response system, you
should be prepared
for a drop in LEGITIMATE correspondance along with your drop
in spam.
I have determined from the mail refusal log that only ONE legitimate email
was refused in the last 3 weeks since I implemented this, out of some 600
refusals. As you can see, I have been very careful to whitelist
legitimate correspondents, and whitelisting is almost always automatic (no
keyword necessary), because the vast majority of my correspondents contact
me first through my website contact form, with puts the sender on the
whitelist.
Again, I appreciate your views. I will investigate the incidence of
forged (stolen) return email addresses in spam. If this happens often,
I'll abandon this system. I don't want to become another spammer.
--
Regards, Lloyd
(1st email to me should contain "Standish" in message subject or body.)
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail