
C/R (was: Re: *** bluber *** Re: Male xxxxxx enhancement formula^)



on Mon, May 30, 2005 at 01:34:22AM -0700, Ian Greenhoe (ihgreenman@gmail.com) wrote:
> On Mon, 2005-05-30 at 16:34 +1200, Chris Bannister wrote:
> <snip>
> > There has been heated debate on comp.mail.misc about C/R systems.
> > 
> > There is a "Fighting email spam and anti-UBE pointers" posting which is
> > posted to comp.mail.misc, comp.answers, news.answers 2 times a month.
> > 
> > Excerpt:
> > 
> > "Challenge-Response system is based on false assumption that sender's
> > address can be used for authentication. It cannot and thus any C-R
> > system will contribute nothing else by amplifying the spam problem."
> 
> And the hidden (and unproven) assumption in this statement is that
> spammers use real email addresses that have been validated.  I have seen
> worms do this.  I have never seen spammers do this.

Well, given that I wrote the false assumption observation, *and* I've
received challenges based on spoofed spam and viral mail, I'd say the
assumption is neither hidden nor unproven.
 
> If this (challenge-response) were to become a common system, spammers
> might start using real email addresses.

Wrong problem.

If C-R were to become even marginally prevalent, the volume of bogus
challenge spam would itself be a significant component of all spam.  It
would also effectively mask all intentional C-R challenges.

The usual next step in this conversation is that the C-R advocate says
"but my system doesn't do that!".  Sorry, you lose.  I've got no idea
what your system is, how it works, or what it does, speaking for the
general case of "you".  Which once again points at a weakness of C-R:
it relies on both deterministic responses of the challenge recipient,
and trust in a system inherently based on untrusted data and
untrustworthy systems and users.

> But since it isn't, they don't.

Actually, if you budget out $20/day (markedly higher than the median
Nigerian daily wage), a 3-4 messages per minute response rate, and a
very modest spam-response conversion rate on spam, manually responding
to spam challenges does become economical.  Never underestimate the
economics of third world wages.



> Since I strongly disagree with the premise, I do not accept the
> conclusion.  In my opinion, C/R is a viable method of combating spam --
> but not the only one, nor should it be used alone.

No.  C-R is spam.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Where were you last night?
    That's so long ago, I don't remember.
    Will I see you tonight?
    I never make plans that far ahead.
    - Casablanca
