Re: tmda: Challenge-response is fundamentally broken (RAPNAP)
On Sat, 6 Sep 2003 06:56, david nicol wrote:
> > > Unlike TMDA's distributed profusion of extended addresses, a
> > > central RAPNAP (return address, peer network address pair) database
> > > only needs to send out a challenge when you change your outgoing
> > > SMTP server. In effect, a central server caches challenge responses,
> > > so individual challenges are no required all the time.
> > Interesting idea. A spammer then only has to respond to a challenge once
> > and they can then spam thousands of people.
> But only from an account which is really theirs.
> RAPNAP provides a working minimal verification on
> the return address for sender-pays systems. Sure you can forge
> an e-mail with my return address, but you can't forge an e-mail
> with both my return address and the peer network address of the
> machine I generally send e-mail through, from your connection in
Here's how it works. Spammer creates account firstname.lastname@example.org and sends
their first spam to a C-R system; when the challenge comes in they
acknowledge it, and from then on the C-R system does not bother them because
they keep using the same small range of IP addresses. Hotmail cancels their
account pretty quickly, but as the C-R system does not send any challenges
unless they change their IP address (and they don't change their IP address
to avoid C-R systems) it's not a problem for them.
> > For challenge response to work it has to be annoying to lots of people.
> > Anything that stops it being annoying will stop it working. That's why
> > it is broken.
> Challenge-response, BY ITSELF ONLY, suffers from that problem. When
> combined with other methods, CR is useful, and is _less annoying_
> then alternatives, such as requiring all correspondents to install PGP
> for instance.
DNSBLs and SpamAssassin seem quite good at dealing with spam and are much less
annoying. That combined with some new laws that are being enacted to combat
spam should keep it to a manageable level.
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
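The exchange argued about above, as an added example that is not part of the thread and not code from TMDA or any RAPNAP implementation: a minimal RAPNAP-style cache keyed on (return address, sender network) rather than on individual messages, with a scenario that walks through the bypass Russell describes. The class name, the /24 grouping of peer addresses, the token format and all addresses and IPs are assumptions constructed for the illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class Rapnap:
    """Illustrative RAPNAP-style verification cache (assumed design, not a real product).

    A challenge is issued only the first time a return address is seen from a
    given sender network; once the challenge is answered, every later message
    from that (address, network) pair is accepted without another challenge.
    """
    prefix_len: int = 24                     # assumption: peers grouped per /24
    verified: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # outstanding token -> pair

    def _pair(self, return_addr, peer_ip):
        net = ipaddress.ip_network(f"{peer_ip}/{self.prefix_len}", strict=False)
        return (return_addr.lower(), str(net))

    def receive(self, return_addr, peer_ip):
        """Decide on an incoming message: ("accept", None) or ("challenge", token)."""
        pair = self._pair(return_addr, peer_ip)
        if pair in self.verified:
            return ("accept", None)
        token = secrets.token_hex(8)         # unguessable one-time challenge id
        self.pending[token] = pair
        return ("challenge", token)

    def respond(self, token):
        """Handle a challenge reply; each token is usable exactly once."""
        pair = self.pending.pop(token, None)
        if pair is None:
            return False
        self.verified.add(pair)
        return True


def run_scenario():
    """Replay the spammer scenario from the thread on constructed data."""
    db = Rapnap()
    sender = "spammer@example.org"           # constructed: a throwaway account
    usual_smtp = "203.0.113.5"               # constructed: the account's usual outgoing server

    # 1. First spam: the pair is unknown, so a challenge goes out.
    first, token = db.receive(sender, usual_smtp)

    # 2. The spammer really controls the account and answers the challenge once.
    answered = db.respond(token)

    # 3. Every later message from the same small IP range is accepted silently,
    #    even after the provider has cancelled the account: the cache never learns that.
    later = [db.receive(sender, f"203.0.113.{i}")[0] for i in range(10, 20)]

    # 4. Only a move to a different network triggers a fresh challenge.
    moved, _ = db.receive(sender, "198.51.100.9")

    # 5. A second use of the already-consumed token is rejected.
    replay = db.respond(token)

    return {"first": first, "answered": answered, "later": later,
            "moved": moved, "replay": replay}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the scenario makes concrete is that the cache's cost saving and its weakness are the same property: verification attaches to an (address, network) pair, so a sender who controls the account at the moment of the challenge keeps the verified status for as long as the outgoing network stays the same.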