Re: tmda: Challenge-response is fundamentally broken (RAPNAP)
On Sat, 2003-09-06 at 08:32, Russell Coker wrote:
> Here's how it works. Spammer creates account firstname.lastname@example.org and sends
> their first spam to a C-R system, when the challenge comes in they
> acknowledge it and from then on the C-R system does not bother them because
> they keep using the same small range of IP addresses. Hotmail cancels their
> account pretty quickly, but as the C-R system does not send any changes
> unless they change their IP address (and they don't change their IP address
> to avoid C-R systems) then it's not a problem for them.

Spammer pays the pay2send infrastructure ten thousand dollars in
advance to send from the return address email@example.com, and
all participating mail gateways bill out of the payment made in advance,
and when the ten thousand runs out, the mail from firstname.lastname@example.org
is no longer relayed.

The C-R system prevents someone who is not using spammer's IP address
from forging email@example.com as a return address and stealing part
of spammer's postage budget.

Don't hate spammers, figure out a way to bill them. They are in
business, they pay for things, they expect to be billed. Everyone
who has considered sender-pays agrees that it provides a better solution