
Re: C/R (was: Re: *** bluber *** Re: Male xxxxxx enhancement formula^)



On Sun, 2005-07-17 at 03:22 -0700, Karsten M. Self wrote:
> on Mon, May 30, 2005 at 01:34:22AM -0700, Ian Greenhoe (ihgreenman@gmail.com) wrote:
> > On Mon, 2005-05-30 at 16:34 +1200, Chris Bannister wrote:
> > <snip>
> > > There has been heated debate on comp.mail.misc about C/R systems.
> > > 
> > > There is a "Fighting email spam and anti-UBE pointers" posting which is
> > > posted to comp.mail.misc, comp.answers, news.answers 2 times a month.
> > > 
> > > Excerpt:
> > > 
> > > "Challenge-Response system is based on false assumption that sender's
> > > address can be used for authentication. It cannot and thus any C-R
> > > system will contribute nothing else but amplifying the spam problem."
> > 
> > And the hidden (and unproven) assumption in this statement is that
> > spammers use real email addresses that have been validated.  I have seen
> > worms do this.  I have never seen spammers do this.
> 
> Well, given that I wrote the false assumption observation, *and* I've
> received challenges based on spoofed spam and viral mail, I'd say the
> assumption is neither hidden nor unproven.

This does not follow.  I didn't say that the C/R wouldn't send a
challenge to a faked email addy.  I said that it would prevent a bogus
email from posting.
 
> > If this (challenge-response) were to become a common system, spammers
> > might start using real email addresses.
> 
> Wrong problem.

Um.  No.  Read my other posts.

> If C-R were to become even marginally prevalent, the volume of bogus
> challenge spam would itself be a significant component of all spam.  It
> would also effectively mask all intentional C-R challenges.
> 
> The usual next step in this conversation is that the C-R advocate says
> "but my system doesn't do that!".  Sorry, you lose.  I've got no idea
> what your system is, how it works, or what it does, speaking for the
> general case of "you".  Which once again points at a weakness of C-R:
> it relies on both deterministic responses of the challenge recipient,
> and trust in a system inherently based on untrusted data and
> untrustworthy systems and users.

Yes, you are right.  Trying to make a trustworthy system out of email is
a losing battle.  We're not trying to win that battle.  Today.

With that said, I am a bit miffed, since YOU ADMIT TO NOT EVEN PAYING
ATTENTION TO WHAT I SAID.

> > Since I strongly disagree with the premise, I do not accept the
> > conclusion.  In my opinion, C/R is a viable method of combating spam --
> > but not the only one, nor should it be used alone.
> 
> No.  C-R is spam.

B******t.  It is not.  It can be misused, it can be badly programmed,
but it is not inherently, in and of itself, not spam.

> Peace.

I'd like peace as well, but I am feeling rather burnt out on this.

I gave up on this conversation a month ago, since no one ever bothered to
read or listen to what I was saying.

My proposition was simple:

A C/R directed towards people attempting to post on this list who
weren't on this list.  Nobody on this list would see the C/R.  Only
people it would be directed to would be someone who A) wasn't on the
list, and B) attempted to send mail to this list, and C) hadn't answered
a C/R previously.

Yes, there is at least one big hole.  One that nobody ever bothered
looking at.  Instead, everybody was afraid of this giant bugaboo of "Oh,
it'll increase my mail!". No, it won't, because you won't even see this
as you are already on the list.  Nobody ever bothered listening to what
I said, because that would have required that the respondent would have
had to have THOUGHT about what I was saying.

(The hole?  The spammers could fake an address that's on the list.)

*sigh*

Considering the responses I got, I have been seriously thinking about
dropping every Debian list that I'm on, with the exception of the
moderated ones.  Which is a real shame, as I'm a dev with 12 years of
*professional* experience, and a *professional* Unix/Linux sysadmin with
about the same level of experience.  I've used Debian for more than half
that time, and I work with people to get people to use it.  (Support,
local guru, etc.)

I want to give back to the community.  I really do.  I was trying to
answer when time permitted, and there wasn't a good answer already
there.   But, I feel like nobody cares, nobody actually wants to listen
-- to anybody.  That's the point at which I'm ready to check out, which
is, as I said, a real shame.  I'll probably go the direction of becoming
a dev for Debian, but that doesn't help people who are trying to get
things going on their systems.  It doesn't help with the mission of
convincing people that Debian is one of the best (if not the best) Linux
distributions out there.

Yeah, I don't matter.  That much.  I don't answer that many questions.
But ask yourself:  How many other people are ready to leave (or have
left) our mailing lists for exactly the same reasons?

[For those of you who are just tuning in, those reasons are:  A)
excessive spam, B) unwillingness to rationally consider solutions to
spam, and, lastly C) community hostility as represented by this list.]

-Ian
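
The list-only challenge rule proposed in the message above (conditions A, B and C), together with the two failure modes raised in the thread, as an added example that is not part of the original post or of any list software. The addresses, the `gate` and `evaluate` functions and the sample messages are constructed for illustration; the gate sees only the unauthenticated `From:` header.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed list state (assumptions for this example).
SUBSCRIBERS = {"alice@example.org"}
ANSWERED = {"bob@example.net"}   # non-members who answered a challenge before

def gate(raw, subscribers=SUBSCRIBERS, answered=ANSWERED):
    """Apply the proposed rule using only the unauthenticated From: header.

    Returns (action, challenge_recipient)."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
    if not sender:
        return ("hold", None)            # no address to challenge
    if sender in subscribers or sender in answered:
        return ("post", None)            # condition A or C not met: no challenge
    return ("challenge", sender)         # held until the challenge is answered

def mail(from_addr, subject):
    """Build a minimal constructed message addressed to the list."""
    return f"From: {from_addr}\nTo: list@lists.example\nSubject: {subject}\n\nbody\n"

# Constructed samples: (message, True if the From: address is forged).
SAMPLES = [
    (mail("Alice <alice@example.org>", "help with apt"), False),  # subscriber
    (mail("bob@example.net", "follow-up"), False),       # answered before
    (mail("carol@example.com", "first post"), False),    # new non-member
    (mail("victim@example.info", "spam"), True),         # forged third party
    (mail("alice@example.org", "spam"), True),           # forged subscriber
]

def evaluate(samples=SAMPLES):
    """Tally outcomes against the 'forged' label, which the gate cannot see."""
    out = {"posted_forged": 0, "backscatter": [], "legit_challenged": []}
    for raw, forged in samples:
        action, rcpt = gate(raw)
        if action == "post" and forged:
            out["posted_forged"] += 1                    # the hole named above
        elif action == "challenge":
            out["backscatter" if forged else "legit_challenged"].append(rcpt)
    return out
```

With these samples, subscribers never receive a challenge, the forged third-party address receives one it never asked for, and the message forged from a subscriber's address is posted. Closing the last case needs a check that does not rely on `From:` alone.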



