
Re: Challenge-response mail filters considered harmful

> From clive@clivemenzies.co.uk Tue Aug  5 17:17:05 2003
> On (05/08/03 13:17), Alan Connor wrote:
> > > From clive@clivemenzies.co.uk Tue Aug  5 12:33:25 2003
> > 
> > > As a disinterested observer (who currently has yet to get grips with
> > > filtering spam - I do it manually at present) this argument seems to be
> > > somewhat circular and repetitive .... or maybe I'm missing some subtle
> > > illumination  ... or maybe it is Monty Python ;)
> > > 
> > 
> > No. You are perfectly right. The circularity comes from the fact that there
> > are a lot of people who think they have the right to force others to read
> > any mail they choose to send them, anonymous or not.
> > 
> > So they are dead-set against CR programs. Since most of their arguments have
> > no merit at all, they are forced to continually re-phrase and re-circulate
> > them.
> > 
> > They also simply refuse to face the fact that if you are going to accept
> > anonymous mail, you are going to be vulnerable to spamming and harassment.
> > 
> > A telephone analogy is helpful:
> > 
> > They are saying that they have the right to call anyone they want, without
> > giving their phone number or permitting it to be verified. 
> > 
> > This is completely unreasonable, because the caller
> > obviously has the callee's number and has verified it by calling them with
> > it.
> > 
> > With the telephone you have Caller ID. This doesn't exist on the Internet.
> > The only reasonable equivalent is a CR program.
> > 
> > Anyone who finds pasting a short string on a mail that is otherwise complete
> > and clicking send, ONCE in a lifetime, in order to correspond with someone,
> > is not a reasonable person. Myself and many others do not WANT such people
> > to have access to their mailbox.
> In my limited acquaintance with Linux (Debian in particular) I have
> learnt there are many ways in which to solve a particular problem and
> the choice of packages or solutions is largely a matter of personal choice 
> (in my case by following much of the guidance from this list).  

Of course, and me too...

> In following this thread I deduce that for some, C-R solutions provide
> effective blocking of unwanted emails (spam, viruses or others).  It
> would however, appear too effective for some, who would prefer to
> exercise more direct control; specifically they want to be able to
> choose whether to accept mail from someone they don't know (which wouldn't
> necessarily be spam).

That doesn't make sense, if I am following you. I accept mail from EVERYONE
(as long as the headers haven't been tampered with). Strangers just have to
return the autoresponse. Hit reply, paste a short string on the subject line
and send it off. If the return address is a valid one, they will get the
response. If it's not, I don't care who it is, I won't read their mail.

As I said above, the only way to block spam and harassment is to refuse to
accept anonymous mail.

Now, and if you will read back through the thread, ignoring the huge amount
of misinformation (basically, read only my posts....) you will see that
domain addresses, tested for their path and other headers that cannot be
forged easily, belong on one's passlist, as do the addresses of anyone you'd
like to hear from. There are about a dozen names from this list on my
passlist, who have never mailed me. If they do, their mail will show up in my
inbox. You can also just list their names and/or nicknames. Or even key words
in the body of the mail. I have a bunch of those.

I know that some folks here have said that all the headers can be forged,
but they are either ignorant or lying. I have NEVER gotten spam from a
forged passlisted domain address that got past other tests based on a mail
solicited by me from that domain.

I have almost 3 dozen domains on my passlist. Most have never sent any
mail to me....But I have mailed them and gotten a response that allowed
me to write a simple filter that will dump any mail whose headers don't
reasonably conform to the pattern.

That's the thing about CR systems: You focus on what you WANT, rather than
what you don't want.

> I realise that Challenge Response provides a
> mechanism to allow the correspondent to verify their identity but can
> equally recognise that this may sometimes be inappropriate.

Once again, CR has NOTHING to do with verifying identity. It just requires
strangers to give their real address if they want to talk to you.

IF their domain or address is not already on a person's passlist.

> The PGP signature issue would seem to be tangential to the discussion
> which is really about filtering (spamassassin etc) versus C-R (MSP
> specifically).  I am sure that for some your Challenge Response program
> will be ideal but for others (and I suspect I will follow this
> approach) spam filtering is the preferred approach.  Both seem to have
> their pros and cons but like so many packages in Debian their existence
> makes the choice richer for us all.

> Thanks for the illuminating discussion ;)

Enjoyed it, Clive.

      For Linux/Bash users: Eliminate spam with the Mailbox-Sentry-Program. 
         See: http://tinyurl.com/inpd  for the scripts and docs.
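The gate the message describes (passlist first, a path test on the newest Received: header for passlisted domains, key words in the body, then the short string a stranger must paste on the subject line), written out as an added Python illustration; it is not the Mailbox-Sentry-Program's code and does not come from the post. The secret, the [CR-...] token format, the example.* addresses and the sample messages are all constructed for the example.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-secret"  # assumed: private per-mailbox secret
# Passlist: addresses accepted outright; domains accepted only when the
# newest Received: hop matches the path learned from mail solicited from
# that domain; key words that let a mail through regardless of sender.
PASSLIST_ADDRS = {"friend@example.org"}
PASSLIST_DOMAINS = {"lists.debian.org": r"^from [\w.-]+\.debian\.org\b"}
PASS_KEYWORDS = {"Mailbox-Sentry-Program"}
TOKEN_RE = re.compile(r"\[CR-([0-9a-f]{12})\]")


def make_token(sender: str) -> str:
    """Short string a stranger pastes on the subject line of the reply."""
    mac = hmac.new(SECRET, sender.lower().encode(), hashlib.sha256)
    return f"[CR-{mac.hexdigest()[:12]}]"


def classify(raw: str) -> str:
    """Return 'inbox', 'challenge' (hold and autorespond) or 'drop'."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender in PASSLIST_ADDRS:
        return "inbox"
    if domain in PASSLIST_DOMAINS:
        # Path test: a forged From: must also fake the relay path to pass.
        first_hop = (msg.get_all("Received") or [""])[0]
        if re.search(PASSLIST_DOMAINS[domain], first_hop):
            return "inbox"
        return "drop"
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(word in body for word in PASS_KEYWORDS):
        return "inbox"
    # Stranger: in only if the token issued to this sender is echoed back.
    found = TOKEN_RE.search(msg.get("Subject", ""))
    echoed = found.group(0) if found else ""
    if hmac.compare_digest(echoed, make_token(sender)):
        return "inbox"
    return "challenge"  # autoresponse would carry make_token(sender)


# Constructed sample mail (not real messages).
STRANGER = "From: new@example.net\nSubject: hello\n\nHi\n"
ECHOED = STRANGER.replace("hello", "Re: hello " + make_token("new@example.net"))
FORGED = "Received: from smtp.example.com by mx.mine\nFrom: x@lists.debian.org\nSubject: spam\n\nbuy\n"
```

A real deployment would also bounce the challenge only to addresses that actually accept mail, which is the "valid return address" step the message relies on.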