[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Challenge-response mail filters considered harmful

On Tue, Aug 05, 2003 at 05:43:58PM -0700, Alan Connor wrote:
> > From clive@clivemenzies.co.uk Tue Aug  5 17:17:05 2003
> > On (05/08/03 13:17), Alan Connor wrote:
> > > > From clive@clivemenzies.co.uk Tue Aug  5 12:33:25 2003

> >>Anyone who finds pasting a short string on a mail that is otherwise complete
> >>and clicking send , ONCE in a lifetime, in order to correspond with someone,
> >>is not a reasonable person. Myself and many others do not WANT such people
> >>to have access to their mailbox.

Correction: Once per e-mail address, per C-R user they wish to initiate
contact with. This is a very different animal from "once in a

> > In my limited acquaintance with Linux (Debian in particular) I have
> > learnt there are many ways in which to solve a particular problem and
> > the choice of packages or solutions is largely a matter of personal choice 
> > (in my case by following much of the guidance from this list).  
> Of course, and me too...

Interesting.  How is it you reconcile agreeing with "there are many
ways in which to solve a particular problem" with your repeated (and
unsupported) bald assertion that C-R systems are "the only way to block

> > choose whether to accept mail from someone they don't know (which wouldn't
> > necessarily be spam).
> That doesn't make sense, if I am following you. I accept mail from EVERYONE
> (as long as the headers haven't been tampered with). 

Never mind the fact that *your own mail* would fail this test, oh you 
of the ever-shifting return address.
And yet you feel qualified to get up on your soapbox and tell everyone
that your way to manage e-mail is the only way.
Curiouser and curiouser.

> Strangers just have to
> return the autoresponse. Hit reply, paste a short string on the subject line
> and send it off. If the return address is a valid one, they will get the
> response. If it's not, I don't care who it is, I won't read their mail.

And, as has been pointed out many times already, receiving the
autoresponse and actually replying to it are two very different things.
There are valid correspondents out there who will take your implication
that they are guilty of being a spammer until proven otherwise as an
insult, and not bother replying.
This is a risk that *most* *reasonable* people will avoid taking if
there are other alternatives.

> As I said above, the only way to block spam and harassment is to refuse to
> accept anonymous mail.

You do, indeed, continue to baldly assert this. Clearly, by "refuse to
accept anonymous mail", you are once again saying that C-R is the only
I continue to wonder whether this position is actually based on
anything.  Several people have produced statistical evidence that
filtering can be as effective as one false negative in many thousands
of processed messages, with zero false positives in many months of
testing.  All of this, using an "autolearning" feature so that the
filters keep themselves updated with little or no user-intervention.
Your response to such evidence seems to be always to either claim
"misinformation" (without providing any information to counter it, of
course) or just go start another thread.

I asked you before, and I ask again: is your commitment to C-R (and
'pure' C-R at that) a religious position, or do you have some kind of
actual reason for it?

> Now, and if you will read back through the thread, ignoring the huge amount
> of misinformation (basically, read only my  posts....) 

Heaven forbid anyone might actually read the other side of the
That might lead to people making their *own* decisions. Maybe even
*informed* decisions.
This is, of course, entirely out of the question: 
All must simply accept the dogma that C-R is the One True Way.

> I know that some folks here have said that all the headers can be forged,
> but they are either ignorant or lying.

This is another point that you keep baldly asserting, but with no
references to back it up. Personally, I neither know nor care how easy
or hard it is to forge Recieved: lines.
I *do* know that it has been mentioned on this list that *your* C-R
system tests on the From: header, which is laughably easy to spoof.
In fact, *your own* mail consistently comes from invalid From:
addresses, which means that you would fail your own test.
And yet you have enough confidence in your expertise to go around
preaching the One True Way of handling e-mail.
That's just funny.

> That's the thing about CR systems: You focus on what you WANT, rather than
> what you don't want.

I don't remember who it was from this group who dubbed your system
"hermitware", but it's terribly apt.
Think on this a moment:  If everyone was using your system, between
your MSP and your consistently broken From: headers -- nobody would
be able to receive e-mail from anybody. 
Way to go.

> It just requires
> strangers to give their real address if they want to talk to you.

Ah, no.  This is simply not true.
It requires anyone not already on your passlist to read a message that
says, in essence "I presume you to be a spammer until you demonstrate
otherwise", cut and paste your little password, and re-send their
Once per e-mail address, per C-R user they want to contact.
Which is an inconvenience you don't demand of them if you use
filtering.  Which works, by the way.

PS to general list members reading this:
I keep hoping that there's an actual conversation going on here, though
I get the nagging feeling that maybe I'm just feeding a troll...
I promise not to post any more on the topic unless Alan actually says
something that's both new and relevant (and thus deserves response).

Hehe!  Look down. The signature was randomly selected from a long list
by the program 'signify'.
>   -ScruLoose-   |     If I had a dog as daft as you, I'd shoot him.     <
>  Please do not  |                   - Scottish Proverb                  <
> reply off-list. |                                                       <

Attachment: pgpiID9uHvN8Y.pgp
Description: PGP signature

Reply to: