
Re: Challenge-response mail filters considered harmful



> From ay986@chebucto.ns.ca Wed Aug  6 23:57:48 2003
> 

Since these fellows either can't read plain English, or just don't have
any manners, I will get the discussion back on track.

Here's how a decent CR system works:

1) Your focus is on the passlist. Instead of wasting your time trying to
   fight enemies that are legion and unpredictable and always changing
   their appearance, think about which individuals and organizations or
   businesses that you WANT to receive mail from. This is a lot less work
   in the long run, and a lot more fun. 

2)  For people on the passlist, the CR program is invisible, and you don't
    use it at all yourself. If they are at an address not on your passlist
    and want to mail you, they just put that address on the subject line.
    Your sig reminds them of this every time they open a mail from you.



3) When you send the first mail to an address, that address is entered in the 
   temporary section of your passlist, and a password is included at the
   top of that mail with a note asking them to please include the line in
   any responses to the message. It looks like so:

       Please include these lines, intact, in any response. Thank You.
   -----------------------------------------------------------------
        08060310586376810586376810586376810586376810586376810586

    (it's a randomly generated number)


   The line goes in your passlist too, and any mail that has it anywhere
   in the body will go straight to your inbox. The address is included just to 
   allow for an auto-response and expires in a day. 

   Since including the original mail in any response is standard practice,
   this causes no inconvenience at all. 

    Once again, it is as if the CR program just doesn't exist.
 

4) This part is all automated (as is most of the above)

   When mail arrives from an address that isn't on your passlist and doesn't
   have a valid password in the body or on the subject line, it is sent to
   the quarantine mailbox and an auto-response is sent to the return
   address given. The auto-response asks them to paste a password
   (included in the response itself) on the subject line, and send it back.
   
   The auto-response says whatever you want beyond that. You can
   include your favorite poem if you want to...When the person receives
   the auto-response, the subject line says Re: original_subject. The
   From line shows your name and address, and the reply-to header is set
   to your address so they can just hit "Reply" and send it off.

   If the auto-response is not returned in two days, the mail and the
   password/address combo associated with it are deleted. The password
   must be used with the same address it was acquired with. If the
   password comes back from a different address, the mail and password
   are deleted.

   Expirations are handled by a cronjob. If there is no return, you never
   even see the mail. Ever. And they do not build up and consume your
   hard disk. Only the first few hundred lines are saved to avoid being
   swamped by enormous mails.



Please note that CR systems are actually grossly misnamed. They SHOULD be
called something like:

    "positive gateway/caller-id" mail programs.


Alan



-- 
      For Linux/Bash users: Eliminate spam with the Mailbox-Sentry-Program. 
         See: http://tinyurl.com/inpd  for the scripts and docs.
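The four steps described in the post above, as an added example that is not part of the original message and is not the Mailbox-Sentry-Program's own Bash scripts: a small in-memory Python simulation of the passlist, the password line placed at the top of outbound mail, the quarantine with its truncation, and the challenge that is bound to the return address and expires by cron. The class and function names, the simulated day counter, the hex-token password format and the 300-line truncation limit are assumptions; the post gives only the behaviour.

```python
"""Simulation of the challenge-response ("positive gateway") filter
described in the post. Added example, not the author's scripts."""
import secrets
from dataclasses import dataclass

CHALLENGE_DAYS = 2      # post: an unreturned auto-response expires after two days
TEMP_PASS_DAYS = 1      # post: the temporary passlist entry expires in a day
MAX_SAVED_LINES = 300   # post: "only the first few hundred lines are saved" (300 assumed)


@dataclass
class Mail:
    """Constructed stand-in for a message: only the fields the filter looks at."""
    sender: str
    subject: str
    body: str


class CRFilter:
    def __init__(self, me, day=0):
        self.me = me
        self.day = day                 # simulated clock, in days (assumption)
        self.passlist = set()          # step 1: addresses you WANT mail from
        self.temp_pass = {}            # step 3: address -> expiry day, allows their auto-reply
        self.outbound_pw = set()       # step 3: passwords put at the top of mail you sent
        self.challenges = {}           # step 4: challenge pw -> (bound sender, expiry, held mail)
        self.inbox = []
        self.outbox = []               # auto-responses this filter sent

    @staticmethod
    def new_password():
        # The post uses a long random number; a random hex token serves the same purpose.
        return secrets.token_hex(16)

    def send(self, to, subject, body):
        """Step 3: first mail to an address carries a password line and a 1-day temp entry."""
        pw = self.new_password()
        self.outbound_pw.add(pw)
        if to not in self.passlist:
            self.temp_pass[to] = self.day + TEMP_PASS_DAYS
        note = ("Please include these lines, intact, in any response. Thank You.\n"
                + "-" * 65 + "\n" + pw + "\n\n")
        return Mail(self.me, subject, note + body)

    def expire(self):
        """The cron job: drop expired temp entries and unreturned challenges, held mail included."""
        self.temp_pass = {a: d for a, d in self.temp_pass.items() if d > self.day}
        self.challenges = {pw: c for pw, c in self.challenges.items() if c[1] > self.day}

    def receive(self, mail):
        """Route one incoming mail; returns where it went: inbox, quarantine or dropped."""
        self.expire()
        # Step 2: passlisted sender, temp entry, or a passlisted address named on the subject line.
        if (mail.sender in self.passlist or mail.sender in self.temp_pass
                or any(addr in mail.subject for addr in self.passlist)):
            self.inbox.append(mail)
            return "inbox"
        # Step 3: a password from a mail you sent, anywhere in the body or subject, passes.
        if any(pw in mail.body or pw in mail.subject for pw in self.outbound_pw):
            self.inbox.append(mail)
            return "inbox"
        # Step 4: a returned challenge releases the held mail, but only from the bound address.
        for pw, (bound, _expiry, held) in list(self.challenges.items()):
            if pw in mail.subject or pw in mail.body:
                del self.challenges[pw]          # password is single-use either way
                if bound == mail.sender:
                    self.inbox.append(held)
                    return "inbox"
                return "dropped"                 # wrong address: mail and password deleted
        # Unknown sender, no password: quarantine a truncated copy and challenge the return address.
        pw = self.new_password()
        held = Mail(mail.sender, mail.subject,
                    "\n".join(mail.body.splitlines()[:MAX_SAVED_LINES]))
        self.challenges[pw] = (mail.sender, self.day + CHALLENGE_DAYS, held)
        self.outbox.append(Mail(self.me, "Re: " + mail.subject,
                                "Please paste this password on the subject line and reply: " + pw))
        return "quarantine"
```

The binding of each challenge password to the address it was issued to is the part worth noting: a spammer who harvests the password from a bounce at some other address cannot use it, and a challenge that is never answered takes the held mail with it when the cron job runs.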
     


