Re: Challenge-response mail filters considered harmful
> From firstname.lastname@example.org Wed Aug 6 23:57:48 2003
Since these fellows either can't read plain English, or just don't have
any manners, I will get the discussion back on track.
Here's how a decent CR system works:
1) Your focus is on the passlist. Instead of wasting your time trying to
fight enemies that are legion and unpredictable and always changing
their appearance, think about which individuals and organizations or
businesses that you WANT to receive mail from. This is a lot less work
in the long run, and a lot more fun.
2) For people on the passlist, the CR program is invisible, and you don't
use it at all yourself. If they are at an address not on your passlist
and want to mail you, they just put that address on the subject line.
Your sig reminds them of this every time they open a mail from you.
3) When you send the first mail to an address, that address is entered in the
temporary section of your passlist, and a password is included at the
top of that mail with a note asking them to please include the line in
any responses to the message. It looks like so:
Please include these lines, intact, in any response. Thank You.
(it's a randomly generated number)
The line goes in your passlist too, and any mail that has it anywhere
in the body will go straight to your inbox. The address is included just to
allow for an auto-response and expires in a day.
Since including the original mail in any response is standard practice,
this causes no inconvenience at all.
Once again, it is as if the CR program just doesn't exist.
4) This part is all automated (as is most of the above).
When mail arrives from an address that isn't on your passlist and doesn't
have a valid password in the body or on the subject line, it is sent to
the quarantine mailbox and an auto-response is sent to the return
address given. The auto-response asks them to paste a password
(included in the response itself) on the subject line, and send it back.
The auto-response says whatever you want beyond that. You can
include your favorite poem if you want to...When the person receives
the auto-response, the subject line says Re: original_subject. The
From line shows your name and address, and the reply-to header is set
to your address so they can just hit "Reply" and send it off.
If the auto-response is not returned in two days, the mail and the
password/address combo associated with it are deleted. The password
must be used with the same address it was acquired with. If the
password comes back from a different address, the mail and password
Expirations are handled by a cronjob. If there is no return, you never
even see the mail. Ever. And they do not build up and consume your
hard disk. Only the first few hundred lines are saved to avoid being
swamped by enormous mails.
Please note that CR systems are actually grossly misnamed. They SHOULD be
called something like:
"positive gateway/caller-id" mail programs.
For Linux/Bash users: Eliminate spam with the Mailbox-Sentry-Program.
See: http://tinyurl.com/inpd for the scripts and docs.
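The passlist-first flow described in the post (temporary passlisting of first-contact addresses, a password line prepended to outgoing mail, quarantine plus auto-response for unknown senders, passwords bound to the address they were issued to, and cron-style expiry after one or two days), written out as a small Python simulation. This is an added illustration, not the Mailbox-Sentry-Program's own scripts; the `CRFilter` class, its attribute names, the 300-line keep limit and the rule that an answered challenge passlists the sender are all assumptions made here.

```python
import secrets

DAY = 86_400        # seconds
KEEP_LINES = 300    # only the first few hundred lines of a held mail are stored (assumed limit)

class CRFilter:
    def __init__(self, passlist, my_addr="me@example.org"):
        self.passlist = set(passlist)   # addresses you WANT mail from (permanent section)
        self.temp_addrs = {}            # addr -> expiry: first-contact addresses, good for a day
        self.pass_tokens = set()        # password lines handed out at the top of outgoing mail
        self.challenges = {}            # password -> (sender, expiry, held mail lines)
        self.outbox = []                # auto-responses the filter would send
        self.released = []              # held mail delivered after a successful challenge
        self.my_addr = my_addr

    def _expire(self, now):
        """The cron job: drop day-old temp addresses and two-day-old unanswered challenges."""
        self.temp_addrs = {a: t for a, t in self.temp_addrs.items() if t > now}
        self.challenges = {p: c for p, c in self.challenges.items() if c[1] > now}

    def outgoing(self, to_addr, now):
        """First mail to an address: temp-passlist it and return the password lines to prepend."""
        token = secrets.token_hex(8)
        self.temp_addrs[to_addr] = now + DAY
        self.pass_tokens.add(token)
        return f"Please include these lines, intact, in any response. Thank You.\n{token}\n"

    def incoming(self, sender, subject, body, now):
        """Classify one arriving mail: 'inbox', 'quarantine' or 'dropped'."""
        self._expire(now)
        if sender in self.passlist or sender in self.temp_addrs:
            return "inbox"
        if any(tok in body for tok in self.pass_tokens):
            return "inbox"                    # quoted our password line: a reply to our own mail
        text = subject + "\n" + body
        for pw in list(self.challenges):
            if pw in text:
                addr, _, held = self.challenges.pop(pw)
                if addr != sender:            # password must come back from the address it went to
                    return "dropped"          # mail and password are both discarded
                self.released.append(held)
                self.passlist.add(sender)     # assumption: an answered challenge passlists the sender
                return "inbox"
        pw = secrets.token_hex(8)             # unknown sender: hold the mail and challenge them
        self.challenges[pw] = (sender, now + 2 * DAY, body.splitlines()[:KEEP_LINES])
        self.outbox.append({"to": sender, "from": self.my_addr, "reply_to": self.my_addr,
                            "subject": "Re: " + subject,
                            "body": f"Please paste {pw} on the subject line and send this back."})
        return "quarantine"
```

Timestamps are plain seconds passed in by the caller so the expiry behaviour can be exercised without waiting a day.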