Re: Challenge-response mail filters considered harmful
>
> Earlier, someone said that I was wrong because so many people disagreed
> with me.
>
> That's a foolish statement, and I should have called him on it at the
> time.
>
> Facts are facts, and the fact is that traditional spam-blocking strategies
> don't work, and CR programs do.
>
Interesting comment.
I worked on my own Challenge Response process for a year and guess what?
It doesn't work.
Here's why:
Many people who would respond did not have a In-Reference-To tagline in
their HEADER --or-- they managed to delete any referenced keys in the
subject/body. They were never actually confirmed. Now you have
blacklisted valid customers and are loosing business.
Many spammers are using bots to auto-reply to these CR's with perfect
HEADER/BODY contructs, allowing them to instantly access your address and
you get spammed without failure or hesistations.
Even BOUNCE messages are not consistent enough between servers to be able
to use that information as a means of managing these access lists.
In the end I decided to knock off all the challenge-response precesses and
set up a more reasonable process:
Make all the RFC rules apply.
Impliment reverse DNS lookup.
SIMPLE RBL's work. The more aggresive one's are for shit.
spamassassin is your friend.
bogofilter rocks.
Out of 150 spams per day, 3 get accepted by the email server and only 1
every month actually ends up someplace other than my spam-file.
Under the CR process, my statistics were worse than this and I was
knocking out valid accounts in the process. My RFC rules do manage to
clobber a few mail valid servers, but they are typically open to
correction and are now accessable.
Challenge Response is not a valid option in the long run.
Reply to: