
Re: What would happen to Challenge/Response if ...



on Wed, Oct 22, 2003 at 09:42:31PM -0600, Paul E Condon (pecondon@peakpeak.com) wrote:
> I've been looking at a lot of options for dealing with Swen
> and the next Sobig, soon to arrive. In the discussions here,
> I learned that some people use tmda as a part of their spam
> defense, and looking into it I soon learned that
> 
> TMDA == C/R

Not strictly true, though this is what most people seem to use TMDA for.
There is actually some useful process tracking which can be achieved
through the tagged delivery aspects of TMDA -- TMDA involves _both_
setting up special-use accounts _and_ filters for automated handling of
responses to same.  C-R is actually only one of several functions
supported.

> I had already heard that C/R is a bad thing, but I hadn't
> really read much about what it really is. 

I suppose you've looked at the references Steve's pointed out.

> So I read.  And as I read, I thought... You can object to it because
> it puts messages in your mailbox that are themselves spam, when you
> did nothing wrong, and that is at best annoying.  Or, you can object
> to it because it is bad as a matter of public policy. Or, perhaps
> both. And then I thought if it annoys you, why don't you configure
> your MTA to autoreply to the request for confirmation? It seems to me
> that it would be easily recognized by an appropriate filter. Then your
> reply would authorize the sender of the challenge to look at the
> spam/swen that is already on his computer. (It annoys you that he
> wants you to authorize him to do something that you care nothing
> about? But by giving him that, he is gone.)  You would never see the
> transaction. You should filter the acknowledgement email that he also
> sends when he receives your response. For it, you simply send to
> /dev/null. There will be no more followup challenges, because you have
> responded. You should be careful to not include the body of the
> challenge message in your response. That would really add clutter to
> the internet. Instead, craft your response to be as terse as possible.
>
> What is the downside of doing this? Am I crazy?

First:

  - Any autoresponder is an invitation to abuse from the Internet.
    Spoofed C-R challenges sent to your system could be used to DoS or
    DDoS a targeted account.

  - I'd craft any such system to only respond to spoofed challenges.
    Stuff you know you didn't send.  Which sort of perverts the whole
    response angle of C-R.  I currently do this manually, and the volume
    is low enough it's not much of a hassle.

  - Don't reply to valid challenges.  Only encourages the bastards.

> I don't need it, because I've never been challenged. I'm just thinking
> ahead.

Better:  just drop the challenges on the floor.  That's my style.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Moderator, Free Software Law Discussion mailing list:
     http://lists.alt.org/mailman/listinfo/fsl-discuss/
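As an added example, not from anyone in this thread, here is one way to implement the check behind the first two points above: recognise an incoming C/R challenge and tell one that refers to mail you actually sent from a spoofed one. The confirmation phrases, addresses and Message-IDs are constructed assumptions, and the script only classifies mail; it never autoreplies.

```python
import email
import re
from email import policy

# Constructed sample of Message-IDs this host really sent; in practice this
# set would be fed from the outbound MTA log.
SENT_IDS = {"<20031022.001@mail.example.net>"}

# Assumed phrases marking a C/R confirmation request (a heuristic, not any
# specific TMDA format).
CHALLENGE_MARKERS = ("please confirm", "confirmation request",
                     "confirm your message")

def is_challenge(msg):
    subj = (msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    return any(m in subj or m in text for m in CHALLENGE_MARKERS)

def referenced_ids(msg):
    # Collect every <...> token from In-Reply-To and References.
    ids = set()
    for hdr in ("In-Reply-To", "References"):
        for value in msg.get_all(hdr, []):
            ids.update(re.findall(r"<[^<>\s]+>", value))
    return ids

def classify(raw, sent_ids=SENT_IDS):
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_challenge(msg):
        return "deliver"
    if referenced_ids(msg) & sent_ids:
        return "drop-valid"    # challenge for mail we did send: drop on the floor
    return "drop-spoofed"      # challenge for mail we never sent: log it, never autoreply

# Constructed samples: a valid challenge, a spoofed one, and ordinary mail.
VALID = """From: confirm@example.org
To: me@mail.example.net
Subject: Confirmation request
In-Reply-To: <20031022.001@mail.example.net>

Please confirm your message.
"""
SPOOFED = VALID.replace("<20031022.001@mail.example.net>", "<forged-id@other.example>")
NORMAL = "From: a@example.org\nTo: me@mail.example.net\nSubject: lunch\n\nNoon?\n"

if __name__ == "__main__":
    for name, raw in (("valid", VALID), ("spoofed", SPOOFED), ("normal", NORMAL)):
        print(name, classify(raw))
```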
