Also sprach David Fokkema (Sun 03 Aug 02003 at 08:26:11AM +0200): > On Sun, Aug 03, 2003 at 04:31:10AM +0100, Karsten M. Self wrote: > > on Sat, Aug 02, 2003 at 01:00:53PM -0400, Travis Crump (pretzalz@techhouse.org) wrote: > > > Steve Lamb wrote: > > > > What's worse is that so far noone's told me how two people using C-R > > > > ever > > > >*start* communicating. Person 1 mails person 2. Person 2's C-R sends off > > > >a > > > >challenge to Person 1. Person 1's C-R sends off a challenge to Person 2. > > > >Repeat. > > > > > > I think the theory is that Person 1 automatically whitelists person 2 > > > when he sends him an email. Not that I really see how this helps when > > > person 1 sends email from computer X and receives email on computer Y. > > > Apparently these people only ever use one computer. > > > > Still wrong. > > > > A sends a message to B. A autowhitelists B. > > > > A _receives a challenge not from B, but from B's C-R system. Since B's > > C-R system isn't known, A's C-R system sends a challenge in response. > > > > Rinse, wash, repeat. > > No, please, Karsten. Whatever your thoughts on C-R might be, its > proponents are not _stupid_. Don't you think such a simple situation > would've been thought of? > > A sends message to B. A autowhitelists B. > > A receives challenge from B's C-R system which originates (of course) > from B's e-mail address. Isn't that a shaky assumption? I use eight (8) different email addresses; but, *all* incoming email is grabbed by one (1) fetchmail, processed by one (1) procmail, and inserted into one (1) maildir hierarchy. Yes, I use mutt to automate that email address used, depending on recipient; but, how do you -- or, more properly, your c-r system -- know which email address that I will use for my own c-r challenge? > A's C-R system recognizes B (and thus B's C-R) and dumps the challenge > in A's mailbox. What am I missing? I thought that the *ONLY* way for A to receive email from B is for B to respond to A's challenge with the proper password !?!? Perhaps, c-r is akin to ai, and B's challenge auto-magically includes A's proper password in B's initial challenge? How convenient . . . > A responds to the challenge and the link is set up. As I understand this, A will never see B's challenge -- lacking, obviously, that proper password -- even if B's challenge originates with that initial email address. In my case, there is a 12.5% chance that B's challenge will be from that initial email address ;< Furthermore, if you are right, and the link is setup at this point, then clearly, the password is ubiquitous, and any spammer need only respond by whatever means, and you've delayed receiving your plate of spam, but eat it you must. Frankly, I am not interested in telling spammers that my email address is legitimate. In fact, I much prefer forwarding spam to proper authorities, and ignoring the spammer directly. Do you think that spammers want to know email addresses that will respond to them? What else do you think? -- Best Regards, mds mds resource 877.596.8237 - Dare to fix things before they break . . . - Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . --
Attachment:
pgpe9qNsa62_T.pgp
Description: PGP signature