
Re: Look at these update from M$ Corporation.



On Sun, Aug 03, 2003 at 01:45:54AM -0500, Michael D. Schleif wrote:
> Also sprach David Fokkema (Sun 03 Aug 02003 at 08:26:11AM +0200):
> > A receives challenge from B's C-R system which originates (of course)
> > from B's e-mail address.
> 
> Isn't that a shaky assumption?  I use eight (8) different email
> addresses; but, *all* incoming email is grabbed by one (1) fetchmail,
> processed by one (1) procmail, and inserted into one (1) maildir
> hierarchy.  Yes, I use mutt to automate that email address used,
> depending on recipient; but, how do you -- or, more properly, your c-r
> system -- know which email address that I will use for my own c-r
> challenge?

Even if you have one fetchmail running six mail addresses, there's still
the To: header... So, A sends B1 a mail, B1 is auto-whitelisted,
B{1,2,3,4,5,6} is gotten by B's fetchmail and B's C-R sends a challenge
according to the To: header. In this case, the challenge comes from B1.

> > A's C-R system recognizes B (and thus B's C-R) and dumps the challenge
> > in A's mailbox.
> 
> What am I missing?  I thought that the *ONLY* way for A to receive email
> from B is for B to respond to A's challenge with the proper password
> !?!?

No. Either B has to respond to a challenge (password or the like) or B
has to be whitelisted. If B is whitelisted, he will not get a challenge.
Never. Since A sends B1 a mail, B1 is whitelisted. Indeed, B2 is not,
and would receive a challenge.

> Perhaps, c-r is akin to ai, and B's challenge auto-magically includes A's
> proper password in B's initial challenge?  How convenient . . .

If we had AI that good, it would probably read through our mails and
perform the function of a filter just as well as (or better than) we
would've done it. C-R is only functional as long as filters aren't perfect, IMHO.

> > A responds to the challenge and the link is set up.
> 
> As I understand this, A will never see B's challenge -- lacking,
> obviously, that proper password -- even if B's challenge originates with
> that initial email address.  In my case, there is a 12.5% chance that
> B's challenge will be from that initial email address ;<
> 
> Furthermore, if you are right, and the link is setup at this point, then
> clearly, the password is ubiquitous, and any spammer need only respond
> by whatever means, and you've delayed receiving your plate of spam, but
> eat it you must.

The password is supplied only once. B is whitelisted, so will never get
a challenge again. Any spammer who uses B as its From: address will
walk right through your door, I guess... However, I have _never_ gotten
any spam from a person I knew. But, of course, I only get a few spam a
day, not tens or more.

> Frankly, I am not interested in telling spammers that my email address
> is legitimate.  In fact, I much prefer forwarding spam to proper
> authorities, and ignoring the spammer directly.  Do you think that
> spammers want to know email addresses that will respond to them?

I think they do. There is a lot of HTML spam floating around which
contains links to pictures in the form href
server/3030404ajsj4jsa09303-4j3l3022asjs342j3.gif. The usefulness and
meaning of this particular number is left as an exercise to the reader,
;-)

> What else do you think?

I think that C-R systems really work, except for the irritation and
agitation they can cause. C-R systems are designed to work in both an
internet with almost no C-R systems and an internet with almost
everyone using C-R. Links can be set up between C-R systems. However, if a
spammer uses an address that you have whitelisted, it won't work. It
might be possible that this is more rare than SA getting a false
negative.

The only disadvantage I see of C-R is that some people refuse to reply
to a challenge.

David
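
The whitelist behaviour described in the message above, as an added Python sketch that is not part of the original post. The class names and the example.org addresses are constructed for illustration; it models auto-whitelisting on send, challenges sent from the To: address, and the fact that only the From: header is checked.

```python
# Toy model of the C-R flow in this thread; all names and addresses are constructed.
class CRUser:
    def __init__(self, net, *addresses):
        self.net, self.whitelist, self.inbox, self.held = net, set(), [], {}
        for addr in addresses:            # one mailbox may serve several addresses
            net.users[addr] = self

    def send(self, frm, to, body):
        self.whitelist.add(to)            # writing to someone auto-whitelists them
        return self.net.deliver(frm, to, body)

    def receive(self, frm, to, body):
        if frm in self.whitelist:         # only the From: header is consulted
            self.inbox.append((frm, to, body))
            return "delivered"
        self.held.setdefault(frm, []).append((frm, to, body))
        self.net.deliver(to, frm, "CHALLENGE")   # challenge comes from the To: address
        return "challenged"

    def confirm(self, sender):            # sender answered our challenge
        self.whitelist.add(sender)
        self.inbox.extend(self.held.pop(sender, []))

class Net:
    def __init__(self):
        self.users = {}                   # address -> CRUser
    def deliver(self, frm, to, body):
        return self.users[to].receive(frm, to, body)

def demo():
    net = Net()
    A, B1, B2 = "a@example.org", "b1@example.org", "b2@example.org"
    a, b = CRUser(net, A), CRUser(net, B1, B2)
    out = {}
    out["a_to_b1"] = a.send(A, B1, "hello")          # B challenges A, from B1
    out["a_sees_challenge"] = (B1, A, "CHALLENGE") in a.inbox
    b.confirm(A)                                      # A replies to the challenge
    out["b_has_hello"] = (A, B1, "hello") in b.inbox
    out["b2_to_a"] = b.send(B2, A, "hi from B2")     # B2 is not on A's whitelist
    out["forged_b1"] = net.deliver(B1, A, "not really from B")  # From: is unauthenticated
    return out

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, "->", result)
```

The last step is the weakness the message concedes: a whitelist keyed on an unauthenticated From: header admits anything that claims a whitelisted address.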


