[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: TMDA and other challenge-response systems considered harmful

Adam Aube wrote:
Paul Johnson wrote:

Now for anybody else considering challenge-response email systems,
this is why they're considered harmful.

How are they any more harmful than autoresponders or list subscription
confirmations (like those used by the Debian lists)?


Subscription Confirmations make sense because they help the mailing list provide an automated confirmation of the email for reasons already discussed. More importantly, they are often times the direct and somewhat expected result of your actions in attempting reach a specific group.

In that light, Challenge Response (CR) are a very rude surprise no matter how well you attempt to phrase it. The most damning thing about them can be shown by this current email. I'm sending it to you personally. I've never contacted you in the past, but we know each other through association (debian-users). But if you have a CR system in place, you will still reject my email and I will simply not bother to fiddle around with the process. I am answering a question you asked and to create an entry barrier is simply not going to be tolerated.

They are also a pain in the neck when you get a CR sent to a mailing list.

But most importantly, and this is from personal experience here, they are not very useful. I played with a CR mechanism for a few months on my own mail server and found that I was severely defeated by one simple mechanism. The spammers would fire off their mail and auto-respond to my CR. That created an entirely automated system to whitelist their spam into my server.

The result was that there was a growing number of senders who gained access through my CR system and then bombed the hell out of my servers with 100's to 1,000's of emails per day. Once discovered, they started spawning "valid" email accounts against my system at a fantastic rate.

All of this cause my CR system to become worthless and only served to confirm the address and effectively whitelist their spam.

Reply to: