Re: TMDA and other challenge-response systems considered harmful

richard lyons <richard@the-place.net> said on Tue, 1 Jun 2004 12:36:59 -0400:
> On Tuesday 01 June 2004 08:29, Tom Allison wrote:
> > They are also a pain in the neck when you get a CR sent to a
> > mailing list.
> > But most importantly, and this is from personal experience here,
> > they are not very useful.  I played with a CR mechanism for a few
> > months on my own mail server and found that I was severely defeated
> > by one simple mechanism.  The spammers would fire off their mail
> > and auto-respond to my CR.  That created an entirely automated
> > system to whitelist their spam into my server.
> Wow, what nice spammers you meet: give you real addresses.  Mine all 
> use fake sending addresses, so would never receive any challenge I 
> sent. 

If challenge response ever becomes ubiquitous, then spammers will
trivially be able to verify the responses without providing their own
email address. They will simply do what they currently do - open up
millions of backdoors on cracked computers, go through the address
books to look for email addresses, then send using a From: of the
current computer. An MTA running via the backdoor will pick up any CR
attempts, respond to them, and voila, send spam to a verified email

