RE: "Antispam UOL" spam from petsupermarket@uol.com.br?
> From: loos [mailto:loos@qt1.iq.usp.br]
> Sent: Friday, November 18, 2005 8:25 PM
<...>
> Unfortunately, most of their clients are very happy with this
> system: It is very effective for SPAM protection.
>
> In fact for non-list mail it is really a good idea: all you
> correspondents have to respond the challenge one and only one time,
> all subsequent mail is unchallenged.
C/R systems are fundamentally broken as spam protection for the
following simple reason: virtually all spam uses a forged return-path.
The challenge message you send to a purported sender is itself spam, as
that party never sent you a message and your challenge is unsolicited.
In the absence of a means of return-path authentication, sending
challenges to forged address is no different from anti-virus systems
that send "virus notifications" to people who never sent them mail.
This type of email abuse is collectively referred to as backscatter.
SpamCop, for instance, treats backscatter exactly the same as spam and
will list abusers for it. I completely agree with them. Many mail
system maintainers feel the same way and will put MTA's that emit
backscatter on local blacklists.
While it might appear to the users of the C/R system that it is good
because it reduces their spam load, they are probably unaware that their
backscatter is part of the growing spam problem. All they're doing is
shifting the burden to innocent third parties, and that kind of abuse
deserves getting your MTA's blacklisted. While it's unreasonable to
expect the average user to understand this, the ISP _certainly_ should
understand this since they have to deal with everyone else's
backscatter. They know how _exactly_ much it costs the recipients and
they don't care because it is helping them. Knowingly abusing third
parties in order to reduce your own costs is clearly abuse, and they
deserve whatever each receiving system operator dishes out to them.
>
> You just can't use this account for list subscriptions.
And you shouldn't turn on C/R at all, unless you don't care if you abuse
innocent third parties whose addresses spammers decide to forge.
>
> Besides that they are one of the largest and most popular ISP here.
And that makes a difference because ... ? Microsoft if very popular,
yet they produce mostly crap. Popularity does not make something
reasonable. I think it might help get the problem solved if more large
organizations just put a block on their whole ASN. If that doesn't get
their attention, then I don't want their mail anyway.
Losing a large part of their email connectivity might be the event
necessary to encourage a competitor with more clue to come along and eat
their lunch. That's a win-win situation for former UOL users as well as
former victims of UOL abuse. Of course, UOL gets a well-deserved loss.
This is one kind of problem that competition is very good at solving.
In the absence of competition, the users are stuck. That's why it's
actually in your long-term interest for as many services as possible to
ban UOL's mail. Though it is painful in the short run, if you attract
more than one competitor, you may even get lower prices out of the deal.
But the main thing is that you won't be part of the spam problem, and
people will gladly accept your mail.
--
Seth Goodman
Reply to: