Let me start with the following quote:
C/R is just a prong. I will admit to helping this confusion because for the first 5 years or so, C/R was on its own a fully sufficient (and in fact best) anti-spam tool. I never held the illusion you would want to rely on just that forever.
That's Brad Templeton, one of the earliest proponents of C-R and authors of a C-R system. He admits that it's not sufficient on its own, and that the bogus challenge problem (my primary objection) is a serious one. He recommends using C-R as part of a suite of tools. He recommends minimizing bogus challenges. Where we differ is that I feel once you've eliminated viruses, DNSBL sources, obvious spam, and previously whitelisted mail, you've got no need to ask someone else to challenge the remainder -- a bare handful of messages daily.
Assuming that everyone had C-R (which is much of the basis of the article), spammers who wanted to bypass C-R filters would incur huge costs compared - they would actually have to send using legitimate e-mail methods, and would therefore have to actually pay for the bandwidth to send their spam (several times over).
C-R adoption is likely to remain relatively low for a time. However moves by Earthlink, Microsoft, and/or others could change this very rapidly. With as few as 5% of the Net using C-R, you could expect to see spoofed challenges daily or more often, while a legitimate challenge only appears once a month. C-R relies on a nondeterministic function: the response of the person challenged to the challenge. If they either ignore legitimate challenges, or spite you with bogus ones, the system fails.
Point 1 is pretty hazy. I don't see how it really applies. As it clearly states "At a practical level, the goal is to minimize the amount of spam received, while ensuring no (or the very minimum) of legitimate mail is lost." My own experience has found that methods which simply ignore spam mean that I lose mail. If I have to manually check all the e-mails in my spam folder, what exactly is the point of having a spam filter? I still waste as much time checking my spam folder as I would deleting the spam from my Inbox.
First: spam detection != spam tagging. There are many ways of dealing with spam.
It's far easier to quickly scan through a spam folder looking for falsely tagged mail (all of it was spammy in the first place, right) than to look through an uncategorized mailbox and sort out the non-spam stuff.
You can also apply filters or rules within the spam folder. I highlight spam by its score, from green (low spam score) to blue to yellow to red, as the score increases. You could alternatively sort mail into low, middlin', and high spam mailboxes.
As I said: tagging and sorting mail is only one approach. Far better is to simply reject spam at SMTP time by various characteristics (DNSBL, content/context filters, etc.). Legitimate senders immediately know that their mail was rejected (and preferably why). You don't send misdirected bounces or challenges to third parties. And you don't have to sort through the chaff. With suitably tuned filters, your false positive rate is low.
Because you are rejecting the mail, it's not "lost" by the system, but clearly indicated as having tripped an error condition.
Point 2 is wrong. C-R DOES place the burden on the spammer
No, you are wrong.
C-R places a burden on the presumed spammer. You don't know that a mail is spam, you're accusing the listed sender of spamming. Based on highly spoofable, and unvalidated information.
The likelihood that this reaches a spammer is low.
Spammers can (and are) responding to the problem already. Consider the "$40 Nigerian solution":
Spammer sends out 1 million emails. 1% of recipients use C-R. Spammer gets 10,000 challenges. These go to an ISP in Nigeria which is very happy to be paid the big bucks by the spammer to provide various services. There are five "email validation response technicians" paid the princely wage of $1/hr (160% the national average wage) to respond to four challenges a minute, 60 minutes an hour, eight hours a day. The net increased cost for 1 million spams is $40.
And if more than 1% of email users have C-R, we're all inundated with bogus challenges and blacklisting one another's SMTP servers.
In a world with depressingly cheap labor, highly corrupt countries (Nigeria is among the worst in the world), and companies desperate for cash, C-R loses.
I was first told of this scenario by none other than Earthlink's own abuse manager, Mary Youngblood, personal phone conversation, fall of 2003. She'd gotten it from email marketers themselves.
Point 3 is nonsense. There is no reason why C-R systems need to be on the mail server.
You're intentionally missing the point. For any user of Earthlink, Mailblocks, or a Microsoft C-R system, the whitelist will be on the mailserver. Sure, tech-savvy folks can and do implement their own locally managed C-R systems, but they're going to be overwhelmingly the minority. Sure, there's no need. But the practical necessity is that this will be effectively always the case.
Even if C-R DID have to be done on a mailserver, this would still be nonsense. The mailserver has to queue the e-mail while waiting to deliver it to me even without a C-R filter.
A mail queue is held for a few seconds or minutes. Undeliverable messages may reside for as much as four days under typical configurations.
ISPs aren't in the business of, and have few compelling business reasons to, retain logs for more than a short period of time. A few days or weeks, typically. In general, no more than a billing cycle. By contrast, C-R requires a comprehensive, permanent, subpoenable, crackable list of all your correspondents be kept online. And for 99.99% of C-R users, that will be on their ISP or mail service provider's server.
Brad Templeton's failure to grasp this issue, while he heads the very privacy-conscious EFF, is one of life's delicious ironies.
Point 4 doesn't apply to my setup.
See above. You are, effectively, nobody. In the general case, C-R whitelists are generated by challenges. See above.
You are also directly affected by the general perception of C-R by challenge recipients. If people stop responding as you expect them to, your system breaks. There is no way for you to engineer around this from within the context of C-R. This is the primary reason I state that C-R is broken by design.
Point 5 is irrelevant, as my system chains spamassassin with C-R. Challenges are only sent for messages which are thought to be spam.
Oh, good, so you're only challenging mail that is HIGHLY likely to spoof the sender address, and comprises (if you're typical) 60%+ of your email volume.
I'm so reassured.
And: you're nobody. See above.
And: you're directly contributing to the perceived annoyance factor associated with C-R challenges yourself. See above.
Point 6, while theoretically true, seems practically highly unlikely.
You're not only intentionally missing the point, you're fully ignorant of the facts. SoBig spoofed addresses within a small set of domains, including microsoft.com, msn.com, and ms.com. That last isn't a Microsoft domain, but belongs to Morgan Stanley Dean Witter. Swen didn't spoof domains from within a small block, but picked arbitrary addresses. MyDoom is doing similarly. Spam likewise spoofs my address with alarming regularity (the first such occurrence was the reason I started GPG signing all my email).
If you look at the tmda-users list at the time of the SoBig outbreak, you'll find users bragging, yes, bragging about sending out thousands, or hundreds of thousands of challenges based on SoBig mail.
All of which went to Microsoft and Morgan Stanley.
How is this not a Joe-job?
I could DOS someone by sending out a large amount of spam with their address causing them to be deluged with challenges. But this implies I have the capacity to send out a large amount of spam - I could just DOS them by sending the mail directly to them, or sending out spam to known incorrect addresses with their addresses so they get all the bounces.
So...you're saying a Joe-job isn't a Joe-job if there are more effective ways to accomplish the same task directly. Note that a spammer can effectively multiply their outbound capacity by specifying multiple recipients on a single outbound mail. When sent to a system implementing C-R, each recipient generates a separate challenge mail. C-R is a spam multiplier.
Point 7 is wrong.
It's documented. It's not common in well designed C-R systems. It is possible.
This condition is trivially detected and prevented by not sending multiple challenges to the same address before the first is acknowledged, which is implemented.
This is a case of what I call the "But a well-designed system won't do that" objection. The problem for you, as a C-R user, is that when I get a challenge, I've got no idea if I'm dealing with a well-designed system or not. Nor do I care. Nor, as I point out, do you have any business challenging my mail in the first place, as you've got plenty of basis for determining the legitimacy of my mail and identity.
Point 8 is wrong. What would be the point of making a list of e-mail addresses which have a filter preventing you from spamming them?
I'm shocked, shocked, but you've once again missed the point.
See above: I've no idea if a C-R system is well designed. It's moderately difficult (and at times impossible) to determine if a challenge was legitimately sent to me or not. There's no reason that a spammer wouldn't utilize the social engineering trick of disguising email harvesting mail as C-R challenges, in the same way that current phishing tactics spoof eBay and bank websites, or that viruses emulate MTA bounce messages.
Point 9, possibly true I will concede. But then, I was being spuriously blacklisted by spam blacklist services long before I installed this filter, I certainly haven't noticed things getting any worse.
Think about this: if your own spam prevention system is getting you blacklisted, isn't there something seriously wrong with your approach? As I've said, both MailBlocks and Earthlink are showing up on blocklists. The tmda-users list has evidence of people's challenges being forwarded to SpamCop. Justin Mastaler responds by calling SpamCop "overzealous". Yeah. Right.
Point 10, wrong.
You'll be happy to know, I'm sure, that it was an ASK challenge received in response to a mailing list post which triggered my writing that rant in the first place.
So long as the mailing list is properly configured...
See the "But a well-configured system..." objection above.
Point 11, TRUE! But not an argument against C-R.
If C-R doesn't work, has multiple faults, and doesn't shift the balance in the spam war, why is this not an argument against C-R?
Any recipient side filter is exactly the same in this respect.
Wrong. The increase in the amount of obfuscated, misspelled, dyslexic, popcorn, and similar spam mail is a direct response to the increasing effectiveness of Bayesian filters. Most of these tricks don't work. A small fraction have slipped through my filters since I started seeing them on Dec 17, but are trapped by rules which look for structural characteristics of spam that the obfuscation relies on. And any human reader looking at the subject or message simply sees the mail as spam.
If I could, I would address the techno-economic underpinnings of spam, but I can't, so I'm far more interested in being able to use my e-mail.
Teergrubing, DNSBL, SPEWS, QoS rate throttling, SMTP reputation systems, Bayesian and other filters, all do address the underpinnings, directly, with very little negative fallout.
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.
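An added example, not part of the comment above or of any C-R product: a small simulation of the points made about forged senders, multi-recipient mail and per-sender challenge dedupe, compared with rejecting inside the SMTP session. The addresses, the sample traffic and the function names `challenge_response` and `smtp_time_reject` are constructed for illustration; the sample assumes the `victim@example.org` sender address is forged.

```python
from collections import Counter

# Constructed sample traffic (reserved example domains, not from the page).
# "spammy" is the content filter's verdict; victim@example.org is assumed
# to be a forged envelope sender on both spam runs.
INBOUND = [
    {"mail_from": "victim@example.org", "spammy": True,
     "rcpt_to": ["a@example.net", "b@example.net", "c@example.net"]},
    {"mail_from": "victim@example.org", "spammy": True,
     "rcpt_to": ["a@example.net", "d@example.net"]},
    {"mail_from": "friend@example.com", "spammy": False,
     "rcpt_to": ["a@example.net"]},
    {"mail_from": "newcontact@example.com", "spammy": False,
     "rcpt_to": ["b@example.net"]},
]
WHITELISTS = {"a@example.net": {"friend@example.com"}}  # per-recipient


def challenge_response(messages, whitelists, only_if_spammy=False):
    """Count challenge mails sent to each envelope sender.

    Each recipient runs its own C-R filter and keeps at most one pending
    challenge per sender (the dedupe described in the quoted "Point 7").
    """
    pending = set()        # (recipient, sender) pairs already challenged
    outbound = Counter()   # new mail generated, keyed by destination
    for msg in messages:
        sender = msg["mail_from"]
        if only_if_spammy and not msg["spammy"]:
            continue       # delivered without a challenge
        for rcpt in msg["rcpt_to"]:
            if sender in whitelists.get(rcpt, set()):
                continue   # already whitelisted by this recipient
            if (rcpt, sender) not in pending:
                pending.add((rcpt, sender))
                outbound[sender] += 1
    return outbound


def smtp_time_reject(messages):
    """Refuse spammy mail with a 5xx reply inside the SMTP session.

    The refusal goes to the connecting client, so no new mail is sent to
    the address in MAIL FROM. Returns (rejected_count, outbound_mail).
    """
    rejected = sum(1 for msg in messages if msg["spammy"])
    return rejected, Counter()
```

Per-recipient dedupe suppresses only the repeat to `a@example.net`; the forged address still receives one challenge from every other recipient, and chaining a content filter in front (`only_if_spammy=True`) leaves those challenges in place while removing only the one to the legitimate new contact.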