[ale] OT: the Penny Black anti-spam proposal

Geoffrey esoteric at 3times25.net
Sat Dec 27 21:29:37 EST 2003


ChangingLINKS.com wrote:
>> It's just a comment that the SMTP protocol is flawed. If SMTP
>> required authentication, we'd probably have a lot less SPAM today.
> 
> OK.
> 
> 
>> Correct me if I'm wrong, but spamarrest is a challenge-response
>> solution, right?  As things stand now (the way software works) I
>> find that C-R doesn't mix well with mailing lists.
> 
> 
> I registered for a list today. I tell them my email address, they
> send me a task to do that proves I am the owner of the email list.
> Same way for the ALE list right? We can simply add a list that allows
> emails to come from specified email addresses without the
> verification. This way, the list does not have to verify. In the
> current system the receiver has at least some of this functionality
> already.

Totally useless.  I can send you email with any email address as the 
sender.  Spoofing email addresses is easier than spoofing IPs.


>> Furthermore, since the way C-R usually identifies the sender, it's
>> insecure/unreliable.
> 
> 
> I admit it is not ultra-secure, but I don't think it needs to be
> either. Heck, using credit cards via the Internet could be improved
> as well - and that involves money.
> 
> 
>> You are on drugs. (excuse me.  An emotional reaction.  Do the math)
>> 
> 
> No, you don't seem to have as much experience in this area.

Experience has nothing to do with it.  Knowledge is required, and you 
don't have it if you think you can control spam based on an email address.

>>> Does anyone see weaknesses in a client-side spamarrest TYPE
>>> solution?
>> 
>> Wasted bandwidth.
> 
> Yes. In the beginning a lot. But, spam would quickly drop off when
> manual verification is needed.
> 
> 
>> Extra work for the innocent.
> 
> Very little. I assume you mean sender verification. Understand that
> you would only need to verify once for each email address you send to
> and then their system can remember you. Also, it is possible to add
> an automated response to the challenge. Receiver can tell sender, "by
> the way the PIN number is . . ." The PIN can be included in the body
> of the text. This is no different than dialing an extension.

A one time verification is useless.  You need authentication per email.

> 
> 
>> AND, like most client-side "hacks"/anti-spam solutions, the
>> spammers are even now finding a way to work around it.
> 
> Yes, the spammers (and porn marketers) seem to be more intelligent
> than those defending against it.

No, the spammers choose to break the law, whereas those defending 
against it don't.

> 
> 
>> It validates my email address to the sender.
> 
> This does not have to be true. A challenge can be returned for EVERY
> email address.
> 
> 
>>> If AOL or M$FT were to implement such an AUTOMATED system (set on
>>> by default), do you think spammers would be able to successfully
>>> send bulk email and profit as they are now?

Yes.  Because they would continue to spoof emails as they do now.

-- 
Until later, Geoffrey    esoteric at 3times25.net

Building secure systems in spite of Microsoft
