Re: [exim] Heads up?

Author: Mike Wiebeld
Date:  
To: exim-users
Subject: Re: [exim] Heads up?
Marilyn,
:)
Please don't take this the wrong way, I just found it humorous.

http://www.rhyolite.com/anti-spam/you-might-be.html

senior-IETF-member-5
    The FUSSP won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem.


The solutions we implement have to be effective with less than a majority adopting them. If everyone used SPF (correctly) and then everyone also implemented challenge/response (correctly), the spam problem would then be reduced to:
#1. Spammers with their own domains, SPF records and automated responses to c/r requests.
#2. Cracked SMTP boxes.
#3. Open relays.
#4. New and improved zombies.

Spammers may be scum, but some of them are intelligent scum (or they hire intelligent programmers with low ethics). It wouldn't be impossible for them to work around spf + c/r with zombies. All they have to do is:
#1. Have the zombies register themselves with a dynamicDNS service overseas
#2. Have the zombies register their SPF info with the domain name
#3. Have the zombies send out spam and automatically reply to the c/r requests that come back
#4. The zombies then pour TONS of spam into your system that has whitelisted them.

It isn't easy, but the spammers have time and money and thousands upon thousands of zombie machines (not to mention access to ISPs worldwide).

Challenge/response systems work well right now because the people using them are dumping the spam fighting work off on others.

>>> Marilyn Davis <marilyn@???> 03/23/05 10:49AM >>>

On Wed, 23 Mar 2005, John Palmer wrote:

> As far as I am concerned, the SPAM problem is solved.


It seems to me that most of the complaints about CR systems are about
bugs in the implementation. A challenge ought not be sent to a
non-personal address, for example. Duh.

The legitimate complaint is the one about spoofed addresses. But, I
read that 1,000,000 domains have published their data in SPF in less
than a year. So SPF has the potential of closing that hole.

I can understand that people who have devoted a lot of energy to
content-scanning would get hot under the collar about this. CR
systems are spam-deflectors, while the old methods are spam-absorbers.

But, what happens if SPF becomes viable and we all do CR? Isn't the
spam problem then solved?

Marilyn Davis



--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


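Added example, not part of the original message or of Exim: a sketch of the gate a challenge/response system could apply before sending a challenge, covering the two points raised in the thread (no challenges to non-personal addresses, and none to senders that SPF has not authenticated). The function name, the local-part pattern and the sample addresses are assumptions made for illustration; the SPF result is assumed to be supplied by the MTA.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Local parts that belong to roles or software, not to a person (assumed list).
NON_PERSONAL = re.compile(
    r"^(mailer-daemon|postmaster|bounces?|no-?reply|do-?not-?reply|listserv"
    r"|majordomo|owner-.*|.*-(request|owner|bounces?|admin))$", re.I)

def challenge_decision(mail_from, spf_result, raw_headers):
    """Return (send_challenge, reason).

    mail_from   -- envelope sender, "<>" for a bounce
    spf_result  -- SPF result string (pass, fail, softfail, neutral, none, ...)
    raw_headers -- header block of the message as text
    """
    msg = message_from_string(raw_headers)
    addr = parseaddr(mail_from)[1]
    if not addr:
        return False, "null sender"            # bounces must never be challenged
    if NON_PERSONAL.match(addr.rpartition("@")[0]):
        return False, "non-personal sender"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":   # RFC 3834
        return False, "auto-submitted"
    precedence = msg.get("Precedence", "").strip().lower()
    if msg.get("List-Id") or precedence in ("bulk", "list", "junk"):
        return False, "list or bulk mail"
    if spf_result.lower() != "pass":
        return False, "sender not SPF-authenticated"   # a challenge would be backscatter
    return True, "authenticated personal sender"

def run_samples():
    """Evaluate constructed sample messages; returns the list of decisions."""
    samples = [
        ("<>", "none", ""),
        ("exim-users-bounces@example.org", "pass", "List-Id: <exim-users.example.org>\n"),
        ("alice@example.org", "softfail", "Subject: hi\n"),
        ("alice@example.org", "pass", "Precedence: bulk\n"),
        ("alice@example.org", "pass", "Subject: hi\n"),
        # A sender whose own domain publishes SPF also passes: the gate stops
        # challenges to forged senders, it does not show the sender is legitimate.
        ("host1234@dyn.example", "pass", "Subject: offer\n"),
    ]
    return [challenge_decision(*s) for s in samples]

if __name__ == "__main__":
    for decision in run_samples():
        print(decision)
```

The last sample is the case the message above describes: SPF and an answered challenge authenticate a domain, so whitelisting on them alone still admits mail from domains a spammer controls.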