Re: [exim] Heads up?

Author: Marilyn Davis
Date:  
To: Mike Wiebeld
CC: exim-users
Subject: Re: [exim] Heads up?
On Wed, 23 Mar 2005, Mike Wiebeld wrote:

> Marilyn,
> :)
> Please don't take this the wrong way, I just found it humorous.
>
> http://www.rhyolite.com/anti-spam/you-might-be.html


Cute.

>
> senior-IETF-member-5
>     The FUSSP won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem.


In this case, the FUSSP will be effective for the 60% that do deploy
it and make things worse for the 40% that don't.

No wonder that 40% are mad!

>
> The solutions we implement have to be effective with less than a majority adopting them. If everyone used SPF (correctly) and then everyone also implemented challenge/response (correctly), the spam problem would then be reduced to:
> #1. Spammers with their own domains, SPF records and automated responses to c/r requests.
> #2. Cracked SMTP boxes.
> #3. Open relays.
> #4. New and improved zombies.
>
> Spammers may be scum, but some of them are intelligent scum (or they hire intelligent programmers with low ethics). It wouldn't be impossible for them to work around spf + c/r with zombies. All they have to do is:
> #1. Have the zombies register themselves with a dynamicDNS service overseas
> #2. Have the zombies register their SPF info with the domain name
> #3. Have the zombies send out spam and automatically reply to the c/r requests that come back


That'll work for the C/R's that only ask you to reply to the email.
That's a broken idea. If you are going to involve a human in your
anti-spam, you'd better have that human do something that a robot
can't do. Again, duh.

The ones where you have to go to the web and read a hard-to-OCR font
aren't vulnerable to robot attack -- if done right.

John Palmer's is a simple reply-to type. And it didn't even remember
me when I sent a second message to him as an experiment. And yep,
that was too much for me and I didn't reply a second time.

So my question is, were you not aware that there are C/R's that ask
you to go to the web and decipher a hard-to-OCR font?

Why are you guys citing bugs as design flaws?

Marilyn

> #4. The zombies then pour TONS of spam into your system that has whitelisted them.
>
> It isn't easy, but the spammers have time and money and thousands upon thousands of zombie machines (not to mention access to ISP's world-wide).
>
> Challenge/response systems work well right now because the people using them are dumping the spam fighting work off on others.
>
> >>> Marilyn Davis <marilyn@???> 03/23/05 10:49AM >>>
> On Wed, 23 Mar 2005, John Palmer wrote:
>
> > As far as I am concerned, the SPAM problem is solved.
>
> It seems to me that most of the complaints about CR systems are about
> bugs in the implementation. A challenge ought not be sent to a
> non-personal address, for example. Duh.
>
> The legitimate complaint is the one about spoofed addresses. But, I
> read that 1,000,000 domains have published their data in SPF in less
> than a year. So SPF has the potential of closing that hole.
>
> I can understand that people who have devoted a lot of energy to
> content-scanning would get hot under the collar about this. CR
> systems are spam-deflectors, while the old methods are spam-absorbers.
>
> But, what happens if SPF becomes viable and we all do CR? Isn't the
> spam problem then solved?
>
> Marilyn Davis
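Marilyn's point that a challenge should never go to a non-personal address is an implementation check rather than a design change. As an added example (not code from this thread or from Exim), here is a Python filter a C/R system could run before issuing a challenge: it refuses to challenge auto-generated mail, bounces and mailing-list traffic. The header heuristics follow RFC 3834 plus common list and bounce conventions, the header set is this example's choice, and the sample messages are constructed.

```python
import email
from typing import Optional

# Headers that mark a message as automated or list traffic rather than a person;
# a C/R system must never challenge these (heuristics after RFC 3834, plus common
# list and bounce conventions; the exact header set is this example's choice).
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "Mailing-List")
BULK_PRECEDENCE = {"bulk", "list", "junk"}

def challenge_skip_reason(raw_message: str) -> Optional[str]:
    """Return why this message must NOT be challenged, or None if a challenge is OK."""
    msg = email.message_from_string(raw_message)

    # RFC 3834: any value other than "no" means a machine generated the message.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return f"Auto-Submitted: {auto}"
    # Null envelope sender: bounces, DSNs and other systems' challenges.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return "null Return-Path"
    prec = (msg.get("Precedence") or "").strip().lower()
    if prec in BULK_PRECEDENCE:
        return f"Precedence: {prec}"
    for name in LIST_HEADERS:
        if msg.get(name) is not None:
            return f"mailing-list header {name}"
    return None

# Constructed sample messages (not from the thread).
PERSONAL = """\
From: Alice Example <alice@example.org>
Subject: lunch?

Are you free Thursday?
"""
LIST_POST = """\
From: carol@example.com
List-Id: Discussion <users.list.example.com>
Precedence: list
Subject: [users] patch review

Comments welcome.
"""
BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
Auto-Submitted: auto-replied
Subject: Undelivered Mail Returned to Sender

The user does not exist.
"""
```

Only the personal message passes; the list post and the bounce are each refused with the first matching reason, so no challenge is ever sent back to a list or to a mailer daemon.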