Author: Marilyn Davis Date: To: Marc Sherman CC: exim-users Subject: Re: [exim] Heads up?
On Thu, 24 Mar 2005, Marc Sherman wrote:
> [Please keep this thread on the list, Marilyn.]
My sent-mail says I did. I guess you saw the copy to you first.
>
> Marilyn Davis wrote:
> >
> > The Reply-To: C/R's are broken anyway. I was thinking of embedding a
> > url in the error message.
>
> Ok. What you're proposing is radically different enough from all
> existing C/R systems that it's not really the same thing; you should be
> more explicit next time that you're proposing something so different.
> That's why Fred and I got so confused.
I didn't have it in mind when we started talking. I was just fishing
for ideas and understanding.
>
> As I mentioned earlier, I really don't think it'll work.
>
> > Yeh. I suppose. But the people who received messages from my system
> > that their mail was suspected spam did read them, and had their
> > feelings hurt. It would certainly be better to offer a URL to get
> > their mail through than to just reject them.
>
> Well, you probably should tune your filters, then. My site, for
> example, uses spam assassin. I filter at a score of 4, auto-learn at
> 12, but only reject at 20; anything between 4 and 12 ends up in a spam
> bin read by a human. The highest false positive ever reported so far
> had a score of 8, so there's plenty of margin of error between 8 and 20.
>
> > But then, can't we use bounce_message_file to customize the message
> > so that it is as friendly as a regular challenge?
>
> No, because if you're responding with a 5xx to reject the message, you
> don't generate any bounce; the _only_ text you get to specify is in the
> 5xx reason string. If a bounce is generated, it will be generated by
> the originating MTA.
>
> > But the sender doesn't see the delay necessarily -- am I right? And
> > the message just gets sent again.
>
> Yes, graylisting is fully automatic. I don't like it myself, either; I
> was just trying to figure out what you were proposing.
>
> > Yes but, my understanding is that the callout makes a new smtp
> > connection to the address' host. Now, if the address was spoofed in
> > the first place, isn't it true that we've only verified the
> > existence of the address, not that the mail came from the address?
> > And then we've only verified that the challenge will go to a victim.
>
> Well, my point when bringing up callouts was that of the three cases
> that traditional (reply-based) C/R presented, 2 were annoying and only 1
> was effective, and callouts were _just_ as effective without the 2
> annoying cases. I was _not_ proposing callouts + c/r together, but
> rather callouts instead of c/r.
>
> Your 550-based challenge system, on the other hand, would send the
> challenge to the right person, but obfuscated in a way that I'm
> convinced would be too difficult for most people to respond to. If you
> used it, you'd likely lose much legitimate mail, both from confused
> clueless users, and from grumpy clueful users. If, for example, you
> were using this system when you contacted me for help on the exim
> mailing list, and I couldn't reach you without reading a cryptic bounce
> message and clicking on an embedded URL, I'd just curse, assume you
> didn't really want my help all that badly after all, and delete your
> message. That sentiment is quite common on many technical lists.
> Perhaps it's because C/R has such a bad reputation for collateral spam,
> and perhaps it's unfair of me to paint your 550-based system with the
> same brush, but there it is.
>
> > Thanks for straightening me out on this. My brains are feeling like
> > spaghetti here.
>
> My pleasure. It's refreshing to see a broken system being proposed by
> someone who's interested in learning why it's broken, for a change. :)
