This is an archived project. See http://blogs.23.nu/disLEXia/stories/492/ for details and further pointers.

disLEXia

laws, lies, legal research and the internet

overview for Tuesday, 20. May 2003

Tuesday, 20. May 2003

A Response to a Challenging Response to Challenge-Response

Edward Felten has a piece on anti-SPAM CR systems which I consider less sharp than his usual writing.

First, some empirical data: I deployed the TMDA CR system last month on an address that has been used for about 6 years on the web and on Usenet. It reduced SPAM mails from about 150 per day to about one per week. I would not call this "a modest benefit". But trying to send all those challenges to the incredibly broken addresses used by spammers put a considerable load on my mail server. The outgoing queue now usually contains several hundred messages.

About spammers responding to the challenges: this could be done, but it would dramatically change the economics of spamming. The amount of resources needed to send spam would increase by orders of magnitude and probably make it uneconomic to do so.

Also, the concern about Alice having to open a loophole for receiving Bob's challenge seems overrated to me: Alice has a way to communicate an individual loophole to Bob in the first place, since she is actually sending mail to him. Keep in mind that this loophole only has to be 'secure' enough to make spamming as expensive as ... say US$ 1 per mail. So we don't have to worry about Eve sniffing the mails or other sophisticated attacks.

An obvious way to fix the loophole problem is for Alice to whitelist all addresses she sends mail to (I do that). An alternative would be for Alice to use a special address that is only valid for some time, or only in conjunction with a certain Message-ID in the References header, or the like. People more experienced in security protocol design than me would find dozens of elegant ways to implement 'secure' loopholes.
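The three loopholes named above (whitelist on send, a time-limited address, a References match), sketched as an added example that is not code from the original post or from TMDA. The `-dated-` address format, the secret, the class and function names and the sample messages are all assumptions made for illustration.

```python
import hashlib, hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

SECRET = b"constructed-demo-key"  # assumption: secret held only by Alice's filter


def _tag(expires, secret):
    return hmac.new(secret, expires.encode(), hashlib.sha256).hexdigest()[:12]


def dated_address(user, domain, expires, secret=SECRET):
    """Address of the form user-dated-<unix expiry>.<hmac tag>@domain (hypothetical format)."""
    return f"{user}-dated-{expires}.{_tag(str(expires), secret)}@{domain}"


def dated_ok(address, now, secret=SECRET):
    """True only for an unexpired address whose tag matches the HMAC of its expiry."""
    local = address.split("@", 1)[0]
    _, sep, stamp = local.partition("-dated-")
    expires, dot, tag = stamp.partition(".")
    if not (sep and dot and expires.isdecimal()):
        return False
    same = hmac.compare_digest(tag.encode(), _tag(expires, secret).encode())
    return same and int(expires) >= now


class Loopholes:
    """State Alice's filter keeps about her own outgoing mail."""

    def __init__(self):
        self.whitelist, self.sent_ids = set(), set()

    def record_outgoing(self, raw):
        msg = message_from_string(raw)
        rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        self.whitelist.update(addr.lower() for _, addr in rcpts if addr)
        if msg["Message-ID"]:
            self.sent_ids.add(msg["Message-ID"].strip())

    def classify(self, raw, now):
        """Return why an incoming message is delivered, or 'challenge'."""
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
        if sender in self.whitelist:
            return "deliver:whitelisted"
        if any(dated_ok(r, now) for r in rcpts):
            return "deliver:dated"
        if self.sent_ids & set(msg.get("References", "").split()):
            return "deliver:references"
        return "challenge"
```

The dated and References checks matter when Bob's challenge arrives from an address other than the one Alice wrote to, which the plain whitelist would not cover.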

But: surely CR, like other spam defence mechanisms, destroys email as a universal communication medium. And by setting up any kind of spam defense system you must be aware that you make people sending you mail jump through certain hoops. Maybe you keep them from using the subject lines they like or prohibit certain words in the message body. Maybe you set rigid rules on the configuration and placement of their mail server. Maybe you make them answer challenges. All this makes running mailing lists more and more complicated. This is nothing new: for a long time now, AOL has forced a contract on you if you want to distribute a mailing list (meaning more than N messages per hour) to AOL customers.

But in one thing Felten is certainly right: CR and other spam filtering techniques will produce unexpected interactions for a long time.
08:30


disLEXia, a research project by Maximillian Dornseif

