Re: [Asrg] Please critique my anti-spam system
----- Original Message -----
From: "Matt Schneider" <matt at spamhaus.org>
To: asrg at ietf.org
Subject: Re: [Asrg] Please critique my anti-spam system
Date: Sun, 5 Dec 2004 18:28:10 +0000 (GMT)
Almost every criticism you have is answered in my article, but I will repeat the points.
>
>
> Hello, there is a standardized reply form out there for these sorts
> of things, but I couldn't find it right away.
>
> Anyway, I see several problems with this:
>
> - the sub-address doesn't add anything, it's no different than
> making up a new email address
If you made up a new email address then people who use your old address cannot contact you. With my system you never fear losing contact because of an address change.
> - without using this system, you can already set up an
> autoresponder on old addresses to let people know where to find you
A spammer could easily harvest your new address from the autoresponder. Spammers don't bother since so few people do this now. My system is designed to be used by a billion people and still remain secure.
> - I don't like that you're supposed to spam everyone you know and
> they're supposed to immediately drop everything and go change you
> in their address book (and this expects that grandmothers that are
> just getting the hang of their AOL will be able to figure this out
> or even understand what this all means).
Each individual can decide for themselves whether to activate this system or not. I assume you are talking about what happens the first time someone activates this system. Everyone on your contact list is sent your new email address, but you can elect not to have this initial mass mailing. Remember, these people are white listed so their emails will get through even without a sub-address. Grandma can send you email using your old address, she'll just be sent a reminder to update her address when she sends you an email without a sub-address.
> - white listing is nothing new
Whitelisting in this context is completely new.
> - challenge/response is nothing new
This is not challenge/response, this is far superior. I clearly contrast these two systems in my article.
> - if you want to not burden your friends with an initial
> challenge.. instead of spamming them to change the email address
> they have for you (still a burden) then why not add everyone in
> your address book to the "already passed the challenge procedure"
> list ?
The only people who ever need to decode a CAPTCHA are people who are not using a valid sub-address and who are not on the white list.
> - CAPTCHA assumes everyone using this system speaks English.
My CAPTCHA is usable across all languages. People almost always communicate via email with people who can read the same language. Correspond with someone who has Chinese as their default language and the instructions for the CAPTCHA will be in Chinese. There are additional logical ways that the language issue will be addressed.
> - As soon as a spammer starts getting CAPTCHA responses, they will
> fire these off to a sweatshop in China or India to have them
> solved, then they will have live, valid e-mail address, with
> complete sub-address, that they can now sell to other spammers at a
> premium.
See the second yellow highlighted text block in my article to understand why this is not feasible.
> - Nobody's going to upgrade their own SMTP servers to process
> bounces from every anti-spam system out there.
No upgrade is needed. The upgrade I proposed was for convenience. Servers today are already fully compatible with my system.
>
> Let's say I send out 2 inquiries to sales departments about buying
> something. If one of them sent back this CAPTCHA thing, I probably
> wouldn't even bother jumping through all the hoops, I'd just go buy
> from the other place. The moral of this story is, this system
> can't be used by anyone who places any sort of value on receiving
> email from non-spammers.
I highly doubt that a sales department would routinely distribute an email address with a deactivated sub-address. Remember, my system integrates perfectly into the current email system. Traditional email addresses will still function, and an email address with a valid sub-address will function exactly like an ordinary email address.
Michael G. Kaplan
P.S. Can someone let me know the proper way to respond to these emails? I've been hitting reply and then I've CC'd asrg at ietf.org, but when I do this I notice when I go to the discussion board archive thread index that you can't tell which email I'm responding to.
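
Added example, not part of the original message or of the article it refers to: the delivery rules stated in the reply above (valid sub-address delivers, white-listed sender delivers with a reminder, everyone else gets the CAPTCHA) written as a decision function. The "+" sub-address separator, the function names and the sample addresses are assumptions; the message does not give the address format.

```python
from enum import Enum


class Verdict(Enum):
    DELIVER = "deliver"
    DELIVER_WITH_REMINDER = "deliver and remind sender to update the address"
    CHALLENGE = "hold and send CAPTCHA"


def split_subaddress(rcpt, sep="+"):
    """Return (mailbox, sub_address or None). The separator is an assumption."""
    local, _, domain = rcpt.rpartition("@")
    base, found, tag = local.partition(sep)
    return f"{base}@{domain}".lower(), (tag if found and tag else None)


def decide(sender, rcpt, whitelist, active_tags):
    """Apply the three rules from the message to one inbound mail."""
    _, tag = split_subaddress(rcpt)
    # Rule 1: a valid (still active) sub-address behaves like an ordinary address.
    if tag is not None and tag in active_tags:
        return Verdict.DELIVER
    # Rule 2: white-listed senders get through without a valid sub-address and
    # are reminded to update. SMTP does not authenticate the sender address,
    # so this branch is only as trustworthy as the sender check in front of it.
    if sender.lower() in whitelist:
        return Verdict.DELIVER_WITH_REMINDER
    # Rule 3: missing or deactivated sub-address and not white-listed.
    return Verdict.CHALLENGE


# Constructed sample data: "k7q2" is active; "old1" has been deactivated.
WHITELIST = {"grandma@example.net"}
ACTIVE_TAGS = {"k7q2"}

if __name__ == "__main__":
    for sender, rcpt in [
        ("stranger@example.com", "user+k7q2@example.org"),
        ("grandma@example.net", "user@example.org"),
        ("stranger@example.com", "user+old1@example.org"),
        ("stranger@example.com", "user@example.org"),
    ]:
        print(sender, "->", rcpt, ":", decide(sender, rcpt, WHITELIST, ACTIVE_TAGS).value)
```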