[Asrg] A response to the critique of my anti-spam system
I greatly appreciate everyone's time and consideration in critiquing the anti-spam system that I presented earlier this week. I present my response to the critique.
As a reminder, my system is located at:
http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm
First I would like to say a word about efficacy:
One basic tenet of the anti-spam effort has always been that it is foolish to believe that spammers can't automate puzzle solving, character recognition, or other hoops that legitimate users must jump through manually. This has always been true until the development of my CAPTCHA. This is the first and only CAPTCHA developed that is invulnerable to technical circumvention. I have to admit that I am surprised that this innovation in and of itself has not generated more discussion.
This CAPTCHA, in combination with my unique application of it, will likely do what no other system has ever hoped to do: allow strangers to communicate with you while preventing spammers from sending you email with near perfect efficacy. On occasion a spammer will harvest an address via one of the usual ways. I'll guess that every three or four months a TYPICAL user will suffer a day or two of spam and will need to deactivate a single sub-address. Otherwise this system is beyond any technical subversion. Is there any other system existing or proposed that can claim this?
Every anti-spam system has flaws. Many of these flaws would be tolerated if the system blocked spam with near perfect efficacy. Any flaws with my system should be evaluated in this light.
I have reviewed the posts and the following represents what I believe to have been the major issues that were brought up. I include my responses.
This system is not appropriate for many people: True. Certain email users such as many business people, people who must maintain email addresses posted on websites or other public venues, and countless others will find this system undesirable and will not be able to use it. This system is ideal for the typical email user who is plagued by large amounts of spam. Instead of focusing on who this system cannot help we should be focusing on the enormous number of people for whom this system will be ideal and who will experience near total elimination of spam from their lives after employing it.
The system has flaws: True. This system is not perfect; it is merely vastly superior to the status quo for most users. If you have an example of a better system then please speak up.
Bounces: The fact that my system employs bounces seems to greatly disturb many people. The strongest objection concerns the additional burden these bounces will put on the email system. The theoretical maximum increase in email traffic that this system could generate would be 100% if we consider an email account that receives emails with invalid sub-addresses exclusively. The near perfect efficacy of my system for blocking spam would justify such expenditure. How would you feel if your email provider said to you "I know you are overwhelmed by spam and that this system will virtually eliminate it, but doing so could cause a near doubling of your email traffic, so you can't use it and you must live with this spam burden forever"?
Filters likely increase email traffic to a much greater extent, albeit indirectly, as spammers generate vast quantities of spam to get around them. Spam filters don't even have anywhere near the likely efficacy that my system will have. So a filter is tolerable, but my system isn't?
Another concern with bounces is that spammers will forge an innocent person's address and then this innocent person will get flooded with bounces. Some people with easily guessable email addresses will confront this problem. People who employ my system will never have to worry about such bounces since their addresses cannot be guessed. This is a concern, but not a big enough concern to halt such a highly efficacious system.
Language: There was also a lot of concern over how the bounces would be managed by recipients who use different languages. I would respond that most people who correspond with each other do so in the same language. Also many websites use the common technique of showing icons of international flags to represent languages, and clicking on your respective flag will bring up a page in your own language. This same technique can apply to bounces. This will cover the vast majority of email users, though I admit that people who can only read a less commonly used language may not be accommodated as easily. I am confident that it is possible to devise methods to further address this issue, but the aforementioned technique will cover most people.
Spammers will always be able to reacquire some of your addresses: This obvious truth actually highlights the strength of this system. Deactivating compromised sub-addresses becomes progressively less disruptive as more and more of your correspondents use uniquely generated sub-addresses. You also will know the source of the compromise, so that you can chastise your friend for distributing your address in an email chain letter. The typical user is not exposing their email address multiple times a day to spammers. The typical user's email address is revealed to a spammer a finite number of times, but it only takes one exposure to bring on the spam onslaught. This explains why a single security breach at AOL in which more than 90 million email addresses were sold to spammers was so devastating. Many of those users would have remained spam free for a prolonged time if it wasn't for that one breach.
There is of course the situation of having an acquaintance who unwittingly has malware on their computer that is constantly raiding their address book and passing your address on to spammers. Now my system is a real blessing, as the problem becomes obvious and corrective action can be taken, thus saving not only you but everyone else who would have their addresses entered into your acquaintance's address book.
This system is reminiscent of challenge/response: I thought I did a sufficient job contrasting this system with challenge/response, but obviously I didn't. My system allows third party emails to arrive unimpeded. My system issues challenges in an extraordinarily selective way, only challenging people not whitelisted who were given an inactive sub-address. People will need to deal with my challenge with only a small fraction of the frequency that they would need to deal with a challenge associated with a traditional challenge/response system. With my system, dealing with a CAPTCHA will be a relatively rare event. Is there anyone who does not think that this system is profoundly superior to every other challenge/response system? Again I am surprised; my system makes every other challenge/response system obsolete and yet it has not sparked real discussion or enthusiasm. Isn't this the Anti-Spam Research Group?
Seeing the CAPTCHA requires a system that either allows for a graphics capable MUA or allows activation of a hyperlink: True. You would need to access a system that would allow you to see graphics. A graphics capable MUA is the most convenient, but all you would really need is a computer with a web browser so you can paste the link into the browser and view the CAPTCHA. Don't most people have access to web browsers?
Typical users can see email graphics. I obviously travel in different circles, since I don't know a single person who uses an email system that is not graphics capable. I would argue that most typical users would not worry enough about the minority of people who cannot access graphics via their mail system. The incentive to use a system that effectively eliminates spam would outweigh the need to cater to this minority.
I am not arguing that my system is absolute perfection, or that it suits the needs of every email user in the world. I only argue that it is vastly superior to anything else out there. Take for example a typical AOL user. Almost every AOL user is plagued by tremendous amounts of spam and there is no hope that any filter will be able to stop the onslaught directed at this highly lucrative population. No AOL user who uses the system will care on a personal level that additional bounces are being generated. Almost none of the AOL users will care that people who can only read a less common language may not be able to read the bounce; common languages will still be accommodated. Spam is such a tremendous burden for the average AOL user that few will care that a small number of people have no ability to view graphics on their system and thus will be forced to go to another system to view a CAPTCHA.
I ask you: Is there any other system out there that, even when applied to a hundred million people, could eliminate nearly 100% of spam as my system would for a typical user (I'm sure once every couple of months or so a single sub-address will become compromised and the user will suffer a day or two of spam before the sub-address is cancelled)? Is there any other system out there that can protect so many millions of users who elect to activate it and yet remain secure? Is there any other comparable system that is as easy to integrate into current email architecture?
Not challenge/response; it is excessively burdensome and the traditional challenges are too weak to protect millions of people.
Not sender-ID proposals; no one is even pretending that these proposals will have anything more than a subtle impact.
Does the fact that only 30-40% (a wild guess) of people may want to use this system argue against it?
Before you reject my system can you suggest one that is in any way comparable? Is the status quo superior? Are you holding out hope for an as of yet unknown but better system? Have you totally given up any hope for a truly effective anti-spam system?
I accept your criticisms, but I view them as relatively minor given the likely efficacy of this system. Many people such as business people may decide to forgo this system. However, this system would be the FUSSP for the enormous population of typical users out there for whom the relatively minor detractions are not important.
Michael G. Kaplan
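As an added illustration (not the author's code, and not part of the original post), the following Python model captures the routing policy the message describes: each correspondent gets a unique sub-address, any mail to an active sub-address is delivered, only non-whitelisted senders using an inactive sub-address receive a challenge bounce, and deactivating a sub-address identifies the correspondent who leaked it. The `user+tag@domain` syntax, the HMAC-derived tag, the class and function names, and treating unknown tags like retired ones are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class SubAddressMailbox:
    """Illustrative model of the post's scheme. Names, the user+tag@domain
    syntax and the policy for unknown tags are assumptions, not the author's."""
    user: str
    domain: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    subaddrs: dict = field(default_factory=dict)   # tag -> {"owner", "active"}
    whitelist: set = field(default_factory=set)

    def issue(self, correspondent: str) -> str:
        """Hand a new correspondent their own sub-address. The tag is keyed
        with a per-mailbox secret, so it cannot be derived from the base
        address or from any other correspondent's tag."""
        tag = hmac.new(self.secret, correspondent.encode(), hashlib.sha256).hexdigest()[:12]
        self.subaddrs[tag] = {"owner": correspondent, "active": True}
        return f"{self.user}+{tag}@{self.domain}"

    def deactivate(self, address: str) -> str:
        """Retire a compromised sub-address and report who it was issued to,
        i.e. the source of the leak."""
        entry = self.subaddrs[self._tag(address)]
        entry["active"] = False
        return entry["owner"]

    def route(self, rcpt: str, sender: str) -> str:
        """Decide what the mail system does with one inbound message."""
        entry = self.subaddrs.get(self._tag(rcpt))
        if entry is not None and entry["active"]:
            return "deliver"        # active tag: third parties pass unchallenged
        if sender in self.whitelist:
            return "deliver"        # known sender using a retired tag
        return "challenge"          # bounce carrying the CAPTCHA link

    def _tag(self, address: str) -> str:
        return address.split("@", 1)[0].partition("+")[2]


def bounce_overhead(mb: SubAddressMailbox, messages: list) -> float:
    """Extra outbound messages per inbound message; reaches the post's 100%
    ceiling (1.0) only when every inbound message hits an inactive sub-address."""
    bounced = sum(mb.route(r, s) == "challenge" for r, s in messages)
    return bounced / len(messages) if messages else 0.0
```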
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg