RE: [Asrg] A response to the critique of my anti-spam system
I noticed at the bottom of your web site the 'Patents Pending' text.
What part of the proposal do you feel is unique and covered by your
patent applications?
Paul
> -----Original Message-----
> From: asrg-bounces at ietf.org [mailto:asrg-bounces at ietf.org] On
> Behalf Of Michael Kaplan
> Sent: Thursday, December 09, 2004 12:02 PM
> To: asrg at ietf.org
> Subject: [Asrg] A response to the critique of my anti-spam system
>
> I greatly appreciate everyone for their time and
> consideration for critiquing the anti-spam system that I
> presented earlier this week. I present my response to the critique.
>
> As a reminder, my system is located at:
> http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm
>
>
> First I would like to say a word about efficacy:
> One basic tenet of the anti-spam effort has always been that
> it is foolish to believe that spammers can't automate
> puzzle solving, character recognition, or other hoops that
> legitimate users must jump manually. This has always been
> true until the development of my CAPTCHA. This is the first and
> only CAPTCHA developed that is invulnerable to technical
> circumvention. I have to admit that I am surprised that this
> innovation in and of itself has not generated more discussion.
> This CAPTCHA, in combination with my unique application of
> it, will likely do what no other system has ever hoped to do:
> Allow strangers to communicate with you while preventing
> spammers from sending you email with near perfect efficacy.
> On occasion a spammer will harvest an address via one of the
> usual ways. I'll guess that every three or four months a
> TYPICAL user will suffer a day or two of spam and will need
> to deactivate a single sub-address. Otherwise this system is
> beyond any technical subversion. Is there any other system
> existing or proposed that can claim this?
> Every anti-spam system has flaws. Many of these flaws would
> be tolerated if the system blocked spam with near perfect
> efficacy. Any flaws with my system should be evaluated in this light.
>
> I have reviewed the posts and the following represents what I
> believe to have been the major issues that were brought up.
> I include my responses.
>
>
> This system is not appropriate for many people - True.
> Certain email users such as many business people, people who
> must maintain email addresses posted on websites or other
> public venues, and countless others will find this system
> undesirable and will not be able to use it. This system is
> ideal for the typical email user who is plagued by large
> amounts of spam. Instead of focusing on who this system
> cannot help we should be focusing on the enormous number of
> people for whom this system will be ideal and who will
> experience near total elimination of spam from their lives
> after employing it.
>
>
> The system has flaws - True. This system is not perfect; it
> is merely vastly superior to the status quo for most users.
> If you have an example of a better system then please speak up.
>
>
> Bounces - The fact that my system employs bounces seems to
> greatly disturb many people. The strongest objection
> concerns the additional burden these bounces will put on the
> email system. The theoretical maximum increase in email
> traffic that this system could generate would be 100% if we
> consider an email account that receives emails with invalid
> sub-addresses exclusively. The near perfect efficacy of my
> system for blocking spam would justify such expenditure. How
> would you feel if your email provider said to you "I know you
> are overwhelmed by spam and that this system will virtually
> eliminate it but doing so could cause a near doubling of your
> email traffic so you can't use it and you must live with this
> spam burden forever"?
> Filters likely increase email traffic to a much greater extent,
> albeit indirectly, as spammers generate vast quantities of
> spam to get around them. Spam filters don't even have
> anywhere near the likely efficacy that my system will have.
> So a filter is tolerable, but my system isn't?
>
> Another concern with bounces is that spammers will forge
> an innocent person's address and then this innocent person
> will get flooded with bounces. Some people with easily
> guessable email addresses will confront this problem. People
> who employ my system will never have to worry about such
> bounces since their addresses cannot be guessed. This is a
> concern, but not a big enough concern to halt such a
> highly efficacious system.
>
>
> Language - There was also a lot of concern over how the
> bounces would be managed by recipients who use different
> languages. I would respond that most people who correspond
> with each other do so in the same language. Also many
> web-sites use the common technique of showing icons of
> international flags to represent languages, and clicking on
> your respective flag will bring up a page with your own
> language. This same technique can apply to bounces. This
> will cover the vast majority of email users, though I admit
> that people who can only read a less commonly used language
> may not be accommodated as easily. I am confident that it is
> possible to devise methods to further address this issue, but
> the aforementioned technique will cover most people.
>
>
> Spammers will always be able to reacquire some of your
> addresses - This obvious truth actually highlights the
> strength of this system. Deactivating compromised
> sub-addresses becomes progressively less disruptive as more
> and more of your correspondents use uniquely generated
> sub-addresses. You also will know the source of the
> compromise so that you can chastise your friend for
> distributing your address in an email chain letter. The
> typical user is not exposing their email address multiple
> times a day to spammers. The typical user's email address is
> revealed to a spammer a finite number of times but it only
> takes one exposure to bring on the spam onslaught. This
> explains why a single security breach at AOL in which more
> than 90 million email addresses were sold to spammers was so
> devastating. Many of those users would have remained spam
> free for a prolonged time if it wasn't for that one breach.
>
> There is of course the situation of having an
> acquaintance that unwittingly has malware on their computer
> that is constantly raiding their address book and passing
> your address on to spammers. Now my system is a real
> blessing as the problem becomes obvious and corrective action
> can be taken, thus saving not only you but everyone else who
> would have their addresses entered into your acquaintance's
> address book.
>
>
> This system is reminiscent of challenge/response - I thought
> I did a sufficient job contrasting this system with
> challenge/response but obviously I didn't. My system allows
> third party emails to arrive unimpeded. My system issues
> challenges in an extraordinarily selective way, only
> challenging people not white listed who were given an
> inactive sub-address. People will need to deal with my
> challenge with only a small fraction of the frequency that
> they would need to deal with a challenge associated with a
> traditional challenge/response system. With my system
> dealing with a CAPTCHA will be a relatively rare event. Is
> there anyone who does not think that this system is
> profoundly superior to every other challenge/response system?
> Again I am surprised; my system makes every other
> challenge/response system obsolete and yet it has not sparked
> real discussion or enthusiasm. Isn't this the Anti-Spam
> Research Group?
>
>
> Seeing the CAPTCHA requires a system that either allows for a
> graphics capable MUA or allows activation of a hyperlink -
> True. You would need to access a system that would allow you
> to see graphics. A graphics capable MUA is the most
> convenient, but all you would really need is a computer with
> a web browser so you can paste the link into the browser and
> view the CAPTCHA. Don't most people have access to web browsers?
> Typical users can see email graphics. I obviously travel in
> different circles since I don't know a single person who uses
> an email system that is not graphics capable. I would argue
> that most typical users would not worry enough about the
> minority of people who cannot access graphics via their mail
> system. The incentive to use a system that effectively
> eliminates spam would outweigh the need to cater to this minority.
>
>
>
> I am not arguing that my system is absolute perfection, or
> that it suits the needs of every email user in the world. I
> only argue that it is vastly superior to anything else out
> there. Take for example a typical AOL user. Almost every
> AOL user is plagued by tremendous amounts of spam and there
> is no hope that any filter will be able to stop the onslaught
> directed at this highly lucrative population. No AOL user
> who uses the system will care on a personal level that
> additional bounces are being generated. Almost none of the
> AOL users will care that people who can only read a less
> common language may not be able to read the bounce; common
> languages will still be accommodated. Spam is such a
> tremendous burden for the average AOL user that few will care
> that a small number of people have no ability to view
> graphics on their system and thus will be forced to go to
> another system to view a CAPTCHA.
>
> I ask you: Is there any other system out there that, even
> when applied to a hundred million people, could eliminate
> nearly 100% of spam as my system would for a typical user
> (I'm sure once every couple of months or so a single
> sub-address will become compromised and the user will suffer
> a day or two of spam before the sub-address is cancelled).
> Is there any other system out there that can protect so many
> millions of users who elect to activate it and yet remain
> secure? Is there any other comparable system that is as easy
> to integrate into current email architecture?
>
> Not challenge/response; it is excessively burdensome and the
> traditional challenges are too weak to protect millions of people.
>
> Not sender-ID proposals; no one is even pretending that these
> proposals will have anything more than a subtle impact.
>
> Does the fact that only 30-40% (a wild guess) of people
> may want to use this system argue against it?
>
> Before you reject my system can you suggest one that is in
> any way comparable? Is the status quo superior? Are you
> holding out hope for an as of yet unknown but better system?
> Have you totally given up any hope for a truly effective
> anti-spam system?
>
> I accept your criticisms, but I view them as relatively minor
> given the likely efficacy of this system. Many people such
> as business people may decide to forgo this system. However,
> this system would be the FUSSP for the enormous population of
> typical users out there for whom the relatively minor
> detractions are not important.
>
> Michael G. Kaplan
>
> _______________________________________________
> Asrg mailing list
> Asrg at ietf.org
> https://www1.ietf.org/mailman/listinfo/asrg
>