Re: [Asrg] A response to the critique of my anti-spam system
[The message I'm replying to was marked charset=iso-8859-1 but
contained various octets that are not 8859-1 text characters. I've
replaced them with my best guesses at what they are meant to be, in
[brackets]. Michael Kaplan, I'd suggest you fix/replace whatever
brokenware generated that message and incorrectly marked it as
Content-Type: text/plain; charset="iso-8859-1"
.]
> I present my response to the critique.
My responses below assume you haven't changed it since the version I
read.
> This is the first and only CAPTCHA developed that is invulnerable to
> technical circumvention. I have to admit that I am surprised that
> this innovation in and of itself has not generated more discussion.
Maybe it's because more people agree with me, that it can be and will
be defeated technically, than with you, that it can't and won't?
There's a lot of very good work being done by computer vision people,
solving basically this very problem - and with difficult noisy
real-world images, not the nice clean synthetic ones you use.
> I[']ll guess that every three or four months a TYPICAL user will
> suffer a day or two of spam and will need to deactivate a single
> sub-address. Otherwise this system is beyond any technical
> subversion. Is there any other system existing or proposed that can
> claim this?
Sure. Any of them. And in most cases, with about as much truth.
> Bounces [-] The fact that my system employs bounces seems to greatly
> disturb many people. The strongest objection concerns the additional
> burden these bounces will put on the email system.
Perhaps strongest to you. The strongest to me is that the
challenge/bounce messages will spam anyone whose address gets forged
into the from-line of spam to an early adopter. Committing abuse in
the name of fighting abuse is hypocritical - and unacceptable.
> The theoretical maximum increase in email traffic that this system
> could generate would be 100% if we consider an email account that
> receives emails with invalid sub-addresses exclusively.
Not quite. There is no real limit to the maximum increase when two
implementations start challenging one another's challenges - it's a
classic bounce laser.
> The near perfect efficacy of my system for blocking spam would
> justify such expenditure. How would you feel if your email provider
> said to you ["]I know you are overwhelmed by spam and that this
> system will virtually eliminate it but doing so could cause a near
> doubling of your email traffic so you can[']t use it and you must
> live with this spam burden forever["]?
I'd feel my email provider was grossly incompetent, both for mistaking
your system for being as effective as you think it is and for thinking
that those two alternatives are the only ones available.
> Filters likely increase email traffic to much greater extent, albeit
> indirectly, as spammers generate vast quantities of spam to get
> around them.
And why won't the same be true with your system?
> Spam filters don[']t even have anywhere near the likely efficacy that
> my system will have. So a filter is tolerable, but my system
> isn[']t?
Filters don't generate spam to forgery victims. (Usually, at least.
Some do, and they deserve to get slapped down for it.)
> Language [-] There was also a lot of concern over how the bounces
> would be managed by recipients who use different languages. I would
> respond that most people who correspond with each other do so in the
> same language.
Yes - but how is your system going to know what language that is?
> Also many web-sites use the common technique of showing icons of
> international flags to represent languages, and clicking on your
> respective flag will bring up a page with your own language. This
> same technique can apply to bounces.
I'll believe it when I see it. You appear to have mistaken email,
which is a static technology, for the Web, which is interactive to at
least the minimal extent necessary to support the sort of user
interface you describe.
> The typical user is not exposing their email address multiple times a
> day to spammers.
No; the typical user is exposing others' email addresses multiple times
a day to spammers.
Okay, that's a slight exaggeration. The proportion of zombied Windows
boxen out there has not yet reached 50%, so "the typical user" still
isn't zombied. But any zombied machine's address book is available to
spammers in full, including any address using your system that may be
in it.
> Is there anyone who does not think that this system is profoundly
> superior to every other challenge/response system?
As I would hope is obvious by now: Yes. Me.
> Again I am surprised; my system makes every other challenge/response
> system obsolete and yet it has not sparked real discussion or
> enthusiasm. Isn[']t this the Anti-Spam Research Group?
It doesn't make anything obsolete until it's implemented and deployed.
Do that and I, for one, will pay a lot more attention.
> Seeing the CAPTCHA requires a system that either allows for a
> graphics capable MUA or allows activation of a hyperlink [-] True.
> You would need to access a system that would allow you to see
> graphics.
Which kills it right there, as far as I'm concerned. (As if it needed
further killing for me.)
> A graphics capable MUA is the most convenient, but all you would
> really need is a computer with a web browser so you can paste the
> link into the browser and view the CAPTCHA.
No. A computer with a *graphics-capable* web browser.
> Don[']t most people have access to web browsers?
Most people? Certainly. And if you can arrange that only those people
ever send mail to your system, you're fine - in that respect.
> Typical users can see email graphics. I obviously travel in
> different circles since I don[']t know a single person who uses an
> email system that is not graphics capable.
Your system needs more than graphics capable; it needs graphics
convenient. I can, if I need to, extract an image from a webpage or
email and look at it. It is not a convenient process, and I most
certainly would not bother to do it to answer a C/R challenge.
> I would argue that most typical users would not worry enough about
> the minority of people who cannot access graphics via their mail
> system. The incentive to use a system that effectively eliminates
> spam would outweigh the need to cater to this minority.
Quite possibly. Provided your challenges are easily mechanically
identifiable, so I can reject them automatically, this then won't be a
problem for me personally (except for the extra bandwidth used).
> Does the fact that as only 30-40% (a wild guess) of people may want
> to use this system argue against it?
Yes, because the rest will get spammed by your challenges every time
their addresses get forged into the from-lines of spam sent to that 30-40
percent.
> Before you reject my system can you suggest one that is in any way
> comparable?
There are lots of vapourware FUSSPs out there. So far I see no reason
to think yours is anything else.
Implement your system. Deploy it on a small scale. *Then* I'll be
interested in hearing more - in particular, I very much want to hear
your experiences - the *actual* percentages of this and that, rather
than the wild guesses I've seen on both sides. The *actual* end-user
reactions.
I'm not interested in implementing it because I believe it will be far
less effective and more problematic than you think, and I am not
inclined to sink effort into something I think will be useless.
Unless you want to pay me to implement it, in which case contact me
off-list and we can discuss my consulting rates.
> Is the status quo superior?
Yes, in at least one way: it doesn't have a third of the net spamming
the other two-thirds with challenge blowback.
> Have you totally given up any hope for a truly effective anti-spam
> system?
If you mean a purely technical system - yes. Spam is not a
fundamentally technical problem; fundamentally technical approaches
will not eradicate it.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse at rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
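The traffic argument in the message above (a 100% ceiling when one challenge/response system answers spam, an unbounded "bounce laser" when two of them challenge each other's challenges, and blowback to the forged sender either way) as a small constructed simulation. This is an added example, not code from the thread or from either participant; the mailbox addresses are made up, and the `auto_submitted` flag stands in for the Auto-Submitted: header of RFC 3834, the check a responsible auto-responder uses to avoid answering automatic mail.

```python
from collections import deque

class Message:
    """Minimal mail message: envelope sender, recipient, auto-submitted flag."""
    def __init__(self, sender, recipient, auto_submitted=False):
        self.sender, self.recipient = sender, recipient
        self.auto_submitted = auto_submitted  # models RFC 3834 Auto-Submitted:

class CRMailbox:
    """Challenge/response mailbox: challenges every sender it has not whitelisted."""
    def __init__(self, address, respects_auto_submitted):
        self.address = address
        self.whitelist = set()
        self.respects_auto_submitted = respects_auto_submitted
        self.challenges_sent = 0

    def receive(self, msg):
        """Return the challenge to send back, or None if the mail is accepted/dropped."""
        if msg.sender in self.whitelist:
            return None
        if self.respects_auto_submitted and msg.auto_submitted:
            return None  # loop-breaker: never challenge an automatic message
        self.challenges_sent += 1
        return Message(self.address, msg.sender, auto_submitted=True)

def simulate(first, mailboxes, max_hops=100):
    """Deliver `first`, then follow every challenge it triggers.
    Returns (messages transmitted, True if the hop cap stopped a live loop)."""
    by_addr = {m.address: m for m in mailboxes}
    queue, transmitted = deque([first]), 0
    while queue and transmitted < max_hops:
        msg = queue.popleft()
        transmitted += 1
        box = by_addr.get(msg.recipient)  # non-C/R addresses just absorb mail
        if box is not None:
            reply = box.receive(msg)
            if reply is not None:
                queue.append(reply)
    return transmitted, bool(queue)

def traffic_for(alice_guard, bob_guard):
    """One spam to alice with bob's (constructed) address forged as sender; both run C/R."""
    alice = CRMailbox("alice@example.com", alice_guard)
    bob = CRMailbox("bob@example.net", bob_guard)
    spam = Message("bob@example.net", "alice@example.com")  # forged from-line, not auto
    total, looped = simulate(spam, [alice, bob])
    # bob never sent anything, yet every challenge alice emits lands on him
    return {"messages": total, "looped": looped, "blowback_to_bob": alice.challenges_sent}
```

With both sides honouring the flag the spam costs two messages (the 100% case) and bob is still hit once; with neither side honouring it the exchange only stops at the hop cap.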