Re: [Asrg] A response to the critique of my anti-spam system
Once again I appreciate any and all constructive criticism.
> I have several objections to your system, which I have not seen you
> respond to.
>
> 1) I am in charge of a fairly popular web-accessible database, which requires
> a password for access. Sometimes people will forget their password, but
> then they can type in their ID number and have the password sent to the
> e-mail address they provided when they registered. This is a fully
> automatic process. If those users were using your system, my mail to
> their address might well bounce, as the address might have become
> invalid. I am not willing to accept the extra burden of processing
> those bounces, and I assume the same will be true for many others who
> maintain a similar system, and this might mean a significant
> inconvenience for anyone actually using the system - a system which
> involves breaking a number of existing systems will not be popular.
The automatic generation of sub-addresses makes it less likely that the address that was given to your site will be deactivated but yes, your concern is justified. If someone deactivates the sub-address and if they have not white-listed you then the reminder email you send them will bounce. One can accept this as an inherent flaw with the system or you can address it in one of the following ways:
-When they are typing in their ID number you can have a clear reminder posted such as: WE WILL NOT HANDLE BOUNCES AT THIS SITE. IF YOU DEACTIVATED THE SUB-ADDRESS THAT YOU GAVE US THEN YOU MUST ADD REMINDER at DATABASE.COM TO YOUR WHITE-LIST BEFORE REQUESTING A REMINDER FOR YOUR PASSWORD.
-I imagine that if my system became very popular then there would be services in the developing world that would process these bounces for maybe a tenth of a cent apiece. So if you are willing to spend $50 then you can get 50,000 bounces decoded by this service. I imagine that these services will become very popular with businesses that do transactions over the internet. Of course if you are a spammer and you want to decode 100 million bounces a day then this same service will cost you $100,000 every day.
> 2) Your mails might look like spam to some spam filters - there are
> filters that notice the transmission of a large number of substantially
> identical messages and attachments, and automatically learn to
> identify those mails as spam. This will happen quicker if your
> system ever responds to a forged mail address which happens to be
> a spam trap. There are systems that will consider anyone who mails
> to a spam trap to be a spammer, and censor all future mail from that
> user/server combination. Basically, what I am saying is that your
> system is just not compatible with some existing anti-spam solutions.
This is a good point but I admit that I am not qualified to respond to this criticism. Many large companies such as Ebay, Paypal, and Amazon send out mass mailings and filters allow these emails through.
Maybe someone out there with knowledge of these filters can either suggest the appropriate workaround for this issue, or barring that maybe they can confirm that this is a problem with no reasonable solution. I would like to know.
I will say that if you are actually using my system then this will not be a problem since email sent with the correct sub-address will bypass content filters.
> 3) Your system does not work at all for addresses which people expect to
> find like "postmaster", "webmaster", "sales", "support", "info",
> "abuse" and so on. People are just not going to appreciate a message
> telling them to use a different address - in particular if it arrives as
> a graphical attachment.
I assume you are asking what happens when you send email to, say, the computer support department of Dell computer. I really can't imagine that Dell would use this system to guard their support department. This system is more suited for email accounts belonging to individuals.
> 4) Old e-mail addresses never die. I am still receiving the occasional
> spam to an address I used ONCE to post a Usenet message back in '89.
> That address is now redirected to a spamtrap and working nicely as
> such. Now, if I started constantly switching e-mail addresses, I would
> eventually be receiving multiple copies of every spam message - one
> or more to each address. This would just mean increased load for my
> server, and as I have to pay for my incoming traffic, I do not
> appreciate that increase.
I guess this is a general argument against the concept of any temporary or disposable email address. This could be directed against Zoemail, Reflexion, Yahoo's AddressGuard, Spam Gourmet.... It would also apply to the email address I'm using now since I did not want to use my primary email address in a public forum.
You may be right, but so far there has not been an uproar over the concept of disposable addresses. Some people question if spammers would ever try to prune their list of expired addresses. I suspect that if 99% of a spammer's list was made up of clearly expired addresses then they would be motivated to prune the list - but I admit that this is just speculation on my part.
> > You also asked what I meant by a typical user. Some people cannot use this
> > system such as certain business people, people who insist on keeping an
> > active email address in an easily harvested form on website, or people who
> > are afraid of being cut off from correspondents who use a graphics incapable
> > email system.
>
> Also include everyone wanting to participate in a public discussion board,
> Usenet group or any other similar service which publishes your e-mail.
>
> In fact, just about the only ones who could use the system are those who
> can keep their e-mail address secret - but even that does not work in
> practice unless they never send out mail. E-mails will get out and
> spammers will harvest them.....no matter what.
I don't have to speculate as to if the automated generation of sub-addresses will be an effective tool against spam. Services such as Zoemail and Reflexion are used successfully by many people. My system is an expansion and improvement of their proven technology.
Thank you,
Michael Kaplan