[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] Please critique my anti-spam system

To: asrg at ietf.org
Subject: Re: [Asrg] Please critique my anti-spam system
From: Laird Breyer <laird at lbreyer.com>
Date: Sat, 8 Jan 2005 15:37:49 +1000
In-reply-to: <20050108045142.DC522C611D@ws7-5.us4.outblaze.com>
List-archive: <http://www1.ietf.org/pipermail/asrg>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
Mail-followup-to: asrg at ietf.org
References: <20050108045142.DC522C611D@ws7-5.us4.outblaze.com>
Reply-to: laird at lbreyer.com
Sender: asrg-bounces at ietf.org
User-agent: Mutt/1.5.6+20040523i

On Jan 07 2005, Michael Kaplan wrote:

> To once again clarify how erroneous bounces will be filtered: Any
> email system that allows a user to generate a white list will be
> able to readily generate a 'bounce white list' composed of all
> addresses that the user had sent mail to within the past few hours.
> The bounces generated by my system will be identified as bounces by
> a universally recognized tag.  The user will only see the bounces
> that are contained on the bounce white list.

The mail transport system will see, store, and analyse all the bounce
traffic regardless. Who are the beneficiaries? Individual mail
users. Who are affected indifferently or negatively? ISPs, admins,
software developers intending support. Who is in a position to
implement the proposal?  The latter group. Who does need convincing?

>  I believe that this human interaction is as limited and as
> non-disruptive as it can possibly be while still maintaining an
> extreme degree of efficacy.  A solution that provides similar
> efficacy while requiring zero human interaction would be far
> superior, but this "solution" just doesn't seem to exist.

What are the prospects for user-side automation? 

If X sends out a weekly newsletter to thousands of people, most of
whom use your system, then X receives thousands of bounce messages
back, requiring individual CAPTCHA decoding, followed by individual
resending of the message, does it not?

> Anyway the world would be a better place if a standard was adopted
> so that every bounce-like message (such as my system, traditional
> C/R systems, vacation messages) came with a universally recognized
> tag.  Then my bounce white list filtering system would prevent
> everyone from getting any kind of erroneous bounce.

Emails are sent through SMTP servers in the clear.

How does your system fare against snooping attacks, wherein any
relevant information such as sender + receiver's email addresses are
routinely harvested from archives, hacked and proxied servers, and
spyware infested computers, and fake bounces are sent back to each
identified sender, containing a spamvertizement? These fake bounces
are always whitelisted, are they not?

What is the effect of harvesting correct subaddresses by searching for
the replies to the CAPTCHA bounces, wherein the correct subaddress is 
visible in the clear?

What is the effect of bouncing the CAPTCHA bounce back to the CAPTCHA
bouncing recipient, with or without another CAPTCHA attached?

-- Laird Breyer.

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

References:
- Re: [Asrg] Please critique my anti-spam system
  - From: Michael Kaplan

Prev by Date: Re: [Asrg] Please critique my anti-spam system
Next by Date: Re: [Asrg] Please critique my anti-spam system
Previous by thread: Re: [Asrg] Please critique my anti-spam system
Next by thread: Re: [Asrg] Please critique my anti-spam system
Index(es):
- Date
- Thread