Re: [Asrg] Please critique my anti-spam system
On Jan 09 2005, Peter J. Holzer wrote:
> How often do you subscribe to newsletters while away from your computer
> (or any computer with internet access)?
There are a few cases depending on the amount of roaming involved.
I can be away from my computer while being on some computer with
reduced resources (think publicly provided terminal and telnet(!)),
I also can have several computer accounts used separately and
simultaneously for mail, with widely varying software/OS environments.
(On occasion, I've had four or five such mail accounts used as convenient,
although currently I use one mail address, but several computers)
I can also be subscribed by someone else as a service (e.g. by office
staff etc.), in which case I need not be physically at a computer at all.
I can subscribe by talking to someone and writing an address on a
piece of paper. I can subscribe by browsing the net while on someone
else's computer.
That said, I actually like your paper-based solution quite a lot, and
it is much less cumbersome than looking for a sub-address generator
on some remote computer while roaming.
So I think I now agree with you that most initial list subscriptions
would involve a sub-address, and no CAPTCHA bounce for the list
operator.
> > > > Also, there are privacy implications in outsourcing the processing of
> > > > sensitive email messages to cheap third parties?
> > >
> > > Outsource the CAPTCHA, not the entire message.
> > >
> >
> > The CAPTCHA contains the key to generating the required sub-address. That's
> > all that is needed.
>
> No, not necessarily. Although Michael's example presents the CAPTCHA
> together with the invariant parts of the mail address, this isn't
> necessarily the case. It would be possible to separate them in such a
> way that the recipient could keep the invariant parts secret and pass
> only the puzzle to the outsourcing company. So the outsourcing company
> would know that the solution of the puzzle is "LUCKY", but they don't
> know that the full address is <JOE.LUCKY at DOMAIN.COM>. Of course they
> could try all combinations of addresses and solutions, but that would be
> extremely expensive if the system is deployed widely (if it isn't, they
> won't bother).
Hmm. This would work I think, but to be safe from related attacks the
customer who receives the CAPTCHA would have to remain anonymous to
the outsourcing company.
>
> > There's also the fact that list messages (such as your own to this
> > list) often arrive twice, once through the list and once directly. If
> > I used your system, I would be sending you a CAPTCHA bounce which
> > would be clogging your inbox.
>
> No, you wouldn't, unless you had the subaddress already disabled, in
> which case you wouldn't receive mails from the mailinglist either
> (unless you explicitly whitelisted the mailinglist).
Either you're confused or I am. Michael sends me two messages, once as
Michael (which is unsolicited, and he's not whitelisted, so gets a CAPTCHA),
and once as asrg at ietf.org, which is whitelisted since I've subscribed to
the list.
--
Laird Breyer.
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg