
Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.



Michael,

> ... maintain a list of outgoing emails sent by each user ...

... some stuff snipped ...

> the info for a message needs to be
> available as soon as the message has been sent

... more snipping ...

> can be addressed by holding all incoming challenges
> and preventing them from reaching the user's inbox
> for 10 minutes (or whatever length of time).


This proposed "resolution" to the problem of C-R requiring a record and for
that record to be available straight away would be largely unacceptable to
any mail provider of any magnitude because of the cost of this recording
and buffering, not to mention the operating costs of a highly available
distributed system capable of reconciling the challenges with the
responses.

As I've pointed out to you before, the problem of spam is the unacceptable
cost burden placed upon mail infrastructure providers, much more so than
the inconvenience of individual users. You cannot solve the former if
your proposal has costs of a similar order of magnitude and the same set of
cost drivers, namely the volume of spam.

If the costs of managing genuine mail were high, but resource consumption
decreased because spam was removed from the picture, then your solution
would be cost effective. However, it still appears that the cost is directly
proportional to the volume of unwanted messages. Not only that, but you are
also pushing some of the cost burden onto downstream systems; if a challenge
issued by your system increases costs for other people, people for whom
there is no benefit, it is doomed to failure.

Imagine that I am Yahoo and you are Joe ISP with 1000 mail accounts; how
can you possibly hope to accommodate the unpredictable number of challenges
I send you in response to forged mail? You can't. You are faced with high
running costs and potential DoS to your users, and the financial
consequences to your stock, caused by my legitimate use of your system as
designed.

I'm concerned that you seem hell bent on flogging a dead horse here.

A number of people have raised detailed weaknesses with your proposal.
You seem to prefer to address these in isolation rather than view the big
picture.

You seem to be making the fatal mistake of going round in circles.

d.




_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg