Re: [Asrg] A CAPTCHA that automatically detects and neutralizes attacks.

["Michael Kaplan" <mkaplansolution at lycos.com>]

> Michael,
> 
> > ... maintain a list of outgoing emails sent by each user ...
> 
> ... some stuff snipped ...
> 
> > the info for a message needs to be
> > available as soon as the message has been sent
> 
> ... more snipping ...
> 
> > can be addressed by holding all incoming challenges
> > and preventing them from reaching the user's inbox
> > for 10 minutes (or whatever length of time).
> 
> 
> This proposed "resolution" to the problem of C-R requiring a record and for
> that record to be available straight away would be largely unacceptable to
> any mail provider of any magnitude because of the cost of this recording
> and buffering, not to mention the operating costs of a highly available
> distributed system capable of reconciling the challenges with the
> responses.
> 
> As I've pointed out to you before the problem of spam is the unacceptable
> cost burden placed upon mail infrastructure providers, much more so that
> than the inconvenience of individual users. You cannot solve the former if
> your proposal has costs of a similar order of magnitude and the same set of
> cost drivers, namely the volume of spam.
> 
> If the costs of managing genuine mail was high, but resource consumption
> decreased because spam was removed from the picture then your solution
> would be cost effective. However it still appears that the cost is directly
> proportional to the volume of unwanted messages. Not only that but also you
> are pushing some of the cost burden onto downstream systems, if a challenge
> issued by your system increases costs for other people, people for whom
> there is no benefit, it is doomed to failure.
> 
> Imagine that I am Yahoo and you are Joe ISP with 1000 mail accounts, how
> can you possibly hope to accomodate the unpredictable number of challenges
> I send you in response to forged mail? You can't. You are faced with high
> running costs and potential DoS to you users, and the financial
> consequences to your stock, caused by my legitimate use of your system as
> designed.
> 
> I'm concerned that you seem hell bent on flogging a dead horse here.
> 
> A number of people have raised detailed weaknesses with your proposal.
> You seem to prefer to address these in isolation rather than view the big
> picture.
> 
> You seem to be making the fatal mistake of going round in circles.
> 
> d.

Thanks for the feedback,

I will say that I am surprised that so many on this list are perseverating over the issue of erroneous challenges.  I suspect that some of the people on this list, as opposed to the general public, have very high profile email addresses and it is possible that you have been selectively targeted by spammers given your role in the anti-spam community.  Some have described responding to hundreds of erroneous challenges.  I personally have never received a single erroneous challenge and I suspect (but I don't have data) that most email users have not either.

I also disagree with the burden that my system will cause to networks.  On average email providers will receive a 1000:1 ratio of spam to challenge email if 99% of spam is filtered before a challenge is sent, and if 10% of spam uses a forged address.  The cost of buffering the challenges will likely be trivial relative to the cost of dealing with routine spam.

Many email providers, such as Yahoo and Gmail, routinely keep a copy of every outgoing email in your sent message folder.  Thus the data for the challenge filter is instaneously available.  A trivial software update can prevent any erroneous bounces from ever becoming visible in a user's inbox.  Other email providers can briefly buffer incoming challenges if need be to update their bounce filter.  I still have trouble seeing how this is a real difficulty, especially relative to Bayesian filtering.

I will concede that when the system is initially introduced there will be specific individuals and specific small ISP that will be transiently disproportionately impacted until they upgrade their software.  Ultimately not a single person should ever receive an erroneous bounce.

Would you tell AOL, Hotmail, Yahoo, and every other major email provider that there is a convenient system that would result in the near total elimination of spam for their users but they should not use it because it would result in an average 0.1% increase in spam-like email sent to ISPs that haven't upgraded? Yes, some will be affected disproportionately.

I disagree that a number of people have raised detailed weaknesses with my proposal that have gone unanswered.  Rather what I do is respond to a legitimate query once or twice and then I stop responding when the issue is repeatedly brought up.  Examples include:

     The porn proxy attack-  I've had to respond to the practical impossibility of this form of attack on two different locations on my website, as well as repeatedly on this list.  Please, think about it yourself.  Crunch the numbers.  It is beyond trivial.

     Spammers will just pretend to be someone on your whitelist- This is again confusing my system with a C/R system, as my system relies on sub-addresses.  The whitelist as I describe it is of a very personal nature and spammers cannot determine it's contents.  If spammer's did determine one or two addresses that were on the whitelist then you would just remove those addresses from the whitelist and have those correspondents rely on using a sub-address as everyone else does.

     Malware will foil this system- As I've described here and on my website the existence of malware is an argument for my system as my system is uniquely resistant to it.

     I would never bother responding to challenge- If you cared about the email then you would.  I think what is trying to be said is that routinely answering challenges is too burdensome.   My system would likely only issue challenges with no more than 5% of the frequency that a C/R would.  I suspect that the vast majority of people would find this acceptable if they could live without spam.

Well it goes on and on.  I was going to ignore the last round of posts as they did not contain any criticisms that I had not answered.  I'm only responding now because I was addressed directly.  I only re-initiated corresponding on this list to describe an innovation for web-page based CAPTCHA, but we took a quick tangent away from that topic.

I will respond to any criticism that I have not answered.  I appreciate it when people point out flaws in the answers I've given, but I'll need more convincing before I concede that the difficulties in enacting a challenge filter are so great that a system that would otherwise eliminate spam should not be considered.

Thank you,
Michael Kaplan
http://home.nyc.rr.com/spamsolution/An%20Effective%20Solution%20for%20Spam.htm

-- 
_______________________________________________
NEW! Lycos Dating Search. The only place to search multiple dating sites at once.
http://datingsearch.lycos.com


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg