On Mon, 26 Oct 2009, Yao Ziyuan wrote:
Passive Spam Revocation (PSR)
Currently almost all mail systems (e.g. Hotmail and Gmail) use a spam
filter, which can drop good and important messages.
<snark>
People who expect to receive important messages shouldn't be using
Hotmail.
</snark>
I propose an optional feature for current mail systems. The main idea
is if a message is considered spam, this spam status can be tracked by
the sender (but not sent to him directly, as the From field can be
faked). The message can be re-marked as "not spam" if the sender can
solve a CAPTCHA.
STEP 1: A is going to send B a message. A's mail client generates a
random code and puts it in a custom field in the outgoing message's
header:
Code: <random code>
I'd suggest a more-verbose header name; "PSR-Code" perhaps?
STEP 2: A's mail client sends the message, waits 30 seconds,
Assuming the recipient will have processed the message within 30 seconds
is unduly optimistic. You don't know how many hops are involved, or the
delay in each, or whether some parts of the chain are temporarily
unreachable.
and then visits:
https://spamstatus.<B's mail domain>/?msgid=<Message-ID>&code=<Code>
This page displays one of these possible "spam statuses":
* MESSAGE CONSIDERED SPAM. (A CAPTCHA is also presented below.)
* MESSAGE CONSIDERED NOT SPAM.
* PENDING. PLEASE TRY AGAIN LATER.
* All other responses mean B's mail system doesn't support this feature.
I'd also suggest a response for Message-ID/PSR-Code mismatch.
I'd suggest that the status might be checked once every five minutes for
24-48 hours (with possible extension if requested by the user), or until a
response is received, and that the sender must explicitly ask that the
message be tracked rather than it being automatic. (The code header
generation can be automatic, the webserver queries should not be.)
This assumes the domain has a webserver, and that the webserver can
communicate with the email infrastructure. That may not be the case.
In the first case, A's mail client will report the status and the
CAPTCHA to A. A can choose to solve the CAPTCHA to prove the message
is not spam.
CAPTCHAs are far from a panacaea:
http://www.google.com/search?&q=captcha+cracked
You are also expecting the recipient to keep a copy of all received spams
for an arbitrary period of time to allow the sender to check the delivery
status and solve the CAPTCHA, and that the seen Message-IDs be remembered
for even longer. That's yet more burden on an already overburdened email
system.
You also need to have a status "MESSAGE CONSIDERED SPAM, CAPTCHA NOT
SOLVED WITHIN GRACE PERIOD, MESSAGE DISCARDED."
Like the idea?
It sounds interesting. A variant on DSNs, but passive. I can see it having
some appeal in business settings.
Here's a variant: the spamstatus website returns a random code, and if
within the quarantine period that random code appears on a Paypal money
transfer to the recipient (the minimum amount is, of course, configurable,
and may be related to the overall spam score) the message is released from
quarantine. If the recipient feels the message was valid, they can refund
the money. This avoids all the weaknesses of relying on a CAPTCHA.
Here is the official Google group for it:
http://groups.google.com/group/passive-spam-revocation
Good luck with that.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
North Korea: the only country in the world where people would risk
execution to flee to communist China. -- Ride Fast
-----------------------------------------------------------------------
16 days since President Obama won the Nobel "Not George W. Bush" prize
