Udhay,
> >> You're not creating extra traffic. You're sending unsolicited
> >> bulk email.
> > On average, my confirm challenge is about 800 bytes.
> > Your reply will cost a few bytes too. Let's be generous,
> > and say the whole thing adds up to 1k bytes. Thus, I'm
> > generating about 300-400k bytes of traffic, total. That's
> > about the same amount of traffic you'd generate by looking
> > at about 5 extra news articles, or about 10 seconds of
> > a streaming video.
> >
> > While there was a day when the "wasted bandwidth" argument against
> > challenge/response was legitimate, that day has long passed. There's
> > plenty of bandwidth to go around.
>
> Bandwidth is not the scarce commodity. Attention is.
That's exactly my point.
I'm assuming you'll agree that in a game theoretic sense,
if anybody has to "pay", it should be the sender, not the
passive recipient. However, most of the time, nobody has
to "pay" at all.
Here's my take on what the real issues are:
o Total cost of attention of all parties ("global costs")
o Situation-specific fairness of costs to each party
o Amortized opportunity costs for each party
Knocking on a door does not seem objectionable to most folks,
especially if they're approaching the home of a stranger.
In the case of a physical door, you've got to knock every
single time in order to be considered polite, even if you
are *not* strangers.
In contrast, TMDA only asks you to knock once, and after that
you can come right in for the remainder of your online life,
and when you do, you'll stand a better chance of getting
my attention because I won't be distracted by real spam.
> Devdas alluded to this in his response as well - imagine if every one
> of the ~1k names in my address book issued a challenge.
Even the cost of this worst-case would be amortized very quickly, but
the critical point to realize is that you don't need to experience
this worst case scenario at all... nor do your friends. All that's
required is a small amount of effort on your part up front to bootstrap
TMDA manually (an hour or two at the most). Here's how:
Prior to using TMDA I grepped all the email I've ever sent
(and "non-spam" email I've ever received) for email addresses.
From this, you can easily create a sorted/unique list of
addresses that form the basis of your initial whitelist.
When I started using TMDA, *none* of the people who have ever
corresponded with me realized the new system was in place.
Thus, the bootstrapping objection is moot, as long as you are
a considerate person (which certainly appears to be the case),
and your friends are too. If your friends don't know how to
bootstrap TMDA, or are too lazy, the options are to write them
a program to make it easier for them, or to forgive them.
If you (or they) would abandon your relationship over such a
triviality, it seems likely that you'll be wasting each other's
time no matter what the email contains.
> Or any one of the ~50k subscribers of the various lists I read.
> I wouldn't be able to get anything done, let alone read the
> actual mail that I receive.
This is overcome very easily.
TMDA has two different challenge-free solutions for mailing lists:
temporary addresses and tagged addresses. Read the TMDA FAQ for
more info on these topics.
You could also go low-tech and do either of the following:
o Throw challenges to your list's email away.
This means that people who didn't want to
whitelist your list won't get it. Of course,
they might have forgotten, but that's not
your problem, it's theirs (which is appropriate).
If they have made a mistake, it's easy for them
to fix, because TMDA does not throw away the
article you mailed to them -- it's in a "pending"
folder. Upon realizing they didn't get the email,
they could grep the pending folder, read the email
and fix their mistake by adding you to the whitelist.
o Set up an autoresponder for the tagged address
you use for your list. This will help naive users
who neglected to whitelist you to receive your email
regardless. Your email address will end up in their
TMDA "confirmed" list (which is separate from "whitelist").
If you were actually an evil spammer, they could just
move you to the "blacklist" later.
You'd think that spammers would all just adopt the second
"low tech" strategy and autorespond. In fact, they hardly
ever do so (about 12 spammers autorespond to me per year).
Spammers are focused on delivering mail in order to sell their
product/scam, and that means steering you to their website.
They could care less about replying to your email. Besides,
they want to use random/fake email addresses, not recycle them.
Spammers rely upon scale, and scale drives spam agents to be
as stateless as possible when it comes to the bulk part of
the operation. Also, replying to the trivial challenge TMDA
produces would mean they'd have to give away information about
the source of their spam (or their infected spam-delivering mule).
Spammers are very reluctant to do so.
TMDA has worked magnificently for several years now, so even if
you don't find this theoretical argument completely convincing
(which is understandable), the evidence of its effectiveness
is quite compelling. It really works.
> Challenge response systems are an attempt to make *your*
> spamfiltering someone else's problem
This does not follow.
You'll have more time to devote to those you've whitelisted,
and to those online strangers considerate enough to hit reply as
a once-in-a-lifetime cost for emailing you out of the blue.
Thus, your friends should *thank* you for creating a system
that prioritizes them over the needs of online strangers that
lack the trivial level of motivation required to participate
in the group of contacts that you *do* serve efficiently.
If you bootstrap using the procedure described above,
the only people who have to hit "reply" to a challenge
are those that satisfy *all* of the conditions below:
o Online "strangers"
Those who have never sent/gotten email from you
before, in your entire pre-bootstrapping phase
(for me, that's nearly 20 years).
o Those not in a whitelisted domain
This takes care of in-house mail from folks
in your company even if you're too lazy to set
up a script to mine LDAP periodically.
o Those not using a challenge-free temporary address
This takes care of most mailing lists and
ephemeral contacts such as online commerce.
> and that is my problem with them.
If you were whitelisted in advance, this problem would be moot.
Similarly, as you would be a courteous manual TMDA bootstrapper
yourself, your friends would not have a problem with you either.
TMDA may not be a perfect fit for all people in all situations,
but my experience with it for the past several years has been
nothing short of splendid.
I think you'll end up liking TMDA once you read the docs
and experiment with it a bit. If not, I hope that at least
some of my reasoning makes sense to you, and that my concept
of fairness (initiator/stranger "pays" the attention cost)
seems justifiable. If not, perhaps we'll just have to
"agree to disagree" on this one.
Cheers,
-Jon
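The bootstrapping procedure Jon describes (grep all sent and non-spam received mail for addresses, then sort/unique them into an initial whitelist) and the "who still has to answer a challenge" conditions he lists later are illustrated below as an added shell example. It is not code from the original post or from the TMDA project: the two mbox files are constructed for this illustration, the function names are made up, and only the address and domain whitelist exemptions are modelled (challenge-free tagged/temporary addresses are not).

```shell
#!/bin/sh
# Added example, not from the original post or from TMDA.
# Builds an initial whitelist from addresses seen in existing mail,
# then decides whether a given sender would face a challenge.
set -eu

# Write two small CONSTRUCTED mbox files into the scratch directory $1.
make_sample_mail() {
    dir=$1
    cat > "$dir/sent.mbox" <<'EOF'
From jon@example.org Mon Jan  6 10:00:00 2003
From: Jon <jon@example.org>
To: Alice Example <alice@example.com>, bob@example.net
Cc: "Carol" <Carol@Example.COM>
Subject: hello

Hi there.

From jon@example.org Tue Jan  7 10:00:00 2003
From: jon@example.org
To: bob@example.net
Subject: again

Body text mentioning quoted-in-body@example.invalid is ignored.
EOF
    cat > "$dir/received.mbox" <<'EOF'
From dave@example.edu Wed Jan  8 10:00:00 2003
From: Dave <dave@example.edu>
To: jon@example.org
Subject: question

Please reply.
EOF
}

# Print every address found in From:/To:/Cc:/Reply-To: header lines of
# the mbox files given as arguments, one per line, lowercased.
# Only header lines are scanned, so addresses quoted in bodies are skipped.
extract_addresses() {
    awk '
        /^From / { inhdr = 1; next }                 # mbox message separator
        inhdr && /^$/ { inhdr = 0; next }            # blank line ends headers
        inhdr && /^(From|To|Cc|Reply-To):/ { print }
    ' "$@" |
    grep -Eo '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}' |
    tr 'A-Z' 'a-z'
}

# Sorted, de-duplicated whitelist: all correspondents except yourself ($1).
build_whitelist() {
    self=$1; shift
    extract_addresses "$@" | grep -vxF "$self" | sort -u
}

# Returns 0 (true) when the sender $1 is neither in the whitelist $2 nor
# in a whitelisted domain from $3 (both newline-separated strings), i.e.
# when that sender would have to answer a confirm challenge.
needs_challenge() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    whitelist=$2
    domains=$3
    printf '%s\n' "$whitelist" | grep -qxF "$addr" && return 1
    printf '%s\n' "$domains" | grep -qxF "${addr##*@}" && return 1
    return 0
}

# Stand-alone demonstration on the constructed mailboxes.
demo_dir=$(mktemp -d)
make_sample_mail "$demo_dir"
build_whitelist jon@example.org "$demo_dir/sent.mbox" "$demo_dir/received.mbox"
rm -rf "$demo_dir"
```

On real mail the first argument to build_whitelist is your own address and the remaining arguments are your sent-mail and received-mail mbox files; redirect the output to the whitelist file and review it once before turning challenges on.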