> Robin Lynn Frank <[EMAIL PROTECTED]> writes:

> > The major objection I see being raised by opponents to
> > challenge/response is that if someone spoofs their address in
> > spam, that they may get "thousands" of challenge messages to mail
> > they never sent.

> > Is it possible to do the following:

> For the most part, each one
> of those thousands of SPAMs is going to a different person.  If each
> person who receives one of those SPAMs has code to do the above, each
> person (1000s) will send one challenge to the forged address.  That
> means the forged address will still receive thousands of challenges,
> even though each SPAM recipient running a C/R system like TMDA only
> sent one.

Hi,

        I've been having some thoughts like this recently.

        What if:

(1) There was a standard for all the C/R vendors to use that did the
following:

(2) The C/R software sticks a cryptographic message header in all
outgoing mail.  Something like X-TMDA-Message-ID.  The message id
would be cryptographically tagged, just the way the email addresses
are (although perhaps with more than the default 24 bits of hash).

(3) Any sender that did not want to receive these bogus challenges
could start using a C/R solution to tag outgoing messages.  Challenges
sent in response to spam would have either no or bogus
X-TMDA-Message-IDs and could be automatically filtered out.

        Does that make sense?

        Relatedly, I think for C/R to be a viable long term solution,
C/R has to think about being deployed not on a user basis, but on an
ISP by ISP basis, or even on a global basis.

        This means that there would have to be a minimal level of
standardization across C/R so that legitimate challenges could be
recognized and responded to automatically.  This would let mailing
lists respond to C/R challenges.

        This would also make it easier for spammers to automatically
respond to challenges, of course.  But if enough people start using
C/R, spammers will correctly respond to challenges, even if each C/R
software has its own protocol.

        Responses appreciated.  Sorry if I'm rehashing old ideas.  I'm
new to C/R and to the list.

        -Matthew.
______________________________________________________________________
                                                     [EMAIL PROTECTED]
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
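
The tagging scheme proposed in points (2) and (3), sketched as an added example that is not part of the original message and is not TMDA code. It assumes the challenging system copies the X-TMDA-Message-ID header into its challenge; the HMAC-SHA256 construction, 128-bit tag, 14-day window, helper names and addresses are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from email import message_from_string

HEADER = "X-TMDA-Message-ID"  # name proposed in the post; not an existing standard
TAG_HEX = 32                  # 128-bit tag (assumption), well above 24 bits
MAX_AGE = 14 * 24 * 3600      # assumed window in which a challenge may arrive

def _tag(key, body):
    # Keyed hash over "<timestamp>.<nonce>", truncated to TAG_HEX hex digits.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:TAG_HEX]

def make_tagged_id(key, now=None):
    """Build '<timestamp>.<nonce>.<tag>' to place in an outgoing message."""
    ts = int(time.time() if now is None else now)
    body = f"{ts}.{secrets.token_hex(8)}"
    return f"{body}.{_tag(key, body)}"

def verify_tagged_id(key, value, now=None):
    """True only for an unexpired ID that was tagged with our key."""
    parts = value.strip().split(".")
    if len(parts) != 3 or not value.isascii() or not parts[0].isdigit():
        return False  # missing or malformed header value
    ts, nonce, tag = parts
    # Constant-time comparison so the check does not leak tag prefixes.
    good = hmac.compare_digest(_tag(key, f"{ts}.{nonce}").encode(), tag.encode())
    age = (time.time() if now is None else now) - int(ts)
    return good and 0 <= age <= MAX_AGE

def classify_challenge(raw, key, now=None):
    """'deliver' if the challenge echoes an ID we issued, else 'discard'."""
    value = str(message_from_string(raw).get(HEADER) or "")
    return "deliver" if verify_tagged_id(key, value, now) else "discard"

def challenge(tagged_id=None):
    """Constructed sample challenge, optionally echoing a tagged ID."""
    head = f"{HEADER}: {tagged_id}\n" if tagged_id else ""
    return ("From: cr-daemon@recipient.example\nTo: me@sender.example\n"
            f"Subject: Please confirm your message\n{head}\nReply to confirm.\n")

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # per-sender secret, never sent out
    mine = make_tagged_id(key)
    print(classify_challenge(challenge(mine), key))              # mail we sent
    print(classify_challenge(challenge(), key))                  # no header
    print(classify_challenge(challenge(mine[:-1] + "x"), key))   # bogus tag
```

The timestamp inside the tagged value bounds how long a copied ID stays valid; within that window, an ID harvested from a genuine message would still verify.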
