The simple fix for the individual receiving the 1000s of bogus challenges (they're not really bogus, just mis-directed) is for the individual to get a C/R protected email account.
Such an account user would never see the challenges, since the sender wouldn't be on their white list. Further, with a properly set up C/R account the challenge would stop right there, since the original challenge would be sent out with a bulk precedence, and the receiving C/R protected email account would simply quarantine the incoming challenge without creating a challenge of its own. In this way the challenge would not be seen by the spoofed sender, and the spam would not be seen by the spam recipient, since neither user would receive a challenge that actually makes it into their inbox. In the end spammers who are spoofing return email addresses are going to be one of the driving forces behind users getting C/R protected addresses.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Parke Bostrom
Sent: Wednesday, September 17, 2003 10:44 AM
To: [EMAIL PROTECTED]
Subject: Constraining Bogus challenges.

> Robin Lynn Frank <[EMAIL PROTECTED]> writes:
> > The major objection I see being raised by opponents to
> > challenge/response is that if someone spoofs their address in
> > spam, that they may get "thousands" of challenge messages to mail
> > they never sent.
> > Is it possible to do the following:
> For the most part, each one
> of those thousands of SPAMs is going to a different person. If each
> person who receives one of those SPAMs has code to do the above, each
> person (1000s) will send one challenge to the forged address. That
> means the forged address will still receive thousands of challenges,
> even though each SPAM recipient running a C/R system like TMDA only
> sent one.

Hi,

I've been having some thoughts like this recently. What if:

(1) There was a standard for all the C/R vendors to use that did the following:

(2) The C/R software sticks a cryptographic message header in all outgoing mail. Something like X-TMDA-Message-ID. The message id would be cryptographically tagged, just the way the email addresses are (although perhaps with more than the default 24 bits of hash).

(3) Any sender that did not want to receive these bogus challenges could start using a C/R solution to tag outgoing messages. Challenges sent in response to spam would have either no or bogus X-TMDA-Message-IDs and could be automatically filtered out.

Does that make sense?

Relatedly, I think for C/R to be a viable long term solution, C/R has to think about being deployed not on a user basis, but on an ISP by ISP basis, or even on a global basis. This means that there would have to be a minimal level of standardization across C/R so that legitimate challenges could be recognized and responded to automatically. This would let mailing lists respond to C/R challenges. This would also make it easier for spammers to automatically respond to challenges, of course. But if enough people start using C/R, spammers will correctly respond to challenges, even if each C/R software has its own protocol.

Responses appreciated. Sorry if I'm rehashing old ideas. I'm new to C/R and to the list.

-Matthew.

______________________________________________________________________
[EMAIL PROTECTED]

_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
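The tagged X-TMDA-Message-ID and the filter on incoming challenges that Matthew proposes, written out as an added example that is not TMDA's own code. The HMAC construction, the 48-bit tag length, the secret key and the assumption that a challenge echoes the original header back verbatim are all assumptions made for this illustration.

```python
import hmac
import hashlib
import os
from typing import Optional
import email

# Tag length: the post asks for more than TMDA's default 24 bits; 48 is a constructed choice.
TAG_BITS = 48


def tag_message_id(secret: bytes, sender: str, nonce: Optional[bytes] = None) -> str:
    """Build an X-TMDA-Message-ID value '<nonce>.<mac>' where
    mac = HMAC-SHA256(secret, nonce || sender) truncated to TAG_BITS."""
    nonce = os.urandom(8) if nonce is None else nonce
    mac = hmac.new(secret, nonce + sender.encode(), hashlib.sha256).digest()
    return f"{nonce.hex()}.{mac[: TAG_BITS // 8].hex()}"


def verify_message_id(secret: bytes, sender: str, tag: str) -> bool:
    """True only if tag was produced by tag_message_id with this secret and sender."""
    try:
        nonce_hex, mac_hex = tag.split(".", 1)
        nonce = bytes.fromhex(nonce_hex)
    except ValueError:  # malformed or non-hex tag: treat as bogus
        return False
    mac = hmac.new(secret, nonce + sender.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac[: TAG_BITS // 8].hex().encode(), mac_hex.encode())


def triage_challenge(secret: bytes, sender: str, raw_challenge: str) -> str:
    """Decide what to do with one incoming challenge. Assumption: a cooperating
    C/R system echoes the original X-TMDA-Message-ID header in its challenge, so a
    challenge for spam forged in our name carries no header or one we cannot verify."""
    msg = email.message_from_string(raw_challenge)
    tag = (msg.get("X-TMDA-Message-ID") or "").strip()
    return "deliver" if verify_message_id(secret, sender, tag) else "quarantine"


# Constructed demo: one challenge for mail we really sent, two for mail we never sent.
DEMO_SECRET = b"constructed-demo-secret"
DEMO_SENDER = "robin@example.org"


def demo() -> dict:
    echoed = tag_message_id(DEMO_SECRET, DEMO_SENDER)
    legit = f"Subject: Please confirm\nX-TMDA-Message-ID: {echoed}\n\nconfirm\n"
    forged = "Subject: Please confirm\nX-TMDA-Message-ID: 0011223344556677.000000000000\n\nconfirm\n"
    missing = "Subject: Please confirm\n\nconfirm\n"
    return {name: triage_challenge(DEMO_SECRET, DEMO_SENDER, m)
            for name, m in (("legit", legit), ("forged", forged), ("missing", missing))}
```

Only the legitimate challenge reaches the inbox; the forged and header-less ones are quarantined without a counter-challenge, which is the behaviour the thread argues for.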
