On Thu, Sep 18, 2003 at 09:11:37AM +0200, Ole Wolf ([EMAIL PROTECTED]) wrote:
> Call me arrogant,
I see you and raise you. You're arrogant, ignorant, rude, and you can't
do math.
> but in my opinion, if a person doesn't consider his emails to me
> important enough for him to confirm that he really wants to send them,
That's not the situation, however.
The situation is this:
- You've received an email. You can't figure out who it came from (or
can't be bothered to figure this out). So, given that you don't
know who the mail came from, you send it to the address it says it
came from.
- Multiply that out a few times. 600 million email addresses. 1% of
them use C-R. 13 trillion emails sent annually (about 60 per user
per day), 40% of which are spam. Those are rough numbers, but it's
about accurate.
Now suppose that most of that spam spoofs legitimate email addresses
(not historically true, but becoming more so). 6 million C-R users
send challenges to 150 million spams, every day. With a uniform
distribution, the average email user gets a challenge based on a
spoofed header once every four days.
Increase the number of users on C-R, the total amount of spam, or
individuals with multiple or long-lived and well-known email addresses
and you've got the start of a real problem.
A local research university got hit with 500k SoBig.F viruses in three
days, according to a friend. If these had resulted in a half million
challenges mailed to the wrong address, the recipients would have had
every right to blackhole the school. Note that that's a half-million
mailings during summer recess -- during the school year the number would
likely have been far higher.
Similarly, with 1.5m Swen/Gibe infections reported, and 'ms.com' among
the spoofed sender addresses, I'm sure Morgan Stanley have a few choice
words to say about broken MTA bounce messages, virus autoresponders, and
C-R spam.
> then the messages aren't important enough for me to read them.
No, you're propagating an inherently unscalable and harmful spam
mitigation system. In fact it doesn't mitigate spam, it propagates it.
The majority of challenges go out to someone who didn't send the
message. What's made C-R bearable until now has been the fact that so
few undesired mails had valid sender addresses. This is no longer the
case.
The propagation problem is only one of several that C-R has. Others
include
- Joe-jobs -- for which the list consensus appears to be that users
are "stupid" for attempting to run mail services on dialup.
- An inherent reliance on user-response. This isn't an attribute you
can program around while preserving the fundamental characteristic
of C-R.
- Use within spam-harvest systems by attacking both C-R users and
persons acculturated to responding to anything looking like a
challenge.
> Sorry to use a cliche here, but almost any kind of person can be
> expected to exist, and you can't satisfy everyone. Not receiving mail
> from people who act "on principle" and won't bend their own rules
> seems like a fair trade to me.
The unstated assumption is that alternative spam mitigations don't
work.
This is, however, patently untrue. The bulk of current unsolicited mail
is viral. This is trivially filtered by scanning for MSFT executable
attachments[1].
The bulk of remaining mail is spam, most of it readily detected by
existing spam filtering tools: SpamAssassin, SpamBayes, Bogofilter,
among them, which can be deployed client or server side, and provide for
user-specific whitelisting and Bayesian filtering preferences. Typical
results are a minimum of 90% effective filtering, with rates upwards of
98% attainable at very low false-positive rates -- less than 0.02%.
I would find C-R systems such as TMDA far less objectionable if they
mandated C-R only as a last recourse:
- Mail that isn't viral in origin.
- Mail that isn't clearly spam.
- Mail that isn't otherwise accounted for (whitelist, passkey, or
other system).
What I fail to understand, though, is why you'd need a C-R system to
handle the very small handful of messages that do come through such
filtering. I use a well-known, well-publicized email address I've had
for seven years. I use a whitelist (locally maintained), SpamAssassin,
and some local filtering rules. The results are highly satisfactory.
--------------------
Notes:
1. The list of extensions posted here recently is incomplete. I'd
recommend the list here:
http://www.linuxquestions.org/questions/archive/8/2003/03/4/51848j
--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Windows Refund Day II: fight for your right to refund
http://www.windowsrefund.net/
_____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
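The message above argues that a challenge should be the last resort, after the viral, spam and whitelist tiers have each had their turn, and that challenging mail in the first two tiers is exactly what produces backscatter, since their sender headers are usually forged. The following is an added example of that ordering written for this archive page; it is not code from the post, from TMDA, or from any of the filters the post names. It uses only the Python standard library, and the executable-extension list, the whitelist, the keyword rules standing in for SpamAssassin, the threshold and every sample message are constructed for the demonstration.

```python
"""Tiered mail triage: challenge only what the cheaper tiers cannot classify.

Added example, not code from the post or from TMDA.  The extension list,
whitelist, scoring rules, threshold and sample messages are all constructed
stand-ins for the real tools named in the thread.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed subset of extensions treated as Windows executables.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd", ".vbs"}

# Constructed whitelist of correspondents the user already trusts.
WHITELIST = {"alice@example.org"}

# Constructed stand-in for a SpamAssassin-style rule set: (regex, weight).
SPAM_RULES = [
    (r"(?i)\bviagra\b", 3.0),
    (r"(?i)click here", 1.5),
    (r"(?i)100% free", 2.0),
    (r"(?i)unsubscribe", 1.0),
]
SPAM_THRESHOLD = 5.0


def executable_attachments(msg):
    """Filenames of attachments whose extension marks a Windows executable."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            hits.append(name)
    return hits


def spam_score(msg):
    """Sum the weights of every rule matching the subject or plain-text body."""
    text = str(msg["Subject"] or "") + "\n"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += body.get_content()
    return sum(weight for pattern, weight in SPAM_RULES if re.search(pattern, text))


def triage(raw):
    """Return (action, reason).

    Order matters: the viral and spam tiers run before the whitelist because
    their From: headers are usually forged (a forged whitelisted sender must
    still be discarded, not challenged), and a challenge is issued only for
    mail that nothing else accounts for.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()

    viral = executable_attachments(msg)
    if viral:
        return "discard", "executable attachment: " + ", ".join(viral)
    score = spam_score(msg)
    if score >= SPAM_THRESHOLD:
        return "quarantine", f"spam score {score:.1f} >= {SPAM_THRESHOLD}"
    if sender in WHITELIST:
        return "deliver", "whitelisted sender " + sender
    return "challenge", "unknown sender, not viral, not spammy"


def build(sender, subject, text, attachment=None):
    """Construct a raw RFC 5322 message for the constructed samples below."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.net"
    msg["Subject"] = subject
    msg.set_content(text)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed sample messages, one per tier plus a forged whitelisted sender.
SAMPLES = {
    "viral": build("bob@example.com", "Re: details", "See attached.",
                   attachment=("details.pif", b"MZ\x90\x00")),
    "forged_known": build("alice@example.org", "your document",
                          "Please review.", attachment=("photo.scr", b"MZ")),
    "spam": build("deals@example.com", "100% FREE viagra",
                  "Click here to buy. To unsubscribe, reply."),
    "known": build("alice@example.org", "lunch?", "Tomorrow at noon?"),
    "unknown": build("carol@example.com", "TMDA question",
                     "How do I set up a whitelist?"),
}


def run_samples():
    """Map each sample name to the triage action chosen for it."""
    return {name: triage(raw)[0] for name, raw in SAMPLES.items()}


def score_sample(name):
    """Spam score of one constructed sample, for inspection."""
    return spam_score(email.message_from_string(SAMPLES[name], policy=policy.default))


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} -> {triage(raw)}")
```

The `forged_known` sample is the case the post's SoBig and Swen figures describe: a worm using a whitelisted address as its forged sender. Because the executable check runs first, it is discarded rather than delivered or challenged, so no challenge goes back to the innocent address in the From: header. Only the `unknown` sample, which is neither viral nor spammy nor whitelisted, ever reaches the challenge step.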
