On Thu, Sep 18, 2003 at 01:55:21AM -0700, JLM ([EMAIL PROTECTED]) wrote:
> >> This is semantic silliness. As I'm sure you realize, the author
> >> simply pointed out that it is the "human test" provided by TMDA that
> >> allows us to block spam. Blocking spam is the goal; Turing tests are
> >> the means. While not the only method, TMDA is quite effective
> >> despite its inherent shortcomings.
> >
> > But TMDA does not just rely on a "turing test". TMDA also
> > relies on the fact that spammers forge From addresses, that the path
> > of spam is often one directional.
>
> I really don't see how TMDA relies on spammers spoofing their
> addresses.

Spammers typically list an address in the 'From:' header that they
don't respond to. In some cases, it's an invalid, undeliverable,
non-resolving address. In others, the domain resolves or the mailbox
actually exists and is deliverable.

If spammers simply used non-resolving domains, there'd be few issues --
you could test whether or not the address was legitimate and refuse mail
where it wasn't. C-R in this case would be overkill, but would
determine that the address was not deliverable. Of course, this makes
spam rejection too easy, from the spammer's perspective. Better to
impersonate a live domain.

In the case where the domain does resolve, you are at a minimum sending
mail to the mailserver, where it is either rejected immediately as
non-deliverable, or (depending on forward rules and chains), bounces
around internally for a while before coming up non-deliverable. In the
latter case, you're likely causing at least a log entry, and possibly
postmaster mail, on account of your failed delivery attempt.

If the poor sap does exist, then depending on how many spams carried
that address, you are one of tens, hundreds, thousands, or millions of
people cramming an invalid C-R challenge into their mailbox.

What makes your spam better than the original spammer's?

> The latter is unfortunate, but TMDA hardly relies on it. It's more of
> a grudging acceptance of reality. Most challenges are sent to spoofed
> addresses, but there's not much anyone can do about that.

Bollux. There are existing content/context based filters which
discriminate between spam and non spam with better than 98% accuracy,
and less than 0.02% false positive rates.

> It's more important to make sure that (a) recipient in-boxes aren't
> inundated,

How do you plan to coordinate the actions of your personal C-R node with
that of tens, hundreds, thousands, or millions of other C-R users? Last
I checked, this was technically infeasible.

> and (b) valid correspondents are able to get through

Of course.

> (albeit after going through the challenge).

If they're valid in the first place, and you can determine this, why
challenge them? Ego-stroking on your part?

> > He refuses to respond to them on principle. He claims he is not
> > alone.
>
> I'm sure he is not alone. But I personally have little desire to
> accommodate obstinate folks. That type of response sounds to me like:
> "Sorry, but my time is more important than your time."

No, it sounds to me like a perfectly valid reaction. Your reason for
sending a challenge is that you can't determine that a given sender is
valid. What's your basis then for deciding that I am the person who has
to solve this problem for you?

I receive a fair amount of spam for spam mitigation systems. I suppose
by your logic that these are acceptably legitimate mails, as they are
spam in the name of reducing spam. That's what C-R challenges to
spoofed addresses are, after all.

> As has been said by others many times before, I refuse (on principle)
> to allow my in-box to become a hell-hole

If you're swallowing the line that TMDA/C-R is the only way to keep your
inbox clean, you're sadly deluded.

> just because a few curmudgeons can't take five seconds out of their
> day to do a one-time confirmation that they're human.

How many of those five second decisions are going to be based on spoofed
challenges? Again: what makes your spam more valid than the original
spammer's?

> Nobody questions whether C/R is annoying. But to shun it on principle
> is to deny us the one truly useful weapon we have in this war.

Again, wrong. What is your basis for determining that all other methods
fail? Where is your empirical proof?

> If you're not part of the solution...

...then TMDA is part of the problem. Couldn't have said it better
myself.

> We would all like to live in a world where TMDA and its ilk are not
> needed.

Surprise! You do. Mind taking note of this?

http://freshmeat.net/articles/view/852/
http://freshmeat.net/articles/view/964/
http://lwn.net/Articles/9185/

Peace.

--
Karsten M. Self <[EMAIL PROTECTED]> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Comic tragedy: MobiliX sued by Asterix publisher over 'iX' trademark
http://tuxmobil.org/mobilix_asterix.html
_____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
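
An added example, not part of the original post or of TMDA: the SMTP-time sender-domain test the message describes (refuse mail whose sender domain does not resolve), showing that a resolving domain still leaves the sender unverified, so any challenge or bounce may reach a forged third party. The function names, the action labels and the constructed resolver table are assumptions of this example.

```python
# Added example: sender-domain check with an injectable resolver.
import socket
from email.utils import parseaddr

def resolve_system(domain):
    """True if the domain resolves, False if not; TimeoutError on a
    temporary failure. A/AAAA only; a real MTA would also consult MX."""
    try:
        socket.getaddrinfo(domain, 25)
        return True
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:
            raise TimeoutError(domain)
        return False

def check_sender(envelope_from, resolves=resolve_system):
    """Return (action, reason) for a MAIL FROM value.
    action is 'accept', 'reject' (permanent) or 'defer' (temporary)."""
    if envelope_from.strip() in ("", "<>"):
        # Null reverse-path marks a bounce: accept it, never challenge it.
        return ("accept", "null sender, no reply possible")
    _, addr = parseaddr(envelope_from)
    local, at, domain = addr.rpartition("@")
    if not (local and at and domain):
        return ("reject", "malformed sender address")
    try:
        if not resolves(domain.lower()):
            return ("reject", "sender domain does not resolve")
    except TimeoutError:
        # DNS trouble is not proof of forgery: ask the client to retry.
        return ("defer", "temporary DNS failure")
    # A resolving domain says nothing about who sent the message: a
    # bounce or challenge sent now may land on a forged third party.
    return ("accept", "domain resolves, sender still unverified")

# Constructed resolver table so the example runs offline.
_ZONES = {"example.org": True, "no-such-domain.invalid": False}

def resolve_constructed(domain):
    if domain == "flaky.example":
        raise TimeoutError(domain)
    return _ZONES.get(domain, False)

if __name__ == "__main__":
    for sender in ("<>", "bob", "a@no-such-domain.invalid",
                   "victim@example.org", "x@flaky.example"):
        print(sender, check_sender(sender, resolve_constructed))
```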
