On Sunday 21 September 2003 07:11 pm, Karsten M. Self  wrote:
> on Thu, Sep 18, 2003 at 01:55:21AM -0700, JLM ([EMAIL PROTECTED]) wrote:
> > >> This is semantic silliness. As I'm sure you realize, the author
> > >> simply pointed out that it is the "human test" provided by TMDA that
> > >> allows us to block spam. Blocking spam is the goal; Turing tests are
> > >> the means. While not the only method, TMDA is quite effective
> > >> despite its inherent shortcomings.
> > >
> > > But TMDA does not just rely on a "turing test".  TMDA also
> > > relies on the fact that spammers forge From addresses, that the path
> > > of spam is often one directional.
> >
> > I really don't see how TMDA relies on spammers spoofing their
> > addresses.
>
> Spammers typically list an address in the 'From:' header that they
> don't respond to.  In some cases, it's an invalid, undeliverable,
> non-resolving address.  In others, the domain resolves or the mailbox
> actually exists and is deliverable.
>
> If spammers simply used non-resolving domains, there'd be few issues --
> you could test whether or not the address was legitimate and refuse mail
> where it wasn't.  C-R in this case would be overkill, but would
> determine that the address was not deliverable.  Of course, this makes
> spam rejection too easy, from the spammer's perspective.  Better to
> impersonate a live domain.
>
> In the case where the domain does resolve, you are at a minimum sending
> mail to the mailserver, where it is either rejected immediately as
> non-deliverable, or (depending on forward rules and chains), bounces
> around internally for a while before coming up non-deliverable.  In the
> latter case, you're likely causing at least a log entry, and possibly
> postmaster mail, on account of your failed delivery attempt.
>
> If the poor sap does exist, then depending on how many spams carried
> that address, you are one of tens, hundreds, thousands, or millions of
> people cramming an invalid C-R challenge into their mailbox.
>
> What makes your spam better than the original spammer's?
>
> > The latter is unfortunate, but TMDA hardly relies on it.  It's more of
> > a grudging acceptance of reality. Most challenges are sent to spoofed
> > addresses, but there's not much anyone can do about that.
>
> Bollux.  There are existing content/context based filters which
> discriminate between spam and non spam with better than 98% accuracy,
> and less than 0.02% false positive rates.
>
> > It's more important to make sure that (a) recipient in-boxes aren't
> > inundated,
>
> How do you plan to coordinate the actions of your personal C-R node with
> that of tens, hundreds, thousands, or millions of other C-R users?  Last
> I checked, this was technically infeasible.
>
> > and (b) valid correspondents are able to get through
>
> Of course.
>
> > (albeit after going through the challenge).
>
> If they're valid in the first place, and you can determine this, why
> challenge them?  Ego-stroking on your part?
>
> > > He refuses to respond to them on principle. He claims he is not
> > > alone.
> >
> > I'm sure he is not alone. But I personally have little desire to
> > accommodate obstinate folks. That type of response sounds to me like:
> > "Sorry, but my time is more important than your time."
>
> No, it sounds to me like a perfectly valid reaction.  Your reason for
> sending a challenge is that you can't determine that a given sender is
> valid.  What's your basis then for deciding that I am the person who has
> to solve this problem for you?
>
> I receive a fair amount of spam for spam mitigation systems.  I suppose
> by your logic that these are acceptably legitimate mails, as they are
> spam in the name of reducing spam.  That's what C-R challenges to
> spoofed addresses are, after all.
>
> > As has been said by others many times before, I refuse (on principle)
> > to allow my in-box to become a hell-hole
>
> If you're swallowing the line that TMDA/C-R is the only way to keep your
> inbox clean, you're sadly deluded.
>
> > just because a few curmudgeons can't take five seconds out of their
> > day to do a one-time confirmation that they're human.
>
> How many of those five second decisions are going to be based on spoofed
> challenges?  Again:  what makes your spam more valid than the original
> spammer's?
>
> > Nobody questions whether C/R is annoying. But to shun it on principle
> > is to deny us the one truly useful weapon we have in this war.
>
> Again, wrong.  What is your basis for determining that all other methods
> fail?  Where is your empirical proof?
>
> > If you're not part of the solution...
>
> ...then TMDA is part of the problem.  Couldn't have said it better
> myself.
>
> > We would all like to live in a world where TMDA and its ilk are not
> > needed.
>
> Surprise!  You do.  Mind taking note of this?
>
>
>     http://freshmeat.net/articles/view/852/
>     http://freshmeat.net/articles/view/964/
>     http://lwn.net/Articles/9185/
>
>
> Peace.

I've come to the conclusion that peace is not something that is likely to 
happen on this topic.  Just as there are folks on spam-l that hate c/r 
because they are too stupid to control what enters their mail box, there are 
folks here who don't care if they generate 1000 challenges to people who 
never sent them mail in the first place.  I'm currently working on a scheme 
to either hold or redirect mail if the DNS doesn't match the host/domain in 
an effort to reduce the chance that I will challenge someone who didn't 
actually mail me.  But just as I've given up discussing c/r on spam-l, I am 
dropping the subject here as well.
-- 
Robin Lynn Frank | Director of Operations | Paradigm-Omega, LLC
Email acceptance policy:  http://paradigm-omega.com/email_policy.html
Our current s$p%a&m-t*r#a^p:  [EMAIL PROTECTED]

_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
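
An added illustration of the kind of DNS check mentioned in the message above; it is not Robin Lynn Frank's scheme and not TMDA code. It assumes one possible rule: send a challenge only when the connecting host has forward-confirmed reverse DNS that falls under the envelope sender's domain, and hold the message otherwise. The function names and the DNS tables (documentation address ranges and example domains) are constructed so the example runs offline.

```python
from typing import Dict, List, Optional

# Constructed DNS data standing in for live PTR and A lookups (assumption).
PTR: Dict[str, str] = {
    "192.0.2.10": "mail.example.org",
    "198.51.100.7": "dsl-7.pool.example.net",
}
A: Dict[str, List[str]] = {
    "mail.example.org": ["192.0.2.10"],
    "dsl-7.pool.example.net": ["198.51.100.7"],
}


def forward_confirmed_host(ip: str, ptr=PTR, a=A) -> Optional[str]:
    """Return the PTR name for ip only if that name resolves back to ip."""
    name = ptr.get(ip, "").lower().rstrip(".")
    return name if name and ip in a.get(name, []) else None


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a label-aligned subdomain of it."""
    return host == domain or host.endswith("." + domain)


def disposition(client_ip: str, envelope_sender: str, ptr=PTR, a=A) -> str:
    """Return 'challenge' or 'hold' for a message from an unknown sender.

    A challenge goes out only when the connecting host verifiably belongs
    to the domain named in the envelope sender; everything else is held
    for review so no challenge reaches a forged address.
    """
    if "@" not in envelope_sender:
        return "hold"  # null sender (bounce) or malformed: never challenge
    domain = envelope_sender.rsplit("@", 1)[1].lower().rstrip(".")
    host = forward_confirmed_host(client_ip, ptr, a)
    if host is None or not in_domain(host, domain):
        return "hold"
    return "challenge"


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "alice@example.org"),
                       ("198.51.100.7", "alice@example.org"),
                       ("203.0.113.5", "bob@example.org")]:
        print(ip, sender, "->", disposition(ip, sender))
```

Under this rule, legitimate mail relayed through a third party's servers is held rather than challenged, which trades some manual review for fewer challenges sent to addresses that never mailed you.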
