> C-R as a pure-play spam mitigation is fundamentally flawed. I've
> pointed this out.
To be fair (oh, and pardon me for chipping in) I think Karsten has a
point here, if we assume that:
(i) people start using TMDA (or some other C/R) because of spam;
(ii) spammers always forge envelope-From, Reply-To: or whatever.
Almost by definition, a challenge will only get through to those
people who we don't mind getting email from in the first place.
I'm running TMDA post-SpamAssassin since TMDA provides nice tools for
looking through the SA-tagged messages. I'm challenging (rather than
just holding) since a percentage of spam outfits do actually use their
own domains and return addresses (in which case they should get their
spam back), and partly so I have to worry less about false-positives.
This does mean, of course, a lot of challenges being sent to bogus
addresses. This is unfortunate for a variety of reasons, but it
doesn't generate much more traffic than all the bounce messages my MTA
already generates for bad addresses at my domain (and all the spam to
email addresses I've not used for over a decade). Does it
inconvenience users whose email address has been forged? Probably, but
I'd say it's no worse than the bounces they're going to get from the
bogus destination addresses for the spam in the first place. (Of
course, widespread TMDA adoption might change this demographic.)
Right now, my domain is being used in a couple of spam attacks - I'm
getting hundreds of double-bounce messages (since the From: line is a
no-such-user at my domain). If any of the victims are using a C/R
system they're being protected and I'm never seeing the
challenges. Even if my true email address were forged (as happens from
time to time), I'd suspect the challenges would (currently) be swamped
by the non-delivery messages.
In short, I'm now using TMDA because content filtering tools are
fundamentally flawed, and at the very least need constant monitoring
and maintenance (so I disagree with Karsten here). Spammers are
constantly using new tricks to obfuscate their content, poison Bayes
filters, and so on. And there are a HUGE number of broken content
filters out there. I'd rather wrap SpamAssassin (doing triage, in
effect) in TMDA as a reliable-by-design (if annoying) catch-all than
trust a content filter on its own, and I'd much rather live in a world
of C/R mail systems (and the traffic they might generate) than faulty
content filters - at least my mail won't get silently lost.
--
nick rothwell -- composition, systems, performance -- http://www.cassiel.com
_____________________________________________
tmda-users mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-users
