On Saturday 13 March 2004 02:06, Simon Waters wrote:
Isn't the bigger problem what to put into the C/R challenge?
The current TMDA scheme of a digitally secured email address doesn't work, as the spammer will immediately use this to send a confirmation (assuming it is widely enough used to be worth their while) assuming their spambot is directly connected.
We've only seen one instance of this in two months.
I've seen it too, only once, but it was not due to a spammer replying to my challenge. It was due to some poor joe-jobbed machine which had a mis-configured MTA. Basically this happened:
- Spammer sent with envelope of <[EMAIL PROTECTED]>.
- TMDA sent challenge to that envelope.
- The MTA at poorguy.domain.com sent a "There is no such user joe" reply, but instead of properly sending to the envelope of my challenge, it improperly sent to the reply-to address.
- Thus the spammer's original message was released.
I actually get more spam these days from spammers abusing the Habeas warrant mark than because of any mail released via challenge responses.
It is my hope that something like SPF (http://spf.pobox.com) will eventually cut down on the joe-jobs on the internet in general, and this will solve many more problems than just the one I've mentioned above.
-- Jim Ramsay "Me fail English? That's unpossible!"
_____________________________________________ tmda-users mailing list ([EMAIL PROTECTED]) http://tmda.net/lists/listinfo/tmda-users
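An added illustration of the failure described in the message above (not TMDA's code and not part of the original post): a confirmation handler can refuse to release held mail when the "confirmation" is really a bounce or other automatic message. The function name, sample messages and example domains are assumptions made for this sketch.

```python
from email import message_from_bytes
from email.utils import parseaddr

# Local parts that mail systems, not people, send from.
SYSTEM_LOCALPARTS = {"mailer-daemon", "postmaster"}


def rejection_reason(raw_message: bytes, envelope_sender: str):
    """Return why a message must not count as a confirmation, or None."""
    msg = message_from_bytes(raw_message)

    # Bounces are sent with the null return path "<>".
    if envelope_sender.strip() in ("", "<>"):
        return "null envelope sender"

    # A broken MTA may use a real return path but still sign as the daemon.
    for addr in (envelope_sender, str(msg.get("From", ""))):
        local = parseaddr(addr)[1].partition("@")[0].lower()
        if local in SYSTEM_LOCALPARTS:
            return "sent by a mail system account"

    # RFC 3834: any value other than "no" marks an automatic message.
    auto = str(msg.get("Auto-Submitted", "no")).split(";")[0].strip().lower()
    if auto != "no":
        return "Auto-Submitted: " + auto

    # Delivery status notifications use multipart/report.
    if msg.get_content_type() == "multipart/report":
        return "delivery status notification"
    return None


# Constructed sample: a misdirected "no such user" bounce like the one above.
BOUNCE = (
    b"From: Mail Delivery System <MAILER-DAEMON@poorguy.example>\r\n"
    b"Subject: Undeliverable: no such user joe\r\n"
    b"\r\n"
    b"There is no such user joe.\r\n"
)
# Constructed sample: a person replying to the challenge.
HUMAN = (
    b"From: Alice <alice@sender.example>\r\n"
    b"Subject: Re: Please confirm your message\r\n"
    b"\r\n"
    b"Confirming.\r\n"
)

if __name__ == "__main__":
    print(rejection_reason(BOUNCE, "<>"))                   # bounce: held
    print(rejection_reason(HUMAN, "alice@sender.example"))  # None: release
```

A held message would be released only when rejection_reason() returns None for the message that arrived at the confirmation address.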