Dave Pooser wrote:
I think CR can perhaps work quite well for an individual user with the
technical insight & time to spare, but such individual users are only
a small part of the picture.

No it doesn't. It foists the recipient's burden on others, usually due
to the *lack* of technical insight. Otherwise they'd realize they are
only making the problem worse.

Actually I've seen one C/R variant that addresses the backscatter C/R issue
quite nicely; it dropped the suspected spam in a quarantine folder and
issued an SMTP fakereject after DATA that included a link to a website where
the sender could release the spam from quarantine. So no backscatter
spamming innocent third parties, but you still get a chance for the sender
to verify sending a message. The backend might be a little involved to set
up, but the final system looked secure and easy to use.

If you return a 5xx error, what is to prevent the spammer from clicking
to release? CAPTCHA? What if this system was in widespread use? It could
be a serious single point of failure.
--
Ken Anderson
Pacific.Net
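
A sketch of the reject-after-DATA variant discussed in this thread, added here as an example and not taken from any poster's system: the receiver quarantines the message and answers DATA with a multi-line 550 reply carrying a release link, so any bounce is generated by the sending MTA for its own user instead of being mailed to a possibly forged address. The HMAC-signed, expiring token, the secret, the URL and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"                    # assumption: per-site secret
RELEASE_URL = "https://quarantine.example/release"  # hypothetical endpoint
TOKEN_TTL = 3 * 24 * 3600                           # assumption: link valid for 3 days


def _mac(queue_id, expiry):
    """Truncated HMAC-SHA256 over the queue id and expiry time."""
    msg = f"{queue_id}.{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_token(queue_id, now=None):
    """Return 'queue_id.expiry.mac', binding the link to one quarantined message."""
    expiry = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{queue_id}.{expiry}.{_mac(queue_id, expiry)}"


def verify_token(token, now=None):
    """Return the queue id if the token is authentic and unexpired, else None."""
    try:
        queue_id, expiry, mac = token.rsplit(".", 2)
        expiry = int(expiry)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac.encode(), _mac(queue_id, expiry).encode()):
        return None
    if (time.time() if now is None else now) > expiry:
        return None
    return queue_id


def fake_reject_reply(queue_id, now=None):
    """Build the 550 reply sent after DATA; the message is quarantined, not dropped."""
    url = f"{RELEASE_URL}?t={make_token(queue_id, now)}"
    lines = ["Message held as suspected spam.", "The sender may release it at:", url]
    # SMTP multi-line reply: 'code-' on every line except the last, which uses 'code '.
    out = [f"550-5.7.1 {text}" for text in lines[:-1]] + [f"550 5.7.1 {lines[-1]}"]
    return "\r\n".join(out) + "\r\n"


if __name__ == "__main__":
    print(fake_reject_reply("Q123"), end="")
```

The token only proves that the link came from this server for this message and has not expired; it does nothing to tell a human sender from an automated one, which is the question raised in the last reply.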