Ken A wrote:
Dave Pooser wrote:
I think CR can perhaps work quite well for an individual user with the
technical insight & time to spare, but such individual users are only
a small part of the picture.

No it doesn't. It foists the recipient's burden on others, usually due
to the *lack* of technical insight. Otherwise they'd realize they are
only making the problem worse.

Actually I've seen one C/R variant that addresses the backscatter C/R
issue quite nicely; it dropped the suspected spam in a quarantine folder
and issued an SMTP fakereject after DATA that included a link to a
website where the sender could release the spam from quarantine. So no
backscatter spamming innocent third parties, but you still get a chance
for the sender to verify sending a message. The backend might be a
little involved to set up, but the final system looked secure and easy
to use.

I think that's the first non-backscatter form of C/R I've seen.
However, it still leaves the problems of:
1) A user sends me a technical question. I answer, and get back a
Challenge, forcing me to jump through hoops to get their answer to them.
2) I send an email inquiry to a business. They send me a Challenge, making
me jump through hoops in order to give them money.
3) You're still forcing a legitimate sender to do your anti-spam
decision making for you.
All of those are still, IMO, unacceptably rude.

If you return a 5xx error, what is to prevent the spammer from clicking
to release? CAPTCHA?

I'm actually not concerned about that. While that is a quality issue
for the user of the C/R system, it isn't something that pollutes the net.

What if this system was in widespread use? It could
be a serious single point of failure.

Again, that's a quality issue for the user of the C/R system, not for
the rest of us. And, it's an implementation detail that might be
solvable with clustered web servers and databases, so a large scale
implementation might not have a single point of failure.
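
The quarantine-and-reject variant described in this thread, sketched as an added example (not code from any poster or from the system they saw): the server answers end-of-DATA with a multi-line 550 carrying a release link, and the web backend later checks the link's token. The HMAC token format, the secret, the URL and the three-day expiry are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"                  # assumption: per-site secret
RELEASE_URL = "https://mail.example.org/release"  # hypothetical URL
TTL = 3 * 24 * 3600                               # assumption: 3-day expiry


def make_token(queue_id: str, issued: int) -> str:
    """Bind the quarantine id and issue time under an HMAC."""
    msg = f"{queue_id}:{issued}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{queue_id}:{issued}:{mac}"


def reject_after_data(queue_id: str, now: int) -> str:
    """Multi-line 550 reply sent in answer to end-of-DATA.

    This server never generates a bounce message itself; only the
    connected SMTP client sees the rejection text and the link.
    """
    url = f"{RELEASE_URL}?t={make_token(queue_id, now)}"
    text = ["Message held in quarantine as suspected spam.",
            "If you sent it, release it at:", url]
    # Continuation lines use "550-", the final line uses "550 ".
    out = [f"550-5.7.1 {t}" for t in text[:-1]] + [f"550 5.7.1 {text[-1]}"]
    return "\r\n".join(out) + "\r\n"


def verify_token(token: str, now: int):
    """Return the queue id to release, or None if forged or expired."""
    try:
        queue_id, issued_s, mac = token.rsplit(":", 2)
        issued = int(issued_s)
    except ValueError:
        return None
    expected = make_token(queue_id, issued).rsplit(":", 1)[1]
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not 0 <= now - issued <= TTL:
        return None
    return queue_id
```

The token only proves the link came from this server's rejection and has not expired; it does nothing about the question raised above of a spammer following the link.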