On Sat, 13 May 2006 19:26:12 -0400, Stan Brown wrote:
> I know nothing about that particular package, but
> challenge-response systems are not just a flawed
> implementation, they are a bad idea from the get-go.
Spam exists because all that a spammer needs is a valid email
address, which can be gotten from a spambot reading your address
from an internet posting, or an email virus attack on someone
that has your address in their address book, or by just brute
force guessing at email addresses.
Keyword filtering programs fail at killing spam because the
spammers stay one step ahead of the regular expressions in them.
In short, they succeed by being smarter than rule-based computer
programs. They're even getting better at beating Bayesian
systems.
Challenge-response tries to fix this by turning the one-step
delivery of mail into a two-step process, but it suffers from the
defect of header spoofing.
Louie R. Orbeta had a novel (though poorly implemented) concept
for controlling spam years ago. It was called "PureMail", and
would scan an inbound message for a key (NOT just the sender's
email address) and determine from that key whether the inbound
message came from a trusted source. Key's location to be
determined.
His idea was for a "one to many" approach, where one key would be
known by many / all of your friends. Or you could have many
different keys, all with different (or no) expiration dates.
This beats the spammers by forcing them to keep track of not only
a valid receiving email address, but a key to match the inbox of
the recipient.
One problem with this approach is that the address book for the
sender's email program would have to allow for an extra field
for the key of each recipient.
A workaround might be to use the recipient's key in the subject
line on the first message you send, getting your message thru,
and then having a custom header containing YOUR email key, which
the recipient's mail filtering program would read and add to a
database of valid keys.
And for possible valid contact attempts for people lacking the
key? You could send an auto-reply directing people to a web
image:
http://www.ncdm.com/purekey.gif
Which a person could read but a bot could not easily read, and
they could resend the message.
Implementing this approach would require us to think about
mailbox access differently, but I really don't think it would be
harder or require more work than existing systems. And it would
compare very favorably in terms of false positives.
--
CL.
+-----------------------------------------+
| Charles Lasitter | Mailing / Shipping |
| 401/728-1987 | 14 Cooke St |
| cl+at+ncdm+dot+com | Pawtucket RI 02860 |
+-----------------------------------------+
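To make the two delivery paths in the post concrete (first contact with the recipient's key in the Subject line, later contact with the sender's own key in a custom header, and an auto-reply pointing at the key image for everyone else), here is a small filter written as an added example. It is not PureMail's code and not from the original post; the header name X-Mail-Key, the key strings, the expiry handling and the sample messages are all assumptions. Keys are compared in constant time and the decision rests on the key rather than the From line, which is what keeps a spoofed header from getting through.

```python
# Added example, not PureMail's code: inbound filter for the key scheme above.
# X-Mail-Key, the key values and the sample messages are assumptions.
import email
import hmac
import time
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

KEY_HEADER = "X-Mail-Key"                      # assumed name of the custom header
IMAGE_URL = "http://www.ncdm.com/purekey.gif"  # image URL given in the post


def _same(a, b):
    """Constant-time comparison so a guessed key leaks nothing via timing."""
    return hmac.compare_digest(str(a).encode("utf-8"), str(b).encode("utf-8"))


class KeyFilter:
    def __init__(self, inbox_keys, clock=time.time):
        # inbox_keys: {key: expiry_epoch or None}. One key may be shared with
        # many friends ("one to many"); several keys may carry different expiries.
        self.inbox_keys = dict(inbox_keys)
        self.sender_keys = {}   # sender address -> key learned from their first accepted message
        self.clock = clock

    def _inbox_key_ok(self, token):
        for key, expires in self.inbox_keys.items():
            if _same(key, token) and (expires is None or expires > self.clock()):
                return True
        return False

    def classify(self, raw):
        """Return 'trusted' or 'challenge' for one raw RFC 822 message."""
        msg = email.message_from_string(raw, policy=policy.default)
        sender = parseaddr(str(msg.get("From", "")))[1].lower()
        presented = msg.get(KEY_HEADER)

        # Path 1: a known correspondent presents the key registered earlier.
        # The check is on the key, not the From line, so a forged From line
        # without the key is not trusted.
        known = self.sender_keys.get(sender)
        if known is not None and presented is not None and _same(known, presented):
            return "trusted"

        # Path 2: first contact carrying one of my inbox keys in the Subject.
        for token in str(msg.get("Subject", "")).split():
            if self._inbox_key_ok(token):
                if presented is not None:
                    self.sender_keys[sender] = str(presented)  # remember their key
                return "trusted"
        return "challenge"


def challenge_reply(raw, my_address):
    """Auto-reply for a held message, pointing a human at the key image."""
    msg = email.message_from_string(raw, policy=policy.default)
    reply = EmailMessage()
    reply["From"] = my_address
    reply["To"] = str(msg.get("From", ""))
    reply["Subject"] = "Re: " + str(msg.get("Subject", ""))
    reply.set_content(
        "Your message was held because it carried no key. Read the key at\n"
        f"{IMAGE_URL} and resend with it in the Subject line."
    )
    return reply


# Constructed sample messages (not real traffic).
FIRST_CONTACT = """From: Alice <alice@example.net>
Subject: Hello FRIENDKEY2006
X-Mail-Key: alice-key-42

Your inbox key in the Subject, my own key in the header.
"""
FOLLOW_UP = """From: Alice <alice@example.net>
Subject: Lunch?
X-Mail-Key: alice-key-42

Only my registered key this time.
"""
SPOOFED = """From: Alice <alice@example.net>
Subject: Urgent offer

Forged From line, no key at all.
"""
EXPIRED = """From: Bob <bob@example.com>
Subject: OLDKEY hi

Carries a key whose expiry has passed.
"""


def demo(now=2000.0):
    """Run the samples through a filter whose OLDKEY expired at epoch 1000."""
    f = KeyFilter({"FRIENDKEY2006": None, "OLDKEY": 1000}, clock=lambda: now)
    return {name: f.classify(raw) for name, raw in
            [("first", FIRST_CONTACT), ("follow_up", FOLLOW_UP),
             ("spoofed", SPOOFED), ("expired", EXPIRED)]}


if __name__ == "__main__":
    print(demo())
    print(challenge_reply(SPOOFED, "cl@example.org"))
```

The sample order matters: the follow-up is only trusted because the first-contact message registered Alice's key beforehand, and the spoofed message fails even though its From line is identical to hers.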