Re: challenge-response filtering?

  • Subject: Re: challenge-response filtering?
  • From: Charles Lasitter <cl@xxxxxxxx>
  • Date: Mon, 15 May 2006 11:32:05 -0400
  • Newsgroups: news.software.readers
  • Organization: NC Direct Marketing
  • References: <EM7XN04T38849.1904513889@anonymous.poster> <6626010.VpIdBzpJY9@schestowitz.com> <MPG.1ed035249d8e8ba498a4a7@news.individual.net>
  • User-agent: 40tude_Dialog/2.0.15.1 (ab0393ee.262.199)
  • Xref: news.mcc.ac.uk news.software.readers:186506
On Sat, 13 May 2006 19:26:12 -0400, Stan Brown wrote:

> I know nothing about that particular package, but
> challenge-response systems are not just a flawed
> implementation, they are a bad idea from the get-go.

Spam exists because all that a spammer needs is a valid email 
address, which can be gotten from a spambot reading your address 
from an internet posting, or an email virus attack on someone 
that has your address in their address book, or by just brute 
force guessing at email addresses.  

Keyword filtering programs fail at killing spam because the 
spammers stay one step ahead of the regular expressions in them.  
In short, they succeed by being smarter than rule-based computer 
programs.  They're even getting better at beating Bayesian
systems.

Challenge-response tries to fix this by turning the one-step 
delivery of mail into a two-step process, but it suffers from the 
defect of header spoofing.
  
Louie R. Orbeta had a novel (though poorly implemented) concept
for controlling spam years ago.  It was called "PureMail", and
would scan an inbound message for a key (NOT just the sender's
email address) and determine from that key whether the inbound
message came from a trusted source.  Key's location to be
determined.

His idea was for a "one to many" approach, where one key would be 
known by many / all of your friends.  Or you could have many 
different keys, all with different (or no) expiration date.

This beats the spammers by forcing them to keep track of not only 
a valid receiving email address, but a key to match the inbox of 
the recipient.

One problem with this approach is that the address book for the
sender's email program would have to allow for an extra field
for the key of each recipient.  

A workaround might be to use the recipient's key in the subject 
line on the first message you send, getting your message thru, 
and then having a custom header containing YOUR email key, which 
the recipient's mail filtering program would read and add to a 
database of valid keys.

And for possible valid contact attempts for people lacking the 
key?  You could send an auto-reply directing people to a web 
image:

http://www.ncdm.com/purekey.gif

Which a person could read but a bot could not easily read, and 
they could resend the message.

Implementing this approach would require us to think about 
mailbox access differently, but I really don't think it would be 
harder or require more work than existing systems.  And it would 
compare very favorably in terms of false positives.

-- 

CL.

+-----------------------------------------+
| Charles Lasitter   | Mailing / Shipping |
| 401/728-1987       | 14 Cooke St        |
| cl+at+ncdm+dot+com | Pawtucket RI 02860 |
+-----------------------------------------+
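
A minimal sketch of the key-based filtering described in the post above, added here as an illustration; it is not code from the post or from PureMail. The header name `X-Sender-Key`, the class and function names, and the sample keys and messages are assumptions constructed for the example, and learning a correspondent's key only from an accepted message is a design choice of this sketch.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

KEY_HEADER = "X-Sender-Key"  # hypothetical header name; the post does not name one

class KeyFilter:
    def __init__(self, my_keys):
        self.my_keys = dict(my_keys)  # key -> expiry date, or None for no expiry
        self.peer_keys = {}           # sender address -> key learned from KEY_HEADER

    def key_is_valid(self, key, today):
        if key not in self.my_keys:
            return False
        expiry = self.my_keys[key]
        return expiry is None or today <= expiry

    def classify(self, raw_message, today):
        msg = message_from_string(raw_message)
        # The decision rests on the key, never on the From header, which can be spoofed.
        tokens = re.findall(r"[A-Za-z0-9-]+", msg.get("Subject", ""))
        if not any(self.key_is_valid(t, today) for t in tokens):
            return "challenge"  # auto-reply pointing the sender at the key image
        # Record the sender's own key only after the message has been accepted,
        # so unauthenticated mail cannot overwrite the database of peer keys.
        sender = parseaddr(msg.get("From", ""))[1].lower()
        peer_key = (msg.get(KEY_HEADER) or "").strip()
        if sender and peer_key:
            self.peer_keys[sender] = peer_key
        return "accept"

# Constructed sample data: one key without expiry, one that expires.
MY_KEYS = {"blue-heron-42": None, "conf-2006": date(2006, 6, 30)}
FRIEND = ("From: Alice <alice@example.org>\nSubject: lunch? blue-heron-42\n"
          "X-Sender-Key: alice-key-7\n\nSee you at noon.\n")
SPOOFED = ("From: Alice <alice@example.org>\nSubject: cheap meds\n"
           "X-Sender-Key: junk\n\nBuy now.\n")
EXPIRED = "From: Bob <bob@example.net>\nSubject: [conf-2006] slides\n\nAttached.\n"

def demo():
    f = KeyFilter(MY_KEYS)
    today = date(2006, 7, 15)
    results = [f.classify(m, today) for m in (FRIEND, SPOOFED, EXPIRED)]
    return results, f.peer_keys

if __name__ == "__main__":
    print(demo())
```
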
