[LINK] spam spam go away, is the Internet working another day?

Martin marty at supine.com
Fri Dec 31 20:11:25 EST 2004


$quoted_author = "Adam Todd" ;
> 
> Some linkers may have been affected with mail to or from the LINK list as 
> I've been forwarding mail from my virtual managed account to a test account 
> which is running tmda.
> 
> The "effect" is an email asking you to verify that your posting was 
> legitimate and should be released to me.  Click on a link and your own 
> email address is put into the white list.
> 
> Such a devastating effect, but it's working very well.  I plan on switching 
> my standard account, which has received more than 500 spam messages in the 
> last 24 hours alone, over to tmda at midnight tonight.

"Challenge-Response Anti-Spam Systems Considered Harmful"
http://www.linuxmafia.com/faq/Mail/challenge-response.html

Challenge response systems are broken by design:

1. They rely on From not being forged, which is trivially easy to do.
   Spoofing the From to an address on your whitelist will get it through
   (which is not trivial but not impossible). This also opens the door to
   Joe-Job attacks from CR systems as well as the usual User Unknowns
   etc.etc.
2. High false positive rate by assuming all email is spam until proven
   otherwise. Systems that make no such presumption allow for greymail which
   can be left for the user to categorise when the system can't.
3. Shifts the burden of whitelisting _your_ mail system onto others. This
   might not be so arduous for those that want to send you mail, but imagine
   someone sending to a mailing list for the first time confronted with a CR
   from all the subscribers.
4. Fails for email sent with invalid return addresses or from automated
   systems. Think about all those order confirmations, system alerts and
   message autoresponses.
5. CR <-> CR deadlock. Fred sends email to Wilma. Wilma's CR system sends C
   to Fred. Fred's CR system sends C to Wilma... etc.etc.

cheers
marty

-- 
Tanuki:		What is the collective term for more-than-one ninja?
Matt S Trout:	Not right, but "a silence of ninjas" appeals to me somehow.
Tanuki:		Or maybe a "stealth" of Ninjas?
Mike Andrews:	I believe that the correct answer is: A       of ninjas.
Tanuki:		I sense deep wrongness here: is it not Zen-axiomatic that
		any Ninja who announces himself as such is _not_ a Ninja?
Joe Block:	So the perfect disguise would be for the ninja to walk around
		in a ninja suit, trying not to hide, then?
Tanuki:		Ah, the old argument that sometimes the best way to truly hide
		something is to put it where it will be obvious.
		From now on this will be known as "Security by Blatancy"

alt.sysadmin.recovery usenet thread - start at <LOd8IKA8msYBFw$v at demon.co.uk>
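The following is an added example, not part of Marty's post and not TMDA's code. It is a toy model of the naive challenge-response filter the post describes (hold anything from an unknown sender, challenge the From: address, deliver only whitelisted senders), used to reproduce three of the listed failure modes on constructed mail: a CR <-> CR deadlock between two filters (point 5), a spoofed From: matching a whitelist entry (point 1), and a challenge sent to an automated sender with no mailbox behind it (point 4). The addresses, subjects and hop budget are made up for the demonstration.

```python
"""Toy challenge-response (CR) mail filter model.

Added example: not TMDA's code, not from the post. The agents, addresses
and messages below are constructed purely to exercise the failure modes
the post lists.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mail:
    sender: str            # the From: address; nothing here authenticates it
    recipient: str
    subject: str
    challenge: bool = False  # True when this is a CR system's own "please confirm"


@dataclass
class CRAgent:
    """A minimal CR filter sitting in front of one mailbox."""
    address: str
    whitelist: set = field(default_factory=set)
    inbox: list = field(default_factory=list)       # mail released to the user
    pending: dict = field(default_factory=dict)     # sender -> held mail
    challenges_sent: int = 0

    def receive(self, mail, outbox):
        # Whitelisted senders are delivered unchallenged. The check trusts the
        # From: header, which any sender (or spammer) sets freely.
        if mail.sender in self.whitelist:
            self.inbox.append(mail)
            return
        # Unknown sender: hold the mail and challenge the From: address. A
        # challenge is itself just mail from an unknown address as far as the
        # other side's filter is concerned, so it gets held and challenged too.
        self.pending.setdefault(mail.sender, []).append(mail)
        self.challenges_sent += 1
        outbox.append(Mail(sender=self.address, recipient=mail.sender,
                           subject="Please confirm your message", challenge=True))


def run(agents, first, max_hops=50):
    """Route mail between agents until the queue drains or the hop budget runs
    out. Returns (hops taken, mails bounced for lack of a mailbox)."""
    queue = deque([first])
    hops = bounced = 0
    while queue and hops < max_hops:
        mail = queue.popleft()
        hops += 1
        agent = agents.get(mail.recipient)
        if agent is None:
            bounced += 1  # nothing behind this address (e.g. a noreply sender)
            continue
        agent.receive(mail, queue)
    return hops, bounced


def deadlock_demo(max_hops=50):
    """Point 5: Fred and Wilma both run CR. Fred's first mail is never released;
    the two filters just challenge each other until the hop budget is spent."""
    fred = CRAgent("fred@example.org")
    wilma = CRAgent("wilma@example.org")
    agents = {a.address: a for a in (fred, wilma)}
    hops, _ = run(agents, Mail(fred.address, wilma.address, "Lunch?"), max_hops)
    return hops, len(wilma.inbox), len(fred.inbox), wilma.challenges_sent


def spoof_demo():
    """Point 1: a forged From: equal to a whitelisted address is delivered
    without any challenge; the filter cannot tell it from the real Barney."""
    wilma = CRAgent("wilma@example.org", whitelist={"barney@example.org"})
    spam = Mail("barney@example.org", wilma.address, "Buy now")  # forged From:
    run({wilma.address: wilma}, spam)
    return [m.subject for m in wilma.inbox]


def autoresponder_demo():
    """Point 4: an order confirmation from a noreply address is held, and the
    challenge to that address bounces, so the confirmation is never released."""
    wilma = CRAgent("wilma@example.org")
    order = Mail("noreply@shop.example", wilma.address, "Order confirmation")
    _, bounced = run({wilma.address: wilma}, order)
    held = len(wilma.pending.get("noreply@shop.example", []))
    return len(wilma.inbox), held, bounced


if __name__ == "__main__":
    print("deadlock (hops, wilma inbox, fred inbox, wilma challenges):", deadlock_demo())
    print("spoof (wilma inbox subjects):", spoof_demo())
    print("autoresponder (inbox, held, bounced):", autoresponder_demo())
```

With the default budget of 50 hops the two filters alternate challenges, each sending 25, and neither inbox ever receives anything; the forged mail lands in the inbox with no challenge at all; and the confirmation sits in the pending queue next to a bounced challenge. Real systems add loop suppression and bulk-mail heuristics on top of this model, but the three underlying problems are properties of trusting From: and of holding mail until a human acts.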

