[LINK] Fwd: Please confirm your message

Craig Sanders cas at taz.net.au
Mon Dec 4 20:14:46 AEDT 2006 

On Mon, Dec 04, 2006 at 03:01:13PM +1100, Ivan Trundle wrote:
> Linkers
> 
> Does anyone else find this kind of behaviour tiresome, frustrating,  
> and pointless?

yes. challenge-response (C-R) systems are not just as bad as spam, they
ARE spam.

what they do is spam the sender-address of any email received with
a challenge - in theory, a legitimate sender will respond to the
challenge, and the email will be allowed through. that's annoying,
but it's not a serious problem - it only affects the sender and the
recipient.

what IS a problem is that the entire reason for such a system is to deal
with spam, and spam typically does not have a legitimate sender address
- if the address is real, then it will be forged by the spammer.

so the challenge goes to a forged sender address, spamming an uninvolved
third party....and the more people who use C-R, the worse the problem
gets. if some spammer joe-jobs you and forges your address on a few
million spams, your mailbox would be swamped under the load of incoming
challenges if even a tiny fraction of 1 percent of users used C-R
systems.

C-R is not just a bad solution to the spam problem (in that it doesn't
work), it is a cretinous solution (in that it makes the problem worse by
sending more spam itself - it is a spam multiplier).

in other words: it's broken, it doesn't work, it makes the problem
worse, and it doesn't scale.


> I don't particularly care that this activity is meant to reduce the  
> recipient's spam levels: I'm not at all interested in bouncing  
> messages back and forth.

and, given that it's such a cretinous idea, it's likely to be badly
implemented too - resulting in C-R systems sending challenges back and
forth to each other until someone manually intervenes and stops the
loop.

craig

ps: my way of dealing with spam from C-R systems is to process them with
procmail and either email back the required response or extract the URL
from the message and fetch it with wget or something - if some stupid
bastard is going to spam me with their crappy C-R system because they're
too lazy to deal with their own spam, then i'll make sure that my system
automatically sends the appropriate response so that they get to eat all
their spam.

-- 
craig sanders <cas at taz.net.au>           (part time cyborg)

More information about the Link mailing list