Challenge-Response Systems
Alan Connor
Challenge-Response Systems
The first thing you need to understand about these systems
is that anyone who has a vested interest in keeping the
spam flowing into your mailboxes, from the spammers themselves
to those that hire them, to those who make a living via their
expertise in out-moded and ineffective spamfighting tools,
will do and say _anything_ to keep you from using one.
They have entire websites devoted to lies and distortions
about these systems.
Because they can't beat them, spammers HATE them, and we all know
that spammers have no morals whatsoever.
And that _anyone_ can put up a website that says _anything_.
Anyone can say anything on the Usenet.
An amazing number of spammers don't even consider themselves to
be spammers. It's the _other_person's UBCE (Un-solicited Bulk
Commercial Email) that's spam, not theirs. They are "legitimate
businesspersons engaged in commerce".
Right.
Are Challenge-Response systems okay to use on the Internet?
Earthlink, one of the largest ISPs in the world, seems to think
so, and offers them as a part of their standard spamfighting
package. That ought to tell you something.
I've been using one for years and know hundreds of people who use
them, and not one of us has ever received a complaint from anyone
but a spammer, and those are quite rare because spammers seldom
include a return address that is valid.
There are spammers pretending to be spamfighters post on this
group that will claim otherwise, but when you demand documented
evidence they somehow always fail to come up with it.
What they do present here is the result of them _deliberately_
soliciting Challenge-Responses from people and organizations that
use C-R systems, which proves nothing but the fact that they have
no morals and no real evidence.
What C-R Systems do is eliminate anonymous mail.
If someone wants to mail a C-R System user, they have to include
a real return address that is monitored by a live human being.
Party A mails Party B, and because they have never mailed Party B
before, and are not Passlisted, they receive a Challenge-Response
That asks them to paste a password on the Subject line and send
it back.
(A Passlist is a list of addresses from which mail is accepted
without further filtering. This is the first stage of a modern
C-R System.)
The C-R itself is a tiny note that does not include the body of
the original mail but does include the original Subject as in:
Re: Original_Subject
After the Passlist stage, incoming mail is sent to a Spamfilter
that dumps the obvious spam. This is important, because there
is no point in sending a C-R to a spammer. It's just a waste of
bandwidth and processor time.
The vast majority of spammers take great pains to include false
return addresses that are _not_ likely to belong to a real person
or organization, because this would really anger people and
inspire themto take serious steps to track down the spammer.
We've taken the mail you _know_ you want to receive off the top,
and sent most of the spam to /dev/null (the bit bucket) at this
point in the processing of the incoming mail.
The very small percentage that's left over are sent a C-R.
If the C-R System receives a bounce (No Such Address), the
address is blocklisted for a configurable length of time.
The blocklist is included the second stage (Spamfilter) of the
C-R System.
Passlist --> Spamfilter --> Challenge-Response
| | |
| | |
YES NO MAYBE
If a particular address fails to return a C-R twice, it is
blocklisted for a configurable length of time.
Blocklisted mail is sent to /dev/null.
All of the above is done by the C-R System itself, silently.
You won't even know a spammer or troll _tried_ to get their
garbage into your mailboxes.
The only personal involvement is adding or deleting addresses
from your Passlist.
Complete freedom from spam and abusive mail, because spammers and
trolls do not use their real return addresses: they don't want to
be tracked.
I wouldn't even consider using any of the pathetic and
ineffective filters that the spammers promote on this group
because they CAN beat them.
I have better things to do with my time than constantly updating
complex filter recipes and looking through hundreds of possible
spams for mail from a friend or business connection that the
filter couldn't properly classify. And I will not tolerate a
mailbox with spam in it staring me in the face because the
spammers have once again figured out how to beat the latest
filter recipes.
Spam is no longer a part of my life. And good riddance to it.
I don't need spam. I have Google. I can find better deals for
anything, from trustworthy sources, after 5 minutes on Google,
than _ever_ came to me via spam.
AC
D. Stussy
> Challenge-Response Systems
> What C-R Systems do is eliminate anonymous mail.
Wrong. What C-R systems do is eliminate legitimate mail by making legitimate
senders "jump through the hoops" of the C-R system, thus HARRASSING these
legitimate senders and delaying their mail, while DOING NOTHING TO THE SPAMMERS
that other anti-spam systems don't already do (such as rejecting or
auto-deleting the spam).
If a mail server has already determined that a message is not likely to be
spam, then why does it ever need to be challenged in the first place? AC has
never answered that question.
C-R is a harassment tool for harassing the legitimate non-spammer sender.
That's all it does. It's that simple.
It also triples the bandwidth (or more)! For the message, there's:
1) The message itself,
2) The challenge, and
3) The response (if ever issued).
[An improperly set up C-R system may even challenge its own responses!] While
all that is happening, the original mail is held in limbo - and it had better
not be a time-critical message.
> If someone wants to mail a C-R System user, they have to include
> a real return address that is monitored by a live human being.
No, they don't. All they have to do (especially for Earthlink's C-R) is
automate a response to the URL that is given in the challenge message. As more
and more C-R systems are set up, their parameters in the challenge messages
will become known, and responses will become automatic, thus gaining NOTHING.
> Party A mails Party B, and because they have never mailed Party B
> before, and are not Passlisted, they receive a Challenge-Response
> That asks them to paste a password on the Subject line and send
> it back.
Which is the nature of the harassment since Party B's server has already
determined that Party A's message isn't spam when it decides to challenge it.
What's the point of challenging it if you know it's not spam? There is no
point, except to harass.
Alan Connor
<kd6...@bde-arc.ampr.org> wrote:
> On Thu, 23 Dec 2004, Alan Connor wrote:
>
>> Challenge-Response Systems What C-R Systems do is eliminate
>> anonymous mail.
>
> Wrong. What C-R systems do is eliminate legitimate mail by
> making legitimate senders "jump through the hoops" of the C-R
> system, thus HARRASSING these legitimate senders and delaying
> their mail, while DOING NOTHING TO THE SPAMMERS
Trolls. Miscreants who send anonymous mails and posts, really
don't like C-R systems because they have to use their real
return addresses.
These dickless cowards like to stab people in the back and
run and hide in the bushes.
I don't allow such people in my mailboxes. They are human scum,
like spammers.
Sorry "D. Stussy". If you want to get one of your twisted mails
to me, you'll have to use your real address and return a C-R.
If you don't like it, feel free to write your duly elected
representative.
If _they_ want to talk to me, they will have to return a C-R.
But because they are normal, mentally-balanced people who
don't object to taking 5 seconds to return a C-R, they will
be able to communicate with me.
Headcases like you are just out of luck.
Any mail program that keeps scum like you out of the
users mailboxes has something going for it.
<snip>
AC
--
Pro-Active Spam Fighter
Pass-list --> Block-list --> Challenge-Response
http://tinyurl.com/2t5kp
D. Stussy
> On Sun, 26 Dec 2004 23:25:32 GMT, D. Stussy <kd6...@bde-arc.ampr.org> wrote:
> > On Thu, 23 Dec 2004, Alan Connor wrote:
> >
> >> Challenge-Response Systems What C-R Systems do is eliminate
> >> anonymous mail.
> >
> > Wrong. What C-R systems do is eliminate legitimate mail by
> > making legitimate senders "jump through the hoops" of the C-R
> > system, thus HARRASSING these legitimate senders and delaying
> > their mail, while DOING NOTHING TO THE SPAMMERS
>
> Trolls. Miscreants who send anonymous mails and posts, really
> don't like C-R systems because they have to use their real
> return addresses.
Nowhere was I talking about anonymously sent mail. Your spam filter should be
catching all the invalid, faked addresses anyway. Only mail from valid,
resolvable domains are even considered (other spam tests notwithstanding).
> Sorry "D. Stussy". If you want to get one of your twisted mails
> to me, you'll have to use your real address and return a C-R.
Dude: If you remember what happened a year ago, I did send you an e-mail that
was meant to be a comment about one of your posts that I didn't want to put to
the group, and you thought someone else had sent it misusing my mailbox. BTW,
your wonderful C-R system back then did NOT send a challenge. I had used a
real and resolvable mailbox. Your system failed, and it's just like you, a
failure at life.
BTW, if your C-R system works so well, then you have no need to use a munged or
otherwise faked address. You never told the group why you do use an obviously
faked address for your newsgroup posts.
> If _they_ want to talk to me, they will have to return a C-R.
That's not a problem. No one really wants to talk to you. Go away and play
by (or should that be with) yourself.
> But because they are normal, mentally-balanced people who
> don't object to taking 5 seconds to return a C-R, they will
> be able to communicate with me.
Wrong again. Normal, mentally-balanced people report your challenge as spam
because they recognize your attempt to harass them. (By reporting it, their
ISP then blacklists you for them).
Alan Connor
>
>
> On Sun, 26 Dec 2004, Alan Connor wrote:
>> On Sun, 26 Dec 2004 23:25:32 GMT, D. Stussy <kd6...@bde-arc.ampr.org> wrote:
>> > On Thu, 23 Dec 2004, Alan Connor wrote:
<snip>
Fine....fine.
What I want to know is this: I use and promote a mail filter
that uses C-Rs.
What are you going to do about it?
Besides kiss my ass, I mean?
:-))
Oh! And stay out of my mailboxes. That's an order.
D. Stussy
> On Mon, 27 Dec 2004 00:46:34 GMT, D. Stussy <kd6...@bde-arc.ampr.org> wrote:
> >
> >
> > On Sun, 26 Dec 2004, Alan Connor wrote:
> >> On Sun, 26 Dec 2004 23:25:32 GMT, D. Stussy <kd6...@bde-arc.ampr.org> wrote:
> >> > On Thu, 23 Dec 2004, Alan Connor wrote:
>
> <snip>
>
> Fine....fine.
>
> What I want to know is this: I use and promote a mail filter
> that uses C-Rs.
>
> What are you going to do about it?
Blacklist every system that uses one, just like the rest of the world is doing.
>
> Oh! And stay out of my mailboxes. That's an order.
Dude: You had asked me to mail you that time.
Sam
> On Mon, 27 Dec 2004 00:46:34 GMT, D. Stussy <kd6...@bde-arc.ampr.org> wrote:
>>
>>
>> On Sun, 26 Dec 2004, Beavis wrote:
>>> On Sun, 26 Dec 2004 23:25:32 GMT, D. Stussy <kd6...@bde-arc.ampr.org> wrote:
>>> > On Thu, 23 Dec 2004, Beavis wrote:
>
> <snip>
>
> Fine....fine.
Translation: "I cannot refute this logical argument, so I'll ignore it."
> What I want to know is this: I use and promote a mail filter
> that uses C-Rs.
You use and promote E-mail abuse.
> What are you going to do about it?
I'm going to make fun of you.
> Besides kiss my ass, I mean?
If you're looking for something like this, I'm sure there's a geographical
area somewhere near you where you may hire someone for that purpose.
> Oh! And stay out of my mailboxes. That's an order.
And you stay out of my mailbox too, Beavis. I'm not kidding. That's an
order to you too.
Jari
|
| Sorry "D. Stussy". If you want to get one of your twisted mails
| to me, you'll have to use your real address and return a C-R.
What would you call this one:
Alan Connor <zzz...@xxx.yyy>
And would you explain what happens in C-R system to a message
that is sent in somebody else's name and address?
Jari
Alan Connor
wrote:
Spammers and trolls REALLY hate C-R systems, because they have
to use their real return addresses on their mails and these
cowardly petty criminals don't want to do that.
Sam
> On Thu, 30 Dec 2004 18:23:07 +0200, Jari <jari....@cante.net>
> wrote:
>
>
>> Alan Connor <zzz...@xxx.yyy> writes:
>>
>>| Sorry "D. Stussy". If you want to get one of your twisted
>>| mails to me, you'll have to use your real address and return a
>>| C-R.
>>
>> What would you call this one:
>>
>> Alan Connor <zzz...@xxx.yyy>
>>
>> And would you explain what happens in C-R system to a message
>> that is sent in somebody else's name and address?
>>
>> Jari
>
> Spammers and trolls REALLY hate C-R systems, because they have
> to use their real return addresses on their mails and these
> cowardly petty criminals don't want to do that.
Very nice, Beavis. Now how about answering the original pair of questions?
Come on, it's not hard! Even Bigfoot knows the answer!
D. Stussy
> Spammers and trolls REALLY hate C-R systems, because they have
> to use their real return addresses on their mails and these
> cowardly petty criminals don't want to do that.
Since your C-R system is front-ended by a spam filter that presumedly
identifies a spammer's message as spam and therefore doesn't challenge it, how
is the spammer to know that you even have a C-R system and not just spam filter
or identifier by itself?
For them to "hate" it, they have to know that you have one first.
You still haven't explained why mail that passes your spam filter (and is
therefore presumedly NOT SPAM) needs to be challenged....
NetworkElf
>
> Very nice, Beavis. Now how about answering the original pair of questions?
> Come on, it's not hard! Even Bigfoot knows the answer!
>
Xena knows, but she won't tell me!
--
_________________________________________
NetworkElf: Super Genius, Computer Guy, Harley Owner!
Blindly serving the covert purposes of the
criminal-minded maniac behind Spews since 2003.