Mail Filters That Use Challenge-Responses (CRs)
Alan Connor
This paragraph will explain the bizarre responses to this post:
Mail filters that use Challenge-Responses (CRs) are the only truly effective
way to take control of your mailbox(es) back from the spammers, which is
why they are hated by spammers, the people that hire them, and professional
spam fighters.
For an overview of the topic, see:
For the seminal work of the master, Professor Timo Salmi, see:
http://www.uwasa.fi/~ts/info/spamfoil.html
For my simple but effective program, see:
AC
Alexander Arlt
> ... Professor Timo Salmi ...
Only one thing in your stupid spam-posting here is of any interest to
me: Does this poor guy know, that a moron like you is misusing his
academical reputation and his name? Or is this your true identity and
you're just bored to death at this lonely finish University?
In the first case, stop it.
... and yes, I know, I just fed the troll ...
Jonathan de Boyne Pollard
AA> academical reputation and his name?
I can answer this one for Alan: No, he doesn't. That's not for the
obvious reason, though. It's not because he's unaware that Alan is
his number one fan. It's because apparently Alan _isn't_ mis-using
his reputation and name.
<URL:http://groups.google.com/groups?selm=c21gde%249hs%40poiju.uwasa.fi>
<URL:http://groups.google.com/groups?selm=slrnc1v43c.151.bignose-hates-spam%40rose.localdomain.fake>
<URL:http://groups.google.com/groups?selm=bes55o%243fc%40poiju.uwasa.fi>
Alan Connor
Andrzej Adam Filip
Unlike you Timo does not claim that his proposal is "good in every
situation" and that it is "the only way". He is aware about some
disadvantages *he* is willing to accept in handling
*his personal mailbox*. What he writes implies that it can be used
in many but not all situations.
a) <quote>Especially, casual users who used to send in the strangest of
questions and requests usually do not always bother to work through the
email password system</quote>. *Timo likes it in his mailbox* but it is
fundamentally wrong in handling messages addressed to postmaster, abuse,
info or messages addressed to a sales representative.
[ Has Timo classified you as "casual user" ? ;-) ]
<quote>I am certainly not claiming that my arrangement is without
disadvantages. Some potentially useful contacts might be put off by my
system.</quote>
b) Timo writes nothing about effects of "mass implementation" of his
idea on busy commercial server (handling extra messages). AFAIR you
simply ignored such questions/considerations.
c) Let us know what makes you think your program is better than proposal
of Professor Timo Salmi.
URL(s):
http://www.uwasa.fi/~ts/info/spamfoil.html
Foiling Spam with an Email Password System
[ Last Modification: 2004-02-21 ]
--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
I didn't fight with honor. I fought to win.
-- Ender in "Ender's Game" by Orson S. Card
Frank Slootweg
Google Groups; strange]
[I probably shouldn't be jumping into this controversy, but here it goes
anyway.]
So now we know how we can send all the spam we want to Alan! :-) (I
tried and AFAICT it worked. However I can of course not prove it without
either of the parties admitting it.)
But in fairness, I 'know' Timo as a gentle and sane person who has
done, and still does, a lot for 'the Net'. See for example
comp.archives.msdos.*, and some other PC-related groups. I 'know' Timo
from the time that my only way to get software was through
comp.binaries.ibm.pc, ftpmail, etc., and he has always been very helpful
and gentle. I have seen your other pointer to his harsh position on the
problems which his methods creates for "paid administrators"
(<news:40792A49...@Tesco.NET>), but I *think* that in actual
*practice* he will be not that harsh. All in all, I think that Timo and
Alan are two *totally* different types of people. Why Timo (somewhat)
supports Alan is very strange/confusing for me.
Just my EUR 0.02.
Alan Connor
<snip>
That's complete nonsense. You need to do a little homework.
Here's a link for the first hundred hits on "challenge-response" from Google:
AC
--
Pass-List -----> Block-List ----> Challenge-Response
The key to taking control of your mailbox.
http://www.uwasa.fi/~ts/info/spamfoil.html
http://tinyurl.com/3c3ag
Frank Slootweg
> On 11 Apr 2004 19:11:45 GMT, Frank Slootweg <th...@ddress.is.invalid> wrote:
>
> <snip>
>
> That's complete nonsense.
As always, unspecific. *What* is complete nonsense? That Timo is a
gentle and sane person? That he did/does a lot for 'the Net'? That he is
helpful? That his webpage says what it says? That he will not be harsh
in practice? That you are two totally different types of people? That
Timo (somewhat) supports you? That the Euro is 'my' currency?
Alexander Arlt
> AA> Does this poor guy know, that a moron like you is misusing his
> AA> academical reputation and his name?
>
> I can answer this one for Alan: No, he doesn't. That's not for the
> obvious reason, though. It's not because he's unaware that Alan is
> his number one fan. It's because apparently Alan _isn't_ mis-using
> his reputation and name.
If anybody was "promoting" my ideas and development in the way Mr.
Connor does, I certainly would feel abused.
Alexander Arlt
> On 11 Apr 2004 19:11:45 GMT, Frank Slootweg <th...@ddress.is.invalid> wrote:
>
> Here's a link for the first hundred hits on "challenge-response" from Google:
Wisdom is not a matter of democracy. You could show me thousands of hits
from Google and I would think of C/R as a stupid spam-generating system.
A million idiots are *not* a proof of concept.
Sam
[ drivelectomy ]
Running total of Beavis's new spam:
1 <O8fec.5658$A_4....@newsread1.news.pas.earthlink.net>
1 <2Bhec.5774$A_4....@newsread1.news.pas.earthlink.net>
2 <N5iec.5810$A_4....@newsread1.news.pas.earthlink.net>
---
4 total Beavis BI in one day's of work.
At this rate, Beavis's new spew will become cancellable spam within a week.
Neil Woods
> On 11 Apr 2004 19:11:45 GMT, Frank Slootweg <th...@ddress.is.invalid> wrote:
>
><snip>
>
>
> That's complete nonsense. You need to do a little homework.
Please try to provide some context for the position you are
refuting. Or are you deliberatly trying to invoke a straw man
argument? But see below...
> Here's a link for the first hundred hits on "challenge-response" from Google:
>
> http://tinyurl.com/yrfjb
I followed the link. Leaving aside for the moment the broken links
created by cutting and pasting in a google search result, there were
some interesting results from the search -- most notably *against*
using challenge-response as a way of preventing spam.
A couple in particular grabbed my attention:
<http://www.politechbot.com/p-04746.html>
is an interesting article by John Levine, entitled "Challenge-response
systems are as harmful as spam". A small extract:
But the real damage from challenge systems will come when spammers
start attacking them. Challenge systems all have user whitelists so
that each correspondent only gets one challenge, then mail goes
through directly. So spammers will start trying to send spam with
forged sender addresses that are on the recipients' whitelists.
That's not so hard, sign up for a mailing list, scrape addresses from
the list traffic, then send NxN copies of spam, to each list address
from each list address. Similarly with addresses scraped in groups
from web pages, usenet groups, and anywhere else scrapage happens.
The second is from Karsten M. Self, entitled "Challenge-Response
Anti-Spam Systems Considered Harmful":
<http://kmself.home.netcom.com/Rants/challenge-response.html>
Both articles are well worth reading.
So yes Alan, some very useful links.
Neil.
--
"During times of universal deceit, telling the truth becomes a
revolutionary act." -- George Orwell
Timo Salmi
> created by cutting and pasting in a google search result, there were
> some interesting results from the search -- most notably *against*
> using challenge-response as a way of preventing spam.
Indeed. It is sociologically interesting that there is a hard-core
verbal opposition to using spam foiling methods, given the simple
fact that it is the user's own decision and privilege what s/he
employs (or doesn't) to protect one's mailbox.
> A couple in particular grabbed my attention:
> <http://www.politechbot.com/p-04746.html>
> is an interesting article by John Levine, entitled "Challenge-response
> systems are as harmful as spam". A small extract:
Yes, this is a familiar one (with the link already included). Of
course one indeed should look at both sides of the arguments. This
one does to some small extent.
> But the real damage from challenge systems will come when spammers
> start attacking them. Challenge systems all have user whitelists so
> that each correspondent only gets one challenge, then mail goes
> through directly. So spammers will start trying to send spam with
> forged sender addresses that are on the recipients' whitelists.
At a quick reading that argument extract misses some crucial
features of at least some C-R systems. There are other aspects, but
most trivially, the users will not all have the same white list.
Anyway, looked more fully, the Levine argument really is directed at
badly designed C-R systems. There it is easy to agree. However, the
C-R implementations are not _all_ constructed quite as reads in the
above.
> The second is from Karsten M. Self, entitled "Challenge-Response
> Anti-Spam Systems Considered Harmful":
> <http://kmself.home.netcom.com/Rants/challenge-response.html>
Also familiar from before. This one mostly is a "rant" (as also its
path indicates) looking at only the downsides in quite an
unbalanced, subjective way.
That obvious characteristics aside, the actually passive tense
expression "considered harmful" is interesting from a linguistic
point of view. It tries to convey the feeling of a community-wide
credentials to the author's subjective opinions expressed. A neat
little trick, even if in fact an unauthoritative one.
One (other) small "endearing" part on that page is the one about
"High type II error (beta)". Using statistics parlance on a page
that so obviously is statistically slanted in its own arguments
choices.
> Both articles are well worth reading.
Yes, why not. Some of the bias aside.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Spam foiling in effect http://www.uwasa.fi/~ts/info/spamfoil.html
Alan Connor
>
>
> On Sun, 11 Apr 2004 20:08:30 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>> On 11 Apr 2004 19:11:45 GMT, Frank Slootweg <th...@ddress.is.invalid> wrote:
>>
>><snip>
>>
>>
>> That's complete nonsense. You need to do a little homework.
>
> Please try to provide some context for the position you are
> refuting. Or are you deliberatly trying to invoke a straw man
> argument? But see below...
>
>> Here's a link for the first hundred hits on "challenge-response" from Google:
>>
>> http://tinyurl.com/yrfjb
>
> I followed the link. Leaving aside for the moment the broken links
> created by cutting and pasting in a google search result, there were
> some interesting results from the search -- most notably *against*
> using challenge-response as a way of preventing spam.
You are lying. Again. But then, no one is surprised when a spammer
lies, so who cares?
The page is straight from google with this command, with a few links
*obviously* added by me at the top and bottom.
Anyone is welcome to try it themselves:
wget -U msie -O $HOME/goog.html \
"http://www.google.com/search?q=${ss}&num=100"
Where ${ss} is the search string, just as if you were to have
typed it in on a google homepage yourself. 100 at a time is
the most that google allows.
You are a truly disgusting human being.
And stupid too. Anyone can look at the HTML source and see that
there are no broken links to *other* sites than google there.
I deliberately chose to not edit the page of links so that
assholes like you couldn't accuse me of being biased, but
does that stop you? No.
You have the morals of a spammer.
And you can't get in my mailbox, nor those of anyone who
uses a program similar to mine.
Too bad. Maybe you could, like, find honest work.
Neil Woods
> On Sun, 11 Apr 2004 22:24:24 -0000, Neil Woods <ne...@suespammers.org> wrote:
>>
>>
>> On Sun, 11 Apr 2004 20:08:30 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>>> On 11 Apr 2004 19:11:45 GMT, Frank Slootweg <th...@ddress.is.invalid> wrote:
>>>
>>><snip>
>>>
>>>
>>> That's complete nonsense. You need to do a little homework.
>>
>> Please try to provide some context for the position you are
>> refuting. Or are you deliberatly trying to invoke a straw man
>> argument? But see below...
>>
>>> Here's a link for the first hundred hits on "challenge-response" from Google:
>>>
>>> http://tinyurl.com/yrfjb
>>
>> I followed the link. Leaving aside for the moment the broken links
>> created by cutting and pasting in a google search result, there were
>> some interesting results from the search -- most notably *against*
>> using challenge-response as a way of preventing spam.
>
> You are lying. Again. But then, no one is surprised when a spammer
> lies, so who cares?
>
> The page is straight from google with this command, with a few links
> *obviously* added by me at the top and bottom.
Two points. First, in the terms of contract published on google
it clearly states, and I quote:
You may not take the results from a Google search and reformat and
display them, or mirror the Google home page or results pages on your
Web site.
<http://www.google.com/terms_of_service.html>
Secondly, there *are* broken links, on the right-hand side (the ads),
causing a HTTP 404 response to occur from the earthlink server
(http://home.earthlink.net/url?q= and so forth).
>
> Anyone is welcome to try it themselves:
>
> wget -U msie -O $HOME/goog.html \
> "http://www.google.com/search?q=${ss}&num=100"
>
> Where ${ss} is the search string, just as if you were to have
> typed it in on a google homepage yourself. 100 at a time is
> the most that google allows.
There's quite a useful set of scripts in the package "surfraw" which
automates this sort of thing. But I digress.
> You are a truly disgusting human being.
>
> And stupid too. Anyone can look at the HTML source and see that
> there are no broken links to *other* sites than google there.
See above.
> I deliberately chose to not edit the page of links so that
> assholes like you couldn't accuse me of being biased, but
> does that stop you? No.
And you are to congratulated for taking an unbiased approach. However,
I do think it was wrong to *publish* the results, for the reasons I've
stated above.
Neil.
--
Calm down, it's only ones and zeroes.
Neil Woods
> Neil Woods <ne...@suespammers.org> wrote:
>> created by cutting and pasting in a google search result, there were
>> some interesting results from the search -- most notably *against*
>> using challenge-response as a way of preventing spam.
>
> Indeed. It is sociologically interesting that there is a hard-core
> verbal opposition to using spam foiling methods, given the simple
> fact that it is the user's own decision and privilege what s/he
> employs (or doesn't) to protect one's mailbox.
Agreed. It does appear to be a very emotive issue.
>
>> The second is from Karsten M. Self, entitled "Challenge-Response
>> Anti-Spam Systems Considered Harmful":
>> <http://kmself.home.netcom.com/Rants/challenge-response.html>
>
> Also familiar from before. This one mostly is a "rant" (as also its
> path indicates) looking at only the downsides in quite an
> unbalanced, subjective way.
I don't think it was intended as anything else (though I stand to be
corrected!). In the interests of objectivity, Brad Templeton has
written a fairly positive white paper on challenge response, while
also pointing out some of the pitfalls.
>
> That obvious characteristics aside, the actually passive tense
> expression "considered harmful" is interesting from a linguistic
> point of view. It tries to convey the feeling of a community-wide
> credentials to the author's subjective opinions expressed. A neat
> little trick, even if in fact an unauthoritative one.
Indeed. The sociological history of the term is quite interesting, see
for example the jargon entry at:
<http://www.catb.org/~esr/jargon/html/C/considered-harmful.html>
> One (other) small "endearing" part on that page is the one about
> "High type II error (beta)". Using statistics parlance on a page
> that so obviously is statistically slanted in its own arguments
> choices.
>
>> Both articles are well worth reading.
>
> Yes, why not. Some of the bias aside.
>
> All the best, Timo
>
Cheers,
Neil.
--
"I love deadlines. I like the whooshing sound they make as they fly
by." -- Douglas Adams
Alan Connor
<snip>
I'm not reading your post, Neil. Heard all your bullshit before.
But the page of links at
is straight from Google, and un-edited except for two obvious additions
by me at the top and bottom, which are clearly demarcated in the HTML
source.
It's just the first 100 hits, and includes a number of spammer-sponsored
anti-challenge-response propaganda sites.
People should read those so that they can spot the same garbage when
it comes up here and on other newsgroups.
If the simple facts distress you, take a pill.
AC
--
Pass-List -----> Block-List ----> Challenge-Response
The key to taking control of your mailbox.
http://www.uwasa.fi/~ts/info/spamfoil.html
http://tinyurl.com/3c3ag Challenge-Response links -- http://tinyurl.com/yrfjb
Neil Woods
> On Mon, 12 Apr 2004 05:13:40 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>
><snip>
>
>
> I'm not reading your post, Neil. Heard all your bullshit before.
The facts as I presented them were valid. You are contravening the
terms and conditions set out by google by including the results on
your web site. Not that I really care -- but you should.
Neil.
Alexander Arlt
Good try, Neil. But he is sitting in front of his PC, with closed eyes
mumbling 'I won't read your mail, Nail!' and trying to find the
scrollbar to get away from your postings.
Timo Salmi
challenge response. From the point of view of foiling spam this,
however, is somewhat a narrow view of what spam foiling can be. I prefer
to look at it (at least the system I use) in a bit wider context as
follows.
First divide the senders of email (from my perspective) into two
categories:
1. Those who I already know.
2. Those who I do not know (in advance)
Then subdivide the first set into two subcategories:
1a. Those I wish to hear from. Whitelist.
1b. Those I do not wish to hear from. Blacklist.
The whitelisted will not even know that that they are whitelisted nor do
they ever have to "jump through any hoops". The blacklisted will either
just be ignored or bounced, depending on the further blacklist
subcategory.
Only after this consider the category #2, i.e. those who I do not know
in advance. From them I require that they
- Have my proper address
- Include my public email password into the subject header
Now, and only now, the question becomes how the senders in category #2
can get to know my public email key. Here, and only first here, C-R
comes into play. If a sender belongs to this category, s/he gets sent by
email the password (or its location). If the sender's address is forged,
s/he'll never even get to know that that such a system is required to
reach me.
Of course there are pros and cons to the handling of category #2, which
could be (and have been) discussed individually. But the system is not
easily circumnavigated by spam. While my own email address stays fixed,
my public email keyword is very easy to change by just editing a single
environment variable on the computer. However, since I started using
this system in 1997, I have not needed to change my public email
password a single time. The essence, anyway, is that an unknown sender
needs to know the two things. My email address AND my public email key.
Clearly, the desirability of the entire system depends on how the
senders are divided between categories 1(a/b) and 2. If the emphasis is
on 1 (mine is), then this system is very efficient. On the other hand,
if the emphasis is on 2 (as e.g. in the case of a sales department),
then this is not a good system for initiating new contacts. However,
there are options for that eventuality, too. One is to use www-page
forms for, say, customer feedback, since email through them is easily
distinguished from other email. Also I have a www-page induced email
option installed. It is seldom abused (and easily turned off, if need
be).
Morely 'I drank what?' Dotes
in news:c5facv$g...@poiju.uwasa.fi right after begin :
> Now, and only now, the question becomes how the senders in category #2
> can get to know my public email key. Here, and only first here, C-R
> comes into play. If a sender belongs to this category, s/he gets sent
> by email the password (or its location). If the sender's address is
> forged, s/he'll never even get to know that that such a system is
> required to reach me.
However, some unknown-to-you third party *may* get the password.
My policy is to *always* reply to challenges, thus ensuring that whoever
is sending me unsolicited challenges gets the spam that has my address
forged into the headers.
Oh, and I block future emails from that sender (the C/R operator, or in
some cases, the entire IP space of the ISP who allows such abusive
systems to operate).
Enjoy your Intranet, Doc. You've contributed a lot in the past, too bad
you decided to join the Dark Side.
--
Want a custom-built PC designed by gamers, for gamers?
Visit http://kryptonite.pc-gamereview.com
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
Vernon Schryver
> ...
>can get to know my public email key. Here, and only first here, C-R
>comes into play. If a sender belongs to this category, s/he gets sent by
>email the password (or its location). If the sender's address is forged,
>s/he'll never even get to know that that such a system is required to
>reach me.
>
>Of course there are pros and cons to the handling of category #2, which
>could be (and have been) discussed individually. But the system is not
>easily circumnavigated by spam.
That is mistaken. Any system simple enough for most people who
do not know you to handle is easily circumvented by spammmers:
- You must assume that whatever CR system you use will be functional
idential to the system used by millions of other people. This
implies that if it is fairly easy to write a program to circumvent
your system, some spammer will do it.
- Unless you want to exclude those who are deaf, do not speak your
language very well, or who do not have computers that play sounds,
your password or whatever must not involve spoken words.
- Unless you want to exclude the blind or those who do not have the
same display hardware as you do, it must not involve very fancy
pictures.
- Unless you want to exclude everyone some of the time and many
people all of the time, it will not require any real thinking
or puzzle solving. We are all drunk, tired, inattentive,
foolish, or silling at least some of the time. Any mechanism
that does not involve real thinking or puzzle solving can be
automated with software.
> While my own email address stays fixed,
>my public email keyword is very easy to change by just editing a single
>environment variable on the computer. However, since I started using
>this system in 1997, I have not needed to change my public email
>password a single time. The essence, anyway, is that an unknown sender
>needs to know the two things. My email address AND my public email key.
> ...
That does not imply that your system is widely useful. Any individual
or several thousand individuals using a CR system do not make an
attractive target for spammers.
On the other hand, if CR systems were not fatally flawed for other
reasons so that few people use it, Earthlink's CR system would be an
attractive target.
What is happening with Earthlink's CR system? How many Earthlink
customers are using it? Is my claim that few use it wrong?
Vernon Schryver v...@rhyolite.com
Giblet - USA Resident
>
> Of course there are pros and cons to the handling of category #2,
> which could be (and have been) discussed individually. But the system
> is not easily circumnavigated by spam.
Imagine you have this in place right now.
Now, go try to sign up for a newsletter, bank account, etc. You'll soon find
that places that follow the industry-standard closed-loop unique-token
confirmed opt-in process will not work with CR, unless you know where the
confirmation is going to come from.
CR fundamentally breaks the confirmed opt-in signup procedures of legit
mailers. The more people use CR, the less incentive legit bulk mailers have
for doing things the right way.
--
Gib
Timo Salmi
> In article <c5facv$g...@poiju.uwasa.fi>, Timo Salmi <t...@UWasa.Fi> wrote:
> >Of course there are pros and cons to the handling of category #2, which
> >could be (and have been) discussed individually. But the system is not
> >easily circumnavigated by spam.
> That is mistaken. Any system simple enough for most people who
> do not know you to handle is easily circumvented by spammmers:
Mine isn't easily foiled as shown by the empirical evidence with the
system over the span of eigth years. However, you are right in the
sense that at least my system would not easy enough as such for
probably a majority of users. (But then why should it? I am not
selling it to any quarters.)
Timo Salmi
> Timo Salmi wrote:
> > Of course there are pros and cons to the handling of category #2,
> > which could be (and have been) discussed individually. But the system
> > is not easily circumnavigated by spam.
> Imagine you have this in place right now.
No imagining necessary in this case. Have had it for eight years.
> Now, go try to sign up for a newsletter, bank account, etc. You'll soon find
> that places that follow the industry-standard closed-loop unique-token
> confirmed opt-in process will not work with CR, unless you know where the
> confirmation is going to come from.
Stricly speaking, right. But in practice this has not been a
problem. And I've done a fair share of exactly what you describe.
Done that, been there.
Alan Connor
>
>
> Timo Salmi wrote:
>>
>> Of course there are pros and cons to the handling of category #2,
>> which could be (and have been) discussed individually. But the system
>> is not easily circumnavigated by spam.
>
>
> Imagine you have this in place right now.
>
He does.
> Now, go try to sign up for a newsletter, bank account, etc. You'll soon find
> that places that follow the industry-standard closed-loop unique-token
> confirmed opt-in process will not work with CR, unless you know where the
> confirmation is going to come from.
>
None of those things are a problem. If nothing else you can just do it
once, read the return address from your mail logs then do it again.
After passlisting the address.
Most such sites have contact addresses and they usually can give you
the address to passlist or some unique string that will be in the
headers or body that can be passlisted.
These auto-responses are usually pretty quick and one can also just
drop one's filter for a bit and respond to it.
Often, none of the above is necessary because all you need is right
on the web page itself.
> CR fundamentally breaks the confirmed opt-in signup procedures of legit
> mailers. The more people use CR, the less incentive legit bulk mailers have
> for doing things the right way.
>
Hogwash.
You really need to do some homework. See the links URL in my sig.
The only "legit bulk mailers" are the ones that I have subscribed to
out of conscious choice.
No one has a right to send mail to me. My mailbox is mine alone.
I decide who has access and who doesn't. Period.
Andrzej Adam Filip
Make it "current C/R implementations I know about" and I will agree.
Some remedies are possible:
a) crosschecking References: of incoming messages and Message-ID: of
sent messages [it does not solve "subscribe via www"]
b) special standard for X-No-Challenges-Please: header
You have raised a hew valid objections against mass implementation of
C/R systems "as they are" in e-mail world "as it is". Please do not
suggest they can be fixed somehow. These and *other fixes necessary* for
"mass implementation reediness" may put C/R subjective cost
effectiveness at level unacceptable for most people/postmasters.
--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
And the only rules of the game are what you can do to him [the enemy]
and what you can stop him from doing to you.
-- Mazer in "Ender's Game" by Orson S. Card
Andrzej Adam Filip
>> While my own email address stays fixed,
>>my public email keyword is very easy to change by just editing a single
>>environment variable on the computer. However, since I started using
>>this system in 1997, I have not needed to change my public email
>>password a single time. The essence, anyway, is that an unknown sender
>>needs to know the two things. My email address AND my public email key.
>>...
>
> That does not imply that your system is widely useful. Any individual
> or several thousand individuals using a CR system do not make an
> attractive target for spammers.
It is sad that it is true.
[Implementation base not big enough to to make spammers "care"].
> On the other hand, if CR systems were not fatally flawed for other
> reasons so that few people use it, Earthlink's CR system would be an
> attractive target.
Can anyone post any example of bigger email site using C/R system ?
Timo's system has been available since 1997 (6+ years). Lack of mass
implementations of C/R systems can not be ignored but it is not "the
final proof".
> What is happening with Earthlink's CR system? How many Earthlink
> customers are using it? Is my claim that few use it wrong?
--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
The game of life is not so much in holding a good hand
as playing a poor hand well.
-- H. T. Leslie
Alan Connor
>
>
> Giblet - USA Resident wrote:
>> Timo Salmi wrote:
>>
>>>Of course there are pros and cons to the handling of category #2,
>>>which could be (and have been) discussed individually. But the system
>>>is not easily circumnavigated by spam.
>>
>> Imagine you have this in place right now.
>>
>> Now, go try to sign up for a newsletter, bank account, etc. You'll soon find
>> that places that follow the industry-standard closed-loop unique-token
>> confirmed opt-in process will not work with CR, unless you know where the
>> confirmation is going to come from.
>>
>> CR fundamentally breaks the confirmed opt-in signup procedures of legit
>> mailers. The more people use CR, the less incentive legit bulk mailers have
>> for doing things the right way.
>
> Make it "current C/R implementations I know about" and I will agree.
>
> Some remedies are possible:
> a) crosschecking References: of incoming messages and Message-ID: of
> sent messages [it does not solve "subscribe via www"]
> b) special standard for X-No-Challenges-Please: header
>
> You have raised a hew valid objections against mass implementation of
> C/R systems "as they are" in e-mail world "as it is". Please do not
> suggest they can be fixed somehow. These and *other fixes necessary* for
> "mass implementation reediness" may put C/R subjective cost
> effectiveness at level unacceptable for most people/postmasters.
>
Well...Despite all the garbage posted by you and others on the Usenet
and the WWW, mail filters that use CRs are becoming more and more common.
What are you going to do about it?
The answer, of course, is: Nothing at all.
There isn't one single thing you can do about it.
Frank Slootweg
> Vernon Schryver <v...@calcite.rhyolite.com> wrote:
>> In article <c5facv$g...@poiju.uwasa.fi>, Timo Salmi <t...@UWasa.Fi> wrote:
>> >Of course there are pros and cons to the handling of category #2, which
>> >could be (and have been) discussed individually. But the system is not
>> >easily circumnavigated by spam.
>
>> That is mistaken. Any system simple enough for most people who
>> do not know you to handle is easily circumvented by spammmers:
>
> Mine isn't easily foiled as shown by the empirical evidence with the
> system over the span of eigth years. However, you are right in the
> sense that at least my system would not easy enough as such for
> probably a majority of users. (But then why should it? I am not
> selling it to any quarters.)
Hi, Timo. I think your system "isn't easily foiled ...", because
no-one really *tried*.
I think it is very easily foiled and AFAICT I *have* foiled it (at
least Alan's system). If I did *not* foil Alan's system, then you should
have a challenge (from Alan) for my April 9 message
<200404091023...@smtp4.wanadoo.nl>. If you got this challenge,
then please post it (with complete headers) here (but remove the
mentioned sneakemail.com address from the headers). If you have it but
do not want to post it, then please say so, so I can contact you by
e-mail :-) and get a copy of the challenge that way. Thanks.
Ronald D. Edge
>
...
>
>Only after this consider the category #2, i.e. those who I do not know
>in advance. From them I require that they
>
> - Have my proper address
> - Include my public email password into the subject header
>
>Now, and only now, the question becomes how the senders in category #2
Public password? What is a "public password", pray tell? Something anyone can
get to begin sending you email? I assume you are not talking public PGP key or
something?
$DEITY forbid the spammers would ever do such a thing. Oh, wait, these are the
same criminals who are now reportedly hiring people in the third world nations
to work at low wages to read and answer graphic challenge response software
generated emails. So maybe it would not be beyond them.
Your defenses as described are among the most bizarre I have seen to date.
--
Ron.
http://edgeinfotech.com
http://mainsleazespam.com
http://iuhoosiers.com
Bruce Barnett
> Only after this consider the category #2, i.e. those who I do not know
> in advance. From them I require that they
>
> - Have my proper address
> - Include my public email password into the subject header
This may be fine for one-to-one mailings. But mailing lists add a wrinkle.
They send mail to a list, and don't care about you.
But you receive it.
--
Sending unsolicited commercial e-mail to this account incurs a fee of
$500 per message, and acknowledges the legality of this contract.
Bruce Barnett
> None of those things are a problem. If nothing else you can just do it
> once, read the return address from your mail logs then do it again.
Unless the site keeps track of subscription attempts, and refuses to
send more than one request to opt-in.
>> After passlisting the address.
>
> Most such sites have contact addresses and they usually can give you
> the address to passlist or some unique string that will be in the
> headers or body that can be passlisted.
But not all - such as non-digest multiple sender lists that don't
modify the header and allows users to send to the list using BCC:
(Example - the BugTraq mailing list).
Andrzej Adam Filip
Alan, could you once post *facts* ?
Which bigger email site uses C/R system to protect all mailboxes?
[I know Timo uses it successfully to protect his mailbox]
Could you post a google link to my posting about C/R you consider a
garbage ?
[ let other people know what to think about *your opinions* about what
"garbage" is if they have not found out themselves so far ]
> What are you going to do about it?
>
> The answer, of course, is: Nothing at all.
>
> There isn't one single thing you can do about it.
I do not care which system/method is going to stop SPAM.
Spammers have proved they can learn and adapt. You have proved to be
unable to *discuss* in polite way about how to fix problems created by
C/R systems.
Hardly any idea is born perfect. Almost everything can be improved.
If you think that there are no problems at all then most frequently
posted short and descriptive opinion about your IQ must be right.
Could you address Vermon's assumption that once C/R is widespread
spammers will quite easily write special C/R auto-responders ?
If you apply your conspiracy theory to yourself:
Alan Connor must be at spammers pay. He is highly effective in using
rude insults to discourage many people from using wonderful C/R idea.
;-)
--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
He who has been bitten by a snake fears a piece of string.
-- Persian Proverb
Alan Connor
I repeat the above and fart in your general direction, CLOWNS.
Get a life.
Giblet - USA Resident
> I repeat the above and fart in your general direction, CLOWNS.
>
> Get a life.
>
Looks like getting slapped with a dose of real-world reality hurt.
Is that you, Moris?
Giblet - USA Resident
>
> Most such sites have contact addresses and they usually can give you
> the address to passlist
...and the spammers won't forge that address because....?
Thor Kottelin
Frank Slootweg wrote:
>
> Timo Salmi <t...@uwasa.fi> wrote:
> > Vernon Schryver <v...@calcite.rhyolite.com> wrote:
> >> Any system simple enough for most people who
> >> do not know you to handle is easily circumvented by spammmers:
> >
> > Mine isn't easily foiled as shown by the empirical evidence with the
> > system over the span of eigth years.
> I think your system "isn't easily foiled ...", because
> no-one really *tried*.
I'm certain anyone who reads this will be able to "foil" also the CR
solution I use. I can live with that.
The important point is that *bulk* mail senders seldom bother trying. For
me, false negatives occur less often than weekly.
Thor
Thor Kottelin
Bruce Barnett wrote:
>
> Alan Connor <zzz...@xxx.yyy> writes:
>
> > None of those things are a problem. If nothing else you can just do it
> > once, read the return address from your mail logs then do it again.
>
> Unless the site keeps track of subscription attempts, and refuses to
> send more than one request to opt-in.
You can also "quarantine" the messages for a few hours. This allows you to
"restore" any messages erroneously considered junk.
Thor
Thor Kottelin
Giblet - USA Resident wrote:
>
It's not the end of the world if they do. They could forge the address of a
large-volume list, such as the Apache announcement list, and still reach
only those CR users who actually subscribe to that specific list.
Thor
Thor Kottelin
Andrzej Adam Filip wrote:
> Could you address Vermon's assumption that once C/R is widespread
> spammers will quite easily write special C/R auto-responders ?
Once pigs learn to fly, we will need to adjust our air defenses and ATC
procedures accordingly. :-)
Thor
Vernon Schryver
> ...
>> I think your system "isn't easily foiled ...", because
>> no-one really *tried*.
>
>I'm certain anyone who reads this will be able to "foil" also the CR
>solution I use. I can live with that.
>
>The important point is that *bulk* mail senders seldom bother trying. For
>me, false negatives occur less often than weekly.
There is nothing wrong with using a spam filter that works only for
you and only as long as 30,000,000 other people don't copy it. One
can argue against a filter being used by 30,000,000 people based on
likely spammer responses, but until 30,000,000 people join you, predicted
spammer responses (including mine) are merely theoretical. However,
advocating any filter that generates lots of network abuse during wide
spread use is wrong and evil.
Challenge-Response systems do generate lots of network abuse because
lots of spam carries forged sender addresses. The network abuse sent
by Challenge-Responses systems to any single innocent mailbox is a
linear function of the number of people using them. That is equivalent
to saying "DSN based CR systems don't scale." Anyone who advocates
the widespread use of Challenge-Resonse systems that use DSNs instead
of SMTP status codes (i.e. all Challenge-Response systems in significant
use today and all currently likely CR systems) is advocating network abuse.
Remember that CR challenges are substantially identical. If your
system sends more than a few of them, it is sending bulk mail. If any
of your CR system's challenges go to people who have not solicited or
provoked them, then your system sends unsolicited bulk mail or spam.
Spammers are those who value their own self-image, profit, and convenience
above all and who contribute to the tragedy of the commons. They are
people who define spam as "that which I don't do."
Before advocating Challenge-Response systems, think about whether you
want to be a spammer. The first rule of fighting spam for people who
aren't spamemrs is "don't become a spammer in the name of fighting spam."
Vernon Schryver v...@rhyolite.com
Thor Kottelin
Vernon Schryver wrote:
> Remember that CR challenges are substantially identical. If your
> system sends more than a few of them, it is sending bulk mail. If any
> of your CR system's challenges go to people who have not solicited or
> provoked them, then your system sends unsolicited bulk mail or spam.
No, it does not.
If one non-promotional autoreply per message received, not repeated more
often than (say) twice weekly for any single address, would be considered
"spam", then every MTA, every opt-in mailing list operator, and a lot of
abuse ticketing systems would become "spammers" overnight.
Thor
Laurence F. Sheldon, Jr.
Nice stretch.
How does sending "challenges" to persons other than the sender of
the mail in question fit in your rosy picture.
--
Requiescas in pace o email
Frank Slootweg
That 'solves' [1] the problem for the person running the C/R system,
not for the person running the (opt-in) mail-list.
[1] It does not really solve anything because the user of the C/R system
has to check his logs, quarantine area, etc., so he might as well *just*
do that and run no C/R system at all. In short, he *could* act like a
sane person.
Andrzej Adam Filip
> Andrzej Adam Filip wrote:
>>Could you address Vermon's assumption that once C/R is widespread
>>spammers will quite easily write special C/R auto-responders ?
>
> Once pigs learn to fly, we will need to adjust our air defenses and ATC
> procedures accordingly. :-)
Spammers can fly - they are rich enough to buy air tickets :-)
--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
There are 40 kinds of lunacy, but only one kind of common sense.
-- African Proverb
Andrzej Adam Filip
> In article <407C0E54...@anta.net>, Thor Kottelin <th...@anta.net> wrote:
>>...
>>>I think your system "isn't easily foiled ...", because
>>>no-one really *tried*.
>>
>>I'm certain anyone who reads this will be able to "foil" also the CR
>>solution I use. I can live with that.
>>
>>The important point is that *bulk* mail senders seldom bother trying. For
>>me, false negatives occur less often than weekly.
>
>
> There is nothing wrong with using a spam filter that works only for
> you and only as long as 30,000,000 other people don't copy it. One
> can argue against a filter being used by 30,000,000 people based on
> likely spammer responses, but until 30,000,000 people join you, predicted
> spammer responses (including mine) are merely theoretical. However,
> advocating any filter that generates lots of network abuse during wide
> spread use is wrong and evil.
>
> Challenge-Response systems do generate lots of network abuse because
> lots of spam carries forged sender addresses. The network abuse sent
> by Challenge-Responses systems to any single innocent mailbox is a
> linear function of the number of people using them. That is equivalent
> to saying "DSN based CR systems don't scale." Anyone who advocates
> the widespread use of Challenge-Resonse systems that use DSNs instead
> of SMTP status codes (i.e. all Challenge-Response systems in significant
> use today and all currently likely CR systems) is advocating network abuse.
The main advantage of C/R system "as they are" is that they require
customized software only at one end.
There are may ways to solve problems mentioned by Vermon but all
solutions I can think of require some custom software at *both* ends.
--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
The denunciation of the young is a necessary part of the hygiene of older
people, and greatly assists in the circulation of the blood.
-- Logan Pearsall Smith
Vernon Schryver
>> Remember that CR challenges are substantially identical. If your
>> system sends more than a few of them, it is sending bulk mail. If any
>> of your CR system's challenges go to people who have not solicited or
>> provoked them, then your system sends unsolicited bulk mail or spam.
>
>No, it does not.
If your CR system sends more than a few challenges, then any efforts
to define spam as that which you don't do are irrelevant.
>If one non-promotional autoreply per message received, not repeated more
>often than (say) twice weekly for any single address, would be considered
>"spam", then every MTA, every opt-in mailing list operator, and a lot of
>abuse ticketing systems would become "spammers" overnight.
Whether a message is "non-promotional" or "autoreply" is irrelevant.
All that matters is whether a bunch of messages are substantially
identical and whether you cannot say in good faith that all of your
targets solicited or otherwise provoked all of the copies, then you
are sending spam.
You might say that DSNs from MTAs and subscription confirmations sent
to forged senders are spam. However, they are generally given an
historical exemption on grounds that their transmissions are good faith
efforts to send to the originator of messages. The fact that so many
DSNs are misdirected is why not avoiding DSNs as much as possible is
now seen as wrong. To minimize bogus subscription confirmations is
why competently run mailing list systems use effective spam filters
on their subscription request mailboxes.
None of that applies to Challenge-Response challenges, because no one
who is neither too ignorant or stupid to be allowed to configure a
mail system nor willing uninformed about the current situation can
honestly claim that most challenges go to mail senders. I suspect
that unlike real DSNs and mailing list subscription messages, most
Challenge-Response challenges go to innocent people.
A design goal of every Challenge-Response system is to send most
challenges to people that do not want to send legitimate mail. Since
much spam has forged return addresses, it is a design goal of
Challenge-Response systems using DSN to send mail to innocent people.
In other words, Challenge-Response systems are designed and intended
to send unsolicited bulk email or spam. If you think that most spam
has forged return addresses, then if you are honest, you must agree
that Challenge-Response systems are designed and intended to send
mostly spam. I'm not sure whether most spam today is forged, so I
personally can't say C-R systems are intended to send more than a lot
of spam.
Vernon Schryver v...@rhyolite.com
Vernon Schryver
Frank Slootweg <th...@ddress.is.invalid> wrote:
> ...
>> You can also "quarantine" the messages for a few hours. This allows you to
>> "restore" any messages erroneously considered junk.
> ...
>[1] It does not really solve anything because the user of the C/R system
>has to check his logs, quarantine area, etc., so he might as well *just*
>do that and run no C/R system at all. In short, he *could* act like a
>sane person.
And in fact people running ISPs with C/R systems reported last year
in the ASRG mailing list that most of their users are almost "sane"
in that sense. They reported that the majority of challenges are not
answered by mail senders but that the senders are whitelisted by
recipients checking quarantine folders.
Thus, a sane C/R system that would serve most users could be constructed
by disabling the challenge sending machinery.
Vernon Schryver v...@rhyolite.com
Thor Kottelin
"Laurence F. Sheldon, Jr." wrote:
>
> Thor Kottelin wrote:
> > If one non-promotional autoreply per message received, not repeated more
> > often than (say) twice weekly for any single address, would be considered
> > "spam", then every MTA, every opt-in mailing list operator, and a lot of
> > abuse ticketing systems would become "spammers" overnight.
> How does sending "challenges" to persons other than the sender of
> the mail in question fit in your rosy picture.
How does any autoresponse sender know whether the sender addresses on the
original message are forged or not?
Thor
Thor Kottelin
Vernon Schryver wrote:
> Whether a message is "non-promotional" or "autoreply" is irrelevant.
It is certainly relevant, since the promotional aspect (cf. "UCE") is the
prime motive for what is usually called spam.
Thor
McWebber
news:407C41C6...@anta.net...
>
>
> Vernon Schryver wrote:
>
> > Whether a message is "non-promotional" or "autoreply" is irrelevant.
>
> It is certainly relevant, since the promotional aspect (cf. "UCE") is the
> prime motive for what is usually called spam.
>
Spam is generally regarded as UBE, not UCE. It's about consent, not content.
--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003
Timo Salmi
> t...@UWasa.Fi (Timo Salmi) writes:
> > Only after this consider the category #2, i.e. those who I do not know
> > in advance. From them I require that they
> >
> > - Have my proper address
> > - Include my public email password into the subject header
> This may be fine for one-to-one mailings. But mailing lists add a wrinkle.
> They send mail to a list, and don't care about you.
> But you receive it.
(Either you lost me, or missed how the system works.)
No, I don't. It fullfils neither of the requirements, when both are
needed for me to receive the email. And is it is a mailing list I
want, then I have it whitelisted, i.e. we still are in catogry #1.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Spam foiling in effect http://www.uwasa.fi/~ts/info/spamfoil.html
Laurence F. Sheldon, Jr.
> How does any autoresponse sender know whether the sender addresses on the
> original message are forged or not?
After thinking long and hard, I have reached the conclusion that the
autobot can not know and because of that, should not send any
challenges.
Timo Salmi
> Timo Salmi <t...@uwasa.fi> wrote:
> > Vernon Schryver <v...@calcite.rhyolite.com> wrote:
> >> That is mistaken. Any system simple enough for most people who
> >> do not know you to handle is easily circumvented by spammers:
> > Mine isn't easily foiled as shown by the empirical evidence with the
> > system over the span of eight years. However, you are right in the
> Hi, Timo. I think your system "isn't easily foiled ...", because
> no-one really *tried*.
Hello Frank,
(Nice to hear from you. It's been awhile.) You are right, of course.
My system is not foolproof against harassment that would be directed
specifically at me. But that's not what spammers do. Spamming is a
mass activity, where the spammer has no interest in trying or the
facilities to to get at a single individual given his/her mailing
list of some 10 million addresses. That's why so few spammers
actually respond to the challenge and use the email password even if
it is public. At the moment I can recall only two cases over all
these years, one of them having been the Nigerian advance-fee scam.
I have taken up this aspect in the item "Isn't the system password
ineffective once the spammers get to know your password?" of
http://www.uwasa.fi/~ts/info/spamfoil.html#comments
Yes, I understand that you also must mean that were my method copied
without individualizing it by a lot of users, then spammers might
take counter action. At the moment they have no reason to do so. In
fact, given that most of the spam cames from forged addresses, only
a tiny fraction of spammers know about what I do.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Timo's procmail tips at http://www.uwasa.fi/~ts/info/proctips.html
N1POP
> [same spam, nothing new or informative]
So, in essence, Connor, you really haven't a clue how to answer the
technical questions posed to you, nor how to respond to the
challenges. You seem to have no idea how to carry on a thoughtful
discussion about C-R. You have given no reference for any of your
claims (I've made none I cannot substantiate). And your only retort
has been insults (or more of the same drivel). Anyone who challenges
your precious little hackjob, it seems, is a "clown" that needs to
"get a life."
Or did I misread your posts?
Timo Salmi
> In article <c5facv$g...@poiju.uwasa.fi>, t...@UWasa.Fi says...
> > - Have my proper address
> > - Include my public email password into the subject header
> Public password? What is a "public password", pray tell? Something anyone can
> get to begin sending you email? I assume you are not talking public PGP key or
Rather than customizing the obvious answer please let me refer to "I
don't quite understand the structure of your email password logic.
Please elaborate" in http://www.uwasa.fi/~ts/info/spamfoil.html#comments
> Your defenses as described are among the most bizarre I have seen to date.
Excellent! Perhaps that's why practically no spam reaches my
mailbox, while I get my work related email exchanges done without
the extra hassles.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Useful script files and tricks ftp://garbo.uwasa.fi/pc/link/tscmd.zip
McWebber
news:c5hidv$d...@poiju.uwasa.fi...
> Ronald D. Edge <Inacti...@hotmail.com> wrote:
>
> > Your defenses as described are among the most bizarre I have seen to
date.
>
> Excellent! Perhaps that's why practically no spam reaches my
> mailbox, while I get my work related email exchanges done without
> the extra hassles.
>
And it's why I get challenges/spam to my often forged email address. You can
be sure I will look up your info to make sure the spam gets through to you
should your system send me a C/R.
Frank Slootweg
Indeed, and that is the big difference between your stance and Alan's.
*You* realize that your system is not perfect and is not for general
consumption, and hence you do not try to 'sell' it to anyone. Alan OTOH
says 'his' system is unbreakable, tries to force it upon everybody
(of course without much, if any, success) and calls anybody who
disagrees (with *any* aspect of it) an idiot/liar/etc.. Time to adjust
your whitelist? :-)
Frank "Proud to be an 'idiot'!" :-) Slootweg
Alan Connor
>
<snip>
What you really need to do is to TRY one of them mail filters. You'll never go back,
believe me.
It is so FINE to be in control of one's own mailbox and to not even have to work at it.
There are all sorts of useful links at the site in sig.
Andrzej Adam Filip
Could you post some links to the most credible of such reports (in your
opinion) in the mailing list archive ?
[for future reference]
--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
http://anfi.homeunix.net/ http://slashdot.org/~anfi
*Random Epigram* :
US is not us.
-- 2004
DWT
t...@UWasa.Fi (Timo Salmi) wrote in <c5hidv$d...@poiju.uwasa.fi>:
| Perhaps that's why practically no spam reaches my
| mailbox, while I get my work related email exchanges done without
| the extra hassles.
Pracitcally none? Alan Connor says he gets absolutely none.
Today I received a challenge from a member of a mailing list where I had
posted; flawed whitelisting like that does not help the image of C/R.
--
David W. Tamkin
The reply address may be invalid after midnight US Central Time on 20Apr2004.
Vernon Schryver
> ...
>> How does sending "challenges" to persons other than the sender of
>> the mail in question fit in your rosy picture.
>
>How does any autoresponse sender know whether the sender addresses on the
>original message are forged or not?
If you cannot say in good faith that essentially all of your messages
are being sent to people who requested, solicited, or somehow provoked
them, then they are unsolicited. Anything about your motives or the
contents of your messages is irrelevant.
Vernon Schryver v...@rhyolite.com
Vernon Schryver
>> Whether a message is "non-promotional" or "autoreply" is irrelevant.
>
>It is certainly relevant, since the promotional aspect (cf. "UCE") is the
>prime motive for what is usually called spam.
In practice, most unsolicited bulk mail is also commercial, because
commercial motives are most common for sending substantially identical
copies of messages to many people. However, unsolicited bulk mail
urging you to save your soul by believing in a god is also spam.
Conversely, practically no unsolicited promotional mail is not bulk.
It rarely makes sense to send promotional mail except in bulk.
Then there is the large quantity of perfectly legitimate unsolicited
commercial email. Anyone who does business on the Internet is likely
to receive mail is commercial but solicited by nothing more than the
existence of a working mailbox. There is no explicit request or
solicitation for commercial email among the pages at http://www.rhyolite.com/
so work proposals sent to v...@rhyolite.com would be both commercial
and unsolicited. They would be spam only if many substantially identical
copies were sent.
There are compelling reasons to not define spam by message contents
except whether "bulk." If you define spam as only unsolicited commercial
email, then you will have arguments about whether messages containing
non-commercial as well as commercial content are primarily commercial.
You will also have arguments about whether messages from nominally
non-profit organizations are commercial. Think about not only all of
the legitimate charities that want your money, but the supposedly
non-profit outfits eager to help you "reduce your monthly payments."
Then there is political spam. If spam must be commercial, is
unsolicited bulk mail urging you to vote commercial? Given the
fact that the point of such mail is always at least the control of
wealth, you could convince me political spam is commerical, but I
suspect others would disagree.
Vernon Schryver v...@rhyolite.com
Vernon Schryver
Andrzej Adam Filip <an...@priv.onet.pl> wrote:
> ...
>> And in fact people running ISPs with C/R systems reported last year
>> in the ASRG mailing list that most of their users are almost "sane"
>> in that sense. They reported that the majority of challenges are not
>> answered by mail senders but that the senders are whitelisted by
>> recipients checking quarantine folders.
>>
>> Thus, a sane C/R system that would serve most users could be constructed
>> by disabling the challenge sending machinery.
>
>Could you post some links to the most credible of such reports (in your
>opinion) in the mailing list archive ?
>[for future reference]
I'm sorry, but the most I can offer is the location of the archives at
https://www1.ietf.org/mail-archive/working-groups/asrg/current/maillist.html
and suggest you look in the first half of 2003. That seems to be
https://www1.ietf.org/mail-archive/working-groups/asrg/current/mail200.html
and larger numbers.
Reading the bald faced lies among that stuff irks me even more than
the rantings of clue-proof usenet e-spurts, perhaps because the e-spurts
such as the Verislime spokeslime in that mailing list have worse (esp.
commercial) motives for the nonsense.
I'd better go do something else to cool off after sampling some of
those old lies and distortions.
Vernon Schryver v...@rhyolite.com
Timo Salmi
> > > Your defenses as described are among the most bizarre I have seen to
> > Excellent! Perhaps that's why practically no spam reaches my
> > mailbox, while I get my work related email exchanges done without
> > the extra hassles.
> And it's why I get challenges/spam to my often forged email address. You can
> be sure I will look up your info to make sure the spam gets through to you
> should your system send me a C/R.
As I indicated in the very recent the discussion Frank (Slootweg) my
system has been very effective as such against the (mass) spam.
Countering personal harassment against me (which is what you
hypothetically describe) requires more customizing at my end. The
first (likewise hypothetical) step would be to blacklist your email
address and/or your name so that anything that comes from you would
here go to /dev/null without any notice or further ado. Thus you
would not know whether your revenge tactics would have any effect.
Likewise, should you decide to bomb me from forged addresses, then
the autoresponses would again not reach you. You'd be in the dark as
to the success of your hypothetical revenge tactics.
Please let me repeat that the above indeed all is hypothetical for
the sake of the current exercise, just as what you wrote obviously
and hopefully is.
However, as a matter of a serious curiosity, an extract about email
stalking from http://www.uwasa.fi/~ts/info/spamfoil.html
"I originally installed my system a few years before the Internet
deluge of spam (unsolicited commercial email) started. As it
happens, I was targeted and persistently stalked by a mentally ill
Canadian former student who kept on trying to bomb my mailbox with
strangely sick messages using alternating forged sources under
several guises. The filter system was quite effective against the
harassment. In a way the situation later turned out to be a blessing
in disguise. When the current spam deluge started, I was much better
equipped than the average user."
Thus, I've already been there, too. I have been fortunate enough to
have had the privilege of being on the net practically from its
outset. So, I have seen and experienced a thing or two on this
medium. Sadly, the abuse ratio of the net just seems to get worse
and worse.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Timo Salmi
> [Newsgroups: line narrowed to just comp.mail.misc.]
Why?
> t...@UWasa.Fi (Timo Salmi) wrote in <c5hidv$d...@poiju.uwasa.fi>:
>
> | Perhaps that's why practically no spam reaches my
> | mailbox, while I get my work related email exchanges done without
> | the extra hassles.
> Pracitcally none? Alan Connor says he gets absolutely none.
Alan speks for his situation, I speak for mine.
As I wrote a couple of postings ago, I can recall off-hand two
instances where the spammer has taken up the challenge, that is used
my public email password. Also, I have made occasional mistakes in
updating, which has created temporary holes. My ~/.procmailrc is not
exactly a small or simple one as it should be were its exact details
for the public consumption. They are not, just the outline of the
method.
Furthermore, I do not have an incentive to write an absolutely
bullet-proof system. Please recall that my main purpose is to do my
actual email related work in peace. The tightness of my foiling
system as such is far secondary to that.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Timo Salmi
> In article <407C41C6...@anta.net>, Thor Kottelin <th...@anta.net> wrote:
> >It is certainly relevant, since the promotional aspect (cf. "UCE") is the
> >prime motive for what is usually called spam.
> Then there is the large quantity of perfectly legitimate unsolicited
> commercial email. Anyone who does business on the Internet is likely
> to receive mail is commercial but solicited by nothing more than the
> Then there is political spam. If spam must be commercial, is
> unsolicited bulk mail urging you to vote commercial? Given the
> fact that the point of such mail is always at least the control of
> wealth, you could convince me political spam is commerical, but I
> suspect others would disagree.
It is an interesting semantic exercise, but what is essential is if
it is unsolicited and unwanted by the receiver. What exactly is, is
up to the individual, and certainly will vary from person to person.
But whatever one's exact definition, the current area under
discussion is how can one autoavoid such choking email.
Morely 'spam is theft' Dotes
> (Either you lost me, or missed how the system works.)
>
> No, I don't. It fullfils neither of the requirements, when both are
> needed for me to receive the email. And is it is a mailing list I
> want, then I have it whitelisted, i.e. we still are in catogry #1.
OK, here's the scenario:
- I run a mailing list. To subscribe to it, you visit a Web page and fill
in a "mailto" link.
- My mailing list manager software generates a subscription confirmation
request which is sent to you.
- Your C/R software sends a challenge to my mailing list manager.
- My mailing list manager sees that your challenge is *not* from an
authorized user (you have not yet finished subscribing), and is not a
confirmation.
- Your challenge is ignored.
- Your subscription is not confirmed.
Where did you determine what address to whitelist?
--
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
Don't spam <A HREF="mailto:remote-printer.Mary_Higgins/Investor_Relations@
12029429634.iddd.tpc.int">this.</a>
Morely 'spam is theft' Dotes
@anfi.homeunix.net:
> The main advantage of C/R system "as they are" is that they require
> customized software only at one end.
That's an advantage to the (ab)user running the C/R system, NOT to the
Internet.
Alan Connor
<chortle>
And because they have to return a Challenge-Response if they ever expect
you too read one of their mails, they have to use an address that actually
belongs to them, which can then be blocked. (and can be traced to them)
Over and over if necessary. A simple script and a couple of keystrokes.
They'll run out of email addresses before you run out of 3 seconds here
and there to blocklist them. And each time they use a new one, the trail
back to them becomes that much clearer.
I save copies of all returned CRs and the mail that accompanies them,
storing them in compressed archives with the logrotate utility. Automatically.
(This will be included in the next version of my little program....)
<snicker>
I think we have inadvertantly stumbled on to another positive aspect
of mail filters that use Challenge-Responses:
Keeping spammers/trolls busy harassing us (and bouncing off) so that
they don't have the time to harass and spam (excuse the redundancy)
those that do not have our impregnable defenses.
And keeping a record of any harassment which can be turned over to
the proper authorities when warranted.
A genuine public service.
Duncan McNiven
(Vernon Schryver) wrote:
>Then there is the large quantity of perfectly legitimate unsolicited
>commercial email. Anyone who does business on the Internet is likely
>to receive mail is commercial but solicited by nothing more than the
>existence of a working mailbox. There is no explicit request or
>solicitation for commercial email among the pages at http://www.rhyolite.com/
>so work proposals sent to v...@rhyolite.com would be both commercial
>and unsolicited. They would be spam only if many substantially identical
>copies were sent.
So if I send a work proposal to v...@rhyolite.com and ask for a quote,
that is OK, but if I also send substantially identical messages to your
competitors, that becomes spam? I see no sense in that. Obtaining
comparative quotations is a legitimate thing to do, and I see no reason
why it should not be done by email. I support it both as a customer and
as a supplier. Don't you? Or do you only want to quote for work when
your competitors are excluded from the process?
--
Duncan
Timo Salmi
> t...@UWasa.Fi (Timo Salmi) wrote in news:c5hge0$b...@poiju.uwasa.fi:
> > want, then I have it whitelisted, i.e. we still are in catogry #1.
> OK, here's the scenario:
(snip)
> Where did you determine what address to whitelist?
At least two options:
1) When I decided whether to subcribe to your fine list in the first
place, and took a look whether the address (or a part of the
address) is there or deductible. (Also bear in mind that procmail is
good on regular expressions).
2) More importantly. What makes you think that I can't easily,
temporarily whitelist everything for the very brief duration (often
immediate) that it normally takes any good mailing list to respond
to my request? All it takes is changing the value of just one single
environment variable for my ~/.procmailrc. After getting the wanted
response and information it is equally easy and quick to change
back.
Many challengers of my system are repeatedly making the incorrect
implicit assumption that my filtering somehow is fixed in stone,
like a third party program would be more inclided to. This is not
the case, since I have customized the system myself around procmail.
And since it has been in place for so long, so many different
situations have already arisen, where I have had to find a working
solution.
Spambo
> [snip]
>
> So if I send a work proposal to [snipped] and ask for a quote,
> that is OK, but if I also send substantially identical messages to your
> competitors, that becomes spam? I see no sense in that. Obtaining
> comparative quotations is a legitimate thing to do, and I see no reason
> why it should not be done by email. I support it both as a customer and
> as a supplier. Don't you? Or do you only want to quote for work when
> your competitors are excluded from the process?
What part of "unsolicited" is so hard to understand? If you send
email to addresses specified for use when requesting quotes then
the email isn't unsolicited - is it? If no address is specified
for that purpose then you shouldn't assume that the recipient at
whichever address you come up with will be overjoyed to receive
bulk/commercial email from you.
Sam
> On Tue, 13 Apr 2004 22:29:59 +0300, Thor Kottelin <th...@anta.net> wrote:
>>
> <snip>
>
> What you really need to do is to TRY one of them mail filters. You'll never go back,
> believe me.
Beavis: In that case how come you, yourself, went back? After all, if you
are still using those amazing scripts there would be no reason not to use
your “working” E-mail address when posting to Usenet.
Timo Salmi
> Today I received a challenge from a member of a mailing list where I had
> posted; flawed whitelisting like that does not help the image of C/R.
Not that it makes a difference, but that sounds more an inadequate
whitelist database rather than a flaw in the whitelisting system
itself. But indeed, one clear problem with C/R is that the user
should be very careful of creating such false positives.
On the other hand, a reality check. If I get, say, some 200 spam
emails a day, a hefty number on virus generated emails, and one
false C/R once in a blue moon, why should I mind? Unless, of course,
I were on a mission to oppose spam foiling.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Vernon Schryver
>Vernon Schryver <v...@calcite.rhyolite.com> wrote:
> ...
>It is an interesting semantic exercise, but what is essential is if
>it is unsolicited and unwanted by the receiver. What exactly is, is
>up to the individual, and certainly will vary from person to person.
>But whatever one's exact definition, the current area under
>discussion is how can one autoavoid such choking email.
That view is valid only in the personal arena, such as when you are
building your own, personal unwanted mail defenses and you don't care
if you to appear abitrary, capricious, unfair, or simply kooky. That's
why my "unwelcome domain list" is beyond reproach. What you do with
your own mail on your own servers is hard to criticise and often
difficult for strangers to know about.
That view is wrong in more public settings such as when you are
thinking about
- arresting or suing someone
- entries public blacklists
- terminating an account
- firing a salescritter that sent some mail
- designing mechanisms to autoavoid choking mail at an ISP,
in potentially popular open source, or public standards or
recommendations from the IETF
- advocating an autoavoid anti-choking mechanism for many people
It's even a poor point of view when you merely want to talk about your
autoavoid anti-choking mechanisms. Insisting on saying "tomato" when
everyone else says "potato" complicates conversation.
Finally, insisting on some definitions of "spam" will cause some
people or listeners to doubt your good will. The Direct Marketing
Association's definition of spam excludes actions of members of
that organization. The sample applies to the definitions from
politicians and advocates of Challenge-Response systems that send
unsolicited bulk mail. It's only human but not admirable to prefer
to define spam as "that which I don't do."
Vernon Schryver v...@rhyolite.com
Vernon Schryver
>> Today I received a challenge from a member of a mailing list where I had
>> posted; flawed whitelisting like that does not help the image of C/R.
>
>Not that it makes a difference, but that sounds more an inadequate
>whitelist database rather than a flaw in the whitelisting system
>itself.
In Challenge-Response theory, all outgoing mail creates whitelist
entries for returnin mail.
Practice differs, because in real life people often send mail from
different systems than where they receive mail. In addition, people
(and computers) often reply with return addresses that differ from
those at which they received the messages prompting the replies.
For example, I think some mailing lists have submission addresses
that differ from their sending addresses. Then there are mailing
list owner and -request addresses.
Vernon Schryver v...@rhyolite.com
Vernon Schryver
Duncan McNiven <dun...@mcniven.net> wrote:
>So if I send a work proposal to v...@rhyolite.com and ask for a quote,
>that is OK, but if I also send substantially identical messages to your
>competitors, that becomes spam? I see no sense in that. Obtaining
>comparative quotations is a legitimate thing to do, and I see no reason
>why it should not be done by email. I support it both as a customer and
>as a supplier. Don't you? Or do you only want to quote for work when
>your competitors are excluded from the process?
If you send "unsolicited bulk" RFQs, then you can and should expect
to have your ISP account terminated and your domain name and IP addresses
blacklisted. How many copies of an RFQ are required to make it "bulk"
and which mailboxes "solicit" it are determined by the canonical
reasonable person.
"Unsolicited" and "bulk" are intentionally as imprecisely defined as
"burglary." Burglary is being somewhere without permission and with
bad intentions. Permission and bad intentions are not spelled out in
the law but left to the judgement of what the legal system considers
"reasonable people" in the persons of police, prosecutors, judges, and
juries.
It make not make sense that being caught in a locked building tonight
can be perfectly innocent while being caught in the same building at the
same time and place tomorrow night can send you to jail for 3 to 5 years,
but that's how the system works. All known alternatives are worse.
Vernon Schryver v...@rhyolite.com
axlq in California
>McWebber <mcwe...@my-deja.com> wrote:
>> And it's why I get challenges/spam to my often forged email
>> address. You can be sure I will look up your info to make sure
>> the spam gets through to you should your system send me a C/R.
>
>As I indicated in the very recent the discussion Frank (Slootweg)
>my system has been very effective as such against the (mass)
>spam. Countering personal harassment against me (which is what you
>hypothetically describe) requires more customizing at my end.
Hold it right there. He wasn't proposing harassing you. His
position is that YOU would be harassing HIM with challenges that
he didn't initiate. That is, when your software sends a bogus
challenge as a result of a spammer forging his address, he will
respond to the challenge to ensure that you receive the spam, and
any further spam with his address forged therein.
That's not harrassment. That's simply DEFENSE against the harasser
(you and your C/R system); a way to avoid further bogus challenges.
That a spammer tricked you into harassing him is beside the point.
>The first (likewise hypothetical) step would be to blacklist your
>email address and/or your name so that anything that comes from you
>would here go to /dev/null without any notice or further ado. Thus
>you would not know whether your revenge tactics would have any
>effect.
That assumes you know his address. I have several addresses, on
different domains, any of which could be forged in a spam. I will
respond to any bogus challenges I get, to avoid receiving more.
>Likewise, should you decide to bomb me from forged addresses, then
>the autoresponses would again not reach you. You'd be in the dark
>as to the success of your hypothetical revenge tactics.
Why would he bomb you? The spammer is already doing that job,
sending you spam with his email forged. All he did was perform the
courtesy of allowing you to receive that spam, as a way to avoid
further bogus challenges.
>Please let me repeat that the above indeed all is hypothetical for
>the sake of the current exercise, just as what you wrote obviously
>and hopefully is.
In my case, I will respond to any challenge your C/R system might
send me as a result of a spammer forging one of my addresses.
Simple policy of self-defense, that's all. Not hypothetical.
>"I originally installed my system a few years before the Internet
>deluge of spam (unsolicited commercial email) started. As it
>happens, I was targeted and persistently stalked by a mentally ill
>Canadian former student who kept on trying to bomb my mailbox with
>strangely sick messages using alternating forged sources under
>several guises.
If those forged sources were real addresses, all you did was
transfer the abuse to innocent 3rd parties by sending them
challenges.
-A
Vernon Schryver
axlq in California <ax...@spamcop.net> wrote:
> ...
>In my case, I will respond to any challenge your C/R system might
>send me as a result of a spammer forging one of my addresses.
>Simple policy of self-defense, that's all. Not hypothetical.
> ...
There are other non-hypothetical cases that urge responding to all
challenges. The last non-bogus challenge I received turned out to be
from an unfamiliar address used by someone to whom I had sent mail.
I had sent a message to a role account concerned a stream of many 100K
requests/day sent to the public DCC servers. In my mailbox the next
day I found first a challenge from an unfamiliar source, which I
answered according to my policy of helping strangers who ask me whether
they want to their eat spam. Next I found a proper response to my
message from the same sender as the CR challenge. That demonstrated
- the need to respond to all challenges, whether the result of spam
or not,
- the hopelessness of whitelisting according using outgoing mail,
- the foolishness of expecting people to answer challenges when
you want them to,
- the foolishiness of expecting people to not answer challenges when
you don't want them to,
- the fact that most CR users act as if their challenges were never sent.
Vernon Schryver v...@rhyolite.com
Vernon Schryver
> ...
>2) More importantly. What makes you think that I can't easily,
>temporarily whitelist everything
I'm equally confident that you can and 99.9% of retail users can't.
> for the very brief duration (often
>immediate) that it normally takes any good mailing list to respond
>to my request? ...
That is a significantly longer duration than it was a few years ago.
I think a "good mailing list" should use greylisting to filter junk
that would otherwise trigger sending more junk to innocent mailboxes.
Were you among those of us blessed with 100K missives from majordomo
servers saying that every "line" of a virus is an invalid command?
>Many challengers of my system are repeatedly making the incorrect
>implicit assumption that my filtering somehow is fixed in stone,
>like a third party program would be more inclided to. This is not
>the case, since I have customized the system myself around procmail.
>And since it has been in place for so long, so many different
>situations have already arisen, where I have had to find a working
>solution.
Which is equivalent to saying that your filtering situation is irrelevant
to that of more than 99.999% of the population. Your filtering situation
and observations of interest only to the very few people who have the
faintest idea of the meanings of "procmail" and "regular expression."
There are plenty of us around here, but most of us have our own
idiosyncratic spam solutions and so don't have much interest. In other
words, there are obvious reasons why you've not been pushing details
of your mechanisms.
Vernon Schryver v...@rhyolite.com
Ben Finney
> McWebber <mcwe...@my-deja.com> wrote:
>> You can be sure I will look up your info to make sure the spam gets
>> through to you should your system send me a C/R.
>
> hypothetically describe) requires more customizing at my end.
It's a strange definition of "personal harrassment" you use.
Under the above-described scenario: Your system sends an unsolicited,
automated "challenge" to McWebber regarding a message he never sent. He
replies to it, as specifically requested in the "challenge". You then
claim this is "personal harrassment".
--
\ "I must say that I find television very educational. The minute |
`\ somebody turns it on, I go to the library and read a book." -- |
_o__) Groucho Marx |
Ben Finney <http://bignose.squidly.org/>
Richard Howlett
> A genuine public service.
A genuine pain in the ass more like.
--
Richard Howlett
Alan Connor
Only to spammers and trolls and neurotics.
Takes about 5 seconds, once in a lifetime, to return one of my
Challenge-Responses.
So which are you?
:-)
Alan Connor
Sam, you are an idiot troll that will run his mouth about anything and
nothing, that runs around the Usenet abusing *anyone* that says *anything*.
Your opionion on this or any other subject has zero credibiltity.
I don't read your posts, for the 50th time, nor those of any of your
dozens of sock puppets.
Your mother should whup your pathetic ass and take away your computer priveleges.
AC
DevilsPGD
Connor <zzz...@xxx.yyy> did ramble:
>It is so FINE to be in control of one's own mailbox and to not even have to work at it.
But you aren't in control, the sender is in control.
--
HTML email should be treated in the same manner as sexual acts between
consenting adults. Only done in private places where willing parties,
whom agreed upon such an act BEFOREHAND, will see it.
Timo Salmi
> In article <c5hmp3$f...@poiju.uwasa.fi>, Timo Salmi <t...@UWasa.Fi> wrote:
> >Vernon Schryver <v...@calcite.rhyolite.com> wrote:
> >discussion is how can one autoavoid such choking email.
>
> That view is valid only in the personal arena, such as when you are
> building your own, personal unwanted mail defenses and you don't care
> if you to appear abitrary, capricious, unfair, or simply kooky. That's
> why my "unwelcome domain list" is beyond reproach.
So you have blacklisted domains, which you wish to avoid? Fine. That
is exactly what I do, too. Start by discarding all email from
certain quarters. Recall my rough, general order of actions
whitelisting
blacklisting
password requirement only after those
Timo Salmi
> >McWebber <mcwe...@my-deja.com> wrote:
> >> And it's why I get challenges/spam to my often forged email
> >> address. You can be sure I will look up your info to make sure
> >> the spam gets through to you should your system send me a C/R.
> >
> >my system has been very effective as such against the (mass)
> >spam. Countering personal harassment against me (which is what you
> >hypothetically describe) requires more customizing at my end.
> Hold it right there. He wasn't proposing harassing you. His
> position is that YOU would be harassing HIM with challenges that
> he didn't initiate. That is, when your software sends a bogus
> challenge as a result of a spammer forging his address, he will
Not to him, since (hypothetically) I would by now have "him"
excluded, whether forged or genuine. Recall that the password
request is only sent after the whitelisting and blacklisting.
> That's not harrassment. That's simply DEFENSE against the harasser
> (you and your C/R system); a way to avoid further bogus challenges.
Whatever it is, he won't need it, since we won't meet. Yes, we do
have a dilemma here would we want to make a first contact, but since
I am not e.g. a sales person why would I want to? I have several
time openly admitted that this system does not suit many situations
such as e.g. a global customer service with a lot of customers not
known in advance.
On the other hand should we absolutely need to talk privately (we
don't!) then we would either need to be on each other's whitelists
or know each other's email passwords.
> That assumes you know his address. I have several addresses, on
> different domains, any of which could be forged in a spam. I will
> respond to any bogus challenges I get, to avoid receiving more.
Which just means that I would have to add to my /dev/null list as
the situations arise.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Timo Salmi
> In article <c5hp4m$g...@poiju.uwasa.fi>, Timo Salmi <t...@UWasa.Fi> wrote:
> There are plenty of us around here, but most of us have our own
> idiosyncratic spam solutions and so don't have much interest.
You don't? Then how come such an intense debate if there isn't any
interest? And how come
[264] Timo's procmail tips and recipes
http://www.uwasa.fi/~ts/info/proctips.html
[84] Foiling Spam with an Email Password System
http://www.uwasa.fi/~ts/info/spamfoil.html
had just yesterday the indicated [..] number of visits?
> In other
> words, there are obvious reasons why you've not been pushing details
> of your mechanisms.
An unwarranted, negative stance. While I am not e.g. disclosing the
exact contents of my whitelists and blacklists (that is who exactly
or which domains are there) the building blocks and the system
outline are amply covered in the material referred to in the above.
> Which is equivalent to saying that your filtering situation is irrelevant
> to that of more than 99.999% of the population. Your filtering situation
Let's get at least this one straight. I've nether claimed that it is
easy to adopt for everyone. On the contrary I have openly admitted
on several occasions that as I use it the system requires skill
levels that probably the majority (but not your off-the-cuff
99.999%) of users do not have. My claim has all along been and is
that is that the system gives a very effective protection. I've also
emphasized that I decide how I protect my own mailbox, just as you
decide how you protect yours, or leave it unprotected.
What I am doing is publicly giving the information (the http
references) so that those who might be interested have access to it.
(As I wrote, a number of users yet seem to, despite of what you say,
as one can see from the figures). I am not saying to anyone that
they _should_ use it, just making the information public. If that is
not to some users' liking or to their interest, I am easily
killfiled (the news equivalent of blacklisting) since I use constant
addresses (and a constant subject header in my regular reference
posting).
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Timo's FAQ materials at http://www.uwasa.fi/~ts/http/tsfaq.html
McWebber
news:u1po70d2upn0hd222...@4ax.com...
If everyone on your list solicits RFQ's by email then it can't be spam no
matter how many you send.
--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003
McWebber
> McWebber <mcwe...@my-deja.com> wrote:
> > "Timo Salmi" <t...@UWasa.Fi> wrote in message
> > > Ronald D. Edge <Inacti...@hotmail.com> wrote:
> > > > Your defenses as described are among the most bizarre I have seen to
>
> > > Excellent! Perhaps that's why practically no spam reaches my
> > > mailbox, while I get my work related email exchanges done without
> > > the extra hassles.
>
can
> > be sure I will look up your info to make sure the spam gets through to
you
> > should your system send me a C/R.
>
> system has been very effective as such against the (mass) spam.
> Countering personal harassment against me (which is what you
> first (likewise hypothetical) step would be to blacklist your email
> address and/or your name so that anything that comes from you would
> here go to /dev/null without any notice or further ado. Thus you
> would not know whether your revenge tactics would have any effect.
> the autoresponses would again not reach you. You'd be in the dark as
> to the success of your hypothetical revenge tactics.
>
> the sake of the current exercise, just as what you wrote obviously
> and hopefully is.
It's only hypothetical as far as you are concerned. I have received numerous
C/R messages due to my address being forged and I follow the steps so the
spam gets through on each of them. That they may blacklist my address after
that is a plus.
Ben Finney
> Vernon Schryver <v...@calcite.rhyolite.com> wrote:
>> idiosyncratic spam solutions and so don't have much interest.
>
> You don't? Then how come such an intense debate if there isn't any
> interest?
Because we don't want people to adopt measures that harm the email
system for others, as C-R does by sending unsolicited mail to third
parties.
Interest in avoiding making the situation worse does not equate to
interest in exploring your system.
--
\ "The basic fact about human existence is not that it is a |
`\ tragedy, but that it is a bore." -- Henry L. Mencken |
_o__) |
Ben Finney <http://bignose.squidly.org/>
DWT
| Not that it makes a difference, but that sounds more an inadequate
| whitelist database rather than a flaw in the whitelisting system itself.
Yes, of course it was the user's mistake. Where did you get the notion
that I was blaming the C/R software author?
| On the other hand, a reality check. If I get, say, some 200 spam
| emails a day, a hefty number on virus generated emails, and one
| false C/R once in a blue moon, why should I mind?
Where does the idea of "minding" come in? Do you think my point was to wail
and whine over one false challenge? I'm not that easily wounded.
I regularly receive false challenges, not once in a blue moon but about three
or four a week, for messages on which my address is forged (and I take them
in stride). Those are the fault of the forgers. But a challenge for a post
to a mailing list that the challenger has joined is the fault of the challen-
ger.
--
David W. Tamkin
The reply address may be invalid after midnight US Central Time on 20Apr2004.
Vernon Schryver
>> That view is valid only in the personal arena, such as when you are
>> building your own, personal unwanted mail defenses and you don't care
>> if you to appear abitrary, capricious, unfair, or simply kooky. That's
>> why my "unwelcome domain list" is beyond reproach.
>
>So you have blacklisted domains, which you wish to avoid? Fine. That
>is exactly what I do, too. Start by discarding all email from
>certain quarters. Recall my rough, general order of actions
> ...
That's irrelevant to the proximate point, which is that the definition
of "spam" matters and is not arbitrary. What each of us does with
mail we individually consider objectionable does not affect the
definition of "spam." 11 has always seemed struck me as a pecular
number even for a prime, so I may someday blacklist or whitelist IP
addresses that are multiples of 11. Either or neither will be fine
and dandy, provided I didn't claim that I'm talking about "spam."
Spam is any and all unsolicited bulk email, regardless of whether it
is "promotional," "commerical," "obscene," "forged," "public spirited,"
"non-profit", "free," "informative," or anything else.
Vernon Schryver v...@rhyolite.com
Alan Connor
>
>
> On 14 Apr 2004 07:39:15 +0300, Timo Salmi wrote:
>> Vernon Schryver <v...@calcite.rhyolite.com> wrote:
>>> There are plenty of us around here, but most of us have our own
>>> idiosyncratic spam solutions and so don't have much interest.
>>
>> You don't? Then how come such an intense debate if there isn't any
>> interest?
>
> Because we don't want people to adopt measures that harm the email
> system for others, as C-R does by sending unsolicited mail to third
> parties.
>
> Interest in avoiding making the situation worse does not equate to
> interest in exploring your system.
>
And the fact that you SAY that C-R systems frequently send unsolicited
mail to third parties does not make it so.
If you had any documentation to back up your claim, you would surely
have posted it on these groups, over and over.
A well-designed mail filter using CRs sends almost no CRs, and I have
never received on complaint from anyone about a mis-directed CR.
(the only complaint I have gotten was from a spamming domain on the dnsbl,
and the CR to them was NOT mis-directed)
My address is clear on the CR, so if anyone wanted to complain to anyone,
they could do it without a problem.
The mails that invoke a CR response are saved in a quarantine directory,
and it says on my CR that if it is mis-directed, I have a copy of the
mail for them if they want it.
In short, Ben, you are lying through your teeth, and you know it.
Now I will sit back and watch you parade your sockpuppets by to take
potshots at me...Popcorn anyone?
Thor Kottelin
Vernon Schryver wrote:
>
> In article <407C41C6...@anta.net>, Thor Kottelin <th...@anta.net> wrote:
>
> >> Whether a message is "non-promotional" or "autoreply" is irrelevant.
> >
> >It is certainly relevant, since the promotional aspect (cf. "UCE") is the
> >prime motive for what is usually called spam.
> If you define spam as only unsolicited commercial
> email, then you will have arguments about whether messages containing
> non-commercial as well as commercial content are primarily commercial.
> You will also have arguments about whether messages from nominally
> non-profit organizations are commercial. Think about not only all of
> the legitimate charities that want your money, but the supposedly
> non-profit outfits eager to help you "reduce your monthly payments."
>
> Then there is political spam.
This is why I would like for the term "unsolicited promotional email" to
gain acceptance.
Thor
Thor Kottelin
Vernon Schryver wrote:
> insisting on some definitions of "spam" will cause some
> people or listeners to doubt your good will. The Direct Marketing
> Association's definition of spam excludes actions of members of
> that organization. The sample applies to the definitions from
> politicians and advocates of Challenge-Response systems that send
> unsolicited bulk mail. It's only human but not admirable to prefer
> to define spam as "that which I don't do."
Spammers seem to be doing rather well despite years of effort on the part of
the anti-junk community to shut them down. If you now prefer to instead go
after CR operators, spam victims, who admittedly are an easier target, that
is your right.
It is however my opinion that it would be better to continue fighting the
root of the problem, IOW junk mail origination. If and when we (tinw)
succeed, CR will no longer be of no account.
Thor
Thor Kottelin
Spambo wrote:
>
> Duncan McNiven wrote:
> > So if I send a work proposal to [snipped] and ask for a quote,
> > that is OK, but if I also send substantially identical messages to your
> > competitors, that becomes spam? I see no sense in that. Obtaining
> > comparative quotations is a legitimate thing to do, and I see no reason
> > why it should not be done by email. I support it both as a customer and
> > as a supplier. Don't you? Or do you only want to quote for work when
> > your competitors are excluded from the process?
>
> What part of "unsolicited" is so hard to understand? If you send
> email to addresses specified for use when requesting quotes then
> the email isn't unsolicited - is it? If no address is specified
> for that purpose then you shouldn't assume that the recipient at
> whichever address you come up with will be overjoyed to receive
> bulk/commercial email from you.
Even when an address is dedicated to e.g. job applications, its operator is
unlikely to welcome irrelevant, bulk-mailed CVs from all over the globe. Not
everything is black and white.
Thor