Nothing to worry about. It's just the yearly anti-challenge-response
disinformation campaign put on by that segment of the pro-spam crowd
that lack anything resembling integrity. What they DO have, however,
are VERY big mouths.
Ever since it became obvious that pure content filters (spamassassin et al)
in isolation can't deal with the spam problem, the obvious solution has been
to add a pass list to one's mail program BEFORE the content filter, assuring
that mail from known contacts gets through.
Then, after obvious spam has been sent to the bit bucket by a relatively simple
content filter, mail that may or may not be spam (a small percentage of the
total received in a given batch) triggers challenge-responses.
These are small notes, sent automatically to the return address on the
suspect mail while it is held in quarantine. The note asks the recipient
to paste a password found in the body onto the subject line and send it back.
If it is returned, then it and the quarantined mail show up in the user's
inbox.
If it isn't, then the address was phoney, or no one reads the mail there.
Each C-R has the subject of the original message Re: Whatever, and a footnote
informing the person that if they received the C-R from an address that they
did not send mail to, then it is being used by a spammer and they should
immediately notify their sysadmin or abuse at their ISP.
Thus C-Rs also serve the important purpose of notifying people that their
address is being forged by spammers or other criminals, which can cause
BIG problems if it isn't dealt with in a timely fashion.
The above rarely occurs, fortunately.
The pass-list/content-filter/challenge-response strategy is not perfect, but
it is the best one around, by far.
To learn more about them just google "challenge-response" and be aware that
the same anti-C/R propagandists that you see here also have a number of
websites that are anything but objective. To say the least.....
Spammers and others with a vested interest in keeping the spam flowing into
your mailbox HATE these systems because they can't beat them.
Thus you have the current anti-C/R disinformation campaign, the latest in
a long line of repetitive and obnoxious attempts to keep people from using
them by telling lies about them.
AC
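The pass-list / content-filter / challenge-response pipeline described in the post above, as an added example (not code from any poster, and not AC's actual mail setup). It assumes a toy keyword content filter, a hypothetical responder address rav-daemon@example.invalid, and a password of the form nonce-hmac so the password is bound to the address it was issued to; the 72-hour window is the one mentioned later in the thread. Messages are plain objects, and "sending" a challenge just appends it to a list, so the whole thing runs offline.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

CHALLENGE_TTL = 72 * 3600  # the 72-hour response window discussed in the thread


@dataclass
class Message:
    sender: str   # return address; for a joe-job this is the forged victim
    subject: str
    body: str


@dataclass
class Challenge:
    token: str
    sender: str
    issued_at: int
    original: Message


@dataclass
class ChallengeResponseFilter:
    pass_list: set                                   # lower-cased addresses that bypass everything
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    quarantine: dict = field(default_factory=dict)   # token -> Challenge
    inbox: list = field(default_factory=list)
    bitbucket: list = field(default_factory=list)
    outbound: list = field(default_factory=list)     # challenges "sent" (collected, not mailed)

    def content_score(self, msg):
        # Toy stand-in for the "relatively simple content filter" in the post.
        return sum(w in msg.body.lower() for w in ("free", "viagra", "click here", "$$$"))

    def _token(self, sender, nonce):
        # The password is bound to the address it was issued to: a token
        # issued to X does not verify when pasted into a reply from Y.
        mac = hmac.new(self.secret, f"{sender.lower()}|{nonce}".encode(), hashlib.sha256)
        return f"{nonce}-{mac.hexdigest()[:16]}"

    def receive(self, msg, now):
        """Stage 1: pass list. Stage 2: content filter. Stage 3: quarantine + challenge."""
        if msg.sender.lower() in self.pass_list:
            self.inbox.append(msg)
            return "delivered"
        if self.content_score(msg) >= 2:
            self.bitbucket.append(msg)
            return "dropped"
        nonce = secrets.token_hex(4)
        token = self._token(msg.sender, nonce)
        self.quarantine[token] = Challenge(token, msg.sender, now, msg)
        self.outbound.append(Message(
            sender="rav-daemon@example.invalid",      # hypothetical responder address
            subject=f"Re: {msg.subject}",
            body=f"Paste this password into the subject line and reply: {token}"))
        return "challenged"

    def receive_reply(self, reply, now):
        """The reply must carry the password in the subject, come from the
        address the challenge went to, and arrive inside the window."""
        m = re.search(r"\b([0-9a-f]{8}-[0-9a-f]{16})\b", reply.subject)
        if not m:
            return "no-token"
        token = m.group(1)
        ch = self.quarantine.get(token)
        if ch is None:
            return "unknown-token"
        if now - ch.issued_at > CHALLENGE_TTL:
            del self.quarantine[token]
            return "expired"
        if reply.sender.lower() != ch.sender.lower():
            return "address-mismatch"
        nonce = token.split("-")[0]
        if not hmac.compare_digest(self._token(ch.sender, nonce), token):
            return "bad-token"
        del self.quarantine[token]
        self.inbox.append(ch.original)
        return "released"
```

Note what the address binding does and does not buy you: it stops a password from being re-used from a different address, but the filter has no way to tell "a stranger wrote to me" from "a spammer forged a stranger's address". The challenge goes to the forged address either way, and if that person answers it (as some in this thread suggest doing on principle), the quarantined spam is released into the inbox. That is the joe-job objection raised further down the thread, and it is a property of the design, not of any one implementation.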
Your religious belief is not a fact.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
> Ever since it became obvious that pure content filters (spamassassin et al)
Since when is SpamAssassin a "pure content filter"? You don't know
what you are talking about.
> If [the challenge message] isn't [returned], then the address was
> phoney, or no one reads the mail there.
Bull. As you have been told many times, the percentage of people who
will complain about receiving UBE (spam) is very small. You don't
know what you are talking about.
> [...] a footnote
> informing the person that if they received the C-R from an address that they
> did not send mail to, then it is being used by a spammer and they should
> immediately notify their sysadmin or abuse at their ISP.
Since when has your challenge message contained such a footnote? It
didn't just a few hours ago.
> Thus C-Rs also serve the important purpose of notifying people that their
> address is being forged by spammers or other criminals, which can cause
> BIG problems if it isn't dealt with in a timely fashion.
There are far better ways of detecting that your email address is
being forged. Getting massive amounts of bogus bounces and
unsolicited challenge messages is not an "important purpose". You
don't know what you are talking about.
> The above rarely occurs, fortunately.
You have been told many times that for most people, the vast majority
of challenge messages that they have received have been bogus.
Spammer's lists may contain a large percentage of invalid (or no
longer valid) email addresses, but bogus challenge messages are not
rare. You don't know what you are talking about.
-wayne
> In <Hc5Cb.10372$rP6....@newsread2.news.pas.earthlink.net> Alan Connor
> <zzz...@xxx.yyy> writes:
>
>> Ever since it became obvious that pure content filters (spamassassin
>> et al)
>
> Since when is SpamAssassin a "pure content filter"? You don't know
> what you are talking about.
You're "talking" to Alan Connor, Usenet spammer and world's champion know-nothing.
--
Want SPEWS-filtered and SBL-filtered email?
http://www.spamblocked.com/index.html
"Mammals are far more intellectually advanced than most people think.
A gopher gave me the finger once." - Cynthia of Syracuse
> You're "talking" to Alan Connor, Usenet spammer and world's champion know-nothing.
True. I should not feed the troll.
>
> Are you wondering what's happened to comp.mail.misc?
> -----------------------------------------------------
BEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEP!!!!!!!
============================================================================
THIS IS A TEST OF USENET'S EMERGENCY TROLL BROADCAST SYSTEM
THIS IS ONLY A TEST
============================================================================
Had this been an actual troll, a posting claiming to be a “FAQ” would've
actually contained at least one question and an answer.
A. No. It's still here with traffic flowing normally,
as far as I can tell.
I notice that you only allow 72 hours for a response to arrive. I know
a number of people with Internet accounts that have no computer and go
to the public library once a week to access their accounts from a public
access terminal there. If one of those persons sent you an email, they
wouldn't see your challenge until after a week (168 hours) has gone by.
Your statement, "If it isn't, then the address was phoney, or no one reads
the mail there." would be incorrect in their case.
What do you do with responses that arrive after the 72-hour deadline?
Challenge them again?
--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af...@chebucto.ns.ca [=||=] (A Speech Friendly Site)
"...in this froup...attacks are impersonal. Think of them as recreational
mayhem." -- Morely Dotes in news.admin.net-abuse.email, March 14, 2002
>Are you wondering what's happened to comp.mail.misc?
>-----------------------------------------------------
>
>Nothing to worry about. It's just the yearly anti-challenge-response
>
>disinformation campaign put on by that segment of the pro-spam crowd
>
>that lack anything resembling integrity. What they DO have, however,
>
>are VERY big mouths.
>
>
>Ever since it became obvious that pure content filters (spamassassin et al)
>in isolation can't deal with the spam problem, the obvious solution has been
^^^^^^^
That's right about the point I stopped reading.
>to add a pass list to one's mail program BEFORE the content filter, assuring
>that mail from known contacts gets through.
>
How many times are you going to post this rant?
--
Kevin S. Wilson
Tech Writer at a University Somewhere in Idaho
"Whose teenage nephew designed that pair of clown pants?"
--Giblet reviews http://freespeechstore.com in NANAE.
>In <Hc5Cb.10372$rP6....@newsread2.news.pas.earthlink.net> Alan Connor <zzz...@xxx.yyy> writes:
>
>> Ever since it became obvious that pure content filters (spamassassin et al)
>
>Since when is SpamAssassin a "pure content filter"? You don't know
>what you are talking about.
Just my opinions here...
Reading anything posted by Connor is a waste of time.
Responding to it beyond the fewest possible words (essentially beyond
"plonk") is a waste of bandwidth.
--
My email address is antispammed; pull WEEDS if replying via e-mail.
Yes, I have a killfile. If I don't respond to something,
it's also possible that I'm busy.
Words processed in a facility that contains nuts.
>In <Xns944EA23671E98mo...@216.99.211.247> Morely Dotes <secu...@loopback.localhost> writes:
>
>> You're "talking" to Alan Connor, Usenet spammer and world's champion know-nothing.
>
>
>True. I should not feed the troll.
Unless you have some strychnine to lace its kibble with.
> Ever since it became obvious that pure content filters (spamassassin et al)
> in isolation can't deal with the spam problem,
To whom (besides you) has this become obvious? The vast majority of people
here seem to prefer content-based filtering. I know it has been working
very well here for me.
> The pass-list/content-filter/challenge-response strategy is not perfect, but
> it is the best one around, by far.
The "pass-list/content-filter/challenge-response strategy is not perfect"
and the reasons many people are hesitant to employ them have already been
discussed here at great length. If you are satisfied with how it works
with your mail, fine, be happy. But there's no reason to abuse those of
us who feel content based filtering is working well and have made it clear
why they are not willing to employ your challenge-response system.
--
-John (JohnTh...@new.rr.com)
> ["Followup-To:" header set to comp.mail.sendmail.]
> On 2003-12-11, Alan Connor <zzz...@xxx.yyy> wrote:
>
>> Ever since it became obvious that pure content filters (spamassassin
>> et al) in isolation can't deal with the spam problem,
>
> To whom (besides you) has this become obvious? The vast majority of
> people here seem to prefer content-based filtering. I know it has
> been working very well here for me.
I dunno where "here" is from your POV, but if you mean NANAE, I would say
you're probably wrong.
C/R however is inherently abusive, and Alan Connor is a known fruitcake, as
well as a coward, and a Usenet spammer.
--
Want a custom-built PC designed by gamers, for gamers?
Visit http://kryptonite.pc-gamereview.com
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
> C/R however is inherently abusive.
What would be abusive about using C/R to protect the signup to a mailing
list and how would that differ from confirmed opt-in?
Off hand I would say because there are far fewer mailing lists/opt-ins
than email boxes.
But yes, opt-in mechanisms could be and have been abused for mailbombing.
--
rbg
IS there a difference? I belong to a lot of mailing lists and they all use
C/Rs. If they have a different name, I've never heard it. But they are
still C/Rs.
Wouldn't consider belonging to one that didn't.
The best ones assign a password that you have to include as the last line
of your sig, which is stripped off before posting to the list.
If the From line and the password don't match, it isn't posted.
AC
Direct answer:
Mailing list confirmations *can* be abusive for the same reason that
C/R systems generally *are* abusive. I, and quite a few others who
post to the spamcop newsgroups, have had someone use mailing list
confirmations to send UBE our way. Fortunately, for several reasons,
mailing list signup email addresses just aren't forged as often as
users of C/R systems.
The following is a longer rant on the subject that I recently posted
to the SpamCop newsgroup. Not all of it applies to what you said, but...
> [description of mailing list confirmation UBE deleted]
This subject has come up several times before. UBE in the form of
confirmation emails is often used as an example of either "good" UBE
or at least UBE that isn't spam.
Personally, I consider it pretty much a red-herring. The volume of
confirmation UBE is far smaller than email worms and their fall out.
Bringing it up is an attempt to divert attention, and therefore a
red-herring.
I consider all UBE to be spam. There is no such thing as "good" UBE,
but not all UBE is equally bad, nor must all UBE be treated exactly
the same way. Spam is theft. Stealing a penny is still theft,
however, stealing a few pennies from a few people is not going to cause
many people to get very worked up. You have to steal a heck of a lot
more than a few pennies before you have committed a felony.
That being said, I do consider confirmation UBE to be spam and like
all UBE, it has the potential to cause problems. Mailing list admins
*must* take steps to make sure that they are not sending out
significant quantities of UBE, including confirmation UBE. The
confirmation emails generally are far larger than the emails needed to
trigger a confirmation email, so confirmation UBE can be used to
amplify a DoS attack. Confirmation emails that contain ads are little
better than most other UCE.
There are some people who will use an "appeal to authority" argument
to claim that confirmation UBE is "good", however, such authorities as
http://mail-abuse.org/manage.html explicitly discuss the fact that
mailing list operators must limit the amount of confirmation UBE that
gets sent and even suggest ways to do this.
> Not all "bulk" is spam, and not all unsolicited messages are spam.
All UBE is spam. Solicited bulk (such as mailing lists), and
unsolicited non-bulk are not a threat to the usefulness of email.
It is impossible to programmatically determine if the from header is
forged or valid; ergo, *all* C/R systems *will* be used to send
unsolicited email to innocent third parties, just as open (non-confirmed)
mailing lists have been used in the past.
Confirmed opt-in (when properly implemented) will not send a second
confirmation request to any address until at least the first one has
expired (requiring a second subscription request). What's more, if the
recipient does not reply, a blackout period may be implemented to
prevent further subscription attempts.
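The two confirmed-opt-in rules in the post above (no second confirmation to an address while the first is still outstanding; a blackout period when nobody answers), plus AC's later "fails twice and the address goes to /dev/null" rule, as one throttle. This is an added example, not any poster's code or any list manager's implementation. The 72-hour pending window is the one discussed in the thread; the 30-day blackout length and the limit of two unanswered challenges are assumptions for the example. Times are plain integers (seconds) so the timeline can be replayed offline.

```python
from dataclasses import dataclass, field
from typing import Optional

CHALLENGE_TTL = 72 * 3600     # a challenge stays "pending" this long
MAX_UNANSWERED = 2            # after this many unanswered challenges, stop mailing the address
BLACKOUT = 30 * 24 * 3600     # assumed blackout length; the thread does not specify one


@dataclass
class AddressState:
    pending_since: Optional[int] = None   # when the outstanding challenge was sent, if any
    unanswered: int = 0                   # consecutive challenges that expired unanswered
    blackout_until: int = 0


@dataclass
class ChallengeThrottle:
    state: dict = field(default_factory=dict)   # lower-cased address -> AddressState
    sent: list = field(default_factory=list)    # (address, time) of every challenge actually sent

    def _st(self, addr):
        return self.state.setdefault(addr.lower(), AddressState())

    def on_incoming(self, addr, now):
        """Called for each quarantined message from addr; decides whether a challenge goes out."""
        st = self._st(addr)
        if now < st.blackout_until:
            return "blackout"              # drop silently; nothing is mailed to addr
        if st.pending_since is not None:
            if now - st.pending_since < CHALLENGE_TTL:
                return "pending"           # one outstanding challenge per address; no re-send
            # the outstanding challenge expired without an answer
            st.pending_since = None
            st.unanswered += 1
            if st.unanswered >= MAX_UNANSWERED:
                st.blackout_until = now + BLACKOUT
                return "blackout"
        st.pending_since = now
        self.sent.append((addr.lower(), now))
        return "challenge-sent"

    def on_reply(self, addr, now):
        """A valid answer to the outstanding challenge clears the address's strike count."""
        st = self._st(addr)
        if st.pending_since is None or now - st.pending_since >= CHALLENGE_TTL:
            return "nothing-pending"
        st.pending_since = None
        st.unanswered = 0
        return "accepted"


def challenges_sent(throttle, addr, arrivals):
    """Replay a list of arrival times for one address; return how many challenges went out.
    An unthrottled responder would send len(arrivals)."""
    before = len(throttle.sent)
    for t in arrivals:
        throttle.on_incoming(addr, t)
    return len(throttle.sent) - before
```

The point of the replay is the difference between one challenge and fifty: a joe-job that forges one victim's address on a burst of spam costs the victim a single unsolicited message instead of one per spam, and once two challenges in a row go unanswered the address hears nothing further for the blackout period. Someone who does answer gets their strike count reset, so a slow reader who eventually replies is not penalised for the earlier silence.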
I've never seen a C/R that was anything but plain ascii.
The thing that makes them "non-machine readable" is the diversity of
text and password formats, making it very hard to write a program that
can pick the passwords out of the rest of the text for any but a single user,
and then only for the present.
There isn't a format for passwords, such as there is for email addresses,
which would allow a regular expression to be written to identify them.
The kind you are talking about, which I have seen on webforms, requires the
user to type the password in, rather than cut and paste, which I would avoid
if at all possible.
AC
> What would be abusive about using C/R to protect the signup to a mailing
> list and how would that differ from confirmed opt-in?
Signing into a mailing list puts the listee onto a stream of ongoing
traffic.
It's the difference between "please confirm that you want to receive mail
from us" and "please confirm you want to send mail to me"
I have; the impression I got from the system promotion in the challenge was
that images were what made C/R work. I will concede that is a wrong
impression, but that was the only kind of C/R I had met, until your
religious ranting.
Because potential list participants are generally told on the web page that
contains the sign-up form that they WILL get an e-mail (i.e. the challenge) that
they must reply to in order to complete their acceptance into the list. A C/R
deployment for a private mailbox that is sendable from anywhere often carries no
such warning.
> >> C/R however is inherently abusive.
> >
> > What would be abusive about using C/R to protect the signup to a
> > mailing list and how would that differ from confirmed opt-in?
>
> It is impossible to programmatically determine if the from header is
> forged or valid;
It is only impossible if you limit yourself to local knowledge.
> ergo, *all* C/R systems *will* be used to send
> unsolicited email to innocent third parties, just as open (non-confirmed)
> mailing lists have been used in the past.
If a spammer forges your address as the sender you could receive
responses from C/R systems as well as confirmation requests from opt-in
lists, replies from auto responders and MTAs reporting "Invalid
recipient". We don't try to eliminate all mailing lists. And we don't
call all of these responses abuse. Though it would be nice if automatic
responses to forged sender addresses could be filtered out.
> Confirmed opt-in (when properly implemented) will not send a second
> confirmation request to any address until at least the first one has
> expired (requiring a second subscription request). What's more, if the
> recipient does not reply, a blackout period may be implemented to
> prevent further subscription attempts.
Those are good points. And I would like to expand on them to lay out the
best practices for setting up any C/R system (or any auto responder) to
limit damage and allow the unsolicited responses to be filtered.
> Those are good points. And I would like to expand on them to lay out the
> best practices for setting up any C/R system (or any auto responder) to
> limit damage and allow the unsolicited responses to be filtered.
I have a very simple rule: If I get a challenge response to my email, the
addressee goes into my MTA's "deny" list.
I use two basic strategies to keep the number of pointless C/Rs down:
1) Send any mails that are not from pass-listed sources and are not addressed
specifically to me to /dev/null
(my address is alone on the To: line)
2) If a given return-address fails twice to return a C/R, then send any
future mails from that given return-address to /dev/null
These are automated and I don't even know they've taken place unless I
deliberately search my logs.
AC
> Nothing to worry about. It's just the yearly anti-challenge-response
If you repeat a lie often enough, people will start believing it...
--
** Remove Lamie_ and _Loser to e-mail me **
When Darth Mc Bride talks, everybody laughs.
Jamie "Lamie" Baillie wins the Assclown award:
http://etaoin.sosdg.org/Jamie
Isn't a lie at all.
Everyone with a vested interest in keeping the spam flowing hates mail
programs that use C/Rs because they can't beat them.
2+2=4
At least it does in my world.
AC
For some people, that would have a lot of false positives.
>
> 2) If a given return-address fails twice to return a C/R, then send any
> future mails from that given return-address to /dev/null
So, if a spammer forges my address as the sender of spam and I respond to
the challenge to let the spam through (even though I didn't send the
spam), I get blacklisted for spamming when you see the spam but if I
*fail* to respond to the challenges, I get permanently blacklisted for
spamming anyway.
It sounds like a lose-lose situation for any forgery victim.
Especially if you get two spams with the forgery-victim's address before
he/she even gets to see the challenges and send a denial.
If your C/R system became popular, joe-jobbers would have a field day.
That makes no sense at all.
I don't get any spam and I don't lose any mail I want to receive. That's
a fact.
The fact that facts don't seem to mean anything to you just about tells
the whole story, doesn't it?
The rest of this post deleted unseen.
I am only interested in intelligent and honest discourse.
AC
> Dan Oetting <dan_o...@qwest.net> wrote in news:dan_oetting-
> 20E7D4.020...@news.uswest.net:
>
> > Those are good points. And I would like to expand on them to lay out the
> > best practices for setting up any C/R system (or any auto responder) to
> > limit damage and allow the unsolicited responses to be filtered.
>
> I have a very simple rule: If I get a challenge response to my email, the
> addressee goes into my MTA's "deny" list.
That takes care of the solicited responses :)
But the unsolicited responses when spammers forge our addresses are
more damaging. Here is my first cut at the rules for any form of auto
responder:
- Be easily identifiable as an auto response to aid filtering and
preventing loops
- Copy identifying information from the original message so the
recipients can automatically determine that a response message is a
valid reply.
- Copy tracing information from the original message to prevent the auto
responders from being used as an anonymizing attack relay.
- Remove the original message content so spammers won't look for auto
responders to relay spam.
PS: I don't think I like C/R either. It might just be a gag response to
the personalities pushing C/R in this newsgroup. But I also see C/R as
further breaking what used to be a great tool for communications.
The purpose of a mail filter is to keep un-desirable mail out of your mailbox.
One of the benefits of using C/Rs is that they force neurotic, hate-filled,
whining, and dishonest people to blocklist themselves, saving you the trouble.
I am not joking. If my mail filter keeps people like this out of my mailbox,
then it is working very well indeed.
AC
I am not "pushing" C/Rs. Please take a look at the threads before you run
your mouth.
C/Rs are being attacked by a bunch of pro-spam people, and I am trying to
keep them from spreading disinformation about them.
Pro-spam people hate mail systems that use C/Rs because they can't beat them.
It is as simple as that.
I don't care whether you use C/Rs or not. But people should have accurate
information on ANY subject, wouldn't you agree?
I don't even like to call them C/Rs. RAV (Request-for-Address-Validation)
is a much more accurate label. They are really just the Internet equivalent
of caller-ID on your telephone.
I don't want to talk to someone who is hiding their telephone number and
I don't want to listen to a recording.
RAVs eliminate both of these equivalents from my mailbox, which is more
than caller-ID does for my phone.
I have no problem with any of your suggestions for auto-responses above.
There should be some standardization.
They should also be short and to the point but contain all the information
that people need to deal with them, however they choose.
RAVs that go to addresses that spammers have forged are mainly the fault
of poor content-filters before the RAV part of the program.
AC
I am thin and sexy.
I am thin and sexy.
I am thin and sexy.
I am thin and sexy.
I am thin and sexy.
I am thin and sexy.
I am thin and sexy.
I am thin and sexy.
I am thin and sexy.
Anybody now available Friday night??? :)
DO> But the unsolicited responses when spammers forge our addresses are
DO> more damaging. Here is my first cut at the rules for any form of auto
DO> responder:
DO>
DO> - Be easily identifiable as an auto response to aid filtering and
DO> preventing loops
DO>
I have DAEMON in the from headers, Precedence: junk, the word
"Autoresponder" in a header, and an X-loop: header.
DO> - Copy identifying information from the original message so the
DO> recipients can automatically determine that a response message is a
DO> valid reply.
DO>
DO> - Copy tracing information from the original message to prevent the auto
DO> responders from being used as an anonymizing attack relay.
DO>
DO> - Remove the original message content so spammers won't look for auto
DO> responders to relay spam.
DO>
I respond with most of the headers and 10 lines of the message as text.
Alan
( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this a very
old message, a "tuna" will swim right through. )
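Dan Oetting's four rules for any auto responder (be identifiable as automatic, copy identifying information, copy tracing information, drop the original content) and Alan's header list above (DAEMON in From, Precedence: junk, an Autoresponder header, X-Loop), put together into one responder, as an added example. This is not either poster's code. It assumes a hypothetical responder address rav-daemon@example.invalid, uses the standard Auto-Submitted header alongside the headers named in the thread, and the trigger message is a constructed sample. The same check that marks our own output as automatic is applied to incoming mail, so the responder never answers bounces, list traffic, other responders, or its own challenge coming back.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

OUR_ADDRESS = "rav-daemon@example.invalid"   # hypothetical responder address

# Constructed sample trigger message (not a real capture).
SAMPLE_TRIGGER = """\
Return-Path: <someone@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.invalid; Thu, 11 Dec 2003 10:00:00 +0000
Received: from [192.0.2.77] by mail.example.net; Thu, 11 Dec 2003 09:59:58 +0000
From: Someone <someone@example.net>
To: me@example.invalid
Subject: Whatever
Message-ID: <abc123@example.net>

original body that must not be echoed
"""


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def is_auto_generated(msg):
    """Rule 1 applied on the way in: never answer mail that is itself automatic."""
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return True                                   # another responder, or us
    if msg.get("Precedence", "").lower() in ("bulk", "junk", "list"):
        return True                                   # list traffic / bulk mail
    if OUR_ADDRESS.lower() in msg.get("X-Loop", "").lower():
        return True                                   # our own challenge looped back
    if msg.get("Return-Path", "").strip() == "<>":
        return True                                   # null sender: a bounce
    return False


def build_autoresponse(original, challenge_text):
    """Returns the challenge message, or None when no response may be sent."""
    if is_auto_generated(original):
        return None
    reply = EmailMessage()
    reply["From"] = f"DAEMON <{OUR_ADDRESS}>"
    reply["To"] = str(original["From"])
    reply["Subject"] = "Re: " + str(original["Subject"] or "(no subject)")
    reply["Date"] = formatdate(usegmt=True)
    reply["Message-ID"] = make_msgid(domain="example.invalid")
    # Rule 1: identifiable as an auto response, so filters and other responders can skip it.
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "junk"
    reply["X-Autoresponder"] = "challenge"
    reply["X-Loop"] = OUR_ADDRESS
    # Rule 2: identifying information, so the recipient can match this to a message
    # that actually carried their address (or see that none did).
    if original["Message-ID"]:
        reply["In-Reply-To"] = str(original["Message-ID"])
        reply["References"] = str(original["Message-ID"])
    # Rule 3: tracing information, so the responder cannot launder where the trigger came from.
    trace = "\n".join(str(h) for h in original.get_all("Received", []))
    # Rule 4: none of the original body is echoed, so triggering us relays nothing.
    reply.set_content(
        f"{challenge_text}\n\n"
        f"Received headers of the message that triggered this response:\n{trace}\n")
    return reply
```

When this is actually handed to an MTA, send it with an empty envelope sender (MAIL FROM:<>) so that an undeliverable challenge is discarded instead of bouncing back to the responder; the Return-Path check above is the receiving half of that same convention.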
It doesn't, dumbass. They block *you*. Usually after replying and
'passlisting' themselves, thus letting the spam through. Nothing stops
them from sending to you, especially when, duh, they just got
'passlisted'. (What the fuck is 'passlisted', anyway?) Of course, you
can then manually reblock everyone who's done that, but that makes your
system seem rather stupid, doesn't it?
Which, BTW, everyone should do to C/R as a matter of principle, they
should respond to all bogus requests sent their way, letting the spam
through. And then report the sender as a spammer.
Alan, of course, is going to call me pro-spam, but *according to him*,
people hardly ever receive C/R requests if they didn't send the mail
anyway. The fact he doesn't like my suggestion *proves* he knows that
large amounts of C/R is misdirected.
Anyway, let the misdirected C/R flow!
--
Remove the hostname part directly after the @ to respond.
>
> Especially if you get two spams with the forgery-victim's address
> before he/she even gets to see the challenges and send a denial.
Where the hell are you supposed to issue these 'denials', anyway? Sure,
you can do it here, but end users, who are presumably who Alan's aiming
at, don't read here.
I love the fact that Alan seems to think you can and should do
something about joe-jobs. There is absolutely nothing you can do, and
getting 'notified' (like you already didn't know) is not a bonus.
Hardly know what to say. You obviously don't know anything about how "my"
system works.
If he mails me and has used his real return address, then the RAV/C-R
is sent and he is given a ONE-TIME password.
He is not passlisted. And the RAV/C-R has to come back from the same
address and the body must not be altered except for ordinary quoting.
If it is, it and the mail will be dumped. The RAV itself warns about
this
The mail he sent would have been truncated to 50 lines or less and put
in quarantine. If he returned the RAV/C-R, then I would have his actual
email address for starters. If the email address doesn't match the password
the mail is deleted unseen. Wouldn't even know it came in the first place.
You presume to denigrate a program that features pass-listing, yet admit
in your post that you don't even know what it is.
Funny.
> Which, BTW, everyone should do to C/R as a matter of principle, they
> should respond to all bogus requests sent their way, letting the spam
> through. And then report the sender as a spammer.
Knock yourself out.
>
> Alan, of course, is going to call me pro-spam, but *according to him*,
> people hardly ever receive C/R requests if they didn't send the mail
> anyway. The fact he doesn't like my suggestion *proves* he knows that
> large amounts of C/R is misdirected.
>
I won't call you a spammer. You are much too ignorant of how mail and
related programs work. You couldn't possibly be a spammer .
AC
> Anybody now available Friday night??? :)
Please state your sex:
[ ] Yes
[ ] No
> On 17 Dec 2003 22:21:12 GMT, David Cheatham <da...@tg.creeknet.com>
> wrote:
> >
> >
> > Alan Connor wrote:
> >
> >> On Tue, 16 Dec 2003 18:42:23 GMT, Morely Dotes
> >> <secu...@loopback.localhost> wrote:
> >> >
> >> >
> >> > Dan Oetting <dan_o...@qwest.net> wrote in news:dan_oetting-
> >> > 20E7D4.020...@news.uswest.net:
> >> >
> >> >> Those are good points. And I would like to expand on them to lay
> >> >> out the best practices for setting up any C/R system (or any auto
> >> >> responder) to limit damage and allow the unsolicited responses to
> >> >> be filtered.
> >> >
> >> > I have a very simple rule: If I get a challenge response to my
> >> > email, the addressee goes into my MTA's "deny" list.
> >> >
> >>
> >>
> >> The purpose of a mail filter is to keep un-desirable mail out of
> >> your mailbox.
> >>
> >>
> >> One of the benefits of using C/Rs is that they force neurotic,
> >> hate-filled, whining, and dishonest people to blocklist themselves,
> >> saving you the trouble.
> >>
> >>
> >> I am not joking. If my mail filter keeps people like this out of my
> >> mailbox, then it is working very well indeed.
> >
> > It doesn't, dumbass. They block you. Usually after replying and
> > 'passlisting' themselves, thus letting the spam through. Nothing
> > stops them from sending to you, especially when, duh, they just got
> > 'passlisted'. (What the fuck is 'passlisted', anyway?) Of course,
> > you can then manually reblock everyone who's done that, but that
> > makes your system seem rather stupid, doesn't it?
> >
>
> Hardly know what to say. You obviously don't know anything about how
> "my" system works.
Yes, because I am a complete and utter idiot who can't understand
emailing people passwords if they aren't on your whitelist, which they
then use to get placed on said list. No, I couldn't understand that at
all.
> If he mails me and has used his real return address, then the RAV/C-R
> is sent and he is given a ONE-TIME password.
Well, no. You see, he already *has* the one-time password, because,
with what I suggested, he just responded to one of your misdirected C/R
messages that was sent to him. (I love the one emphasis on 'one-time'
BTW. You're so clever to think of that! No one's ever thought to email
one-time passwords to people that the person then return to confirm
possession of the email address!)
Missing the fact they're already in possession of the password without
emailing you, BTW, is another symptom of the fairly large reading
comprehension problem you apparently possess.
See, you just up and emailed them the password *out of the blue*,
because someone forged their address. They don't need to contact you to
get it, someone *else* already contacted you while forging their
address.
And you already *have* their address from, duh, when you sent them the
password. Duh. Kinda hard to send email to people you don't have the
address of.
> He is not passlisted. And the RAV/C-R has to come back from the same
> address and the body must not be altered except for ordinary quoting.
> If it is, it and the mail will be dumped. The RAV itself warns about
> this
>
> The mail he sent would have been truncated to 50 lines or less and put
>
> in quarantine. If he returned the RAV/C-R, then I would have his
> actual
>
> email address for starters.
Oh no! Not his actual email address! You'll have the actual email
address of someone you don't want mail from! Nooooo!
I could sit on usenet all day and collect those if I wanted, but I,
personally, don't find that even vaguely useful.
> If the email address doesn't match the
> password
>
> the mail is deleted unseen. Wouldn't even know it came in the first
> place.
Um, yes. *You* wouldn't know it came in, we all realize that.
I have no idea why you think repeating how your system works over and
over is in any way useful. We understand the damn system. Compared to
some antispam system, it's amazingly simple. My postfix config dealing
with access restrictions composes twice as much space as the rest of
the file put together, and it uses a dozen or so external files. And
that's not even getting into the SpamAssassin weirdness I have going.
It is you who don't understand the fundamental objection that it sends
mail to people who have not contacted you.
> You presume to denigrate a program that features pass-listing, yet
> admit
>
> in your post that you don't even know what it is.
>
> Funny.
No, I, unlike you, am aware that 'passlist' is not a word, and that the
word you are looking for is 'whitelist'. Passlist is some crazyass word
that some mail clients use to mean 'whitelist'. In fact, I'd never even
heard of the damn word until I googled. Looks like Eudora uses it, and I
hate Eudora. Actually, it appears to be mainly related to *colleges*.
Here's a fun link:
http://www.google.com/search?q=passlist+%28mail+or+email%29+-%22alan+connor%22
Less than three hundred people (beside you, who gives about 20 hits)
have used the term 'passlist' before when talking about email, give or
take people who don't use the term 'email' or 'mail' when discussing
email. If you take out Eudora, the number drops by 50, and most of them
appear to be using the word 'passlist' in some other way.
And google groups has *no* relevant hits, no instances of *anyone*
*ever* using 'passlist' in that way, besides people replying to you.
Your using it indicates you know nothing about email in general. It's
like people who run around calling every sound card a 'Sound Blaster'
or gaffer tape 'duct tape'. It's all well and good, but not if they're
proposing a new PC design or painting the set in a theatre.
Meanwhile, I have almost finished building my 'soundermaker' which will
take electrical impulses and translates them to sound using
electromagnets. In the future, you will be able to hook these to record
players and reproduce sound at higher fidelidism than you can currently
get off those new fangled cee-pee players.
People who invent terminology, or use the wrong term, to mean something
that already has a name usually have no idea what they are doing, and
no idea of what's going on in that field. 'Passlist' is just huge red
flag that you learned how procmail worked and thought you had a great
idea, and when you went to tell the world, got shot down in *flames*.
A *normal* person, in the real world, would be embarrassed when he
presented his super-cool three winged airplane design in front of a
bunch of aerospace engineers who laughed at him, but you went into kook
mode instead.
> > Which, BTW, everyone should do to C/R as a matter of principle, they
> > should respond to all bogus requests sent their way, letting the
> > spam through. And then report the sender as a spammer.
>
> Knock yourself out.
Hey,look, everyone, he has no problems with people reporting his
messages as spam.
> > Alan, of course, is going to call me pro-spam, but *according to
> > him*, people hardly ever receive C/R requests if they didn't send
> > the mail anyway. The fact he doesn't like my suggestion proves he
> > knows that large amounts of C/R is misdirected.
> >
>
> I won't call you a spammer. You are much too ignorant of how mail and
> related programs work. You couldn't possibly be a spammer.
Well, if that's not the pot calling the lightbulb black. I know a hell
of a lot more about email than you do, and what's more, I'm backed up by
others on this group who know a hell of a lot more than *I* do.
Tell me, Mr. Intelligence, what's another way to move email between
MTAs besides SMTP? (No one else answer this.) There are quite a few
valid answers to that, let's see if you get *one*. See, I don't think
you know *anything* about email.
And you're the person sending email to people who don't want it, and
I'm the spammer. Riiiight.
And can *you* please learn how *usenet* works and stop double spacing?
Jesus that's annoying. It completely breaks word wrap in quotes in my
client, and, no, that's not a problem with my client.
And why the hell do you crosspost everything to comp.mail.sendmail? How
are they even vaguely related to this? Even you can't be crazy enough
to actually use sendmail, so what gives?
I can do that one better...read all about Alan Connor and bigfoot:
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
David Cheatham wrote:
> Alan, of course, is going to call me pro-spam, but *according to him*,
> people hardly ever receive C/R requests if they didn't send the mail
> anyway. The fact he doesn't like my suggestion *proves* he knows that
> large amounts of C/R is misdirected.
Of the hundreds of thousands of email messages I have received, I can't
remember a single misdirected challenge. Maybe there have been some, but
obviously not many enough for me to recall them. How large amounts are other
people receiving?
Thor
>
>
> David Cheatham wrote:
>
> > Alan, of course, is going to call me pro-spam, but *according to
> > him*, people hardly ever receive C/R requests if they didn't send
> > the mail anyway. The fact he doesn't like my suggestion proves he
> > knows that large amounts of C/R is misdirected.
>
> Of the hundreds of thousands of email messages I have received, I
> can't remember a single misdirected challenge. Maybe there have been
> some, but obviously not many enough for me to recall them. How large
> amounts are other people receiving?
Have you ever received misdirected bounces from spam runs?
If not, you're not going to get any misdirected C/R messages. No one's
forging your address.
And part of the reason the ratio people are seeing is so low is that
no one is *using* C/R. It probably protects less than .0001% of all
email addresses at the moment, and thus misdirected challenges are not
in any way a *current problem*, being far outweighed by misdirected
bounces.
But bouncing mail after accepting it is considered *wrong*, and being
phased out, whereas people promoting C/R are trying to get *more*
people to use it. And people *will* use it, and will discover that it
apparently works at first...
Until servers start melting due to all the hidden traffic, and spammers
simply start answering C/R messages, and sending fake C/R messages in
hopes that people can't keep track of all the messages they've sent, or
start list harvesting in pairs, and hope that of two email addresses
that were harvested from the same page, one of them will either already
have the other whitelisted or will at least know them, so will
mistakenly do it. Etc, etc.
And at which point we've broken email, and it's completely impossible
for anyone to get *any* messages without using C/R on their account,
*because* they receive a ton of C/R messages, fake and otherwise,
whereas it's just *mostly* impossible if they don't have C/R, and thus
we can't undo the corner we painted ourself into.
And in addition to accidental misdirected bounces, there are even quite
a few ways for spammers to *abuse* everyone's C/R system on *purpose*.
For example, you hate a guy? Joe-job his email address to everyone,
just like now. But now, instead of having to cope with tons of bounces
and the occasional person sticking his email address in a 'banned'
list, he now gets a lot of C/R...and if he *doesn't* confirm the faked
message, he *will be automatically blocked from getting any C/R
requested in the future, and thus can never email those people*.
This feature of 'do not send repeated confirmations to people' helps
out with joe-jobs, but all it really does is stop someone who's been
joe-jobbed from interacting with the system at all in the future, which
is helpful in that he won't receive future misdirected C/R requests,
but, then again, he won't receive *legit* ones either. In fact, his
email to everyone he's not already on the whitelist of, and uses C/R,
will just *disappear*.
Likewise, I've heard people talk about sending the first few lines of
the message in the C/R, so people don't accidentally confirm messages
they didn't send. Well, that right there is the *textbook* definition of
an 'open relay'. And, yes, even just sending the *subject* will be used
for spam...spammers right now send SMS messages, which are 160 chars.
That's a bit long for a subject line, but it's not illegal, and on the
internet they can send URLs.
Two or three. Not only did I not write to them, but I don't even know
who they are.
I suspect that they are fellow readers of a mailing list, that puts
the poster's address in the "From" field although the list is posted
from a different server.
--
Steve M - uns...@houston.rrwax.com (remove wax for reply)
Chaos. I can relate to that. My life is chaos most of the time. I
am in tune with the universe. It feels like home. -- Robert Fulghum
You are saying that people on a mailing list with you have C/R programs
that don't passlist mail from the list BEFORE it reaches the C/R part?
That's just stupid. I am on a half-dozen mailing lists and mail from
them is sent to its own mailbox before it even reaches the content-
filter part of the program, and neither of the From* headers are used
to passlist that mail.
AC
> On Thu, 18 Dec 2003 07:42:00 +0200, Thor Kottelin <th...@anta.net>
> wrote:
>
> >
> >
> > David Cheatham wrote:
> >
> > > Alan, of course, is going to call me pro-spam, but *according to
> > > him*, people hardly ever receive C/R requests if they didn't send
> > > the mail anyway. The fact he doesn't like my suggestion proves he
> > > knows that large amounts of C/R is misdirected.
> >
> > Of the hundreds of thousands of email messages I have received, I
> > can't remember a single misdirected challenge. Maybe there have
> > been some, but obviously not many enough for me to recall them. How
> > large amounts are other people receiving?
>
> Two or three. Not only did I not write to them, but I don't even know
> who they are.
>
> I suspect that they are fellow readers of a mailing list, that puts
> the poster's address in the "From" field although the list is posted
> from a different server.
Well, yes, C/R can do that too, but that's just a *broken* C/R that's
working off the headers instead of the message envelope.
Criticizing that would be like complaining about a flat tire on a new
car, at a dealer where none of the cars had engines. The temporary
issue of the flat tire is not incredibly important.
It *does* show how much thought has been put into the average C/R,
though. A lot of them are jury-rigged pieces of junk, not because of
what they are, but because people who actually know things about mail
*don't* write them (because they're a really bad idea), and someone
steps in to fill the void.
There's some sort of law there: All possible software eventually gets
written. If there are no experts to write it, it will just be written
by non-experts.
You can see the same thing with spam software. 90% of that looks like
it's written by someone who saw a SMTP transaction, once, and mostly
understood it.
And, again, that's not a valid complaint about C/R in and of itself, the
fact that the software that does it tends to be second rate. But you
have to ask yourself: Where are the professionals? Where are the large
open source projects dedicated to it? It's nowhere near the complexity
of a mail server, and yet that's where all the mail experts choose to
work. Why?
You ought to try my program. It is just a textmode front end to procmail
comprised of a handful of scripts.
But it works very well indeed, being independent of the rest of the mail
program. Doesn't interfere with anything. Just filters incoming mail.
The next version doesn't even need fetchmail, but retrieves mail from
the server itself.
http://tinyurl.com/l55a but wait for a while if you want to test it.
(even if for no other reason than to tear it to shreds :-)
It suits ME just fine. No UM and anyone I care to hear from can reach me
without any problem.
AC
> Norman L. DeForest wrote:
>
> >
> > Especially if you get two spams with the forgery-victim's address
> > before he/she even gets to see the challenges and send a denial.
>
> Where the hell are you supposed to issue these 'denials', anyway? Sure,
> you can do it here, but end users, who are presumable who Alan's aiming
> at, don't read here.
Alan Connor did write:
: > 2) If a given return-address fails twice to return a C/R, then send any
: > future mails from that given return-address to /dev/null
If a spammer only sent one spam to a C/R user such as Alan with someone
else's address forged as the sender, the forgery victim *could* send a
denial to the C/R user and then respond to the challenge for the denial
message. However, if the forgery victim didn't get the challenges until
after the spammer had already hit the challenging address several times,
he/she would end up blacklisted for something he/she didn't do.
> I love the fact that Alan seems to think you can and should do
> something about joe-jobs. There is absolutely nothing you can do, and
> getting 'notified' (like you already didn't know) is not a bonus.
As far as I am concerned, he is free to use whatever system he wants as
long as he doesn't send bogus challenges to me. However, he seems to
think that any mention of any of the real problems with C/R systems
(or any other of his filtering rules) is a conspiracy by spammers to
undermine C/R and everything else he uses as an [alleged] anti-spam
tactic.
I think his tinfoil hat is on too tight.
> Of the hundreds of thousands of email messages I have received, I can't
> remember a single misdirected challenge. Maybe there have been some, but
> obviously not many enough for me to recall them. How large amounts are other
> people receiving?
I have not received a lot of challenge messages. Of the challenge
messages that I have received, almost every one of them has been
bogus.
-wayne
> On 18 Dec 2003 07:38:33 GMT, David Cheatham <da...@tg.creeknet.com>
> wrote:
> >
> >
> > Steven M (remove wax to reply) wrote:
> >
> >> On Thu, 18 Dec 2003 07:42:00 +0200, Thor Kottelin <th...@anta.net>
> >> wrote:
> >>
> >> >
> >> >
> >> > David Cheatham wrote:
> >> >
> >> >> Alan, of course, is going to call me pro-spam, but *according to
> >> >> him*, people hardly ever receive C/R requests if they didn't send
> >> >> the mail anyway. The fact he doesn't like my suggestion proves he
> >> >> knows that large amounts of C/R is misdirected.
> >> >
> >> > Of the hundreds of thousands of email messages I have received, I
> >> > can't remember a single misdirected challenge. Maybe there have
> >> > been some, but obviously not many enough for me to recall them.
> >> > How large amounts are other people receiving?
> >>
> >> Two or three. Not only did I not write to them, but I don't even
> >> know who they are.
> >>
> >> I suspect that they are fellow readers of a mailing list, that puts
> >> the poster's address in the "From" field although the list is
> >> posted from a different server.
> >
> > Well, yes, C/R can do that too, but that's just a broken C/R that's
> > working off the headers instead of the message envelope.
> >
> > Criticizing that would be like complaining about a flat tire on a new
> > car, at a dealer where none of the cars had engines. The temporary
> > issue of the flat tire is not incredibly important.
> >
> > It does show how much thought has been put into the average C/R,
> > though. A lot of them are jury-rigged pieces of junk, not because of
> > what they are, but because people who actually know things about
> > mail *don't* write them (because they're a really bad idea), and
> > someone steps in to fill the void.
> >
> >
> > There's some sort of law there: All possible software eventually
> > gets written. If there are no experts to write it, it will just be
> > written by non-experts.
> >
> > You can see the same thing with spam software. 90% of that looks
> > like it's written by someone who saw a SMTP transaction, once, and
> > mostly understood it.
> >
> >
> > And, again, that's not a valid complaint about C/R in and of itself,
> > the fact that the software that does it tends to be second rate.
> > But you have to ask yourself: Where are the professionals? Where
> > are the large open source projects dedicated to it? It's nowhere
> > near the complexity of a mail server, and yet that's where all the
> > mail experts choose to work. Why?
> >
> > --
> > Remove the hostname part directly after the @ to respond.
>
> You ought to try my program. It is just a textmode front end to
> procmail comprised of a handful of scripts.
Yes, I've seen it. And, BTW, that's the craziest packaging method in
history. As I a) don't use procmail, and b) don't want to send email
messages to random people, I have chosen not to set it up.
Although I will agree that it's better thought out than some systems,
that's like talking about how the dirt in the front yard is tastier
than the dirt in the back yard.
> But it works very well indeed, being independent of the rest of the
> mail program. Doesn't interfere with anything. Just filters incoming
> mail.
...by sending messages to anyone that claims to be the sender.
> The next version doesn't even need fetchmail, but retrieves mail from
> the server itself.
That's featuritis. While I don't really care about your program, you
should reconsider. fetchmail is completely functional for this.
> http://tinyurl.com/l55a but wait for a while if you want to test it.
>
> (even if for no other reason than to tear it to shreds :-)
>
> It suits ME just fine. No UM and anyone I care to hear from can reach
> me without any problem.
And you went back to double spacing at the end of the message. And it
started off so nice, too.
> On Thu, 18 Dec 2003 06:33:34 GMT, Steven M (remove wax to reply)
> <uns...@houston.rrwax.com> wrote:
> >
> >
> > On Thu, 18 Dec 2003 07:42:00 +0200, Thor Kottelin <th...@anta.net>
> > wrote:
> >
> > >
> > >
> > > David Cheatham wrote:
> > >
> > > > Alan, of course, is going to call me pro-spam, but *according to
> > > > him*, people hardly ever receive C/R requests if they didn't send
> > > > the mail anyway. The fact he doesn't like my suggestion proves he
> > > > knows that large amounts of C/R is misdirected.
> > >
> > > Of the hundreds of thousands of email messages I have received, I
> > > can't remember a single misdirected challenge. Maybe there have
> > > been some, but obviously not many enough for me to recall them.
> > > How large amounts are other people receiving?
> >
> > Two or three. Not only did I not write to them, but I don't even
> > know who they are.
> >
> > I suspect that they are fellow readers of a mailing list, that puts
> > the poster's address in the "From" field although the list is posted
> > from a different server.
> >
> >
> >
>
> You are saying that people on a mailing list with you have C/R
> programs that don't passlist mail from the list BEFORE it reaches the
> C/R part?
>
> That's just stupid. I am on a half-dozen mailing lists and mail from
> them is sent to its own mailbox before it even reaches the content-
> filter part of the program, and neither of the From* headers are used
> to passlist that mail.
Mail only has one From header. The other is the envelope.
And I hope you don't *ever* use the first From to send email to. That's
just Wrong. Bounces go to the address in the envelope, and a C/R
message is a form of bounce.
>
> On 17 Dec 2003, David Cheatham wrote:
>
> > Norman L. DeForest wrote:
> >
> > >
> > > Especially if you get two spams with the forgery-victim's address
> > > before he/she even gets to see the challenges and send a denial.
> >
> > Where the hell are you supposed to issue these 'denials', anyway?
> > Sure, you can do it here, but end users, who are presumable who
> > Alan's aiming at, don't read here.
>
> Alan Connor did write:
>
> : > 2) If a given return-address fails twice to return a C/R, then
> : > send any future mails from that given return-address to
> : > /dev/null
>
> If a spammer only sent one spam to a C/R user such as Alan with
> someone else's address forged as the sender, the forgery victim could
> send a denial to the C/R user and then respond to the challenge for
> the denial message. However, if the forgery victim didn't get the
> challenges until after the spammer had already hit the challenging
> address several times, he/she would end up blacklisted for something
> he/she didn't do.
Which is a great attack in the future 'utopia' that has everyone with a
C/R. Say you're in, I dunno, the business of writing the CSS 5 specs,
and you have a fight with someone else in the same business, and you
are a petty asshat. So, you go out and collect all the email addresses
of everyone in said business.
Then you grab a handy-dandy spam message, presumably by searching
Usenet archives (Which are now owned by Time Warner-Microsoft-GE since
they purchased Google...wait, wrong dystopia, sorry.) and forge your
enemy's address.
This message makes it through dozens of people's C/R system, as the
user has already been whitelisted. Some idiots block the guy, others
realize he was forged and everything's fine with them, except they just
got a spam when spamming was supposed to be impossible, but that's not
that important.
Meanwhile, dozens of people *don't* get the message, because they've
never spoken to the guy before. They instead send a C/R message back to
the guy. And, because this is a magical utopia where everything works
exactly right, he *doesn't* get flooded with bounces, his C/R system
blocks them, recognizes they're misdirected C/R messages, and deletes
them. (Remember, perfect world here. All C/R systems magically know
what other C/R messages look like.)
So, everything's fine. A few people had spam get through their C/R, but
everything's fine, right?
Except the very next day your enemy sends a reply by email to a usenet
post in the CSS group and it never makes it there, getting silently
deleted. He tries to reply to someone on the CSS list off-list and it
doesn't make it there, either. He gets around to emailing that guy with
that novel CSS idea who he was going to work with, and that message is
also silently deleted. Luckily, he's used to C/R systems, and begins
wondering why none of his messages seem to be challenged any more...
And you just sit back and laugh as he tries to figure out what the hell
is going on. The little 'don't send repeated challenges to people',
which attempts to limit abuse, just backfired in a rather spectacular
way.
Hell, you don't even have to make it *spam*, and probably shouldn't.
You just send a rather bland message from the guy. It will make it
through whitelists and no one will be the wiser, unless someone replies
to it (I can always set replies to go to some wacky place, and the
replier probably won't catch it.). And where it's not whitelisted it
will bounce off C/R systems back to his system, which will magically
recognize it as nothing to do with his system and delete it. With the
same result and no outrage from idiots that he's suddenly started
'spamming', which could clue him in that something was going on.
And someone's going to point out that you can do the same thing by
forging spam from people, but the point is that with C/R systems, your
enemy gets blocked *automatically* without anyone at either end knowing
it, whereas only idiots, right now, block email address they receive
spam 'from', unless it's really obvious that's actually a spammer.
C/R Systems Do Not Work, even if they were magically perfect and
everyone used them. This is just one way they don't work.
> > I love the fact that Alan seems to think you can and should do
> > something about joe-jobs. There is absolutely nothing you can do,
> > and getting 'notified' (like you already didn't know) is not a
> > bonus.
>
> As far as I am concerned, he is free to use whatever system he wants
> as long as he doesn't send bogus challenges to me. However, he seems
> to think that any mention of any of the real problems with C/R systems
> (or any other of his filtering rules) is a conspiracy by spammers to
> undermine C/R and everything else he uses as an [alleged] anti-spam
> tactic.
Right. And it's possible to write a C/R system that *doesn't* send
messages to random people, you just do it during the SMTP transaction
and reject the message. Although no one reads the message explaining
why mail was rejected, so it doesn't work in practice, but I still have
no objection to it.
> I think his tinfoil hat is on too tight.
Yup. Everyone hated his idea so he went into full kook mode and decided
everyone hanging out in news.admin.net-abuse.email is a spammer...and,
you know, it doesn't mention 'fight' or 'anti' anything in the group
name. Maybe this is the newsgroup for *promoting* net-abuse through
email, and it's supposed to be filled with spammers!
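The scenario David describes above, and the "fails twice, then /dev/null" rule Norman quotes earlier in the thread, can be run as a simulation. The code below is an added example and not anything posted by a participant or shipped with any C/R program; the mailbox class, the address names and the two-strike threshold are hypothetical stand-ins for the rule as quoted. It forges a bland message from the victim to a set of C/R users, lets the misdirected challenges expire unanswered (the victim's own filter discarded them), and then shows what happens to the victim's next real mail.

```python
from collections import defaultdict


class CRMailbox:
    """Toy model of one challenge/response-protected mailbox (hypothetical).

    Implements the rule quoted earlier in the thread: if a return address
    fails to answer two challenges, all further mail from it goes to
    /dev/null. Decisions key on the envelope sender, which is exactly the
    field the forger controls."""

    def __init__(self, owner, max_failures=2):
        self.owner = owner
        self.max_failures = max_failures
        self.whitelist = set()
        self.blacklist = set()
        self.failures = defaultdict(int)
        self.pending = {}           # token -> (envelope_from, body)
        self.challenges_sent = []   # (envelope_from, token), in order
        self.inbox = []

    def receive(self, envelope_from, body):
        """Deliver, silently discard, or hold the message and emit a challenge."""
        if envelope_from in self.whitelist:
            self.inbox.append((envelope_from, body))
            return "delivered"
        if envelope_from in self.blacklist:
            return "discarded"      # silent: no challenge, no bounce
        token = f"{self.owner}#{len(self.challenges_sent) + 1}"
        self.pending[token] = (envelope_from, body)
        self.challenges_sent.append((envelope_from, token))
        return "challenged"

    def challenge_answered(self, token):
        """The sender pasted the token back: release the mail and whitelist."""
        envelope_from, body = self.pending.pop(token)
        self.whitelist.add(envelope_from)
        self.inbox.append((envelope_from, body))

    def challenge_expired(self, token):
        """Nobody answered. Count a strike; blacklist at the threshold."""
        envelope_from, _ = self.pending.pop(token)
        self.failures[envelope_from] += 1
        if self.failures[envelope_from] >= self.max_failures:
            self.blacklist.add(envelope_from)


def simulate_joe_job(recipient_count=5, forged_messages=2):
    """Forge `forged_messages` bland mails from the victim to each of
    `recipient_count` C/R users, let every misdirected challenge expire
    unanswered, then have the victim send a real mail to all of them.
    Returns what happened to the real mail."""
    victim = "victim@example.net"          # hypothetical address
    recipients = [CRMailbox(f"user{i}@example.org") for i in range(recipient_count)]

    for _ in range(forged_messages):
        for box in recipients:
            box.receive(victim, "Hi, see you at the meeting.")   # forged envelope

    # The victim never sees the challenges, so each one times out.
    for box in recipients:
        for token in list(box.pending):
            box.challenge_expired(token)

    sent_before = sum(len(b.challenges_sent) for b in recipients)
    real_results = [box.receive(victim, "Real question about the CSS draft")
                    for box in recipients]
    sent_after = sum(len(b.challenges_sent) for b in recipients)

    # Control: a C/R user the attacker never targeted still challenges the victim.
    control = CRMailbox("control@example.org").receive(victim, "Real question")

    return {
        "control": control,
        "after_joe_job": real_results,
        "blacklisted_everywhere": all(victim in b.blacklist for b in recipients),
        "new_challenges_for_real_mail": sent_after - sent_before,
    }


if __name__ == "__main__":
    for n in (1, 2):
        print(f"{n} forged message(s):", simulate_joe_job(forged_messages=n))
```

With one forged message per recipient the victim is one strike short and the real mail is still challenged; with two, every recipient has already blacklisted the address, the real mail is discarded, and no challenge goes out, so neither side learns that anything was lost. That silence is the whole point of the scenario above.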
I have no way of calculating since the start:
!
! Those using Spamarrest and Mailblocks to challenge spam get filed for answer
!
"*@spamarrest.com" * * O D SPAM_CHALLENGES
"*@mailblocks.com" * * O D SPAM_CHALLENGES
"*aste...@sprynet.com*" * * O D SPAM_CHALLENGES
"*" * "Re: Action required for*" O D SPAM_CHALLENGES
Sure don't. Reply-To first and From: second.
Thanks.
AC
<snip>
>> procmail comprised of a handful of scripts.
>
> Yes, I've seen it. And, BTW, that's the craziest packaging method in
> history. As I don't a) use procmail, and b) don't want to send email
> messages to random people, I have chosen not to set it up.
>
Well. It doesn't send email messages to random people. So you either
didn't read it or don't have the education to understand the scripts.
Or you are lying.
A lot of people use elrav1 and like it a WHOLE bunch.
But pro-spam people certainly do not.
The packaging method IS strange, but it works. The new version will
be just a tarball and config scripts, like a normal package.
AC
<snip 59 lines of text that this bozo was too lazy to snip>
>
>Sure don't. Reply-To first and From: second.
Is your delete key b0rken?
--
Kevin S. Wilson
Tech Writer at a University Somewhere in Idaho
"Whose teenage nephew designed that pair of clown pants?"
--Giblet reviews http://freespeechstore.com in NANAE.
I've written a little program that no spammer can beat:
Only a pro-spam person would call me a "bozo".
I use ed as my Usenet pager/editor, Kevin.
It allows me to read posts one line at a time.
The rest of your charming article has been deleted unseen.
AC
>On Thu, 18 Dec 2003 14:23:44 -0700, Kevin S Wilson <res...@spro.net> wrote:
>>
>>
>> On Thu, 18 Dec 2003 20:59:06 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>>
>><snip 59 lines of text that this bozo was too lazy to snip>
>
>I've written a little program that no spammer can beat:
>
>http://tinyurl.com/l55a
Sure. Okay. Whatever. You might have better luck if you tell someone
who gives a red rat's ass.
>Only a pro-spam person would call me a "bozo".
GENIUS! What razor-sharp logic!
You're a bozo for full-quoting 60 lines of irrelevant text in your
1-line followup. When I point out that you are drenched in bozocitude,
suddenly I'm pro-spam. GENIUS!
Chuckles, I've done more to educate people about the evils of spam
then you could accomplish if you started yesterday and lived to be
100.
>I use ed as my Usenet pager/editor, Kevin.
>
>It allows me to read posts one line at a time.
Apparently, it also disables your delete key and causes you to switch
spastically from single-spacing to double-spacing.
>The rest of your charming article has been deleted unseen.
Suuuuuurrrrrre it was. I believe you. But because I'm your friend,
I'll show it to you again. Here is the rest of my post:
Well are you l33t?
I use Outlook Express but I can still quote properly.
Well, fool. I published it to the Usenet and the Archives, and then
you did both again, and I just did them again.
Thanks for your help.
The rest of this message deleted unseen.
AC
> Well, yes, C/R can do that too, but that's just a *broken* C/R that's
> working off the headers instead of the message envelope.
>
David, do you know how difficult it is to forge the envelope-from?
I'll give you a free clue: I can do it in telnet.
--
Want SPEWS-filtered and SBL-filtered email?
http://www.spamblocked.com/index.html
"Mammals are far more intellectually advanced than most people think.
A gopher gave me the finger once." - Cynthia of Syracuse
> See, you just up and emailed them the password *out of the blue*,
> because someone forged their address. They don't need to contact you to
> get it, someone *else* already contacted you while forging their
> address.
On this note: I just "confirmed" to spamarrest.com that the address some
virus is forging is really trying to send them email.
C/R systems are inherently abusive. Period.
And Alan Connor is a well-known kook and a Usenet spammer.
It's not the tool, it's the carpenter (flipside of 'it's a poor workman
blames his tools').
Our Alan obviously missed school the day of the "how to not be hated in
usenet" class.
> It doesn't send email messages to random people.
No, not random -- just people whose addresses have been forged into
Reply-tos or Froms.
Seems a bit rude to me. Since these messages are "substantially
identical", it seems like spam as well.
> "David Cheatham" <da...@tg.creeknet.com> wrote in news:brrlhn$6ka95$1@ID-88577.news.uni-berlin.de:
>
>> Well, yes, C/R can do that too, but that's just a *broken* C/R that's
>> working off the headers instead of the message envelope.
>>
>
> David, do you know how difficult it is to forge the envelope-from?
I'm not David, but I suspect that he is very much aware of how easy it
is to forge most things with email, including the envelope-from. He
is right that C/R systems *should* be sending to the envelope-from
instead of the From: header, but as he says in his next paragraph:
"Criticizing that would be like complaining about a flat tire on a
new car, at a dealer where none of the cars had engines. The
temporary issue of the flat tire is not incredibly important."
> I'll give you a free clue: I can do it in telnet.
You mean like this?
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&c2coff=1&selm=x4vfonxgp4.fsf%40footbone.midwestcs.com
> On Thu, 18 Dec 2003 20:59:06 GMT, Alan Connor <zzz...@xxx.yyy> wrote:
>
> <snip 59 lines of text that this bozo was too lazy to snip>
>>
>>Sure don't. Reply-To first and From: second.
>
> Is your delete key b0rken?
Maybe he wrote the code for the delete key after he wrote his C/R
abuseware.
> "David Cheatham" <da...@tg.creeknet.com> wrote in
> news:brrlhn$6ka95$1@ID-88577.news.uni-berlin.de:
>
> > Well, yes, C/R can do that too, but that's just a broken C/R that's
> > working off the headers instead of the message envelope.
> >
>
> David, do you know how difficult it is to forge the envelope-from?
>
> I'll give you a free clue: I can do it in telnet.
Oh, sure, I know how easy it is to *forge* it. I was talking about
mailing lists.
C/R should *never* send to the header From line, as someone was talking
about it apparently doing for a message with an envelope from the list
and a header from the original sender.
In other words, normal C/R is abusive, but mailing C/R to the From
address is a hell of a lot more than that, it's completely insane. It
completely breaks everything *in addition* to abusing random people.
Bounces do currently, have always, and will always go to the envelope.
> > And I hope you don't ever use the first From to send email to.
> > That's just Wrong. Bounces go to the address in the envelope, and a
> > C/R message is a form of bounce.
> >
> > --
> > Remove the hostname part directly after the @ to respond.
>
> Sure don't. Reply-To first and From: second.
Um, no. That's completely wrong. MAIL FROM *only*. You *never* send
notifications of failure to accept a message to Reply-To *or* From.
Hey, I just realized I can sign you up for some mailing lists! If you
send a C/R to the 'reply to this message to confirm' and use the reply
address, and leave the subject the same...you'll automagically confirm
any mailing list subscription! I guess I know when I get your C/R
tomorrow.
You guys remember what I said about him not knowing anything about
email because he used the term 'passlist' to mean 'whitelist'? Cancel
that, apply it to this instead.
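The header-versus-envelope point made in the last two posts (the mailing-list case Steve M hit, and the "reply to confirm" list-subscription trick) can be checked against actual messages. The code below is an added example, not code from the thread or from any of the programs mentioned in it; the three messages are constructed for this example and every address in them is hypothetical. It assumes the delivering MTA has written the SMTP envelope sender (MAIL FROM) into a Return-Path: header, which is the normal place to recover the envelope after delivery.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; addresses are hypothetical. Return-Path: is
# where the delivering MTA records the SMTP envelope sender (MAIL FROM), so
# it stands in for the envelope in these examples.
LIST_POST = """\
Return-Path: <css-discuss-bounces@lists.example.org>
From: "A. Poster" <poster@example.net>
To: css-discuss@lists.example.org
Subject: [css-discuss] collapsing floats

Why does this float collapse?
"""

LIST_CONFIRM = """\
Return-Path: <listserv-bounces@lists.example.org>
From: listserv@lists.example.org
Reply-To: confirm-8f3a2c@lists.example.org
To: victim@example.com
Subject: Confirm your subscription to css-discuss

Reply to this message, keeping the subject, to confirm.
"""

BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.org
To: victim@example.com
Subject: Undelivered Mail Returned to Sender

The message could not be delivered.
"""


def envelope_target(raw_message):
    """Where a challenge may go: the envelope sender, and only that.
    A null reverse-path (<>) marks a bounce, which must never be answered
    with a challenge, so the function returns None for it."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("Return-Path", ""))[1]
    return addr or None


def header_target(raw_message):
    """The rule stated in the thread (Reply-To: first, From: second),
    kept here only to show which address it picks."""
    msg = message_from_string(raw_message)
    for header in ("Reply-To", "From"):
        if msg.get(header):
            return parseaddr(msg[header])[1]
    return None


def compare(raw_message):
    """Both answers side by side for one message."""
    return {"envelope": envelope_target(raw_message),
            "header": header_target(raw_message)}


if __name__ == "__main__":
    for name, raw in (("list post", LIST_POST),
                      ("list confirmation", LIST_CONFIRM),
                      ("bounce", BOUNCE)):
        print(name, compare(raw))
```

For the list post the header rule challenges the innocent poster while the envelope rule challenges the list's bounce address, which is the case Steve M reported. For the confirmation request the header rule sends the challenge to the confirm-… address with the subject preserved, which is exactly the reply the list is waiting for, so the subscription goes through. For the bounce the envelope rule yields None and nothing is sent at all, while the header rule would challenge MAILER-DAEMON.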
> On 18 Dec 2003 15:38:11 GMT, David Cheatham <da...@tg.creeknet.com>
> wrote:
> >
> >
> > Alan Connor wrote:
> >> You ought to try my program. It is just a textmode front end to
>
> <snip>
>
> >> procmail comprised of a handful of scripts.
> >
> > Yes, I've seen it. And, BTW, that's the craziest packaging method in
> > history. As I don't a) use procmail, and b) don't want to send email
> > messages to random people, I have chosen not to set it up.
> >
>
> Well. It doesn't send email messages to random people. So you either
> didn't read it or don't have the education to understand the scripts.
>
> Or you are lying.
Alright, let's test this theory. Using my amazing forgery ability, I
will send a message from my email server, bounce it off yours, and get
the C/R to hit my brand new hotmail account,
alanconnor...@hotmail.com. (Heh, I did all this with a
different username, and sent it off, and flipped back to hotmail only
to discover said name was taken. Some poor sap actually *is* going to
get a forged message. That's what happens when you have 'test' in your
username, I guess.)
Using my amazing google abilities, I found your earthlink email
address, which I will not post. I'll assume that's what the C/R is
hooked up to.
$telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 creeknet.com ESMTP Postfix
HELO localhost
250 creeknet.com
MAIL FROM: <alanconnor...@hotmail.com>
250 Ok
RCPT TO: <MUN...@earthlink.net>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: "David Cheatham" <alanconnor...@hotmail.com>
To: "Alan Connor" <MUN...@earthlink.net>
Subject: C/R test message
This is a test of the 'send messages to forged system' C/R. If this had
been an actual forgery, some innocent person will have gotten the C/R.
.
250 Ok: queued as 840985182B4
QUIT
221 Bye
Connection closed by foreign host.
And you haven't sent me anything in 20 minutes, so I will assume said
system only works when you are online. I'll followup tomorrow.
And if it *doesn't* send a C/R, I'll be demanding to know why I didn't
get a C/R when I used my webmail interface on one computer to get a
legitimate C/R message at another account.
See, basically, you're screwed either way. So don't go around meddling
in your software to try to catch my message and discard it.
And tomorrow, *after* alanconnor...@hotmail.com checks his
email and discards the wacky-ass C/R message he knows nothing about,
because someone else sent it, he's going to head over to google groups,
read your titillating messages, and send you an email. And that email
is going to fall off the face of the earth.
Are you wondering what's happened to comp.mail.misc?
-----------------------------------------------------
Nothing to worry about. It's just the yearly anti-challenge-response
disinformation campaign put on by that segment of the pro-spam crowd
that lack anything resembling integrity. What they DO have, however,
are VERY big mouths.
Ever since it became obvious that pure content filters (spamassassin et al)
in isolation can't deal with the spam problem, the obvious solution has been
to add a pass list to one's mail program BEFORE the content filter, assuring
that mail from known contacts gets through.
Then, after obvious spam has been sent to the bit bucket by a relatively simple
content filter, mail that may or may not be spam (a small percentage of the
total received in a given batch) trigger challenge-responses.
These are small notes, sent automatically to the return address on the
suspect mail while it is held in quarantine. The note asks the recipient
to paste a password found in the body onto the subject line and send it back.
If it is returned, then it and the quarantined mail show up in the user's
inbox.
If it isn't, then the address was phoney, or no one reads the mail there.
Each C-R has the subject of the original message Re: Whatever, and a footnote
informing the person that if they received the C-R from an address that they
did not send mail to, then it is being used by a spammer and they should
immediately notify their sysadmin or abuse at their ISP.
Thus C-Rs also serve the important purpose of notifying people that their
address is being forged by spammers or other criminals, which can cause
BIG problems if it isn't dealt with in a timely fashion.
The above rarely occurs, fortunately.
The pass-list/content-filter/challenge-response strategy is not perfect, but
it is the best one around, by far.
To learn more about them just google "challenge-response" and be aware that
the same anti-C/R propagandists that you see here also have a number of
websites that are anything but objective. To say the least.....
Spammers and others with a vested interest in keeping the spam flowing into
your mailbox HATE these systems because they can't beat them.
Thus you have the current anti-C/R disinformation campaign, the latest in
a long line of repetitive and obnoxious attempts to keep people from using
them by telling lies about them disguised as intelligent discourse on
the subject.
Challenge-Response is not even a very accurate name for this useful tool.
RAV (Request-for-Address-Validation) is much more descriptive of its
actual function in a mail filtering program.
AC
> In <Xns9455684C137AFmo...@216.99.211.247> Morely Dotes
> <secu...@loopback.localhost> writes:
>
> > "David Cheatham" <da...@tg.creeknet.com> wrote in
> > news:brrlhn$6ka95$1@ID-88577.news.uni-berlin.de:
> >
> >> Well, yes, C/R can do that too, but that's just a broken C/R that's
> >> working off the headers instead of the message envelope.
> >>
> >
> > David, do you know how difficult it is to forge the envelope-from?
>
> I'm not David, but I suspect that he is very much aware of how easy it
> is to forge most things with email, including the envelope-from. He
> is right that C/R systems should be sending to the envelope-from
> instead of the From: header, but as he says in his next paragraph:
>
> "Criticizing that would be like complaining about a flat tire on a
> new car, at a dealer where none of the cars had engines. The
> temporary issue of the flat tire is not incredibly important."
Apparently I was wrong in discarding this as a criticism for C/R, because
Alan's amazing system does this *also*. He thinks he's clever because
it sends to Reply-To: first, and then From: if that doesn't exist.
Anyway, I think I've been making a mistake by restricting myself to
criticizing the ideal C/R system, because C/R systems are being coded
*shittily*, and we must accept that, and criticize the implementation
in addition to criticizing the concept.
Which, you know, is exactly what I said about these systems being
designed by people who do not understand email, because people who *do*
understand email know it won't work, and people who understand the
subset of email that is spam *really* know it won't work.
To make a wack analogy, C/R systems are basically the apparently great
idea, for people who don't know anything about fire: You can blow out a
candle, why don't we blow out other fires, like kitchen fires? People
who understand fires think that is a stupid idea. People who understand
wildfires think that is possibly the dumbest idea in the history of
firefighting, and get very upset when hucksters drive up and down the
mountains in California, selling huge fans, when a big brush fire
threatens yet again.
In fact, I kinda like that analog...C/R is basically blowing out fires.
It works in very small amounts, but it's not an incredibly great
concept for anything bigger than a candle, and in fact will just cause
the fire to spread.
> Alan Connor wrote:
>
> > On 18 Dec 2003 15:38:11 GMT, David Cheatham <da...@tg.creeknet.com>
> > wrote:
> > >
> > >
> > > Alan Connor wrote:
> > >> You ought to try my program. It is just a textmode front end to
> >
> > <snip>
> >
> > >> procmail comprised of a handful of scripts.
> > >
> > > Yes, I've seen it. And, BTW, that's the craziest packaging method
> > > in history. As I don't a) use procmail, and b) don't want to send
> > > email messages to random people, I have chosen not to set it up.
> > >
> >
> > Well. It doesn't send email messages to random people. So you either
> > didn't read it or don't have the education to understand the
> > scripts.
> >
> > Or you are lying.
>
> Alright, let's test this theory. Using my amazing forgery ability, I
> will send a message from my email server, bounce it off yours, and get
> the C/R to hit my brand new hotmail account,
> alanconnor...@hotmail.com. (Heh, I did all this with a
> different username, and sent it off, and flipped back to hotmail only
> to discover said name was taken. Some poor sap actually is going to
From Hotmail (I don't know how to get the headers):
**********************************************************************
From : <MUN...@earthlink.net>
Reply-To : MUN...@earthlink.net
Sent : Friday, December 19, 2003 2:30 AM
To : alanconnor...@hotmail.com
Subject : Re: C/R test message
---------------------------------------------
this is a computer-generated response
---------------------------------------------
Greetings....
Your address is unknown to this program.
Please take a moment to verify that it
is being used by a real human being
that wants to communicate with me, and
not some spammer's computer.
Just hit Reply, paste
i3H2a229201657K
anywhere on the Subject line, and send it off.
[ this is a one-time thing ]
Thanks for your patience,
Alan Connor.
P.S. If you did NOT mail me, then your address
is being forged by a spammer or some other
criminal. Notify your network administrator or
abuse at your ISP immediately.
----------------------------------------------
If this is not returned within 72 hours, the
mail that triggered it will be deleted, unseen,
by elrav1, the program that sent it to you.
----------------------------------------------
elrav1 -- http:/tinyurl.com/l55a
----------------------------------------------
**********************************************************************
Gee...it sure looks like you send them to random people. You don't even
send the person's IP, so I have no idea what utter bastard forged my
email address.
Oh, and speaking of that subject line, it's only fair to warn you that,
if I ever feel petty towards you, I'm going to find some mailing lists
and stick your email address in the subscribe box...and you will send
the message *right back* to them with the same subject, causing you to
subscribe to whatever list I chose.
And then you, because you are an idiot who challenges Reply-To, will
either start challenging every poster on the list, or will just
challenge the entire list once.
Of course, you won't ever see this, unless you challenge the entire
list and someone follows your rules and gets whitelisted, but it would
be funny nevertheless.
You know, with that subject line like that, it would be fairly easy to
send SMS spam through a mail relay, too.
And who should I send a forgery to next? Anyone want one? Anyone feel
free to send *me* one, be sure to unmunge my address before doing so.
You can get his address by googling for '"Alan Connor" passlist', and
please don't post here out of spite.
Just because the response itself isn't an abuse by itself, the item that
generated the auto-response may be. Follow the "origin of the claim."
> > Confirmed opt-in (when properly implemented) will not send a second
> > confirmation request to any address until at least the first one has
> > expired (requiring a second subscription request). What's more, if the
> > recipient does not reply, a blackout period may be implemented to
> > prevent further subscription attempts.
>
> Those are good points. And I would like to expand on them to lay out the
> best practices for setting up any C/R system (or any auto responder) to
> limit damage and allow the unsolicited responses to be filtered.
Confirmations to mailing list subscriptions only came about to handle abuse by
some of signing others up on a list without their permission.
Just remember that this was posted by someone whose signature line makes people
believe that SPEWS is an anti-spammer RBL. (It's not - SPEWS is actually a
spammer-friendly-ISP IP address space list that does include non-spammers' IP
addresses as well).
However, I agree: No matter how "friendly" a challenge may be worded, its
existence is almost as hostile and offensive as spam itself. It implies:
"Since I don't know you or don't trust you, I'm going to assume that you're a
spammer regardless of what you sent me unless you can prove that you're not."
There are also plenty of spam-fighters who also hate C/R systems.
I can. I (and quite a few other people) had a whole spate of them a couple of
months ago. And they were indeed the result of someone else sending messages
in my name to a challenge-response system. (It wasn't malicious, by all
appearances. The person sending the messages was running a broken
POP3-to-SMTP transport agent, MDaemon, that foolishly reinjected messages
after having replaced their envelopes with their headers.)
<URL:http://tmda.net./>
<URL:http://smarden.org./qconfirm/>
Some people may have friends who send to multiple recipients, and those friends
haven't been pass-listed yet. Those messages would get bit-bucketed under the
above procedure - yet are clearly not spam. What's not sensical about calling
those "false positives?"
It could be that some friend FORGOT to notify you of his change in e-mail
address, so his new address isn't in the pass-list.
Then again, common sense seems to be lacking here.....
> I don't get any spam and I don't lose any mail I want to receive. That's
> a fact.
>
> The fact that facts don't seem to mean anything to you just about tells
> the whole story, doesn't it?
If you don't sometimes scan (just to check for compliance) that which your
system filters out as "undesirable," then how can you verify your statement?
> The rest of this post deleted unseen.
> I am only interested in intelligent and honest discourse.
Yet you dare post to usenet? :-)
It can also turn away plenty of honest and/or confused people (including those
who have no idea of what a C/R system is - and think it's a spammer's attempt to
verify their e-mail address).
> I am not joking. If my mail filter keeps people like this out of my mailbox,
> then it is working very well indeed.
Given enough time, only AC will be able to e-mail AC; a perfect world for him.
If you were paying attention, your C/R system is also being attacked by
anti-spam people too....
> Pro-spam people hate mail systems that use C/Rs because they can't beat them.
>
> It is as simple as that.
Anti-spam people hate it because:
1) It burdens them by making them have to "jump through a hoop." (ANY action
beyond the simple dispatch of a legitimate e-mail is a burden.) Make the
SPAMMERS, who caused the problem, jump through hoops, not the honest people.
2) It increases the "noise floor" in the worldwide e-mail system.
3) It does not sufficiently protect against the future possibility of spammers
misusing the C/R system by sending fake challenges to people (especially those
who don't use C/R), getting them to verify their e-mail addresses to the
spammers when they respond.
> I don't care whether you use C/Rs or not. But people should have accurate
> information on ANY subject, wouldn't you agree?
...And that includes YOU too.
> I don't even like to call them C/Rs. RAV (Request-for-Address-Validation)
> is a much more accurate label. They are really just the Internet equivalent
> of caller-ID on your telephone.
No. Looking up the incoming IP address of the client to your SMTP server is the
equivalent of "caller ID" in telco systems. If I were to relay my phone call to
you via several private PBX's and such (an old 1980's phreaker's trick - assume
that it would still work today), what you would see is the number of the final
link that connects to you. So much for your "accurate information" request.
> I don't want to talk to someone who is hiding their telephone number and
> I don't want to listen to a recording.
Then UNPLUG your telephone. :-)
> RAVs eliminate both of these equivalents from my mailbox, which is more
> than caller-ID does for my phone.
Get your analogies straight before you make conclusions based on them.
> I have no problem with any of your suggestions for auto-responses above.
> There should be some standardization.
Before one standardizes, one needs a WORKING system that takes care of ALL
possibilities. You have been informed of some of the deficiencies in your
system, yet have failed to address them (or at least notify us of how you
planned to). Address the failures - or be one (a failure, that is).
> They should also be short and to the point but contain all the information
> that people need to deal with them, however they choose.
>
> RAVs that go to addresses that spammers have forged are mainly the fault
> of poor content-filters before the RAV part of the program.
Or that some spammer has managed to get himself pass-listed on your system.
Doesn't that also bypass your filters?
> "Autoresponder" in a header, and an X-loop: header.
>
> DO> - Copy identifying information from the original message so the
> DO> recipients can automatically determine that a response message is a
> DO> valid reply.
> DO>
> DO> - Copy tracing information from the original message to prevent the auto
> DO> responders from being used as an anonymizing attack relay.
> DO>
> DO> - Remove the original message content so spammers won't look for auto
> DO> responders to relay spam.
> DO>
>
> I respond with most of the headers and 10 lines of the message as text.
That would only require spammers to cram their messages into the first 10 lines,
and let the rest be the unimportant payload that they now use to try to fool
spam filters. You should probably not return any of the body of the original
message.
Or your recipient, who originated the message under "verification," trashes your
challenge as noise, a perceived spammer trick, etc., because he doesn't know
what it is.
> He is not passlisted. And the RAV/C-R has to come back from the same
> address and the body must not be altered except for ordinary quoting.
That will not account for mailbox forwarding and other USEFUL parts of the
overall mail system. Mail sending, at the mailbox level, can be just as
asymmetrical as some mail server configurations at ISPs (where different systems
handle inbound and outbound traffic). Do I even need to go into domain name
aliasing?
Also, I don't see where you have said to WHICH address you send, in the case
that the envelope sender differs from the "From:" header, and a "Reply-To:"
header is present as well, let alone other headers such as the "Resent-*:"
group. For some people, simply ignoring a reply-to address may result in your
challenge feeding their SPAM-TRAP.
I guess it's time that your abusive challenge also use DSN to verify that the
originating sender actually GETS your challenge? :-) As long as you're doing
that, why not ping every server along the way to make certain that none of them
crash and therefore lose your challenge..... 2x :-)
> If it is, it and the mail will be dumped. The RAV itself warns about
> this
>
> The mail he sent would have been truncated to 50 lines or less and put
> in quarantine. If he returned the RAV/C-R, then I would have his actual
> email address for starters. If the email address doesn't match the password
> the mail is deleted unseen. Wouldn't even know it came in the first place.
> You presume to denigrate a program that features pass-listing, yet admit
> in your post that you don't even know what it is.
Why is it necessary to truncate the mail under verification?
> > Which, BTW, everyone should do to C/R as a matter of principle, they
> > should respond to all bogus requests sent their way, letting the spam
> > through. And then report the sender as a spammer.
>
> Knock yourself out.
>
> > Alan, of course, is going to call me pro-spam, but *according to him*,
> > people hardly ever receive C/R requests if they didn't send the mail
> > anyway. The fact he doesn't like my suggestion *proves* he knows that
> > large amounts of C/R is misdirected.
>
> I won't call you a spammer. You are much too ignorant of how mail and
> related programs work. You couldn't possibly be a spammer.
In contrast, I never even received the one that I should have gotten from AC the
first time I sent him mail.
You get bogus ones.
I don't get legitimate ones.
100% failure in my book!
Not functionally true. See "Resent-From:", and the classification of the RHS of
"Reply-To:" and the deprecated but still used "Errors-To:" headers. Those are
all functionally identified as headers referencing the sender, and all indicate
alternative places where your challenge might want to go.
> And I hope you don't *ever* use the first From to send email to. That's
> just Wrong. Bounces go to the address in the envelope, and a C/R
> message is a form of bounce.
So, if a listserv rewrites the envelope sender to be the mailing list itself, as
replies should be directed to the list, your system will happily send the first
challenge it makes after you subscribe to the list (assuming it comes in before
you "passlist" the list address - for you can't necessarily passlist the ENTIRE
LIST for often, such lists don't reveal their entire contents except to its
admin) to EVERY MEMBER of the list?
If the server doesn't do such a rewrite but keeps the envelope sender as the ID
of the original message sender to the list, then do you then force all new list
members to meet your C/R system? It sounds as if you do, but why - haven't they
already validated themselves to the list via the list's own subscription
verification process (assume that it has one)?
If you exclude mailing lists (before you can manually add them to the "passlist"
function), then what is there that you can use that a spammer cannot fake?
...Or don't you even believe in legitimate mailing lists?
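As an added example (not code from the thread, nor from elrav1, TMDA or qconfirm), here is a small challenge-response policy that applies the points argued above: the challenge goes to the envelope sender rather than From:/Reply-To:, null-sender, auto-submitted and mailing-list traffic is never challenged, the challenge is marked as an auto-reply with a loop tag and returns none of the original body, and the token is bound to the address it was issued to, so a reply from a different address does not validate. The domains, SECRET and LOOP_TAG are constructed, and the Auto-Submitted header comes from RFC 3834, which postdates this thread.

```python
# Added example for this thread, not code from elrav1, TMDA or qconfirm. It applies
# the points argued above: challenge the envelope sender (not From:/Reply-To:), never
# answer null-sender, auto-submitted or list traffic, mark the challenge as an
# auto-reply with a loop tag, return none of the original body, and bind the token
# to the address it was issued for. Domains, SECRET and LOOP_TAG are constructed.
import hashlib
import hmac
import re
from email.message import EmailMessage

SECRET = b"constructed-demo-secret"  # a real site would use a random per-site key
LOOP_TAG = "cr.example.invalid"      # hypothetical tag carried in X-Loop
OUR_ADDR = "me@example.invalid"      # hypothetical protected mailbox
TOKEN_RE = re.compile(r"\b([0-9a-f]{16})\b")


def make_token(envelope_sender: str) -> str:
    """Truncated HMAC(secret, address): the token only verifies for that address."""
    mac = hmac.new(SECRET, envelope_sender.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def challenge_decision(envelope_sender: str, msg: EmailMessage, passlist: set):
    """Decide whether a challenge may be sent at all. Returns (bool, reason)."""
    sender = envelope_sender.strip().lower()
    if sender in ("", "<>"):
        return False, "null reverse-path (bounce/DSN): never auto-reply to it"
    if sender in passlist:
        return False, "passlisted"
    if LOOP_TAG in (msg.get("X-Loop") or ""):
        return False, "our own loop tag: this is our challenge coming back"
    if (msg.get("Auto-Submitted") or "no").lower() != "no":
        return False, "auto-submitted mail: answering it is how loops start"
    if (msg.get("Precedence") or "").lower() in ("bulk", "list", "junk"):
        return False, "bulk/list precedence: not a human correspondent"
    if msg.get("List-Id") or msg.get("List-Post"):
        return False, "mailing-list traffic: the envelope is the list's bounce address"
    return True, "unknown sender: challenge the envelope sender"


def build_challenge(envelope_sender: str, msg: EmailMessage) -> EmailMessage:
    """Like a bounce, the challenge goes to the envelope sender. It carries
    identifying info (In-Reply-To) but none of the original body, so the
    responder cannot be used to relay a spammer's text."""
    ch = EmailMessage()
    ch["From"] = OUR_ADDR
    ch["To"] = envelope_sender
    ch["Subject"] = "Re: " + (msg.get("Subject") or "(no subject)")
    ch["Auto-Submitted"] = "auto-replied"  # RFC 3834 marker, which postdates the thread
    ch["Precedence"] = "bulk"
    ch["X-Loop"] = LOOP_TAG
    if msg.get("Message-ID"):
        ch["In-Reply-To"] = str(msg["Message-ID"])
    ch.set_content("This is a computer-generated response. To have your mail delivered,\n"
                   f"reply with {make_token(envelope_sender)} on the Subject line.\n"
                   "If you did not mail me, your address was forged.\n")
    return ch


def verify_response(response_envelope_sender: str, subject: str) -> bool:
    """Accept only a token issued to the address the response actually comes from."""
    expected = make_token(response_envelope_sender)
    return any(hmac.compare_digest(m.group(1), expected) for m in TOKEN_RE.finditer(subject))


def _msg(headers: dict, body: str = "hello") -> EmailMessage:
    m = EmailMessage()
    for name, value in headers.items():
        m[name] = value
    m.set_content(body)
    return m


def demo() -> dict:
    """Constructed sample traffic covering the cases the thread argues about."""
    passlist = {"friend@example.com"}
    cases = {  # name: (envelope sender, message)
        "stranger": ("alice@example.org", _msg({"From": "Alice <alice@example.org>",
                     "Subject": "question", "Message-ID": "<1@example.org>"}, "see the invoice")),
        # From: forged as a passlisted friend but the envelope says otherwise: still challenge
        "forged_from": ("bob@example.net", _msg({"From": "friend@example.com", "Subject": "hi"})),
        "bounce": ("<>", _msg({"From": "MAILER-DAEMON@example.org", "Subject": "Undelivered"})),
        "list": ("list-bounces@lists.example.org", _msg({"From": "carol@example.org",
                 "List-Id": "<dev.lists.example.org>", "Subject": "patch"})),
        "loop": (OUR_ADDR, _msg({"From": OUR_ADDR, "X-Loop": LOOP_TAG, "Subject": "Re: x"})),
    }
    decisions = {k: challenge_decision(env, m, passlist)[0] for k, (env, m) in cases.items()}
    env, m = cases["stranger"]
    ch, token = build_challenge(env, m), make_token(env)
    return {
        "decisions": decisions,
        "challenge_to": str(ch["To"]),
        "challenge_auto": str(ch["Auto-Submitted"]),
        "body_leaks_original": "invoice" in ch.get_content(),
        "valid_return": verify_response(env, f"Re: question {token}"),
        "token_from_other_address": verify_response("mallory@example.org", f"Re: question {token}"),
        "no_token": verify_response(env, "Re: question"),
    }
```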
No. I didn't read one word of any of your posts. They are basically just
slightly modified versions of the same articles you posted here a few
months back and contain the same lies, exaggerations, and distortions.
Pro-spam people hate C-R/RAV mail programs because they can't spam people
that use them, or hire someone to do it for them, as is often the case.
Professional spam-fighters hate them because they render their services
obsolete.
Just thought you'd like to know that you have inspired me to work very
hard at the new release of my program and to make sure that I announce
it in my signature.
I'll be visiting every UNIX/Linux group that exists so that people can have
the opportunity to learn how to keep people like you out of their mailboxes.
How to eliminate spam and other un-desirable mail from their lives, once and
for all, no muss or fuss.
It's a simple program to install, configure, and use. Even a newbie can
handle it without any help beyond the manual/webpage.
The current version is here: http://tinyurl.com/l55a
But I strongly urge folks to wait for the next version, which will be
significantly improved in many ways, although the current release does
exactly what it says it will do.
Want Caller-ID for your computer's mailbox? This is as close as you can
get without installing some very complex software.
AC
This does indeed appear, through your sole efforts, to be turning into a
frequently asked question. However, the answer (your posting not actually
containing an answer to the question at all) remains the same:
A. No. It's still here with traffic flowing normally,
as far as I can tell.
I'm half expecting to hear "clankswerks" at this point.
AC> RAV (Request-for-Address-Validation) is a much more
AC> accurate label. They are really just the Internet
AC> equivalent of caller-ID on your telephone.
Wrong. Challenge-response sender authentication isn't actually an equivalent
to PSTN caller ID at all. Indeed, it is nothing like caller ID. The
"security" of caller ID (for most callers - see further on) relies upon the
trustworthiness of the intermediate third parties, the telephone companies.
One trusts the telephone companies to provide the correct caller ID (for those
callers that do not control it themselves). This is entirely different to the
situation with challenge-response electronic mail sender authentication, which
has no such third parties trusted to authenticate senders.
It's also worth noting that an analogy to caller ID presumes that caller ID
provides valid information in the first place. But, of course, as anyone
familiar with telephony will tell you, it doesn't. In the PSTN the caller, if
in possession of suitable equipment, can set caller ID (CNI) to whatever he/she
wants.
<URL:http://catless.ncl.ac.uk./Risks/22.46.html#subj12.1>
Challenge-response is simply "Halt! Who goes there?", of course, not "the
equivalent of caller ID" at all.
> Using my amazing google abilities, I found your earthlink email
> address, which I will not post.
Isn't that alanc...@earthlink.net ? I didn't look it up, it just seems
likely based on Connor's demonstrated total ignorance of how email works.
We aren't stupid, Mr. Connor. These fools have been around before, as you
note. C-R programs aren't my cup of tea, but they certainly have their
place in a world festering with desperate spammers and the people that
hire them.
rmh
DC> To make a wack analogy, C/R systems are basically the apparently great
DC> idea, for people who don't know anything about fire: You can blow out a
DC> candle, why don't we blow out other fires, like kitchen fires? People
DC> who understand fires think that is a stupid idea. People who understand
DC> wildfires think that is possibly the dumbest idea in the history of
DC> firefighting, and get very upset when hucksters drive up and down the
DC> mountains in California, selling huge fans, when a big brush fire
DC> threatens yet again.
DC>
On the face of it, a good analogy. But it falls down because you should
not be thinking huge fans, you should be thinking hurricanes.
--
Alan
( If replying by mail, please note that all "sardines" are canned.
There is also a password autoresponder but, unless this a very
old message, a "tuna" will swim right through. )
DS> > I respond with most of the headers and 10 lines of the message as text.
DS>
DS> That would only require spammers to cram their messages into the first
DS> 10 lines, and let the rest be the unimportant payload that they now
DS> use to try to fool spam filters. You should probably not return any
DS> of the body of the original message.
DS>
Or make the spam a few very long lines. Or put the payload in the
headers. And if they can be bothered to tailor-make their spam to use my
autoresponder, then I will have to react and change it. But I'm just one
little personal mail account.
I reckon the key to beating this stuff is heterogeneity. Once there are ten
billion subscribers at an ISP using the same defensive mechanism, we are
doomed. Or rather, they are. Individuals are not. The spammers' response
to Bayesian filtering is a case in point. All the emails started coming
with embedded html comments to beat the Bayesian filter. Thank you very
much Mr. Spammer, you made it easier to filter.
You want one? I can get Alan's system to send you one.
Yes, I am aware of TMDA. I was asking *him*. ;)
For some reason I've never heard anyone talk about TMDA's C/R messages.
Either TMDA have some vaguely useful system for not sending most
misdirected C/R messages, or just no one uses it, I do not know.
Errors-To would be the place to send errors, except there isn't such a
thing anymore. So no.
Bounces go to the envelope, period. No exceptions. Sending them
anywhere else can result in mail loops, bounces posted to mailing lists
instead of returning the result to the list software, all sorts of
random badness.
> > And I hope you don't ever use the first From to send email to.
> > That's just Wrong. Bounces go to the address in the envelope, and a
> > C/R message is a form of bounce.
>
> So, if a listserv rewrites the envelope sender to be the mailing list
> itself, as replies should be directed to the list, your system will
> happily send the first challenge it makes after you subscribe to the
> list (assuming it comes in before you "passlist" the list address -
> for you can't necessarily passlist the ENTIRE LIST for often, such
> lists don't reveal their entire contents except to its admin) to
> EVERY MEMBER of the list?
Well, no. You are very very confused. Mailing lists make the envelope
be *an address where they collect bounces*, not the mailing list
posting address. Replying to the envelope never goes out on the list.
If it did, every single bounce would go to the list.
In fact, this is one of the *reasons* that you bounce to the envelope.
If the envelope differs from the From, the *purpose* of that is to make
errors end up somewhere different than replies.
And C/R messages are functional equivalent to bounces.
> If the server doesn't do such a rewrite but keeps the envelope sender
> as the ID of the original message sender to the list, then do you
> then force all new list members to meet your C/R system? It sounds
> as if you do, but why - haven't they already validated themselves to
> the list via the list's own subscription verification process (assume
> that it has one)?
*All* mailing lists rewrite the sender.
Otherwise if any address on the list bounced, the bounces would go to
the poster, and the list would blithely keep sending every new post to
that address.
> If you exclude mailing lists (before you can manually add them to the
> "passlist" function), then what is there that you can use that a
> spammer cannot fake?
Um, for C/R? Nothing, that's the point.
> ...Or don't you even believe in legitimate mailing lists?
No, I don't believe in C/R.
> "David Cheatham" <da...@tg.creeknet.com> wrote in
> news:brtnee$7cmbt$2@ID-88577.news.uni-berlin.de:
>
> > Using my amazing google abilities, I found your earthlink email
> > address, which I will not post.
>
> Isn't that alanc...@earthlink.net ? I didn't look it up, it just
> seems likely based on Connor's demonstrated total ignorance of how
> email works.
Yes, it is. Anyone want to send me a C/R through it? Feel free,
remember to unmunge.
> On Fri, 19 Dec 2003, David Cheatham wrote:
>
> DC> To make a wack analogy, C/R systems are basically the apparently great
> DC> idea, for people who don't know anything about fire: You can blow out a
> DC> candle, why don't we blow out other fires, like kitchen fires? People
> DC> who understand fires think that is a stupid idea. People who understand
> DC> wildfires think that is possibly the dumbest idea in the history of
> DC> firefighting, and get very upset when hucksters drive up and down the
> DC> mountains in California, selling huge fans, when a big brush fire
> DC> threatens yet again.
> DC>
>
> On the face of it, a good analogy. But it falls down because you
> should not be thinking huge fans, you should be thinking hurricanes.
Except that hurricanes put out fires by *water*, not wind, so that
analogy makes no sense at all.
Oh, and that the hurricane will probably cause just as much property
damage. Hey, wait, that *is* a good analogy.
It may be officially deprecated, but that doesn't mean that it's gone. There
could be sites that still recognize it....
> Bounces go to the envelope, period. No exceptions. Sending them
> anywhere else can result in mail loops, bounces posted to mailing lists
> instead of returning the result to the list software, all sorts of
> random badness.
I don't see how this would avoid any mail loops. The sender could have been set
to anything. [Now, if you mean such things as DOUBLE BOUNCES, I may agree.]
> > > And I hope you don't ever use the first From to send email to.
> > > That's just Wrong. Bounces go to the address in the envelope, and a
> > > C/R message is a form of bounce.
> >
> > So, if a listserv rewrites the envelope sender to be the mailing list
> > itself, as replies should be directed to the list, your system will
> > happily send the first challenge it makes after you subscribe to the
> > list (assuming it comes in before you "passlist" the list address -
> > for you can't necessarily passlist the ENTIRE LIST for often, such
> > lists don't reveal their entire contents except to its admin) to
> > EVERY MEMBER of the list?
>
> Well, no. You are very very confused. Mailing lists make the envelope
> be *an address where they collect bounces*, not the mailing list
> posting address. Replying to the envelope never goes out on the list.
Some lists don't work that way. Some lists preserve the envelope sender to be
the list member that originated the mail. I note that some SMTP MTAs will
OVERRIDE the receipt of a message to a list where the envelope sender is "<>",
but that's at the receiving MTA, not the sending one as would be the case above.
> If it did, every single bounce would go to the list.
That has happened for some lists in some early list programs.
> In fact, this is one of the *reasons* that you bounce to the envelope.
> If the envelope differs from the From, the *purpose* of that is to make
> errors end up somewhere different than replies.
And the original purpose of the "Errors-To:" header was because some MTAs
couldn't figure that out.
> And C/R messages are functional equivalent to bounces.
Some feel that C/R messages are equivalent to SPAM.
> > If the server doesn't do such a rewrite but keeps the envelope sender
> > as the ID of the original message sender to the list, then do you
> > then force all new list members to meet your C/R system? It sounds
> > as if you do, but why - haven't they already validated themselves to
> > the list via the list's own subscription verification process (assume
> > that it has one)?
>
> *All* mailing lists rewrite the sender.
>
> Otherwise if any address on the list bounced, the bounces would go to
> the poster, and the list would blithely keep sending every new post to
> that address.
Which has been known to happen.
> > If you exclude mailing lists (before you can manually add them to the
> > "passlist" function), then what is there that you can use that a
> > spammer cannot fake?
>
> Um, for C/R? Nothing, that's the point.
Exactly. That's why in the long run, C/R systems will not work to solve the
spam problem - and should be DISMISSED.
> > ...Or don't you even believe in legitimate mailing lists?
>
> No, I don't believe in C/R.
Neither do I, but don't you see where one can cause problems for the other?