Famous Hacker Uses Challenge-Responses
Alan Connor
http://spamarrest.com/pressoffice/news/index.jsp
Famed hacker endorses Spam Arrest
Toronto Star - August 4, 2003
So what does [Kevin] Mitnick, former
hacker supremo, use to guard against
spam? "I use Spam Arrest," he told
The Guardian. "Any legitimate person
who wants to send me a message has to
jump through hoops before they can be
added to my opt-in list." Read
more...
(thanks to J. for mailing this to me)
AC
--
Pass-List -----> Block-List ----> Challenge-Response
The key to taking control of your mailbox. Design Parameters:
http://tinyurl.com/2t5kp || http://tinyurl.com/3c3ag
Challenge-Response links -- http://tinyurl.com/yrfjb
Peter Köhlmann
>
>
>
>
>
> http://spamarrest.com/pressoffice/news/index.jsp
>
>
>
> Famed hacker endorses Spam Arrest
> Toronto Star - August 4, 2003
> So what does [Kevin] Mitnick, former
> hacker supremo, use to guard against
> spam? "I use Spam Arrest," he told
> The Guardian. "Any legitimate person
> who wants to send me a message has to
> jump through hoops before they can be
> added to my opt-in list." Read
> more...
>
Well, he does not use Elrav, that infamous Joe-Job tool from netkook Alan
Connor
--
I say you need to visit Clues 'R' Us. They are having a special on
slightly used clues.
John Wingate
> http://spamarrest.com/pressoffice/news/index.jsp
Mitnick is not the only famous person using challenge-response. Dan
Bernstein does also. About a month ago I received a challenge for some
piece of spam using my address sent to him. Unlike elrav1, which (as
others have noted before) under the same circumstances would present me
with the dilemma of choosing between
a) responding, and thereby letting spam into Alan's system, and
b) not responding, and thereby locking myself out from ever
writing to Alan,
Dan's qsecretary discourages a response except for legitimate mail:
If you reply to this notice, you are (1) acknowledging that Professor
Bernstein does not want to receive bulk mail; (2) confirming that your
message is not part of a bulk mailing; and (3) agreeing to pay Professor
Bernstein $250 if your message is part of a bulk mailing.
Suggestions I have seen for resolving the elrav1 dilemma amount to
either choosing a) as a kind of sabotage, or choosing b) because
being unable to write to Alan would be no great loss. As the designer
of elrav1, Alan, what would you suggest?
--
John Wingate Mathematics is the art which teaches
joh...@worldpath.net one how not to make calculations.
--Oscar Chisini
Vernon Schryver
John Wingate <joh...@worldpath.net> wrote:
>Dan's qsecretary discourages a response except for legitimate mail:
>
> If you reply to this notice, you are (1) acknowledging that Professor
> Bernstein does not want to receive bulk mail; (2) confirming that your
> message is not part of a bulk mailing; and (3) agreeing to pay Professor
> Bernstein $250 if your message is part of a bulk mailing.
I'm not a lawyer, but I doubt that kooky contract would survive in court.
My response to papers from his lawyers after I followed my practice
of responding to all C/R challenges would be to have my laywers do two
things. The first would be to respond formally saying that none of
my mail is part of a bulk mailing that he did not ask for, but that
as far as I can know the message being challenged was one I sent to
some other address such as an IETF mailing list or have otherwise
forgotten. Some of the legitiate C/R challenges I've received have
involved addresses that I did not send to, but were where my messages
were eventually forwarded.
The second task I'd give my lawyers would be to sue Dan for libel,
slander, body odor, bad hair, and a general history of violations of
IETF standards and other vexatious nonsense in qmail, TAP, and so
forth. I'd also have my lawyers investigate an action under the
CAN-SPAM Act, since Dan's challenge would be an advertisement of his
system and my response would be the only way to opt-out of additional
advertisements. Whichever of us ran out of money to pay lawyers first
would sue for peace.
Vernon Schryver v...@rhyolite.com
Alan Connor
>
>
> Alan Connor <zzz...@xxx.yyy> wrote:
>> http://spamarrest.com/pressoffice/news/index.jsp
>
> Mitnick is not the only famous person using challenge-response. Dan
> Bernstein does also. About a month ago I received a challenge for some
> piece of spam using my address sent to him. Unlike elrav1, which (as
> others have noted before) under the same circumstances would present me
> with the dilemma of choosing between
>
> a) responding, and thereby letting spam into Alan's system, and
To my knowledge, this has never happenned with my program. The
challenge-response stage is preceded by a passlist AND a very effective
spam filter, the latter which sends 99.9%+ of the spam straight to /dev/null.
No C-Rs are sent in response to those mails.
The program also learns, and automatically blocklists addresses that fail
to return a C-R twice, for a configurable length of time, so the number
of C-Rs sent decreases with time.
Nor would I see any spam if you returned this improbable mis-directed
C-R you have hypothesized. Read on.
Here's what anyone can see if they go to my website, which you either
have not done, or are pretending that you have not done. A copy of
one of my C-Rs:
---------------------------------------------
this is a computer-generated response
---------------------------------------------
Greetings....
Your address is unknown to this program.
Please take a moment to verify that it
is being used by a real human being
that wants to communicate with me, and
not some spammer's computer.
Just hit Reply, paste
< password >
anywhere on the Subject line, and send it off.
[ this is a one-time thing ]
Thanks for your patience,
Alan Connor.
P.S. If you did NOT mail me, then your address
is being forged by a spammer or some other
criminal. Notify your network administrator or
abuse at your ISP immediately. I have the
original mail and will be happy to send it
to you.
My apologies. If you will send this back with a
string of big XXXXXXXX's in the body, I will
blocklist your address to make sure it doesn't
happen again. I have no way to tell whether
someone is using their real address other than
this...
----------------------------------------------
NOTE: If you sent anything but plain text with-
out attachments, the mail was deleted and you'll
have to re-send it. Sorry. Any mail over 20k
is deleted on the server, so keep it down.
If this is not returned within 72 hours, the
mail that triggered it will be deleted, unseen,
by elrav1, the program that sent it to you.
----------------------------------------------
elrav1 -- http://tinyurl.com/3c3ag
----------------------------------------------
As you can see, I take as much responsibility as I can for
any possible mis-directions caused by spammers.
The XXXXXXX is the body would alert my program and the spam
would not be retrieved from quarantine.
> b) not responding, and thereby locking myself out from ever
> writing to Alan,
>
No. The XXXXXXXX in the body would tell me that a mis-direction
had occurred and I would then contact you directly, ask you if
you wanted a copy of the spam for reporting purposes.
Then, if you thought you might want to contact me in the future,
I have a way of making that easy for people that I want to be
able to contact me.
> Dan's qsecretary discourages a response except for legitimate mail:
>
I prefer to see that mis-directed C-Rs are not sent by using a
traditional spam filter preceding the C-R stage of the program, and
to give people a choice in the un-likely event that someone ever
receives a mis-directed C-R from me.
> If you reply to this notice, you are (1) acknowledging that Professor
> Bernstein does not want to receive bulk mail; (2) confirming that your
> message is not part of a bulk mailing; and (3) agreeing to pay Professor
> Bernstein $250 if your message is part of a bulk mailing.
>
> Suggestions I have seen for resolving the elrav1 dilemma amount to
> either choosing a) as a kind of sabotage, or choosing b) because
> being unable to write to Alan would be no great loss. As the designer
> of elrav1, Alan, what would you suggest?
>
There is no elrav1 dilemma. You obviously don't know the program at
all.
Or are *pretending* that you don't.
> --
> John Wingate Mathematics is the art which teaches
> joh...@worldpath.net one how not to make calculations.
> --Oscar Chisini
See that address above? This person is either a malicious liar or
an incompetent boob that runs around mis-representing himself as someone
who is an expert in subjects he knows nothing about.
Feel free to join me in blocklisting him from your mailbox.
(The odds of that being his real name and normal mailbox are zip. Anyone
can get dozens of free, throwaway mailboxes on the web, and put together a
sig like that. However, and munge the headers in their newsposts. if you
mail him/her/it at that address, any response will have his/her/it's REAL
IP address in the headers.)
Take it to the whois website and see what's what.
Anyone who would like to check out elrav1, which is so effective at
fighting spam that it drives spammers to do things like engage in
disinformational propaganda campaigns on the Usenet, see the URLS in
my sig.
Scott Wertz
>
> P.S. If you did NOT mail me, then your address
> is being forged by a spammer or some other
> criminal. Notify your network administrator or
> abuse at your ISP immediately.
Who is expected to do WHAT, exactly?
Thanks in advance for generating more help desk calls and wasting my time.
axlq
Alan Connor <xx...@yyy.zzz> wrote:
<nothing of consequence>
Yawn. Another logical fallacy. Argumentum ad verecundiam. "Use this
because some famous person does."
-A
Allodoxaphobia
>
> http://spamarrest.com/pressoffice/news/index.jsp
>
> Famed hacker endorses Spam Arrest
> Toronto Star - August 4, 2003
> So what does [Kevin] Mitnick, former
'Twasn't a "famous hacker".
He was an infamous, convicted _cracker_.
Jonesy
John Wingate
> On Sat, 19 Jun 2004 16:57:00 -0000, John Wingate <joh...@worldpath.net> wrote:
> The program also learns, and automatically blocklists addresses that fail
> to return a C-R twice, for a configurable length of time, so the number
> of C-Rs sent decreases with time.
I forgot that you allow two chances.
> Here's what anyone can see if they go to my website, which you either
> have not done, or are pretending that you have not done. A copy of
> one of my C-Rs:
I have actually seen this before, and it is partly responsible for
my belief in the dilemma I presented.
> ---------------------------------------------
> this is a computer-generated response
> ---------------------------------------------
> ...
> My apologies. If you will send this back with a
> string of big XXXXXXXX's in the body, I will
> blocklist your address to make sure it doesn't
> happen again. I have no way to tell whether
> someone is using their real address other than
> this...
> ...
> ----------------------------------------------
> elrav1 -- http://tinyurl.com/3c3ag
> ----------------------------------------------
> As you can see, I take as much responsibility as I can for
> any possible mis-directions caused by spammers.
> The XXXXXXXX in the body would tell me that a mis-direction
> had occurred and I would then contact you directly, ask you if
> you wanted a copy of the spam for reporting purposes.
This is not what your automated challenge says in the part that I didn't
delete. Perhaps you should make that clearer. It seems to indicate
that responding with the string of Xs would get my address blocked, just
as not responding would.
Upon further thought, there is a way out of the dilemma, should it
arise; that is to send a legitimate message and respond to the
challenge to that, while ignoring the one generated by the spam.
>> Dan's qsecretary discourages a response except for legitimate mail:
> I prefer to see that mis-directed C-Rs are not sent by using a
> traditional spam filter preceding the C-R stage of the program, and
> to give people a choice in the un-likely event that someone ever
> receives a mis-directed C-R from me.
Bernstein also uses spam-filtering before sending challenges for whatever
gets through.
>> --
>> John Wingate Mathematics is the art which teaches
>> joh...@worldpath.net one how not to make calculations.
>> --Oscar Chisini
> See that address above? This person is either a malicious liar or
> an incompetent boob that runs around mis-representing himself as someone
> who is an expert in subjects he knows nothing about.
Or I am neither.
> (The odds of that being his real name and normal mailbox are zip.
That is my real name and my normal mailbox. I have never tried to hide
my name or address in over a decade of posting to Usenet. I am willing
to believe that "Alan Connor" is your real name. I am not willing to
believe that zzz...@xxx.yyy is your mailbox--it's clearly fake.
> Anyone
> can get dozens of free, throwaway mailboxes on the web, and put together a
> sig like that. However, and munge the headers in their newsposts.
True. What does that have to do with me?
> if you
> mail him/her/it at that address, any response will have his/her/it's REAL
> IP address in the headers.)
True again. That address will be 209.187.114.115 in an address block
worldpath.net has authority for. (There is no corresponding A record.)
(FYI, it's "his/her/its".)
> Take it to the whois website and see what's what.
At first this puzzled me. What does whois have to do with any of this?
But then the frothing at the mouth you entered into after quoting my
sig made me realize that you were probably put out because
supernews.com fails to include an NNTP-Posting-Host header field. My
ISP, worldpath.net contracts with supernews.com instead of providing
its own newsserver:
news.worldpath.net. 5D IN CNAME corp.supernews.com.
corp.supernews.com. 1M IN A 216.168.3.44
That's why the Message-ID indicates corp.supernews.com while my address
is at worldpath.net.
You are welcome to write me, and I will send you an acceptably short
plain text response (I too prefer plain text), and you can then examine
the Received fields in the header to your heart's content. I would
write you, and put up with the C-R, but I can't because you don't even
provide a munged but human-intelligible address in your posts.
Rev. Beergoggles
And a poor _cracker_ at that. I was wondering when
someone would point out the misuse of the term hacker.
--
rbg
Alan Connor
>
>
>
>
>
>
>
> http://spamarrest.com/pressoffice/news/index.jsp
>
>
>
> Famed hacker endorses Spam Arrest
> Toronto Star - August 4, 2003
> So what does [Kevin] Mitnick, former
> hacker supremo, use to guard against
> spam? "I use Spam Arrest," he told
> The Guardian. "Any legitimate person
> who wants to send me a message has to
> jump through hoops before they can be
> added to my opt-in list." Read
> more...
>
>
Kevin Mitnick is also one of the world's foremost
computer security experts, which is one of the
reasons he uses challenge-responses:
People that send viruses and worms and such around
the internet, deliberately or unwittingly, do
not use their real email address or would not know
what mail the challenge-response was referring to if
the did receive one as the result of their address
being forged or used by a malicious program they did
not even know they were running.
They certainly would not have a copy to re-send to
the person whose challenge-response they recieved.
Therefore, his program just dumps the virus/worms
and they are never opened or even saved in memory.
This is very good protection against email-born
malicious programs.
Russell Miller
Hash: SHA1
Alan Connor wrote:
> Therefore, his program just dumps the virus/worms
> and they are never opened or even saved in memory.
>
> This is very good protection against email-born
> malicious programs.
>
I use mimedefang and clamav. This also dumps infected messages before the
client sees them, without the need for C/R.
- --Russell
> AC
>
>
- --
Russell Miller - Le Mars, IA
President, Duskglow Consulting, LLC 712-546-5886 - rmi...@duskglow.com
http://www.duskglow.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA1RFwURTA4VCI9OARAtnAAJ9zWibRGinV/X3tT3g99Oqbro6otgCfatCZ
/1j7e1uiDLYQ1lwMu4tiVWc=
=OlAj
-----END PGP SIGNATURE-----
David F. Skoll
> So what does [Kevin] Mitnick, former
> hacker supremo, use to guard against
> spam? "I use Spam Arrest,"
Ah, yes. Endorsement of C/R by a convicted criminal. How nice.
--
David.
Morely 'I drank what?' Dotes
<s...@email-scan.com> wrote in
news:cone.1087707391....@grandpa.email-scan.com:
He'll have to wait his turn.
--
Solid Web hosting, responsive support, effective spam-blocking.
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
Brad Jesness, net K00k: http://www.wilhelp.com/bj_faq/
Jonathan de Boyne Pollard
VS> would survive in court.
Actually, because of the way that it works, it has a greater than zero
chance of standing up in court - a far larger one than the similar (but
not identical) "contracts" that some people put in their Usenet
signatures, for example.
VS> My response to papers from his lawyers after I followed my
VS> practice of responding to all C/R challenges [...]
<URL:http://catless.ncl.ac.uk./Risks/23.38.html#subj15>
VS> The second task I'd give my lawyers would be to sue Dan for [...]
VS> a general history of violations of IETF standards and other
VS> vexatious nonsense in qmail [...]
Actually, "qmail" is as good at following standards as most other mainstream
MTAs. If you want to look for mainstream MTAs that violate standards and
that contain vexations nonsense, there are _far_ better candidates than
"qmail" around. Using the badly designed features of Postfix and "exim"
that cause them to violate RFC 2821 is (alas!) growing ever more popular,
for example.
VS> Dan's challenge would be an advertisement of his system and
VS> my response would be the only way to opt-out of additional
VS> advertisements.
Actually, responding to a "qsecretary" challenge does not qualify as
opting out of receiving anything. You need to find out how "qsecretary"
works. In particular, you need to stop thinking that it works like
TMDA and start _actually reading_ the text of the challenge that was
posted, which clearly shows the somewhat different way that it does work.
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/djb-qsecretary.html>
Vernon Schryver
Jonathan de Boyne Pollard <J.deBoyn...@Tesco.NET> wrote:
>VS> My response to papers from his lawyers after I followed my
>VS> practice of responding to all C/R challenges [...]
>
><URL:http://catless.ncl.ac.uk./Risks/23.38.html#subj15>
Your summary there might fit other people's position, but it is
not close to mine.
As I've repeatedly said here, I have discovered from real challenges
that it is impractical for me to know whether a challenge is for one
of my mail messages. In theory, most challenges could be determined
to be bogus or not. In practice, many challenges require a lot of
checking of logs and some challenges simply cannot be (in)validated.
To ensure that my messages get through, I now answer all challenges.
That maximizes my benefits while minimizing my costs. Side effects
such as increased spam delivered to people who send bogus challenges
for mail I did not send do not matter to me, at least not immediately.
>VS> The second task I'd give my lawyers would be to sue Dan for [...]
>VS> a general history of violations of IETF standards and other
>VS> vexatious nonsense in qmail [...]
>
>Actually, "qmail" is as good at following standards as most other mainstream
>MTAs.
That nonsense has always been in the qmail liturgy chanted by members
of that church, but it is false in the real world.
> If you want to look for mainstream MTAs that violate standards and
>that contain vexations nonsense, there are _far_ better candidates than
>"qmail" around. Using the badly designed features of Postfix and "exim"
>that cause them to violate RFC 2821 is (alas!) growing ever more popular,
>for example.
I can't say that Postfix and exim are less bad for their users than
qmail, but they certainly do not cause me, a long time user of sendmail,
as much grief as qmail does. Based on many years of observations of
many efforts and statements from qmail's source, I tend to assume any
statements from that direction about any what it sees as competition
are grossly misleading.
>VS> Dan's challenge would be an advertisement of his system and
>VS> my response would be the only way to opt-out of additional
>VS> advertisements.
>
>Actually, responding to a "qsecretary" challenge does not qualify as
>opting out of receiving anything. You need to find out how "qsecretary"
>works. In particular, you need to stop thinking that it works like
>TMDA and start _actually reading_ the text of the challenge that was
>posted, which clearly shows the somewhat different way that it does work.
>
><URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/djb-qsecretary.html>
That may be true, but it requires that I spend my time and effort to
discover any differences between qsecretary and other C/R system merely
to benefit qsecretary users. Responding to most C/R challenges is an
"opt-out," so it is reasonable for me to assume the same of all C/R
challenges without paying more attention to whatever they are selling
than is required to discover how to respond.
Besides, if what you suggest above and in that web page is true,
that qsecretary is used only for mailing lists and that every
submission requires a confirmation dance, qsecretary seems unlikely
to become as popular as other sender authenticating mechanisms
including RMX. (sarcasm intended)
Vernon Schryver v...@rhyolite.com
Mark Crispin
> Actually, "qmail" is as good at following standards as most other mainstream
> MTAs.
Although this is not DJB's fault (since it's a third-party patch to qmail
and not part of DJB distributed qmail), the failure of the SMTP-SASL
support in qmail to follow standards has been an ongoing waste of my time.
I understand that that third-party patch was remedied, but most qmail
systems with that patch still run the old non-compliant version.
Although I understand perfectly well that it's not DJB's fault, the fact
is that what Vernon calls the "qmail liturgy chanted by members of that
church" tends to imply that there is no such thing as a standards problem
in any flavor of qmail ever concocted. This has made it *very* difficult
to convince ISPs with the broken SMTP-SASL support that they need to take
action.
The result is that, as far as this particular issue goes, it's like
dealing with Microsoft. Difficult to find an intelligent person who will
research your report instead of blowing you off, difficult to get a patch
developed, and extremely difficult to get people to update.
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
Alan Connor
Kevin Mitnick is one of the world's foremost
computer security experts, which is one of the
reasons he uses a mail filter that uses challenge-responses
The folks that send worms and viruses around
the internet via email, deliberately or unwittingly, do
not use their real email address or would not know
what mail the challenge-response was referring to if
the did receive one as the result of their address
being forged or used by a malicious program they did
not even know they were running.
And they certainly would not have a copy to re-send to
the person whose challenge-response they recieved.
Therefore, his program just dumps the virus/worms
and they are never opened or even saved in memory.
This is *very* good protection against malicious programs
sent by email.
<snip>
AC
Kamus of Kadizhar
> And they certainly would not have a copy to re-send to
> the person whose challenge-response they recieved.
> Therefore, his program just dumps the virus/worms
> and they are never opened or even saved in memory.
Hmmm.... And how is this different/better than amavis+f-secure ->
spamassasin -> ask ?
Amavis does a great job of unwrapping email attachments and handing them
over to a virus scanner.
Spamassasin - well, we all know what it does.
And anything that gets through gets checked by ask, which is a C-R system.
On top of that, run a system that's immune/not targeted by virus writers.
Works for me.
It's also in line with the *nix philosophy of simple, specialized tools
that each to a single task, and do it well, as opposed to the kitchen sink
approach of a single tool that tries to do everything. Remember the
Bass-a-matic?
Not sure what the intent of your original post was, unless
it was some justification for the flames you received in your latest foray
into the real world.
My S/N ratio for email is about 100:1 not including system log
notifications. For each message generated by a real person who wants to
communicate with me, I get about 100 spam messages, and about 30 virus
emails / day.
--Kamus
--
o |
o__ >[] | A roadie who doesn't ride a mountain bike has no soul.
,>/'_ /\ | But then a mountain biker who doesn't ride a road bike has no legs...
(_)\(_) \ \ | -Doug Taylor, alt.mountain-bike
Sam
> On 20 Jun 2004 15:00:38 GMT, Morely 'I drank what?' Dotes <morel...@spamblocked.com> wrote:
>
>
> Kevin Mitnick is one of the world's foremost
> computer security experts, which is one of the
> reasons he uses a mail filter that uses challenge-responses
And, despite all of that, he still thinks Beavis is an asshat.
Morely 'I drank what?' Dotes
<s...@email-scan.com> wrote in news:cone.1087769474.316863.3969.501
@grandpa.email-scan.com:
>> Kevin Mitnick is one of the world's foremost
>> computer security experts,
Right. And I'm one of the world's foremost computer engineers, for exactly
the same reason: I know how to break computers.
Sigh.
Etaoin Shrdlu
> Famed hacker endorses Spam Arrest
> Toronto Star - August 4, 2003
> So what does [Kevin] Mitnick, former
> hacker supremo, use to guard against
> spam? "I use Spam Arrest," he told
> The Guardian. "Any legitimate person
> who wants to send me a message has to
> jump through hoops before they can be
> added to my opt-in list." Read
> more...
Kevin Mitnick? That's no hacker.
Just a friggin' cracker.
I hope bubba had fun with him...
--
Here in Canada, we believe in the public good, as in "good for all the
public." We don't believe in private affluence and public squalor. We
like to balance those two things.
-- Heather Mallick, The Globe and Mail
My little NANAE hangout - http://www.spamreaper.org/etaoin
D. Stussy
> Famed hacker endorses Spam Arrest
> Toronto Star - August 4, 2003
>
> So what does [Kevin] Mitnick, former hacker supremo, use to guard against
> spam? "I use Spam Arrest," he told The Guardian. "Any legitimate person who
> wants to send me a message has to jump through hoops before they can be added
> to my opt-in list." Read more...
Well, that is the last nail in the coffin in proving that AC is a complete
idiot. He cites as his source a BUSTED hacker. If KDM were so "smart," then
he never would have been caught in the first place.....
KDM is the only person to ever be expelled from one of the amateur radio clubs
I belong to....
D. Stussy
> Actually, "qmail" is as good at following standards as most other mainstream
Then explain to me why this construct by "qmail" is NOT an RFC 2821 violation:
Mail comes into a qmail server via SMTP acting as a relay and is passed on to
the next host via SMTP. Qmail has "input" into THREE "Received:" headers as
follows:
Received: from qmail.server by some.other.system with SMTP ; some_valid_date
Received: (qmail id 12345 ...) ; some_valid_date
Received: from some.remote.system by qmail.server with SMTP ; some_valid_date
What is the purpose of the middle header? Trace headers such as "Received:"
are supposed to record the host-to-host using what protocol type information
that indicates the path travelled, yet this middle header is recording INTERNAL
information ONLY. Who cares about the INTERNAL workings of a mail server?
That's what the server's LOG FILES are for, not message fields. Regardless,
why isn't this information known so it can be a comment inserted into the first
header [of the three] added?
Furthermore, if a message comes into a host via SMTP, leaves that host via
SMTP, and nothing more than relaying is done (i.e. no local delivery,
forwarding, list expansion, or other such operations), then when did it leave
what RFC 2821 calls "the SMTP environment" in order for the middle "Received:"
header to not be bound by the stricter syntax of 2821 (requiring "from" and
"by" clauses) as opposed to the looser syntax of RFC 2822? It is NOT of RFC
2821 syntax.
Thirdly, since comments are supposed to augment information in its respective
header, not stand on their own, what is the purpose and validity of a
comment-stripped header that is effectively:
"Received: ; some_valid_date"
What is the timestamp by itself indicating that we cannot conclude from the
"Received:" headers preceeding and following. Although syntactically valid,
what is the SEMANTIC purpose of such a header entry? What information is it
conveying to us?
Unless your point is to say that practically all (or almost all) mail server
programs violate the RFC standards, which your second sentence makes me think
you did not mean, then please clarify.....
Seth Breidbart
Alan Connor <xx...@yyy.zzz> wrote:
>Kevin Mitnick is also one of the world's foremost
>computer security experts,
That makes two people who think so.
Using the noun loosely.
Seth
Mark Crispin
> Then explain to me why this construct by "qmail" is NOT an RFC 2821 violation:
You have brought this up come up multiple times, and this has been
explained to you multiple times. You are acting like the kook who posts
as "Alan Connor".
The qmail behavior in question is not a violation of RFC 2821. That
Received: header line was not generated by an RFC 2821 agent, and
consequent falls under the rules of RFC 2822 not RFC 2821.
It does not matter if there is a "purpose" for that header line. RFCs do
not require "purpose". The fact that you do not perceive a purpose does
not mean that nobody else perceives one.
It is certainly within a mailer's right to have an internal structure in
which mail exits a logical SMTP environment for internal processing and
then reenters it. RFCs dictate protocol. RFCs do not dictate the
internal workings of software.
Your bogus attacks on qmail injure the credibility of legitimate
criticism. What's worse, when you do so, you not only lower yourself to
the level of the kook who posts as "Alan Connor", but you pull down the
legitimate critics with you.
Please stop.
Yvan Loranger
> Upon further thought, there is a way out of the dilemma, should it
> arise; that is to send a legitimate message and respond to the
> challenge to that, while ignoring the one generated by the spam.
I don't like this, more work for me, more email traffic. Creative idea
though.
--
Merci........Yvan I did not want to repeat other people's mistakes.
So I made new mistakes of my own.
Boy did I invent some good ones!
D. Stussy
> On Mon, 21 Jun 2004, D. Stussy wrote:
> > Then explain to me why this construct by "qmail" is NOT an RFC 2821
> > violation:
> > [snip]
>
> You have brought this up come up multiple times, and this has been explained
> to you multiple times. You are acting like the kook who posts as "Alan
> Connor".
>
> The qmail behavior in question is not a violation of RFC 2821. That Received:
> header line was not generated by an RFC 2821 agent, and consequent falls under
> the rules of RFC 2822 not RFC 2821.
"... consequent falls ...?" What is "consequent"(apparently a noun?)???
I disagree - It is my position that RFC 2821 DOES govern as the message
remained in "the SMTP environment" while in transit as it was transferred in
and out by SMTP and not locally delivered or otherwise manipulated. That
mandates the stricter syntax.
Your prior responses asked "what SMTP environment?" Granted, RFC 2821 itself
doesn't directly define what that is, but only implies it. However, it is
clear that this environment includes the transfer in, transfer out, and any
relaying action inbetween that is not a "delivery" of the message.
> It does not matter if there is a "purpose" for that header line. RFCs do not
> require "purpose". The fact that you do not perceive a purpose does not mean
> that nobody else perceives one.
If there is no purpose, then why do it? The RFC text directly contradicts you
on this - as "Received:" is defined in a section called "trace headers."
Obviously, there is a purpose as described....
> It is certainly within a mailer's right to have an internal structure in which
> mail exits a logical SMTP environment for internal processing and then
> reenters it. RFCs dictate protocol. RFCs do not dictate the internal
> workings of software.
However, if that were true, then there are other headers that are supposed to
be added (e.g. "Return-Path:") when the message leaves the SMTP environment.
Such other headers, like those indicating a resubmission when it re-enters, are
not present. If that is in fact what qmail is doing, then it is doing it
wrongly.
> Your bogus attacks on qmail injure the credibility of legitimate criticism.
> What's worse, when you do so, you not only lower yourself to the level of the
> kook who posts as "Alan Connor", but you pull down the legitimate critics with
> you.
>
> Please stop.
Qmail is the only SMTP software that I have seen that makes that particular
departure. RFC-noncompliance aren't "bogus attacks."
Jonathan de Boyne Pollard
JdeBP> most other mainstream MTAs. If you want to look for
JdeBP> mainstream MTAs that violate standards and that contain
JdeBP> vexatious nonsense, there are _far_ better candidates than
JdeBP> "qmail" around. Using the badly designed features of
JdeBP> Postfix and "exim" that cause them to violate RFC 2821 is
JdeBP> (alas!) growing ever more popular, for example.
DS> Then explain to me why this construct by "qmail" is NOT an
DS> RFC 2821 violation:
Why ? That was explained to you, several times, in depth, and by many people,
in this very discussion forum in October 2002. Didn't you listen ?
DS> [...] when did it leave what RFC 2821 calls "the SMTP environment" [...]
The answer to the question that I just asked seems to be that, indeed, you
didn't listen.
DS> Trace headers such as "Received:" are supposed to record the host-to-host
DS> using what protocol type information that indicates the path travelled,
False. Read RFC 821.
Jonathan de Boyne Pollard
MC> the fact is that what Vernon calls the "qmail liturgy chanted
MC> by members of that church" tends to imply that there is no such
MC> thing as a standards problem in any flavor of qmail ever
MC> concocted.
Entirely false. If you do read any of the "qmail" discussion fora you'll find
that the general consensus of the "qmail" users who provide free support to
other users (I'm going to ignore, here, the deliberately provocative
mischaracterisation of it as a "liturgy" of a "church".) is in fact *entirely
in opposition* to such an implication. The general consensus is that
third-party patches to "qmail" are a problem, that in some cases do cause
difficulties, and should be applied sparingly, with the minimum necessary
amount applied. The general consensus is that, of all of the third-party
modifications to "qmail", only that handful that are pre-packaged in
"netqmail" (<URL:http://qmail.org./netqmail/>) are those that have any sort of
universal applicability. (Look at how short the list at
<URL:http://qmail.org./top.html#patches> is.) The general consensus is that
the unnecessary use of things that aren't vanilla "qmail"/"netqmail" is a
support problem, and to discourage such use.
The "It's non-standard." cry was one that was raised a lot about "qmail" in
its early days, mainly by those who supported the existing long-entrenched
softwares that it was aimed at supplanting. Of course, most of these claims
about standards have long since been shown to be myths, based upon false
notions of what the standards actually say and how things actually work.
However, because of the lengthy discussions that the claims engendered where
people showed that the standards did not prohibit what "qmail" did, and the
fact that these claims were repeated often and thus had to be refuted often,
the tactic against "qmail" thus mutated into a subtler one, becoming cry of
"They deny that anything at all about 'qmail' is non-standard.". That, and
these notions of a "church" and a "liturgy" are simply subtler forms of the
same thing as before.
As I said, "qmail" is as good at following standards as most other mainstream
MTAs, and there are _far_ better candidates than "qmail" around for mainstream
MTAs that violate standards and contain "vexatious nonsense".
MC> The result is that, as far as this particular issue goes, it's
MC> like dealing with Microsoft. Difficult to find an intelligent
MC> person who will research your report instead of blowing you off,
MC> difficult to get a patch developed, [...]
Pah! It's much the same with _all_ softwares. (Indeed, one of the very
tenets of the Open Source business model is that programmers scratch their own
itches and those of their paying customers. Are you _really_ surprised that
you find it difficult to get other people to develop patches for you for
free? And are you really surprised that the fact that the problem is with a
third-party patch and not with the vanilla software itself only exacerbates
the difficulty of finding someone who will deal with it?) The SMTP-SASL patch
to "qmail" is not different in this regard from any other software.
Jonathan de Boyne Pollard
MC> does not mean that nobody else perceives one.
DS> If there is no purpose, then why do it?
Your question is a leading question that takes a falsehood as its premise,
and is thus unanswerable. Try reading what Mark wrote again, this time
noting that he nowhere said that there wasn't a purpose. (There is, of
course. And it is one that is readily apparent to any mail administrator
reading such headers. You are being deliberately obtuse.)
MC> Your bogus attacks on qmail injure the credibility of legitimate
MC> criticism. What's worse, when you do so, you not only lower
MC> yourself to the level of the kook who posts as "Alan Connor",
MC> but you pull down the legitimate critics with you.
MC>
MC> Please stop.
DS> Qmail is the only SMTP software that I have seen that makes
DS> that particular departure.
"qmail" isn't making any departure.
DS> [Assertions of] RFC-noncompliance aren't "bogus attacks."
That statement isn't relevant to this thread.
Mark Crispin
> MC> Although I understand perfectly well that it's not DJB's fault,
> MC> the fact is that what Vernon calls the "qmail liturgy chanted
> MC> by members of that church" tends to imply that there is no such
> MC> thing as a standards problem in any flavor of qmail ever
> MC> concocted.
> Entirely false. If you do read any of the "qmail" discussion fora you'll find
> that the general consensus of the "qmail" users who provide free support to
> other users (I'm going to ignore, here, the deliberately provocative
> mischaracterisation of it as a "liturgy" of a "church".) is in fact *entirely
> in opposition* to such an implication.
That may be, but what is being discussed are perceptions. The "general
concensus" that you mention does not reach out into the trenches.
For better or worse, that implication is out there. Worse, it seems that
sites which use that third-party patch do not understand that it is an
unsupported patch, not subject to the same level of quality control.
> these claims were repeated often and thus had to be refuted often,
> the tactic against "qmail" thus mutated into a subtler one
This sort of statement is what Vernon refers to as the "qmail liturgy
chanted by members of that church." You have to admit that it's a bit
"tin-foil hat"-ish.
-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
Tim Smith
> Here's what anyone can see if they go to my website, which you either have
> not done, or are pretending that you have not done. A copy of one of my
> C-Rs:
This is the big problem with C-R systems: each has its own message.
*If* they were all to agree on a standard format for the challenge and the
response, and include the message-ID in the challenge, so that senders could
easily automate handling the responses, *then* they would potentially be a
lot more useful.
--
--Tim Smith
Timo Salmi
> This is the big problem with C-R systems: each has its own message.
No system is without it flaws. But (this not to you, but in general
in many cases) there is an inherent hostility bias towards filtering
involving C/R ideas which hinders detached analysis discussion and
communal solution finding.
> *If* they were all to agree on a standard format for the challenge and the
> response, and include the message-ID in the challenge, so that senders could
> easily automate handling the responses, *then* they would potentially be a
> lot more useful.
Yes, of course agreed. The more standardized a message or a
newsposting is, the easier it is to avoid, when one so wishes.
Therefore, keeping the "frame", if you will, as constant as
possible, is indeed highly a desirable in c/r, FAQs and similar
messages and postings. In spam, as you naturally will have noted,
the spammers invent all kinds of artificial variations to pre-empt
filtering rules. In C-R this is not the case nor the goal, contrary
to some frequent name-calling. E.g. mine use a constant subject
header. If it were constant over a number of users, all the better.
All the best, Timo
--
Prof. Timo Salmi ftp & http://garbo.uwasa.fi/ archives 193.166.120.5
Department of Accounting and Business Finance ; University of Vaasa
mailto:t...@uwasa.fi <http://www.uwasa.fi/~ts/> ; FIN-65101, Finland
Spam foiling in effect http://www.uwasa.fi/~ts/info/spamfoil.html
Timo Salmi
> If legitimate senders could easily automate handling the challenges,
> then so could spammers,
Recycles one of the defeatist pet arguments. "Give up since the
opposition will counteract".
It is fallacious, though. Discarding a message based say on it
subject and responding to the challenge to the correct address and
with the required passphrase are two quite different things. The
essence is making the avoidance of challenges easy, but actually
reponding to them requires manual intervention.
> and the whole idea would be even more useless than it is now.
A preconvinced attitude, incidentally, is also one of the recycled
norms.
Eduardo Chappa
:) Alan Connor <zzz...@xxx.yyy> wrote:
:) > http://spamarrest.com/pressoffice/news/index.jsp
:)
:) Mitnick is not the only famous person using challenge-response. Dan
:) Bernstein does also.
Please tell all these people to stop using this system. The only thing it
does is to generate more e-mail traffic in a congested traffic already.
Bad idea. Please configure your spam filter to not to do this. I will
never respond to any such challenge messages, please do so too.
The Open Sourceror's Apprentice
news:Pine.LNX.4.60.9.0...@zeno1.math.washington.edu:
> I will
> never respond to any such challenge messages, please do so too.
>
Actually, Eduardo, the best way to handle C/R challenges is to *always*
respond to them - unless they come in response to mail that you actually
wrote. In that case, remove the individual who is using C/R from your address
book, and if you run your own server, block their email address.
--
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
. . .
Who is Brad Jesness? http://www.wilhelp.com/bj_faq/
Alan Connor
This is excellent! Another selling point for challenge-responses:
It keeps ignorant and obnoxious people out of one's mailboxes.
Who could ask for more? No spam and no jerks.
(the above is not a joke)
AC
--
Pass-List -----> Block-List ----> Challenge-Response
The key to taking control of your mailbox. Design Parameters:
http://tinyurl.com/2t5kp || http://tinyurl.com/3c3ag
Challenge-Response links -- http://tinyurl.com/yrfjb
Eduardo Chappa
:) Eduardo Chappa <cha...@math.washington.edu> wrote in
:) news:Pine.LNX.4.60.9.0...@zeno1.math.washington.edu:
:)
:) > I will never respond to any such challenge messages, please do so
:) > too.
:) >
:)
:) Actually, Eduardo, the best way to handle C/R challenges is to *always*
:) respond to them - unless they come in response to mail that you
:) actually wrote. In that case, remove the individual who is using C/R
:) from your address book, and if you run your own server, block their
:) email address.
I have received a couple of C/R messages trying to answer questions posted
in mailing lists, etc, not very nice. Imagine an internet wher a
substantial amount of users use C/R, a huge nightmare.
Eduardo Chappa
2004:
:) On Mon, 12 Jul 2004 14:40:22 -0700, Eduardo Chappa
:) <cha...@math.washington.edu> wrote:
:) >
:) >
:) > *** John Wingate (abcj...@worldpath.net.edo) wrote in
:) > comp.mail.misc on...:
:) >
:) >:) Alan Connor <zzz...@xxx.yyy> wrote:
:) >:) > http://spamarrest.com/pressoffice/news/index.jsp
:) >:)
:) >:) Mitnick is not the only famous person using challenge-response.
:) >:) Dan Bernstein does also.
:) >
:) > Please tell all these people to stop using this system. The only
:) > thing it does is to generate more e-mail traffic in a congested
:) > traffic already. Bad idea. Please configure your spam filter to not
:) > to do this. I will never respond to any such challenge messages,
:) > please do so too.
:)
:)
:) This is excellent! Another selling point for challenge-responses: It
:) keeps ignorant and obnoxious people out of one's mailboxes. Who could
:) ask for more? No spam and no jerks.
:)
:) (the above is not a joke)
That's not a convincing argument to support your point. Look for a more
intelligent one. I was not joking above, nor now.
--
Eduardo
http://www.math.washington.edu/~chappa/personal.html
Richard Johnson
<Pine.LNX.4.60.9.0...@zeno1.math.washington.edu>,
Eduardo Chappa <cha...@math.washington.edu> wrote:
> I have received a couple of C/R messages trying to answer questions posted
> in mailing lists, etc, not very nice. Imagine an internet wher a
> substantial amount of users use C/R, a huge nightmare.
Yes, a huge nightmare.
However, at the present time, how do you know whether the challenge you
received was because you sent mail to someone, or because a spammer
forged your address? If you send responses to usenet posts, send to
people who forward mail, or send to mailing lists, you generall
-cannot- know.
Therefore, it behooves you to answer all challenges you receive. Only
by doing that can you have a chance of seeing your legitimate email go
through.
Richard
--
To reply via email, make sure you don't enter the whirlpool on river left.
My mailbox. My property. My personal space. My rules. Deal with it.
http://www.river.com/users/share/cluetrain/
Tim Smith
>> This is the big problem with C-R systems: each has its own message.
>
> C/R systems inevitably end up sending challenges to uninvolved third
> parties.
If someone is forging your address on spam, you'll get a ton of bounce
messages anyway. There is no such thing as an uninvolved third party
anymore with the current email system.
...
> If legitimate senders could easily automate handling the challenges, then
> so could spammers, and the whole idea would be even more useless than it
> is now.
If the spammer forges my address, how they are going to automate handling
the challenges, since those will come to me, not the spammer? If C/R
systems could force spammers to stop forging addresses, that would be a big
improvement over the current state of things: recipients using the C/R
systems would not see forged spam, and the people whose addresses are being
forged would see challenges instead of bounces, which they could easily
ignore.
--
--Tim Smith
axlq
Eduardo Chappa <cha...@math.washington.edu> wrote:
>
>does is to generate more e-mail traffic in a congested traffic already.
>Bad idea. Please configure your spam filter to not to do this. I will
>never respond to any such challenge messages, please do so too.
Vernon Schryver posted a persuasive argument for responding to ALL
challenges as a matter of policy.
It works like this. Most of the challenges I get are from mail I
didn't send, but rather from spammers forging my address. If I
respond to each challenge, then *I* will never again longer receive
a challenge for spam to that person. As an added bonus, the C/R
operator receives the spam!
By responding to ALL challenges, you ensure that: (a) your mail gets
through, (b) future spam forging your address doesn't result in another
challenge, and (c) the person who has the C/R system has to deal with
the spam.
If enough people do this, then C/R systems will become ineffective
to the point where miscreants like Allan Connor, who don't care what
he does to other people's mailboxes, will stop using them.
-A
Brian K. O'Neill
news:ccvoqq$6kg$1...@blue.rahul.net...
I like it, except that by clicking yes when you are reasonably sure it's
spam, you are therefore allowing a spammer to get his message across
(helping a spammer, bad) and also being an accessory to someone else's inbox
and networks being abused (helping create more abuse, bad).
I realize that it can be argued that the means justifies the ends and that
the person using C/R doesn't deserve courtesy because they don't have any
courtesy for the rest of the net when it comes to erroneous/spam-generated
C/R messages, but we do try and rise above in our fight rather than sink
down to the level of the abusers and the clueless, don't we?
</Devil's Advocate>
Eduardo Chappa
:) In article
:) <Pine.LNX.4.60.9.0...@zeno1.math.washington.edu>,
:) Eduardo Chappa <cha...@math.washington.edu> wrote:
:)
:) > I have received a couple of C/R messages trying to answer questions
:) > posted in mailing lists, etc, not very nice. Imagine an internet wher
:) > a substantial amount of users use C/R, a huge nightmare.
:)
:)
:) Yes, a huge nightmare.
:)
:) However, at the present time, how do you know whether the challenge you
:) received was because you sent mail to someone, or because a spammer
:) forged your address? If you send responses to usenet posts, send to
:) people who forward mail, or send to mailing lists, you generall
:) -cannot- know.
Which is exactly a good reason why you should not answer the challenge.
Confirming good addresses to a spammer is similar to shooting yourself on
the foot.
:) Therefore, it behooves you to answer all challenges you receive. Only
:) by doing that can you have a chance of seeing your legitimate email go
:) through.
I will sound presumptious, but in my opinion, I do not loose by the
receiver not receiving my message. I lost a couple of minutes, my
recipient lost my message. It's up to you to decide who lost more.
Eduardo Chappa
:) In article
:) <Pine.LNX.4.60.9.0...@zeno1.math.washington.edu>,
:) Eduardo Chappa <cha...@math.washington.edu> wrote:
:) >
:) >Please tell all these people to stop using this system. The only thing
:) >it does is to generate more e-mail traffic in a congested traffic
:) >already. Bad idea. Please configure your spam filter to not to do
:) >this. I will never respond to any such challenge messages, please do
:) >so too.
:)
:) Vernon Schryver posted a persuasive argument for responding to ALL
:) challenges as a matter of policy.
:)
:) It works like this. Most of the challenges I get are from mail I
:) didn't send, but rather from spammers forging my address. If I respond
:) to each challenge, then *I* will never again longer receive a challenge
:) for spam to that person. As an added bonus, the C/R operator receives
:) the spam!
That's a very persuasive argument, except by the fact that I do not think
that a particular e-mail address sends spam twice to the same account,
even when it's forged. Of course this principle is wrong, but in general
the error should be marginal with respect to the real amount of spam that
is not generated in the way described here. If this is a big problem in
the sense that you are consistently receiving a C/R from the same person,
then it pays to respond to such challenge, unless you are being sent a
challenge message from an account that belongs to a spammer which only
collects addresses of people that responds to such challenges which only
serves the purpose to confirm your e-mail address, in which case you are
only going to get more spam.
:) By responding to ALL challenges, you ensure that: (a) your mail gets
:) through, (b) future spam forging your address doesn't result in another
:) challenge, and (c) the person who has the C/R system has to deal with
:) the spam.
True and false as I've shown above.
:) If enough people do this, then C/R systems will become ineffective to
:) the point where miscreants like Allan Connor, who don't care what he
:) does to other people's mailboxes, will stop using them.
If enough people do this, those same people may get more and more spam.
Nancy McGough
>> By responding to ALL challenges, you ensure that: (a) your mail gets
>> through, (b) future spam forging your address doesn't result in another
>> challenge, and (c) the person who has the C/R system has to deal with
>> the spam.
>>
>> If enough people do this, then C/R systems will become ineffective
>
> spam, you are therefore allowing a spammer to get his message across
> (helping a spammer, bad) and also being an accessory to someone else's inbox
> and networks being abused (helping create more abuse, bad).
>
> I realize that it can be argued that the means justifies the ends and that
> the person using C/R doesn't deserve courtesy because they don't have any
> courtesy for the rest of the net when it comes to erroneous/spam-generated
> C/R messages, but we do try and rise above in our fight rather than sink
> down to the level of the abusers and the clueless, don't we?
The person using the C/R most likely *does* deserve courtesy
because they probably have no clue about the problems of C/R.
It's the company providing the C/R system who deserves no
courtesy. And if they make a statement like this:
"Challenge/Response blocks 100% of Spam"
which appears here:
Then I think it is a worthwhile endeavor to take Vernon's advice
and respond to the spam-instigated challenge, not because:
"(c) the person who has the C/R system has to deal with the
spam."
but because
(d) the company providing the C/R system will get complaints
from their customers about the ineffectiveness of their C/R
system.
Nancy
Infinite Ink
www.ii.com
Tim Smith
> By responding to ALL challenges, you ensure that: (a) your mail gets
> through, (b) future spam forging your address doesn't result in another
> challenge, and (c) the person who has the C/R system has to deal with
> the spam.
(d) your email address gets passed among spammers as one that is good to forge,
because it gets through C/R systems, and (e) people learn that blocking on your
email address reduces their spam.
--
--Tim Smith
Nancy McGough
>
>> By responding to ALL challenges, you ensure that: (a) your mail gets
>> through, (b) future spam forging your address doesn't result in another
>> challenge, and (c) the person who has the C/R system has to deal with
>> the spam.
>
> (d) your email address gets passed among spammers as one that is good to forge,
> because it gets through C/R systems, and (e) people learn that blocking on your
> email address reduces their spam.
And if it is one of your spam-trap email addresses, that's OK. My
new plan is to follow Vernon's advice only for challenges that
come to my spam-trap addresses. Challenges that come to my real
addresses, I ignore.
Nancy
Infinite Ink
www.ii.com
Peter Köhlmann
> On 2004-07-13, axlq <ax...@spamcop.net> wrote:
>> By responding to ALL challenges, you ensure that: (a) your mail gets
>> through, (b) future spam forging your address doesn't result in another
>> challenge, and (c) the person who has the C/R system has to deal with
>> the spam.
>
Right. Best possible solution to this C/R spamming
> (d) your email address gets passed among spammers as one that is good to
> forge, because it gets through C/R systems,
No. They have no indication at all. The response would not get back to the
spammer, but to the C/R using system
> and (e) people learn that
> blocking on your email address reduces their spam.
>
Well, anyone using C/R can happily block my email address, since I am not
interested to exchange mail with such retards
--
Lord, grant me the serenity to accept the things I can not change,
the courage to change the things I can, and the wisdom to hide the
bodies of those I had to kill because they pissed me off.
Paul Vader
>Actually, responding to a "qsecretary" challenge does not qualify as
>opting out of receiving anything. You need to find out how "qsecretary"
>works. In particular, you need to stop thinking that it works like
>TMDA and start _actually reading_ the text of the challenge that was
>posted, which clearly shows the somewhat different way that it does work.
The way it *does* work, especially in Bernstein's case, is to act as a
spamming vector. I wrote about this a while back, I get qsecretary notices
all the time from Dan, with the complete spam attached at the bottom,
addressed to me. qsecretary is effectively an open relay.
I used to just shitcan every C/R notice I received (and castigated any
friends using it), now I just reply to them all, secure in the knowledge
that I have annoyed the abusive C/R user with spam. *
--
* PV something like badgers--something like lizards--and something
like corkscrews.
Paul Vader
>Which is exactly a good reason why you should not answer the challenge.
>Confirming good addresses to a spammer is similar to shooting yourself on
>the foot.
The one place a bounce or C/R reply will NOT go to is the spammer. *
Paul Vader
>That's a very persuasive argument, except by the fact that I do not think
>that a particular e-mail address sends spam twice to the same account,
>even when it's forged.
What she was saying is that the less-broken C/R systems will only send the
challenge once to a given address. So, if you reply, you will never again
get a C/R notice when a spammer exploits the poor sucker who put one on
their email account.
Of course, on *really* broken ones like qsecretary, you get the damned
notices ever single time anyway, which is why spammers have started using
Dan's email address to relay their crap. *
Paul Vader
>Kevin Mitnick is also one of the world's foremost
>computer security experts, which is one of the
>reasons he uses challenge-responses:
Kevin Mitnick has, or rather had, a mental problem, and couldn't stop
himself from what he was doing. His current expertise is an interesting way
of turning his psychological pathology into a career, but it doesn't make
him a foremost at anything. He's just a guy with some really interesting
stories. Ever read "Takedown"? Mitnick isn't the one that comes off as the
bad guy. *
Richard Johnson
Nancy McGough <nm-reverse-...@ii.deflexion.com> wrote:
> And if it is one of your spam-trap email addresses, that's OK. My
> new plan is to follow Vernon's advice only for challenges that
> come to my spam-trap addresses. Challenges that come to my real
> addresses, I ignore.
Unless you respond to every challenge, mail you send that ends up
forwarded to addresses you don't immediately recognize won't be
delivered.
Also, contrary to the previous poster's supposition, spammers won't
know your address is a good one to forge. This is because the sender
of the challenge and not the spammer will receive your responses.
You should respond to all challenges if you respond to any at all.
Richard Johnson
<Pine.LNX.4.60.9.0...@zeno1.math.washington.edu>,
Eduardo Chappa <cha...@math.washington.edu> wrote:
> *** Richard Johnson (abcr...@whirlpool.river.com.edo) wrote in...:
> :) However, at the present time, how do you know whether the challenge you
> :) received was because you sent mail to someone, or because a spammer
> :) forged your address? If you send responses to usenet posts, send to
> :) people who forward mail, or send to mailing lists, you generall
> :) -cannot- know.
>
> Which is exactly a good reason why you should not answer the challenge.
> Confirming good addresses to a spammer is similar to shooting yourself on
> the foot.
How is answering a challenge confirming a good address to a spammer?
The spammer does not receive the response.
> :) Therefore, it behooves you to answer all challenges you receive. Only
> :) by doing that can you have a chance of seeing your legitimate email go
> :) through.
>
> I will sound presumptious, but in my opinion, I do not loose by the
> receiver not receiving my message. I lost a couple of minutes, my
> recipient lost my message. It's up to you to decide who lost more.
I'm more interested in providing back-pressure against those who bother
me with challenges based on forged mail. I lose time and bandwidth
regardless because of such spam challenges, so I might as well push
back.
Matchstick
says...
> Also, contrary to the previous poster's supposition, spammers won't
> know your address is a good one to forge. This is because the sender
> of the challenge and not the spammer will receive your responses.
Unless the mail is an HTML one containing web-bugs that the spammer can
use to identify the from address.
--
Contact Address matchstick a t oofg d o t com
"The wages of sin are death... but the hours are good and the perks are
fantastic."
Tim Smith
> Also, contrary to the previous poster's supposition, spammers won't know
> your address is a good one to forge. This is because the sender of the
> challenge and not the spammer will receive your responses.
Two problems with this.
(1) Spammers can send challenges and see which ones get responses, thereby
finding the "always answer" people.
(2) I expect at some point to see someone start a list of known "always
answer" addresses and make it available. It's purpose will be to let C/R
users block on those addresses, but spammers will be able to get it, too.
--
--Tim Smith
Nancy McGough
>
> I said:
>> Challenges that come to my real addresses, I ignore.
>
> Unless you respond to every challenge, mail you send that ends up
> forwarded to addresses you don't immediately recognize won't be
> delivered.
But I don't care! I basically quit doing email about a year ago
and anyone who's paying attention knows that it's much more
likely for me to respond in a discussion group than to personal
email. Email is dead and if you don't believe me, look at this:
<http://del.icio.us/Deflexion.com/Messaging/EmailIsDead>
> Also, contrary to the previous poster's supposition, spammers won't
> know your address is a good one to forge. This is because the sender
> of the challenge and not the spammer will receive your responses.
But it might be that the person using the C/R system will get
malicious or -- more likely -- the people running the C/R system
will get mailicious.
> You should respond to all challenges if you respond to any at all.
That depends on one's goal.
Nancy
Infinite Ink
www.ii.com
Vernon Schryver
Tim Smith <reply_i...@mouse-potato.com> wrote:
>> Also, contrary to the previous poster's supposition, spammers won't know
>> your address is a good one to forge. This is because the sender of the
>> challenge and not the spammer will receive your responses.
>
>Two problems with this.
>
>(1) Spammers can send challenges and see which ones get responses, thereby
>finding the "always answer" people.
>
>(2) I expect at some point to see someone start a list of known "always
>answer" addresses and make it available. It's purpose will be to let C/R
>users block on those addresses, but spammers will be able to get it, too.
Neither of those will be real problems until and unless C/R systems
are so widely used that spammers would care. When and if that happens,
the scaling problem implicit in C/R systems will have us all receiving
almost as many C/R challenges as we now receive forged spam, and that
have forced everyone except the most extreme kooks accept the fact
that C/R systems are based on sending lots of substantially identical
messages to people who didn't ask for them, i.e. spam.
Vernon Schryver v...@rhyolite.com
Eduardo Chappa
> In article
> <Pine.LNX.4.60.9.0...@zeno1.math.washington.edu>, Eduardo
> Chappa <cha...@math.washington.edu> wrote:
>
>> *** Richard Johnson (abcr...@whirlpool.river.com.edo) wrote in...:
>> :) However, at the present time, how do you know whether the challenge
>> :) you received was because you sent mail to someone, or because a
>> :) spammer forged your address? If you send responses to usenet posts,
>> :) send to people who forward mail, or send to mailing lists, you
>> :) generall -cannot- know.
>>
>> Which is exactly a good reason why you should not answer the challenge.
>> Confirming good addresses to a spammer is similar to shooting yourself
>> on the foot.
>
>
> How is answering a challenge confirming a good address to a spammer? The
> spammer does not receive the response.
Unless the spammer set the C/R system, just to confirm good e-mail
addresses.
Peter Köhlmann
> *** Richard Johnson (abcr...@whirlpool.river.com.edo) wrote in...:
>
>> In article
>> <Pine.LNX.4.60.9.0...@zeno1.math.washington.edu>, Eduardo
>> Chappa <cha...@math.washington.edu> wrote:
>>
>>> *** Richard Johnson (abcr...@whirlpool.river.com.edo) wrote in...:
>>> :) However, at the present time, how do you know whether the challenge
>>> :) you received was because you sent mail to someone, or because a
>>> :) spammer forged your address? If you send responses to usenet posts,
>>> :) send to people who forward mail, or send to mailing lists, you
>>> :) generall -cannot- know.
>>>
>>> Which is exactly a good reason why you should not answer the challenge.
>>> Confirming good addresses to a spammer is similar to shooting yourself
>>> on the foot.
>>
>>
>> How is answering a challenge confirming a good address to a spammer? The
>> spammer does not receive the response.
>
> Unless the spammer set the C/R system, just to confirm good e-mail
> addresses.
>
And using a valid email address to do so? Yeah, right
--
I refuse to have a battle of wits with an unarmed person.
Augustus S.F.X Van Dusen
excelled at was manipulating people into giving him information, rather
than at technical prowess?
The Open Sourceror's Apprentice
news:Pine.LNX.4.60.9.0...@zeno1.math.washington.edu:
> That's a very persuasive argument, except by the fact that I do not think
> that a particular e-mail address sends spam twice to the same account,
> even when it's forged.
Would you like 3,127 individual pieces of proof that you are mistaken?
--
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
. . .
Who is Brad Jesness? http://www.wilhelp.com/bj_faq/
The Open Sourceror's Apprentice
@newsread1.news.pas.earthlink.net:
> (1) Spammers can send challenges and see which ones get responses, thereby
> finding the "always answer" people.
They will find that to be a very painful exercise - for them.
> (2) I expect at some point to see someone start a list of known "always
> answer" addresses and make it available. It's purpose will be to let C/R
> users block on those addresses, but spammers will be able to get it, too.
See previous response.
The Open Sourceror's Apprentice
@news-60.giganews.com:
> In article <2lie4oF...@uni-berlin.de>, rn...@whirlpool.river.com
> says...
>
>> Also, contrary to the previous poster's supposition, spammers won't
>> know your address is a good one to forge. This is because the sender
>> of the challenge and not the spammer will receive your responses.
>
> Unless the mail is an HTML one containing web-bugs that the spammer can
> use to identify the from address.
What sort of idiot reads email with a mail client that renders HTML by
default?
The Open Sourceror's Apprentice
> (d) your email address gets passed among spammers as one that is good to
> forge, because it gets through C/R systems, and (e) people learn that
> blocking on your email address reduces their spam.
People who use CR systems have already demonstrated that they are incapable
of learning; ergo, they won't figure out which address to block.
And in the event that they do, by some lucky circumstance - how does that
harm the non-C/R-using non-spammer? It's the C/R user who's deprived of
legitimate email from me; since my outgoing email is usually in response ot a
request for help, *I* am not going to be suffering if Joe C/R User fails to
get my reply.
The Open Sourceror's Apprentice
news:Pine.LNX.4.60.9.0...@zebes.dreamhost.com:
You *are* aware that you have just cited a spammer, are you not?
Eduardo Chappa
> Eduardo Chappa <cha...@math.washington.edu> wrote in
> news:Pine.LNX.4.60.9.0...@zeno1.math.washington.edu:
>
>> That's a very persuasive argument, except by the fact that I do not
>> think that a particular e-mail address sends spam twice to the same
>> account, even when it's forged.
>
> Would you like 3,127 individual pieces of proof that you are mistaken?
Sure, put the in the web. Let me know where I can see them.
The Open Sourceror's Apprentice
news:Pine.LNX.4.60.9.0...@zeno1.math.washington.edu:
>> Would you like 3,127 individual pieces of proof that you are mistaken?
>
> Sure, put the in the web. Let me know where I can see them.
news:news.admin.net-abuse.sightings
Paul Vader
He was and still is pretty good with the telephone system, but otherwise
that's mostly right. *
Sam
> *** The Open Sourceror's Apprentice (abcMore...@spamblocked.com.edo)...:
>
>> Eduardo Chappa <cha...@math.washington.edu> wrote in
>> news:Pine.LNX.4.60.9.0...@zeno1.math.washington.edu:
>>
>>> That's a very persuasive argument, except by the fact that I do not
>>> think that a particular e-mail address sends spam twice to the same
>>> account, even when it's forged.
>>
>> Would you like 3,127 individual pieces of proof that you are mistaken?
>
> Sure, put the in the web. Let me know where I can see them.
Jun 13 14:17:24 headache courieresmtpd: error,relay=::ffff:216.39.87.40,from=<a...@4epurchase.com>,to=<s...@email-scan.com>: 511 Blocked - see http://www.spambag.org/cgi-bin/spambag?mailfrom=sheckmedia
[ … ]
Jun 29 05:54:07 headache courieresmtpd: error,relay=::ffff:64.70.43.83,from=<A...@REAL-COUPONS.COM>,to=<s...@email-scan.com>: 511 Blocked - see http://www.spambag.org/cgi-bin/spambag?mailfrom=sheckmedia
This is the Sheckmedia spamhaus repeatedly trying to spam the same mailbox.
What you don't see are hundreds of other attempts, in the same time frame.
Despite being told, via SMTP in no uncertain terms, to fuck off, they've
been spamming (or trying to spam) the same mailbox for several months. I
believe that the only reason they stopped was that they did not renew their
hosting contract with their provider, since the spew stopped precisely at
the end of the calendar month.
Your belief that no spammer spams the same mailbox twice is very, very
naive.
John Thompson
On 2004-07-13, The Open Sourceror's Apprentice <Morel...@spamblocked.com> wrote:
> What sort of idiot reads email with a mail client that renders HTML by
> default?
"First rate, Mr Danger. First rate."
(apologies to Firesign theater)
--
-John (jo...@os2.dhs.org)
John Thompson
> But it might be that the person using the C/R system will get
> malicious or -- more likely -- the people running the C/R system
> will get mailicious.
Unfortunately, we've already seen plenty of that... :-(
--
-John (jo...@os2.dhs.org)
*Vanguard*
> Vernon Schryver posted a persuasive argument for responding to ALL
> challenges as a matter of policy.
>
> It works like this. Most of the challenges I get are from mail I
> didn't send, but rather from spammers forging my address. If I
> respond to each challenge, then *I* will never again longer receive
> a challenge for spam to that person. As an added bonus, the C/R
> operator receives the spam!
>
> By responding to ALL challenges, you ensure that: (a) your mail gets
> through, (b) future spam forging your address doesn't result in
> another challenge, and (c) the person who has the C/R system has to
> deal with
> the spam.
>
> If enough people do this, then C/R systems will become ineffective
> to the point where miscreants like Allan Connor, who don't care what
> he does to other people's mailboxes, will stop using them.
>
> -A
The problem with this is that you assume the challenge is really a message from a C-R user and not from a spammer or scammer. I've already started hearing about web sites that are scams to get senders to divulge personal information. They send the user a message which looks for all intent and purposes to be a challenge e-mail. Take any of the C-R webmail providers, like BlueBottle or Mailblocks, open a temp account, send an e-mail to it, and get back the challenge so you know how to compose a message that looks just like it. However, insert your own web site into the links that the sender is supposed to click on to supposedly verify their previously sent e-mail.
Will all e-mail users scan through all their messages to verify that the e-mail that the challenge said they sent was something they actually sent? No. The challenge may provide the To and Subject lines to supposedly clue the sender in regarding what e-mail they supposedly sent, but obviously that can be made vague enough so that enough recipients of this bogus challenge may think it was indeed something they sent. So now they click on the link (because most e-mail users do NOT look at the HTML code to see where the link really takes them), get to a site that looks like where they are supposed to enter some numbers from a graphical image to verify they sent the e-mail (i.e., they answer the challenge). However, this bogus challenge web site also asks them for personal information, like their e-mail address and could even ask for a password so the scammer could hijack their accounts. Are you going to investigate on every challenge if there is indeed a C-R service running at that web site? And so what if there is? How do you know it is a reputable C-R service that actually has users rather than someone running a scam site that is issuing bogus challenge e-mails for users they don't have so obviously no one could be sending e-mails that should be generating challenges?
I sure doesn't look smart to be answering all challenges as a general policy. I don't answer any of them. Instead I use enough info in their supposedly standard formatted challenge (which is only standard within that C-R service) to define a rule to auto-delete their challenge from my mail server.
*Vanguard*
news:RkrIc.924$Qu5...@newsread2.news.pas.earthlink.net:
> On 2004-06-19, Alan Connor <zzz...@xxx.yyy> wrote:
>> Here's what anyone can see if they go to my website, which you
>> either have not done, or are pretending that you have not done. A
>> copy of one of my C-Rs:
>
> This is the big problem with C-R systems: each has its own message.
> *If* they were all to agree on a standard format for the challenge
> and the response, and include the message-ID in the challenge, so
> that senders could easily automate handling the responses, *then*
> they would potentially be a lot more useful.
But ISPs are starting to reject "challenge spam". And the C-R user will never know it.
As a test, I opened a bogus BlueBottle.com account (they are a C-R provider with free accounts that provide webmail and POP3/IMAP/SMTP servers). It's bogus because all the profile information that I entered is bogus (they monitor that stuff and will kill your account in about a day). I can send an e-mail from my BlueBottle account to my Yahoo account and receive it okay in my Yahoo account. So I know that Yahoo is not blocking e-mails from the BlueBottle domain. Then I send an e-mail from my Yahoo account to my BlueBottle account. It goes into the Pending folder of my BlueBottle account and a challenge supposedly gets sent immediately (this according to a tech support reply from BlueBottle regarding how long they wait before sending a challenge). I then wait, and wait, and wait for the challenge e-mail to show up in my Yahoo account. After 4 hours, still not challenge e-mail. I send several more test e-mails from multiple Yahoo accounts to my BlueBottle account. Still no challenges get received back in my Yahoo accounts. I contact BlueBottle who says that Yahoo's spam filtering might be the reason for never getting the challenges. Nope, nothing in my Bulk folder where all the spam gets moved.
Then I start to wonder about rejection during the SMTP handshaking. What if BlueBottle connects to Yahoo, tries to send the challenge e-mail, but Yahoo rejects it right there during the mail transfer? With a normal e-mail that I would send, my mail server would return a NDR (non-delivery report) message saying my e-mail got rejected by the receiving mail server. However, the challenge wasn't sent by me. It was sent by BlueBottle's C-R mechanisms. So I will never get notified that a challenge got rejected.
While this test was just against Yahoo, I'm hearing more and more ISPs are rejecting challenge spam. That means the C-R user will never know their challenges were rejected (because the C-R service sent the challenge, not the user of the C-R account), the senders never get the challenge, their e-mails never get delivered to the C-R user's Inbox, and the C-R user quietly dies away as his/her good senders figured they are sending to the wrong e-mail address, that C-R user doesn't want to talk to them, or they died. Unless the C-R service provides feedback to the C-R account user that challenges are getting rejected (or provides any status on those challenges), it's a worthless scheme. E-mail is not a guaranteed communications venue, ISPs may be rejecting challenge spam, or other problems arise where the challenge is never delivered or cannot be responded to. What if the sender doesn't have a browser, HTTP is blocked, or whatever might prevent them from getting to the web site where they are supposed to verify they sent their message?
Even if C-R ever manages to bother with the going through RFC ratification, even if other problems with C-R are addressed, unless the C-R user gets status on their challenges, like notifying the C-R user after some configurable wait period that a challenge never got answered or immediately when it gets rejected, the C-R user is blind to whether or not his e-mail scheme is even working.
Vernon Schryver
*Vanguard* <lh_va...@mailblocks.com> wrote:
>personal information. They send the user a message which looks for all
>intent and purposes to be a challenge e-mail. Take any of the C-R
>the challenge). However, this bogus challenge web site also asks them
>for personal information, like their e-mail address and could even ask
>for a password so the scammer could hijack their accounts. Are you
Anyone dumb enough to give any private information to any C-R service
include those that are perfectly legitimate (so to speak) is too dumb
to be allowed to use the Internet without adult supervision.
On the other hand, the phishers don't need to use C-R to hook suckers.
They send messages that seem more understandable than any C-R
challenge and still hook a lot of suckers.
>I sure doesn't look smart to be answering all challenges as a general
>policy. I don't answer any of them. Instead I use enough info in their
>supposedly standard formatted challenge (which is only standard within
>that C-R service) to define a rule to auto-delete their challenge from
>my mail server.
If you can't trust yourself to not blab everything to anyone who asks,
no matter how implausibly, then that is the start of the right tactic.
For proper protection you should disable the form handling in your web
browser, because you might be tempted by a phisher's form sent via
ordinary, non-C-R spam.
I would suggest turning off HTML in your mail user agent (MUA), but
you've evidently already rejected that idea.
Vernon Schryver v...@rhyolite.com
Eduardo Chappa
I never said a spammer does not spam a mailbox twice, I said that if your
address is used to spam people, the amount of C/R that you will get will
have minimal intersection (see the word marginal), then I said in the
unlikely case that this will happen use the C/R at your own risk. See the
difference? (most of you have concentrated on the first sentence of my
paragraph, which is quite unfair, are you guys politicians? or are trying
to understand my whole point? or just rebating anything losing the context
of the conversation?)
Eduardo Chappa
> Eduardo Chappa <cha...@math.washington.edu> wrote in
> news:Pine.LNX.4.60.9.0...@zeno1.math.washington.edu:
>
>>> Would you like 3,127 individual pieces of proof that you are mistaken?
>>
>> Sure, put the in the web. Let me know where I can see them.
>
> news:news.admin.net-abuse.sightings
This has nothing to do with what I meant in my original post. Reread it
and then comment on it again. By the way, refute the argument of the
paragraph, not isolated sentences.(Hint: the paragraph is about spam
received as a result of C/R systems, not about spam in general).
*Vanguard*
> In article <EamdnQ0Ul7d...@comcast.com>,
> *Vanguard* <lh_va...@mailblocks.com> wrote:
>
>> personal information. They send the user a message which looks for
>> all intent and purposes to be a challenge e-mail. Take any of the
>> C-R
>
>> the challenge). However, this bogus challenge web site also asks
>> them for personal information, like their e-mail address and could
>> even ask for a password so the scammer could hijack their accounts.
>> Are you
>
> Anyone dumb enough to give any private information to any C-R service
> include those that are perfectly legitimate (so to speak) is too dumb
> to be allowed to use the Internet without adult supervision.
Divulging personal info (to scammers) was just *one* of the problems I mentioned of of challenge e-mails. Just responding to the challenge means you divulge your e-mail address is valid and that it is actively monitored, something valuable in itself to spammers. With everything you do to keep your e-mail address out of the hands of spammers, are you really going to answer every challenge message without any proof that it was indeed a challenge sent by a valid C-R user (who is not the spammer sending you the challenge) and that those operating the web site you visit to respond to the challenge aren't also the spammers? For example, how do you know that a challenge that looks like it came from a BlueBottle C-R user really came from a BlueBottle C-R user? And when you visit the web site where you respond the challenge, just exactly how to you know who is operating that web site?
> On the other hand, the phishers don't need to use C-R to hook suckers.
> They send messages that seem more understandable than any C-R
> challenge and still hook a lot of suckers.
So you are proposing that C-R will never take off, always be relegated to just a few users, and be used in such low numbers that challenge e-mail will not be anything that e-mail users will not become accustomed to? Well, that suits me, too. Phishers also try to con recipients by pretending to be the recipient's ISP asking for them to verify details of their account. So how many valid e-mails have you seen from your ISP asking for such information? For me, I've never gotten one. The recipient getting lots of the same type of spam or scam can be easily recognized. It's the rare type of spam/scam that dupes users. It's not the common crap that will lull in a user. It's the legit-looking rare crap that gets them. Just because your challenges are cryptic and hard to understand doesn't mean others cannot craft them to present a professional and legit looking challenge which is very understandable.
>> I sure doesn't look smart to be answering all challenges as a general
>> policy. I don't answer any of them. Instead I use enough info in
>> their supposedly standard formatted challenge (which is only
>> standard within that C-R service) to define a rule to auto-delete
>> their challenge from my mail server.
>
> If you can't trust yourself to not blab everything to anyone who asks,
> no matter how implausibly, then that is the start of the right tactic.
That was MY point. A policy of responding to EVERY challenge DOES have you blabbing to anyone who asks. Such a policy has you blabbing to any spammer that composes a challenge that they reached a valid and active e-mail account. It's not like any of these challenges are digitally signed with PGP or x.509 certificates will full registrant information so you can positively identify who is the sender of a challenge. Just because it looks like a challenge e-mail doesn't mean that it came from a C-R user.
> For proper protection you should disable the form handling in your web
> browser, because you might be tempted by a phisher's form sent via
> ordinary, non-C-R spam.
> I would suggest turning off HTML in your mail user agent (MUA), but
> you've evidently already rejected that idea.
Actually I would like the feature of reading e-mails in plain text and letting me switch to an HTML view should I choose. Oh, wait, I already have that. It's called AutoPreview mode in Outlook (and I am NOT talking about using the Preview pane which is not a preview at all but a full view and gets rendered if HTML). AutoPreview shows you several lines of the message in plain-text. Then you can decide if you want to open the message to see it as the sender intended. Using an HTML modifier also helps to protect when you should decide to view in HTML mode, like using SpamPal's HTML-Modify plug-in. But I don't demand that the entire e-mail community takes the same level of protection just to use e-mail. I'm not stupid in thinking everyone has to be as smart or smarter than me in using e-mail. Arguing the evils of HTML is rather fruitless, like yelling at the waves lapping up on the shore. It is here, it is pervasive, it is is common use. But this digression regarding HTML, forms, and such was not related to what I posted. It was about how challenges can be misused and forged, so answering ALL of them is a dubious policy.
Nancy McGough
Yes, I'm very aware of that they are spammers and involved in
lawsuits and that their founder used to be in the porn business.
That's why I chose them as an example of why I've decided to
follow Vernon's suggestion! I have details and lots of links
about them on my IMAP Service Providers page in this section:
What to Look OUT For in an IMAP Service Provider
<http://www.ii.com/internet/messaging/imap/isps/#lookOut>
They are discussed in item #3a.
Nancy
Infinite Ink
www.ii.com
Matchstick
Morel...@spamblocked.com says...
> What sort of idiot reads email with a mail client that renders HTML by
> default?
People who run OE with the default settings, I believe... :(
Sam
> I never said a spammer does not spam a mailbox twice, I said that if your
> address is used to spam people, the amount of C/R that you will get will
> have minimal intersection (see the word marginal),
… now. That's because nobody uses C/R.
In the unlikely even that will ever change, what you will have to take care
of would be several thousands C/R spams every day.
The notion that somehow the spew of bogus C/Rs will ever cease is naive.
There's already an existing case study. Already people are getting
bouncebacks from forged spam. Which can be logically equated to C/R spam,
at least as far as the annoyance factor goes.
And the bouncebacks are not stopping.
Vernon Schryver
Eduardo Chappa <cha...@math.washington.edu> wrote:
>I never said a spammer does not spam a mailbox twice, I said that if your
>address is used to spam people, the amount of C/R that you will get will
>have minimal intersection (see the word marginal), then I said in the
>unlikely case that this will happen use the C/R at your own risk. See the
>difference? (most of you have concentrated on the first sentence of my
>paragraph, which is quite unfair, are you guys politicians? or are trying
>to understand my whole point? or just rebating anything losing the context
>of the conversation?)
Huh?
- What will have "(a?) minimal intersection" with what?
- No, I don't see the word "marginal." Where should it have been?
- What is the unlikely case? Is it related to that undefined
intersection?
- Of course, you should do everything at your own risk, including
use C/R systems. In other words, "caveat emptor."
- This is netnews, and so I can't care much, but I'd settle for understand
any of your point.
- What is the context you mean? It seems to be something about
Challenge-Response systems and something spammers would do or
refrain from doing, but I do not understand what.
An individual or two appearing to misunderstand you can be a mere
rhetorical ploy. When most people don't understand you, the fault is
always entirely yours.
I've read more at least two or three of your articles, but I still do
not know whether you think C/R systems are good or bad, whether you
think spammers will somehow exploit them, or whether you think spammers
might exploit people who always or never answer C/R challenges.
Try proofreading your articles. Avoid run-on sentences such as the
first confusing mess in the quoted text. Ensure that every string
ending with a period (.) or question mark (?) is a complete sentence
with a subject and a verb. If you are not familiar with English, ask
a native speaker to proofread your text.
An address at math.washington.edu suggests a need to write intelligible
English. Consider treating writing netnews as a valuable exercise.
Formal math proofs often have odd symbols like upside down A's and
backwards E's, but those strings of symbols are usually separated with
simple declarative sentences. No one unable to write intelligible
English can get a doctorate from a worthwhile U.S. college or university.
A case can be made that no one who hopes to do serious math in the
entire world, with the possible exception of France, can avoid being
able read and write English.
Vernon Schryver v...@rhyolite.com
Eduardo Chappa
> Eduardo Chappa writes:
>
>> I never said a spammer does not spam a mailbox twice, I said that if
>> your address is used to spam people, the amount of C/R that you will
>> get will have minimal intersection (see the word marginal),
>
> … now. That's because nobody uses C/R.
is nobody 0% of users?, 1% of users? 10% of users?. I don't think you mean
nobody, really. My point was never the amount of users who use C/R, if
your point is that this would only be a problem when too many people use
C/R, I can tell you that the problem will not be that, but it will be
people using C/R systems, and use will be discouraged, maybe forbidden.
> In the unlikely even that will ever change, what you will have to take
> care of would be several thousands C/R spams every day.
>
> The notion that somehow the spew of bogus C/Rs will ever cease is naive.
I agree, but I never claimed that.
> There's already an existing case study. Already people are getting
> bouncebacks from forged spam. Which can be logically equated to C/R
> spam, at least as far as the annoyance factor goes.
As far as annoyance, well, that depends on who you are. I am glad I ignore
all bouncebacks, so this is pretty much 0 annoyance to me.
> And the bouncebacks are not stopping.
Agree on that one.
Mark Ferguson
>
> In article
> <Pine.LNX.4.60.9.0...@zeno1.math.washington.edu>,
> Eduardo Chappa <cha...@math.washington.edu> wrote:
>
> > *** Richard Johnson (abcr...@whirlpool.river.com.edo) wrote in...:
> > :) received was because you sent mail to someone, or because a spammer
> > :) forged your address? If you send responses to usenet posts, send to
> > :) people who forward mail, or send to mailing lists, you generall
> > :) -cannot- know.
> >
> > Which is exactly a good reason why you should not answer the challenge.
> > Confirming good addresses to a spammer is similar to shooting yourself on
> > the foot.
>
> How is answering a challenge confirming a good address to a spammer?
> The spammer does not receive the response.
I have a question. I note the subject lime and ask, who cares what a
famous hacker does or does not do? Do the actions of others dictate
what we do?
I truly do not care what some hacker does to not get spam. Instead of
writing filters to help others he takes the easy way out and I am glad I
won't ever be sending him an email.
On another note:
I have had emails from others that did use challange and response.
These folks have emailed me and then challanged my email response to
them. I of course promptly ignored their challange and went on about my
day. They think that I never answered their email, that is their
problem and not mine.
> > :) Therefore, it behooves you to answer all challenges you receive. Only
> > :) by doing that can you have a chance of seeing your legitimate email go
> > :) through.
> >
> > I will sound presumptious, but in my opinion, I do not loose by the
> > receiver not receiving my message. I lost a couple of minutes, my
> > recipient lost my message. It's up to you to decide who lost more.
>
> I'm more interested in providing back-pressure against those who bother
> me with challenges based on forged mail. I lose time and bandwidth
> regardless because of such spam challenges, so I might as well push
> back.
>
> Richard
>
> --
> To reply via email, make sure you don't enter the whirlpool on river left.
>
> My mailbox. My property. My personal space. My rules. Deal with it.
> http://www.river.com/users/share/cluetrain/
--
Mark Ferguson
Eduardo Chappa
> In article
> <Pine.LNX.4.60.9....@zeno1.math.washington.edu>, Eduardo
> Chappa <cha...@math.washington.edu> wrote:
>
>> I never said a spammer does not spam a mailbox twice, I said that if
>> your address is used to spam people, the amount of C/R that you will
>> get will have minimal intersection (see the word marginal), then I said
>> in the unlikely case that this will happen use the C/R at your own
>> risk. See the difference? (most of you have concentrated on the first
>> sentence of my paragraph, which is quite unfair, are you guys
>> politicians? or are trying to understand my whole point? or just
>> rebating anything losing the context of the conversation?)
>
> Huh?
>
I guess you tried to understand my message without reading the one I was
referring to.
> - What will have "(a?) minimal intersection" with what?
among themselves, meaning not two C/R messages will come from the same
person. Again I refer you to my earlier message for a complete statement,
that's false as stated, but true in generic sense. We, mathematicians,
have a notion of "set of measure zero", which is ignored for practical
purposes, this is one case. Again read my earlier message for a complete
explanation.
> - No, I don't see the word "marginal." Where should it have been?
I quote: "but in general the error should be marginal with respect to the
real amount of spam that is not generated in the way described here."
> - What is the unlikely case? Is it related to that undefined
> intersection?
explained above.
> - Of course, you should do everything at your own risk, including
> use C/R systems. In other words, "caveat emptor."
We happen to agree here, but in this case the C/R system is being used by
the person who did not set it up, where you probably don't even know the
sender. My common sense tells me "don't use it".
> - This is netnews, and so I can't care much, but I'd settle for
> understand any of your point.
hopefully you will now.
> - What is the context you mean? It seems to be something about
> Challenge-Response systems and something spammers would do or refrain
> from doing, but I do not understand what.
I meant to say that the argument that I referred before (which you need to
read) was only about C/R systems. Somehow, some people made it look like
it was about spam in general, which was not.
> An individual or two appearing to misunderstand you can be a mere
> rhetorical ploy. When most people don't understand you, the fault is
> always entirely yours.
Huh? No it's not that, it's taking words out of context. Reread the
thread, you will see how it was done (hint: quote a part of the message,
remove the rest, reply to the part quoted as if it was never attached to
the part removed and make it look in the reply like something different
was said).
Since I don't know the people that followed that procedure I can not claim
inoccence of guilt in their intentions, but it strikes me as supicious,
like someone who can't win a debate so just makes a correct statement that
has nothing to do with the debate, but gets the feeling of winning because
the other person did not refute that point. I am claiming that
> I've read more at least two or three of your articles, but I still do
> not know whether you think C/R systems are good or bad, whether you
> think spammers will somehow exploit them, or whether you think spammers
> might exploit people who always or never answer C/R challenges.
Huh? This subthread started by me saying "stop using C/R systems, they are
bad!" (paraphrased). You will need to return to the top of this subthread.
> Try proofreading your articles. Avoid run-on sentences such as the
> first confusing mess in the quoted text. Ensure that every string
> ending with a period (.) or question mark (?) is a complete sentence
> with a subject and a verb. If you are not familiar with English, ask a
> native speaker to proofread your text.
It helps if you can point out sentences that I've said that fall in that
category. I do not see any.
By the way, would you be willing to proofread my messages? Somehow I feel
the answer is NO, and somehow I feel the answer I will get from everyone
in the world is NO, so I don't think this will happen.
> An address at math.washington.edu suggests a need to write intelligible
> English. Consider treating writing netnews as a valuable exercise.
> Formal math proofs often have odd symbols like upside down A's and
> backwards E's, but those strings of symbols are usually separated with
> simple declarative sentences. No one unable to write intelligible
> English can get a doctorate from a worthwhile U.S. college or
> university. A case can be made that no one who hopes to do serious math
> in the entire world, with the possible exception of France, can avoid
> being able read and write English.
Well I am more that happy to read my unintelligible english if you show me
why it was unintelligible and show me how to make it intelligible, but
since this thread is not about that, feel free to do it by e-mail.
Eduardo Chappa
> On 13 Jul 2004 Tim Smith (reply_i...@mouse-potato.com) wrote:
>>
>>> By responding to ALL challenges, you ensure that: (a) your mail gets
>>> through, (b) future spam forging your address doesn't result in
>>> another challenge, and (c) the person who has the C/R system has to
>>> deal with the spam.
>>
>> (d) your email address gets passed among spammers as one that is good
>> to forge, because it gets through C/R systems, and (e) people learn
>> that blocking on your email address reduces their spam.
>
> And if it is one of your spam-trap email addresses, that's OK. My new
> plan is to follow Vernon's advice only for challenges that come to my
> spam-trap addresses. Challenges that come to my real addresses, I
> ignore.
Nancy,
What about entering those people which sent you an "unsolicited" C/R
message into your "block messages from this person" list?, wouldn't that
work for you too?, if not, why not?
To me confirming an e-mail address to an unknown sender is similar to
returning a call from a person who left a message in your answering
machine telling you to call back, a person who never even used your name
to start with. That sounds like a telemarketer to me, and I do not return
calls from people I don't know either.
I would say, about C/R, either ignore them or block them, but don't answer
Eduardo Chappa
> Nancy McGough <nm-reverse-...@ii.deflexion.com> wrote in
> news:Pine.LNX.4.60.9.0...@zebes.dreamhost.com:
>
>> <http://spamarrest.com/>
>
> You *are* aware that you have just cited a spammer, are you not?
I am *very* interested to see the proof of this. Do you know where I can
find such proof? (my post is genuine, I do not mean to bother you, I'd
really like to see such proof).
Paul Vader
>among themselves, meaning not two C/R messages will come from the same
>person.
NOT TRUE. I've gotten more than a dozen from Dan Bernstein alone, wingnut.
>that's false as stated, but true in generic sense. We, mathematicians,
>have a notion of "set of measure zero", which is ignored for practical
We, usenet readers, have a notion of "bullshit". *
Eduardo Chappa
> Eduardo Chappa <cha...@math.washington.edu> writes:
>> among themselves, meaning not two C/R messages will come from the same
>> person.
>
> NOT TRUE. I've gotten more than a dozen from Dan Bernstein alone,
> wingnut.
Ok, I'm convinced that it's intentional. You failed to quote my whole
paragraph (just a sentence of it) just to make a point that I had already
made.
>> that's false as stated, but true in generic sense. We, mathematicians,
>> have a notion of "set of measure zero", which is ignored for practical
>
> We, usenet readers, have a notion of "bullshit". *
Oh, now you quote the rest of the paragraph and is so separated from the
other sentence that it doesn't even make sense (then someone will claim
that I write unintelligible English). Shameful. I think you need a new
thread.
Daniel W. Johnson
> I am *very* interested to see the proof of this. Do you know where I can
> find such proof? (my post is genuine, I do not mean to bother you, I'd
> really like to see such proof).
I don't know about "proof", but you might want to classify the following
as "evidence":
<http://groups.google.com/groups?threadm=v4ndhn5o0s641e%40corp.supernews
.com>
<http://groups.google.com/groups?threadm=slrnb4m6bl.4hk.you%40jazz.hq.ne
wdream.net>
--
Daniel W. Johnson
pano...@iquest.net
http://members.iquest.net/~panoptes/
039 53 36 N / 086 11 55 W
Nancy McGough
>>>
>>>> By responding to ALL challenges, you ensure that: (a) your mail gets
>>>> through, (b) future spam forging your address doesn't result in another
>>>> challenge, and (c) the person who has the C/R system has to deal with the
>>>> spam.
>>>
>>> (d) your email address gets passed among spammers as one that is good to
>>> forge, because it gets through C/R systems, and (e) people learn that
>>> blocking on your email address reduces their spam.
>>
>> And if it is one of your spam-trap email addresses, that's OK. My new plan
>> is to follow Vernon's advice only for challenges that come to my spam-trap
>> addresses. Challenges that come to my real addresses, I ignore.
>
> into your "block messages from this person" list?, wouldn't that work for you
> too?, if not, why not?
>
> To me confirming an e-mail address to an unknown sender is similar to
> returning a call from a person who left a message in your answering machine
> telling you to call back, a person who never even used your name to start
> with. That sounds like a telemarketer to me, and I do not return calls from
> people I don't know either.
That's why I said I'd do it only with challenges sent to my spam
trap addresses:
1) I want the spammers to spam those addresses (that's what they
are for!)
2) I do not mind making life difficult for (the non spamming)
people who are using (or selling) C/R systems that send
challenges to forged From: headers.
I hope this makes sense. I realize that I'm being a bit of an
anarchist here, but maybe it will help to get the C/R folks to
clean up their systems and quit sending challenges to forged
From: headers.
BTW, for challenges that come to my real addresses, those people
can wait and wait and maybe eventually they will read the "Email
Deflexion for Infinite Ink" web page.
Nancy
Infinite Ink
www.ii.com
Peter Peters
wrote:
>> It does not matter if there is a "purpose" for that header line. RFCs do not
>> require "purpose". The fact that you do not perceive a purpose does not mean
>> that nobody else perceives one.
>
>If there is no purpose, then why do it? The RFC text directly contradicts you
>on this - as "Received:" is defined in a section called "trace headers."
>Obviously, there is a purpose as described....
The purpose seems to be to increase the number of Received: headers to
reach anti-loop limits earlier.
--
Peter Peters, senior netwerkbeheerder
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE)
Universiteit Twente, Postbus 217, 7500 AE Enschede
telefoon: 053 - 489 2301, fax: 053 - 489 2383, http://www.utwente.nl/itbe
Vernon Schryver
*Vanguard* <lh_va...@mailblocks.com> wrote:
> With everything
>you do to keep your e-mail address out of the hands of spammers,
Excuse me, but what are those things that I do to keep my address out
of the hands of spammers?
> are you
>really going to answer every challenge message without any proof that it
>was indeed a challenge sent by a valid C-R user (who is not the spammer
>sending you the challenge) and that those operating the web site you
>visit to respond to the challenge aren't also the spammers?
The challenges from any given C-R system are substantially identical
and there are a bunch of them. That makes them bulk mail. I don't
want or ask for them, and that makes them unsolicited. Unsolicited
bulk mail is spam, and so as I have been saying since C-R systems were
first proposed, C-R users are spammers, whether not they send any other
unsolicited bulk email.
> For
>example, how do you know that a challenge that looks like it came from a
>BlueBottle C-R user really came from a BlueBottle C-R user?
I can't think of a reason to care. It's true that responding to a
mail message leaks information in theory, but that information about
me is so readily available that "leak" is misleading.
> And when
>you visit the web site where you respond the challenge, just exactly how
>to you know who is operating that web site?
My goals in dealing with C-R challenges are that same as my goals
in dealing with other unsolicited bulk mail:
- minimize the waste of my time, effort, bandwidth, etc.
- keep my incoming and outgoing mail as reliable as possible.
Thus, I generally do not respond to C-R challenges that require me to
visit web sites. I use a 20 year old MUA in a text X window that requires
that I cut and past from it to a browser to do any web site visiting.
>So you are proposing that C-R will never take off, always be relegated
>to just a few users, and be used in such low numbers that challenge
>e-mail will not be anything that e-mail users will not become accustomed
>to?
That is practically certain.
>crap that gets them. Just because your challenges are cryptic and hard
>to understand doesn't mean others cannot craft them to present a
>professional and legit looking challenge which is very understandable.
Challenges that I send? Given of my long and frequently (but perhaps
not frequently enough) stated view that C-R challenges are spam, are
you calling me a spammer?
>That was MY point. A policy of responding to EVERY challenge DOES have
>you blabbing to anyone who asks. Such a policy has you blabbing to any
>spammer that composes a challenge that they reached a valid and active
>e-mail account.
Getting a response is one of the least used and least useful tactics
for verifying spam target addresses. For example, anyone running an
SMTP server on a known domain name sees at least hundreds of dictionary
attacks per hour. Those attacks are checking the validity of target
addresses with SMTP Rcpt_To commands.
Vernon Schryver v...@rhyolite.com
Vernon Schryver
Eduardo Chappa <cha...@math.washington.edu> wrote:
> I guess you tried to understand my message without reading the one I was
>referring to.
I've tried to understand several of your messages. Like most people,
I have trouble remembering things that make no sense to me even when
I want to. I generally don't want to waste synapses remembering netnews.
Because this is netnews, you cannot assume that your readers will have
seen all of your messages. Propagaion vagaries ensure that at least
some of your readers will not have seen at least some of the preceding
articles when any given example reaches them. That is why people
familiar with usenet try to make each of their articles stand alone.
>> - What will have "(a?) minimal intersection" with what?
>
>among themselves, meaning not two C/R messages will come from the same
>person. Again I refer you to my earlier message for a complete statement,
>that's false as stated, but true in generic sense. We, mathematicians,
>have a notion of "set of measure zero", which is ignored for practical
>purposes, this is one case. Again read my earlier message for a complete
>explanation.
I have only a vauge notion what you mean.
Given the finite cardinality of all email that will have ever been
sent by all creatures in the universe from the big bang until all
protons have decayed, what sort of measure are you thinking about?
It's been decades since I studied measure theory as taught by the
real analysts, I seem to recall the need for at least countably
infinite sets to be able to talk about sets of zero (Lebesgue?)
measure. I think there are some games you could play with model
theory, such as those Cohen invented to prove the second half of
the independence of AC, but that sort of mathematical sophistication
doesn't seem relevant here.
Never mind that the claim that sets of zero measure are "ignored for
practical purposes" by mathematicians sets my hackles. All of the
sets that we can ever know are not only of measure zero, but countable.
Last winter I read and enjoyed Penelope Maddy's exploration of that
issue in her "Naturalism in Mathematics." I found the first half
plodding, but the second half is fun. I see the full text is online at
http://www.oxfordscholarship.com/oso/public/content/philosophy/0198250754/toc.html
>> - This is netnews, and so I can't care much, but I'd settle for
>> understand any of your point.
>
>hopefully you will now.
Sorry, but I've inferred only that you are a student in a math
department, probably recently acquainted with real analysis, and
probably in the applied side of the department.
>> - What is the context you mean? It seems to be something about
>> Challenge-Response systems and something spammers would do or refrain
>> from doing, but I do not understand what.
>
>I meant to say that the argument that I referred before (which you need to
>read) was only about C/R systems. Somehow, some people made it look like
>it was about spam in general, which was not.
Since this is netnews, I don't *need* to read anything.
>> An individual or two appearing to misunderstand you can be a mere
>> rhetorical ploy. When most people don't understand you, the fault is
>> always entirely yours.
>
>Huh? No it's not that, it's taking words out of context. Reread the
>thread, you will see how it was done (hint: quote a part of the message,
>remove the rest, reply to the part quoted as if it was never attached to
>the part removed and make it look in the reply like something different
>was said).
On the contrary, your articles have been mostly unintelligible. We
have all been grabbing phrases that seem to make some sense and ignoring
the rest. That's how humans read and listen. Things that don't make
sense are practically invisible. You really learn this as a computer
programmer; bug reports invariably omit vital facts that were meaningless
to the person reporting the bug.
Besides, this is netnews. By decades of tradition, you should only
quote and respond to points that you care about.
>> I've read more at least two or three of your articles, but I still do
>> not know whether you think C/R systems are good or bad, whether you
>> think spammers will somehow exploit them, or whether you think spammers
>> might exploit people who always or never answer C/R challenges.
>
>Huh? This subthread started by me saying "stop using C/R systems, they are
>bad!" (paraphrased). You will need to return to the top of this subthread.
Again, this is netnews so I don't *need* to do anything.
>> Try proofreading your articles. Avoid run-on sentences such as the
>> first confusing mess in the quoted text. Ensure that every string
>> ending with a period (.) or question mark (?) is a complete sentence
>> with a subject and a verb. If you are not familiar with English, ask a
>> native speaker to proofread your text.
>
>It helps if you can point out sentences that I've said that fall in that
>category. I do not see any.
You "need" to look your words that I quoted in my previous article.
The first string with its several commas and ending with the first
period was such a terrible long, convoluted, confusing mess that "run
on sentence" is a polite fiction.
>By the way, would you be willing to proofread my messages? Somehow I feel
>the answer is NO, and somehow I feel the answer I will get from everyone
>in the world is NO, so I don't think this will happen.
True, my answer is "no." If you have no friends who would answer "yes,"
then you should immediately stop worrying about netnews, C-R systems,
and even math, and fix that problem.
>Well I am more that happy to read my unintelligible english if you show me
>why it was unintelligible and show me how to make it intelligible, but
>since this thread is not about that, feel free to do it by e-mail.
That's a problem that only you can address.
In a sense, each of us is at most inversely as smart as we think we
are. People who think they are very smart never are. At best they
are academic equivalents of autistic musical prodigies, but usually
they are merely poseurs and four-flushers.
Vernon Schryver v...@rhyolite.com