Posted to users@spamassassin.apache.org by "David F. Skoll" <df...@roaringpenguin.com> on 2010/12/01 22:17:40 UTC

Misguided energy (was Re: Do we need a new SMTP protocol? (OT))

On Wed, 1 Dec 2010 16:02:03 -0500
Michael Grant <mg...@grant.org> wrote:

> The main problem with this approach is how does
> someone send you mail if they're not on your contact list?  I don't
> have any magic answers how to solve that beyond what's already out
> there as in return messages with captchas in them or things like Blue
> Bottle seem to be quite effective.

Challenge-Response systems are evil.  I never reply to challenges and I
typically blacklist systems that send them.

There's a fundamental economic principle at play: If you make it harder
for spammers to send spam, then you make it less convenient to send email
to someone you've never written to before.  There is simply no way around
that.

Rather than destroying email (its killer feature is *precisely* the
ability to dash off a note to someone new) by making it harder to send
spam, viable anti-spam solutions make it less likely that spam will be
received.  Yes, this is costly and annoying, but it's the price we pay
for the convenience of email.

Regards,

David.

Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))

Posted by RW <rw...@googlemail.com>.
On Sat, 4 Dec 2010 16:08:36 +0000
RW <rw...@googlemail.com> wrote:

> On Sat, 04 Dec 2010 12:44:37 +0100
> Bernd Petrovitsch <be...@petrovitsch.priv.at> wrote:
> 
> 
> > C/R is only a means to move your own effort over to others.
> > 
> > The really "interesting" case is if both sides choose to require C/R
> > to get the first mail delivered.
> > Which should be a clear sign to everyone that C/R is basically a bad
> > idea.
> 
> That's only a problem in very naive C/R systems. It can be solved by
> using a time-limited disposable address in the envelope "mail from".
> The recipient's challenge goes to the disposable address which
> bypasses the senders own C/R system. Some mailservers already do this
> because it eliminates almost all backscatter while allowing remotely
> generated legitimate DSNs to pass. 
> 
> Infuriating advocates of C/R pretty much have an answer for

that should be "Infuriatingly"

> everything. If a benign dictator imposed a well thought-out scheme on
> everyone, it would probably work very well.
> 
> At the moment though spam isn't that much of a problem, and C/R is
> more trouble than it's worth.

Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))

Posted by jdow <jd...@earthlink.net>.
Sorry bubbie, send me a challenge and you go into the evil list, which
tends to be a permanent /dev/null redirect. This is iron clad on a
mailing list. Direct I may or may not consign. C/R is plain evil as I
have encountered it in the past. On mailing lists it's beyond evil as
it generates challenges from every message sent to the list as the
list server never responds to the challenges.

I'm rather inflexible on Challenge/(lack of) Response because of my
experience on the wrong end of it.

{','}   C/R sucks dead bunnies through garden hoses.
----- Original Message ----- 
From: "RW" <rw...@googlemail.com>
Sent: Saturday, 2010/December/04 08:08


> On Sat, 04 Dec 2010 12:44:37 +0100
> Bernd Petrovitsch <be...@petrovitsch.priv.at> wrote:
> 
> 
>> C/R is only a means to move your own effort over to others.
>> 
>> The really "interesting" case is if both sides choose to require C/R
>> to get the first mail delivered.
>> Which should be a clear sign to everyone that C/R is basically a bad
>> idea.
> 
> That's only a problem in very naive C/R systems. It can be solved by
> using a time-limited disposable address in the envelope "mail from".
> The recipient's challenge goes to the disposable address which bypasses
> the senders own C/R system. Some mailservers already do this because it
> eliminates almost all backscatter while allowing remotely generated
> legitimate DSNs to pass. 
> 
> Infuriating advocates of C/R pretty much have an answer for everything.
> If a benign dictator imposed a well thought-out scheme on everyone, it
> would probably work very well.
> 
> At the moment though spam isn't that much of a problem, and C/R is more
> trouble than it's worth.

Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))

Posted by RW <rw...@googlemail.com>.
On Sat, 04 Dec 2010 12:44:37 +0100
Bernd Petrovitsch <be...@petrovitsch.priv.at> wrote:


> C/R is only a means to move your own effort over to others.
> 
> The really "interesting" case is if both sides choose to require C/R
> to get the first mail delivered.
> Which should be a clear sign to everyone that C/R is basically a bad
> idea.

That's only a problem in very naive C/R systems. It can be solved by
using a time-limited disposable address in the envelope "mail from".
The recipient's challenge goes to the disposable address which bypasses
the senders own C/R system. Some mailservers already do this because it
eliminates almost all backscatter while allowing remotely generated
legitimate DSNs to pass. 

Infuriating advocates of C/R pretty much have an answer for everything.
If a benign dictator imposed a well thought-out scheme on everyone, it
would probably work very well.

At the moment though spam isn't that much of a problem, and C/R is more
trouble than it's worth.
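The time-limited disposable envelope sender RW describes, sketched here as an added example that is not code from the thread nor from any of the mailservers RW mentions. The tag format, the seven-day validity window, the signing key and the contact-list policy are this example's own assumptions; the mechanism is similar in spirit to BATV-style signed bounce addresses but does not implement that specification:

```python
import hmac
import hashlib
import re
import time
from typing import Optional, Tuple

# Constructed secret for this example only; a real MTA would load it from
# protected configuration and rotate it (tags are only as strong as this key).
SECRET = b"example-signing-key-rotate-me"
VALID_DAYS = 7                      # assumed lifetime of a disposable sender
_DAY = 86400


def _today() -> int:
    return int(time.time()) // _DAY


def _mac(expiry: int, address: str, key: bytes) -> str:
    # Bind the tag to both the expiry day and the real address, so a third
    # party can neither extend the window nor re-point a tag at another user.
    msg = f"{expiry}:{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def sign_sender(local: str, domain: str, day: Optional[int] = None,
                key: bytes = SECRET) -> str:
    """Build the envelope MAIL FROM for an outgoing message.

    Format (this example's own):  btv=<expiry-day>.<mac>=<local>@<domain>
    Only the envelope is rewritten; the visible From: header keeps the plain
    address, so human replies still reach the normal mailbox.
    """
    expiry = (_today() if day is None else day) + VALID_DAYS
    address = f"{local}@{domain}"
    return f"btv={expiry}.{_mac(expiry, address, key)}={address}"


_TAG_RE = re.compile(r"^btv=(\d+)\.([0-9a-f]{12})=(.+@[^@]+)$")


def verify_recipient(rcpt: str, today: Optional[int] = None,
                     key: bytes = SECRET) -> Tuple[str, Optional[str]]:
    """Classify an inbound RCPT TO.  Returns (decision, original_address)
    where decision is one of: ok, expired, bad-mac, no-tag."""
    m = _TAG_RE.match(rcpt)
    if not m:
        return "no-tag", None
    expiry, mac, address = int(m.group(1)), m.group(2), m.group(3)
    if (_today() if today is None else today) > expiry:
        return "expired", address
    if not hmac.compare_digest(mac, _mac(expiry, address, key)):
        return "bad-mac", address
    return "ok", address


def inbound_policy(mail_from: str, rcpt_to: str, contacts,
                   today: Optional[int] = None) -> Tuple[str, str]:
    """Envelope-time decision for a C/R site using signed disposable senders.

    A valid tag proves the message answers something we really sent (a DSN,
    or a remote site's C/R challenge), so it bypasses our own C/R entirely.
    A null-sender DSN to an untagged address was never solicited by us and is
    backscatter from forged-sender spam.  Anything else gets the ordinary
    contact-list check, and unknown senders are challenged.
    """
    decision, original = verify_recipient(rcpt_to, today)
    if decision == "ok":
        return "accept", original
    if mail_from == "":                          # null reverse path, i.e. a DSN
        return "reject", rcpt_to
    if mail_from.lower() in contacts:
        return "accept", rcpt_to
    return "challenge", rcpt_to


if __name__ == "__main__":
    day = 19000                                  # fixed day so the demo is reproducible
    outgoing = sign_sender("alice", "example.org", day=day)
    print("MAIL FROM:", outgoing)
    # The remote site's challenge (or a genuine DSN) comes back to the tagged address.
    print(inbound_policy("challenge@remote.example", outgoing, set(), today=day))
    # Forged-sender spam bounced by a third party arrives at the plain address.
    print(inbound_policy("", "alice@example.org", set(), today=day))
    # The same tag eight days later has expired, so a late DSN is refused as well.
    print(inbound_policy("", outgoing, set(), today=day + VALID_DAYS + 1))
```

The check happens at RCPT TO time, before any data is accepted, so rejected backscatter never costs a DATA phase or generates a further bounce. The two-sided deadlock Bernd describes disappears because each side's challenge is addressed to the other side's tagged sender, which that side accepts without consulting its own contact list.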

Re: Misguided energy (was Re: Do we need a new SMTP protocol? (OT))

Posted by Bernd Petrovitsch <be...@petrovitsch.priv.at>.
On Wed, 2010-12-01 at 16:17 -0500, David F. Skoll wrote:
> On Wed, 1 Dec 2010 16:02:03 -0500
> Michael Grant <mg...@grant.org> wrote:
> 
> > The main problem with this approach is how does
> > someone send you mail if they're not on your contact list?  I don't
> > have any magic answers how to solve that beyond what's already out
> > there as in return messages with captchas in them or things like Blue

Some people (including me) do not like to be Turing-tested. And if you
Turing-test me, why shouldn't I require the same in the other direction
before?
Apart from the obvious misuses of captchas.

> > Bottle seem to be quite effective.
> 
> Challenge-Response systems are evil.  I never reply to challenges and I
> typically blacklist systems that send them.

C/R is only a means to move your own effort over to others.

The really "interesting" case is if both sides choose to require C/R to
get the first mail delivered.
Which should be a clear sign to everyone that C/R is basically a bad
idea.

> There's a fundamental economic principle at play: If you make it harder
> for spammers to send spam, then you make it less convenient to send email
> to someone you've never written to before.  There is simply no way around
> that.

Even worse, the professional spammers adapt faster to such new stuff
than the average admin or user.

[...]

Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
                     LUGA : http://www.luga.at


Re: Misguided energy

Posted by John Wilcock <jo...@tradoc.fr>.
On 02/12/2010 01:02, Karsten Bräckelmann wrote:
> Personally, I have *never* received a legit C/R. Every single one that
> ended up on my machines has been in response to spam sent with a forged
> sender address.

I wish I could say the same - at work we have at least a dozen clients 
who use challenge/response, and when it's for business you can't just 
ignore the challenges, let alone blacklist your clients.

Mailinblack in particular seem to have been quite successful in selling 
their C/R system to companies here in France... who seem to have totally 
overlooked the very real business risk of other anti-spam systems 
classifying their challenges as spam.

John.

-- 
-- Over 4000 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr

Re: Misguided energy

Posted by Michael Scheidell <mi...@secnap.com>.
On 12/1/10 10:37 PM, Karsten Bräckelmann wrote:
> On Wed, 2010-12-01 at 20:38 -0500, Michael Scheidell wrote:
>> On 12/1/10 7:02 PM, Karsten Bräckelmann wrote:
>>> Personally, I have *never* received a legit C/R. Every single one that
>>> ended up on my machines has been in response to spam sent with a forged
>>> sender address.
>> I had a legit one.
>>
>> I was stupid enough to answer a question on this list directly to a poster.
>>
>> Guess what? I got a CR.
> I would have appreciated to know about that. In particular, considering
> what this list is about. If not publicly shaming, lest so I won't
> contribute to such behavior by answering.
>
@putercom.com



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  

Re: Misguided energy

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-12-01 at 20:38 -0500, Michael Scheidell wrote:
> On 12/1/10 7:02 PM, Karsten Bräckelmann wrote:
> > Personally, I have *never* received a legit C/R. Every single one that
> > ended up on my machines has been in response to spam sent with a forged
> > sender address.
> 
> I had a legit one.
> 
> I was stupid enough to answer a question on this list directly to a poster.
> 
> Guess what? I got a CR.

I would have appreciated to know about that. In particular, considering
what this list is about. If not publicly shaming, lest so I won't
contribute to such behavior by answering.

> Guess what? luser got blacklisted.

Guess what? I can sympathize with that...


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: Misguided energy

Posted by Michael Scheidell <mi...@secnap.com>.
On 12/1/10 7:02 PM, Karsten Bräckelmann wrote:
> Personally, I have *never* received a legit C/R. Every single one that
> ended up on my machines has been in response to spam sent with a forged
> sender address.
>
I had a legit one.

I was stupid enough to answer a question on this list directly to a poster.

Guess what? I got a CR.
Guess what? luser got blacklisted.


Re: Misguided energy

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2010-12-01 at 16:17 -0500, David F. Skoll wrote:
> Challenge-Response systems are evil.  I never reply to challenges and I
> typically blacklist systems that send them.

Personally, I have *never* received a legit C/R. Every single one that
ended up on my machines has been in response to spam sent with a forged
sender address.

Hardly distinguishable from backscatter. And in fact, all samples I have
date back to times when certain addresses received quite a lot of that
blow-back spam.


> There's a fundamental economic principle at play: If you make it harder
> for spammers to send spam, then you make it less convenient to send email
> to someone you've never written to before.  There is simply no way around
> that.
> 
> Rather than destroying email (its killer feature is *precisely* the
> ability to dash off a note to someone new) by making it harder to send
> spam, viable anti-spam solutions make it less likely that spam will be
> received.  Yes, this is costly and annoying, but it's the price we pay
> for the convenience of email.

Very true, David. Spam filtering helps. Which, coincidentally, probably
is what we all are here for. ;)

Both, backscatter as well as C/R as a specific form of backscatter [1]
are evil. I have refused to answer questions on this very list before,
when it became obvious the OP uses or considers C/R -- unless he thought
about that a second time. I will continue to do so.


[1] Its stated purpose is to reduce spam, by sending out a challenge to
    legit first-time senders -- as well as forged addresses, mind you!
    That is *deliberately* spamming [2] innocent bystanders.

[2] I don't use that term lightly. Anyone who has sufficient knowledge
    of the problem to create such a beast also knows about address
    forgery. He knows he turns the recipient's problem into a
    bystander's problem.
