Interesting People mailing list archives

Yet another badly-broken challenge-response mail system


From: Dave Farber <dave () farber net>
Date: Fri, 01 Aug 2003 07:31:43 -0700


Date: Fri, 01 Aug 2003 08:02:00 -0400
From: Rich Kulawiec <rsk () gsp org>
Subject: Yet another badly-broken challenge-response mail system
To: Dave Farber <dave () farber net>


----- Forwarded message from Ted Dolotta <Ted () Dolotta ORG> -----

> Thank you for sending me your email with the subject "Re: [IP] An interesting
> perspective on the latest DARPA brouhaha". I really want to receive your email.
> In an effort to eliminate junk email, I am using MailFrontier Matador.
> Matador has placed your message on hold.
>
> Please click the link below so you will be added to my Allowed people list,
> I will receive your email, and we will be able to communicate freely going
> forward.
>
> <http://c.mailfrontier.net/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX>

This presumes that I am
        a) on a TCP/IP network
        b) not behind a firewall which blocks HTTP
        c) on a computer with a web browser
        d) willing to start up a web browser just to have my mail delivered
        e) using a web browser that works with their site -- any bets on
                a text-only cookie-rejecting Javascript-disabled browser?
        f) willing to verify for mailfrontier.net, a third party,
                that this is a known-working mail address
        g) not blocking mail from the third party (as opposed to
                the person I was sending mail to)
        h) willing to do this jump-through-the-hoop exercise (with
                individual variations, of course) every time I send
                mail to someone

I *probably* could subvert this by forging Dave's address or the
address from which IP is sent into the headers, but I'm not going
to do that.  Instead, I'm going to drop mailfrontier.net into the
local blocklist, permanently, so that I am no longer asked to
jump through hoops merely to send a mail message.

The irony of all this is that a simple, low-cost anti-spam system built
from open-source software and databases -- one which should already
be in place on all competently-operated mail servers -- is capable of
blocking upwards of 90% of spam with a false positive rate ranging from
tenths to hundredths of a percent AND simple mechanisms [which use
mail themselves] for those accidentally caught to report the problem
and get it fixed.  It works; it works efficiently; and it doesn't
require that senders/recipients use anything other than the mail
client that they are obviously already using.

But *this* system has a 100% false-positive rate, until corrections
are incrementally applied by correspondents.  It thus shifts the work
of achieving accurate results (low false positive and low false negative
rates) to everyone BUT the vendor who's presumably the one being paid to
perform the task of screening mail!  Even so, application of thousands
of corrections would still leave it with a 99.999% false positive rate --
which is ludicrous.

---Rsk
