waider ([personal profile] waider) wrote 2004-08-24 03:50 pm

I'll type slowly so you can understand.

  1. Email is flawed.
  2. You can trivially forge an email from dork@example.com and by and large you'll get away with it.
  3. Various things are being done in an attempt to combat this, but the problem exists, and we have to live with it for now.
  4. When a spammer forges mail in this way, anything that treats the origin address as authoritative will not in any way affect the spammer.
  5. This includes your stupid challenge/response system.
  6. Instead, you will annoy the owner of the forged domain.
  7. This person most likely already has their hands full dealing with genuine spam, to say nothing of bounce messages (which are an automatic part of the email system, and can not as such be dispensed with).
  8. You are adding to this person's daily intake of useless crap.
  9. As one of these people, I am rapidly approaching the point at which I will set up an automated filter to approve spam to your mailbox.
  10. This should be considered fair warning.
  11. CHALLENGE/RESPONSE SPAM PROTECTION IS A BURDEN ON OTHERS. STOP USING IT.
Thank you.

[personal profile] jwgh 2004-08-24 07:58 am (UTC)
What happens when one person using challenge/response emails another who's using challenge/response, do you know? I can think of a couple of broken things that could happen but I can't think of a good way to handle that situation off the top of my head.

[identity profile] waider.livejournal.com 2004-08-24 08:02 am (UTC)
Hopefully, they annihilate each other and stop bothering me.

[identity profile] mskala.livejournal.com 2004-08-24 08:09 am (UTC)
The way it's supposed to work is that when you send a message, you automatically whitelist the recipient. Then you get their challenge, respond to it, and they whitelist you, and any future mail between you and them is unimpeded.

However, because outgoing and incoming email are COMPLETELY SEPARATE (a fact I had a fun time explaining to the old-time BBSers), making that kind of thing actually work is, um, an interesting technical challenge. As far as I can tell, most challenge/response systems in actual use would fail if they encountered another instance of themselves.
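As an added illustration, not part of this thread or of any real challenge/response product, the following constructed Python simulation models the two failure modes discussed above: a challenge sent to a forged From address lands on the innocent domain owner rather than the spammer, and two C/R users mailing each other deadlock unless outgoing mail whitelists the recipient, as mskala describes. The addresses, class names and the 20-hop limit are assumptions made for the example.

```python
from collections import deque

class Network:                            # constructed toy mail network: routes (sender, to, kind)
    def __init__(self, *boxes):
        self.boxes = {b.address: b for b in boxes}
        self.queue = deque()
    def run(self, max_hops=20):
        for hops in range(max_hops):
            if not self.queue:            # queue drained: the exchange settled
                return hops
            sender, to, kind = self.queue.popleft()
            if to in self.boxes:          # mail to an unregistered address is dropped
                self.boxes[to].receive(self, sender, kind)
        return max_hops                   # never settled, e.g. challenges ping-ponging
class PlainMailbox:                       # ordinary recipient, e.g. the forged domain's owner
    def __init__(self, address):
        self.address, self.inbox = address, []
    def receive(self, net, sender, kind):
        self.inbox.append((sender, kind))
class CRMailbox(PlainMailbox):
    """Challenge/response filter: mail from unknown senders is held and the From is challenged."""
    def __init__(self, address, whitelist_on_send):
        super().__init__(address)
        self.whitelist_on_send, self.whitelist, self.held = whitelist_on_send, set(), {}
    def compose(self, net, to):
        if self.whitelist_on_send:        # the outgoing-mail whitelisting mskala describes
            self.whitelist.add(to)
        net.queue.append((self.address, to, "mail"))
    def receive(self, net, sender, kind):
        if kind == "response":            # reply to our challenge: trust sender, release held mail
            self.whitelist.add(sender)
            self.inbox.extend(self.held.pop(sender, []))
        elif sender in self.whitelist:
            self.inbox.append((sender, kind))
            if kind == "challenge":       # a human reads the challenge and answers it
                net.queue.append((self.address, sender, "response"))
        else:                             # unknown sender: hold the mail, challenge the claimed From
            self.held.setdefault(sender, []).append((sender, kind))
            net.queue.append((self.address, sender, "challenge"))
def forged_spam():
    """Spam with a forged From: the challenge lands on the forged domain's owner, not the spammer."""
    cr, victim = CRMailbox("cr@example.net", True), PlainMailbox("dork@example.com")
    net = Network(cr, victim)
    net.queue.append(("dork@example.com", cr.address, "spam"))   # forged sender; spammer unreachable
    net.run()
    return cr.inbox, victim.inbox
def mutual_cr(whitelist_on_send):
    """Two C/R users mail each other; without whitelist-on-send the challenges ping-pong forever."""
    a, b = CRMailbox("a@example.net", whitelist_on_send), CRMailbox("b@example.org", whitelist_on_send)
    net = Network(a, b)
    a.compose(net, b.address)
    return net.run(), b.inbox, a.inbox
```

With `whitelist_on_send=True` the exchange settles in three hops and the original mail is delivered; with it off, the two filters challenge each other's challenges until the hop limit and nothing is ever delivered.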