Slash Boxes
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
More | Login | Reply
Loading... please wait.
  • Like you, I encounter these periodically and I don't like them either. The particularly annoying scenario I encountered recently was that someone sent me email. I replied to their question and was then expected to leap through hoops to shepherd my reply through their challenge response system.

    • by inkdroid (3294) on 2003.05.14 6:59 (#20095) Homepage Journal

      That's a poorly designed C/R system. The C/R systems that I've seen (and liked somewhat) will automatically whitelist an email address when an email is *sent* to that address. This means that people within an organization can send an email to whoever they want, and when that person responds it will go straight through.

      If email lists sent from the same address that you sign up at, then C/R systems that use the whitelisting technique above would have no problems receiving emails sent from legit email lists. The problem is that the list software I'm familiar with (listserv, ezmlm) have you sign up at different addresses than the list which email is sent from. I imagine this could be adjusted somehow though. If C/R systems were to catch on.

      I must be different because the first time I got a challenge from a C/R system I was intruiged and thought it was rather interesting. Presumably the challenge could also contain some question that it would be hard for spammers to automate an answer to. Perhaps if I understood more why people disliked the systems then I would understand more. As with implementations of SMTP, there are applications that do a sloppy job, and some that do a better job. The same will certainly be true for C/R systems as well.

      Matt, just to play devil's advocate here: are you against C/R systems because (if widely adopted) they would make spam filtering no longer a viable business niche? Heresy!

      • by Matts (1087) on 2003.05.14 9:22 (#20108) Journal

        No, I'm against them because spammers lie. They forge the reply address to someone innocent. That means that the amount of spam I receive is going to double (as I count C/R requests as spam).

        I have a good mind to respond to C/R's that are the result of a joe-job against my domains just to prove this point.

        Mostly though I'm against them because I consider it impolite. A C/R anti-spam system is a cost shifting exercise. It shifts the recipients cost of spam to everyone who sends him email. That cost *should* be pushed to the spammers, not to legitimate users.

        I have a list of other problems, but it's a few pages ;-)
        • Just to take my devil's advocacy a bit further &evilgrin; When a spammer lies, using another persons email address as the From, then the content of their original email would not be delivered, thus reducing the incentive to send it in the first place. The few C/R systems I've interacted with did not include the content of the email I sent as part of the challenge.

          Sure, someone else would get the "challenge"...But if that person was also using a C/R system then they would never need to know...would the

          • by vsergu (505) on 2003.05.14 10:05 (#20112) Journal
            The idea is for the spammer to use 'From' addresses taken from the same group the 'To' addresses came from (for example, they appeared on a web page together). Then there's a chance the addresses have been whitelisted previously and the spam will get through.

            And everyone not using C/R gets bombarded with ever-increasing numbers of challenges.

            C/R is a poorly thought-out attempt at solving the spam problem. It needs to be stopped before it makes the situation worse.
            • Oh, I hadn't thought of that. Duh. I guess one solution to that problem would be to only position C/R systems in between the Internet and an organizations Intranet: so internal emails would never go through it, and email posing as internal email with common username would be rejected. But you are right, this gets way to complicated way too fast, and if widely adopted would result in way too much complexity.
              • When I said the same group, I didn't necessarily mean the same domain. I'm not really talking about people in the same organization, just people who seem to be associated in some way and thus might be on each other's whitelists. Such people may show up on a web page together, for example.
            • You know what'd be an interesting twist - if you look at all the headers and MD5 checksum a concatonation of the server routes, from origin to destination and when you add the e-mail to a whitelist, you also associate it with the MD5 checksum of the traffic route. Any spammer forging the 'From' address won't be able to reproduce the route.

          • So in order for C/R to work everyone has to implement it?
    • This is exactly why I don't like them either. As the other person said, if there was an automatic whitelisting of the e-mail that the person sent TO expecting a reply FROM that would then bypass the C/R I'd be okay with it.

      As it is, it tends to get in the way of communication, which is ostensibly what the internet is all about. The more difficult we make communication, the less of it is likely to happen. Basic principle of quantum laziness. :)
    • I have yet to reply to one, though so far the only ones I remember encountering have been when some moron has subscribed to a mailing list but neglected to whitelist it and then every time anyone posts they get the challenge (at least it hasn't gone to the list address). I really wish they could be nipped in the bud, but I fear the plague will spread.

      As far as I'm concerned, anyone who wants to offload their spam problem onto me isn't worth writing to. Handle your spam yourself, and don't bother your cor