[ILUG] spam: requiring signed email

Paul Jakma paul at clubi.ie
Mon Feb 9 14:17:45 GMT 2004


On Mon, 9 Feb 2004, kevin lyda wrote:

> wait, you want all these changes to hundreds of mua's to support
> this method and you won't take 5 minutes to visit the quagga
> mailing list admin page to tell people what addresses the mailing
> list sends mail from?

It's bleeding obvious where it comes from to anyone who visits the
smegging subscription page. The list address is shown there, it 
should be bloody obvious what string is needed for people's 
whitelists, at worst they can whitelist the hostname and fine tune 
once they receive list email.

Further, not all list software has a web frontend, you interact with
the list manager software via email (indeed, as you can with mailman
too - I can easily disable the web frontend, you can still interact
with it via email), how would you suggest I advertise the address for
the person to whitelist in such a case?

If people will deploy seriously furked Challenge/Response systems I'm 
not going to go out of my way for those people.

And my problem with the challenge i received to a list-owner address,
which I had forwarded to you (hence why you brought up C/R in your reply
to me), was the *format* of the challenge - a URL leading to a web
page with a *picture* of some text which had to be entered.[3]

That kind of *crap*, if it (god forbid), became commonplace would be 
a _huge_ impediment to use of email by the visually impaired.[2] 

Never mind the fact that I am _not_ prepared to click on URLs to have
my mail to someone go through. Further, imagine if the general
userbase out there were, by way of URL using Challenges, conditioned
to go click on URLs in received emails? They already do anyway, but
then trying to explain to them "don't click on stuff in emails unless
you're 100% sure what it is" becomes a lot more complicated.[1]

And NO I'm not going to mollycoddle people who install such _stupid_
systems. Even more so when mail to postmaster@ that domain, regarding
the absurdity of their system, also bounces - at which stage I go to
rfc-ignorant.org and submit them for listing.

C/R is a bad idea[5]. It works for you now because very few sites use
it. But it's _dumb_, it won't work in the long-run - the spammers
_would_ adapt - and worst of all, if it were to catch on, it will
result in many deployments using http URLs and/or "transcribe the
text from this picture" in their challenges.[4]

The surprising thing about all this is that you're normally an
intelligent bloke.

> i find it amusing how many "spam solutions" are advocated by people
> with the caveat that "small" changes need to be made - but they're
> unwilling to make any changes themselves for other people's spam
> solutions.

LOL. The premise behind C/R is that I _shouldn't_ have to make any
operational changes.

The subscriber should have been able to whitelist the list host. The
failing is either with their (already known to be a particularly
stupid) C/R system for not allowing easy whitelisting, or with
whoever installed it for not educating their userbase as to how to 
whitelist and when they should do so.

Wrt anti-spam efforts, I, for a while, spent a not insignificant
amount of money supporting a reasonably widely-used anti-spam
blacklist, until it was DoSed out of existence.

And yeah, you were probably yanking my chain, I know.

> kevin

1. never mind, for now, that email access need not imply web access

2. never mind, for now, that I may not be able to view images, even if I
were not visually impaired.

3. never mind, for now, that the C/R system concerned should /not/
have replied to a machine generated email.

4. never mind, for now, the huge Joe-Job DoS liability reasonably
widely deployed C/R potentially implies. (I've already received one
or two challenges to virus mail I never sent).

5. The dated addresses of TMDA are very nifty though.

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam at dishone.st
Fortune:
You will remember something that you should not have forgotten.


