richard lyons <[EMAIL PROTECTED]> said on Tue, 1 Jun 2004 12:36:59 -0400: > On Tuesday 01 June 2004 08:29, Tom Allison wrote: > [...] > > They are also a pain in the neck when you get a CR sent to a > > mailing list. > > > > But most importantly, and this is from personal experience here, > > they are not very useful. I played with a CR mechanism for a few > > months on my own mail server and found that I was severely defeated > > by one simple mechanism. The spammers would fire off their mail > > and auto-respond to my CR. That created an entirely automated > > system to whitelist their spam into my server. > > Wow, what nice spammers you meet: give you real addresses. Mine all > use fake sending addresses, so would never receive any challenge I > sent.
If challenge response ever becomes ubiquitous, then spammers will trivially be able to verify the responses without providing their own email address. They will simply do what the currently do - open up millions of backdoors on cracked computers, go through the address books to look for email addresses, then send using a From: of the current computer. An MTA running via the backdoor will pick up an CR attempts, respond to them, and voila, send spam to a verified email address. -- TimC -- http://astronomy.swin.edu.au/staff/tconnors/ "The thing I love most about deadlines is the wonderful WHOOSHing sound they make as they go past" - DNA -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
