> From: loos [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 18, 2005 8:25 PM

<...>

> Unfortunately, most of their clients are very happy with this
> system: It is very effective for SPAM protection.
>
> In fact for non-list mail it is really a good idea: all your
> correspondents have to respond to the challenge one and only one time,
> all subsequent mail is unchallenged.

C/R systems are fundamentally broken as spam protection for the following simple reason: virtually all spam uses a forged return-path. The challenge message you send to a purported sender is itself spam, as that party never sent you a message and your challenge is unsolicited. In the absence of a means of return-path authentication, sending challenges to forged addresses is no different from anti-virus systems that send "virus notifications" to people who never sent them mail.

This type of email abuse is collectively referred to as backscatter. SpamCop, for instance, treats backscatter exactly the same as spam and will list abusers for it. I completely agree with them. Many mail system maintainers feel the same way and will put MTA's that emit backscatter on local blacklists.

While it might appear to the users of the C/R system that it is good because it reduces their spam load, they are probably unaware that their backscatter is part of the growing spam problem. All they're doing is shifting the burden to innocent third parties, and that kind of abuse deserves getting your MTA's blacklisted.

While it's unreasonable to expect the average user to understand this, the ISP _certainly_ should understand this since they have to deal with everyone else's backscatter. They know _exactly_ how much it costs the recipients and they don't care because it is helping them. Knowingly abusing third parties in order to reduce your own costs is clearly abuse, and they deserve whatever each receiving system operator dishes out to them.

> You just can't use this account for list subscriptions.

And you shouldn't turn on C/R at all, unless you don't care if you abuse innocent third parties whose addresses spammers decide to forge.

> Besides that they are one of the largest and most popular ISP here.

And that makes a difference because ... ? Microsoft is very popular, yet they produce mostly crap. Popularity does not make something reasonable.

I think it might help get the problem solved if more large organizations just put a block on their whole ASN. If that doesn't get their attention, then I don't want their mail anyway. Losing a large part of their email connectivity might be the event necessary to encourage a competitor with more clue to come along and eat their lunch. That's a win-win situation for former UOL users as well as former victims of UOL abuse. Of course, UOL gets a well-deserved loss.

This is one kind of problem that competition is very good at solving. In the absence of competition, the users are stuck. That's why it's actually in your long-term interest for as many services as possible to ban UOL's mail. Though it is painful in the short run, if you attract more than one competitor, you may even get lower prices out of the deal. But the main thing is that you won't be part of the spam problem, and people will gladly accept your mail.

--
Seth Goodman