On Thu, 2 Oct 2003, John Biggs wrote:

> I'm torn: I like Spamassassin and I like ASK (Active Spam Killer). Has
> anyone been able to filter spam through SpamAssassin first and then hit
> a CR system like ASK for extra protection?
Pet peeve time ... C/R systems employ what's called "cost shifting": they replace the burden on the recipient (deleting the spam) with a burden on the sender (answering the challenge). Because spam almost always has a forged sender, the cost is frequently shifted to an innocent third party.

Furthermore, C/R systems burden legitimate correspondents more than they burden spammers (the spammers either never see or plainly ignore the challenges), plus they double or triple the number of messages that are exchanged, adding to network overload.

Spammers generally don't care any more how many messages they send _don't_ get through; they only care how many _do_. They aren't using their own resources for the sending, most of the time. The spammer response to hitting a block is to try sending _more_ messages, in the hopes that they can manage to forge a sender address that will pass the whitelist. Meanwhile, the innocent parties whose addresses they forged are getting flooded with bogus challenges.

Even if they don't manage to get through the whitelist, if a spammer can find an autoresponder (or an accept-then-bounce queuing SMTP server) that includes the text of their spam in its reply, they can forge as the apparent sender the address of the intended recipient, and thus use the autoresponder as a reflector to bounce the spam to wherever they want.

Some C/R systems try to mitigate this (and the feedback loop problem when two C/R systems run into each other) by sending only one challenge per incoming address per X time period; but you can work out denial-of-service scenarios for every such "delayed challenge" system. E.g.: Suppose somebody forges my address on a message to you. Your C/R system sends me a challenge, to which I do not respond because I didn't send the forged message. Now I send you a real message, but your system neither challenges nor passes that because it hasn't heard back from me yet on the first challenge. Eventually the quarantine expires and it deletes both messages, and my legitimate message has been lost.

Occasionally when I rant like this, someone retorts, "If a confirmation challenge is OK when subscribing to a mailing list, why can't we treat all mailboxes as mailing lists?" It's because a mailing list represents a _group_ of recipients _and senders_ that a challenge at subscription time is OK -- it's confirming acceptance of the costs of receiving messages from everyone on the list (via the list), as well as confirming the validity of the subscription request. The same neither applies nor is scalable for single-recipient mailboxes.

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
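The "delayed challenge" failure mode described in the reply above can be checked against a small model of such a filter. The following is an added example, not code from the post, ASK or SpamAssassin: a toy C/R filter that sends at most one challenge per sender, silently holds any further mail from that sender while the challenge is outstanding, and discards the quarantine when it expires. The addresses, message bodies and the time-to-live of 5 ticks are constructed for the simulation; `Message`, `DelayedChallengeCR` and `run_scenario` are hypothetical names.

```python
from dataclasses import dataclass


@dataclass
class Message:
    """A constructed inbound message as the C/R filter sees it."""
    sender: str      # envelope/From address, which the filter cannot verify
    recipient: str
    body: str


class DelayedChallengeCR:
    """Toy 'delayed challenge' C/R filter (hypothetical, for evaluation only).

    - A whitelisted sender is delivered immediately.
    - The first message from an unknown sender triggers exactly one challenge
      and is quarantined.
    - Further messages from that sender while the challenge is outstanding are
      held without a new challenge.
    - When the quarantine reaches `ttl` ticks, everything held is dropped.
    """

    def __init__(self, ttl: int):
        self.ttl = ttl
        self.now = 0
        self.whitelist: set[str] = set()
        self.pending: dict[str, tuple[int, list[Message]]] = {}  # sender -> (t, queue)
        self.delivered: list[Message] = []
        self.dropped: list[Message] = []
        self.challenges_sent: list[str] = []   # who got a challenge (cost shifting)

    def receive(self, msg: Message) -> str:
        if msg.sender in self.whitelist:
            self.delivered.append(msg)
            return "delivered"
        if msg.sender not in self.pending:
            self.pending[msg.sender] = (self.now, [msg])
            self.challenges_sent.append(msg.sender)
            return "challenged"
        # Challenge already outstanding: hold silently, no second challenge.
        self.pending[msg.sender][1].append(msg)
        return "held"

    def confirm(self, sender: str) -> int:
        """Sender answered the challenge: whitelist them, release the queue."""
        if sender not in self.pending:
            return 0
        _, queued = self.pending.pop(sender)
        self.whitelist.add(sender)
        self.delivered.extend(queued)
        return len(queued)

    def tick(self, n: int = 1) -> None:
        """Advance time; expire quarantines that have reached ttl."""
        self.now += n
        for sender, (t, queued) in list(self.pending.items()):
            if self.now - t >= self.ttl:
                self.dropped.extend(queued)
                del self.pending[sender]


def run_scenario(alice_answers: bool = False) -> dict:
    """Replay the scenario from the post: a forged message using Alice's
    address arrives first, then Alice's own genuine message."""
    cr = DelayedChallengeCR(ttl=5)
    alice = "alice@example.net"          # constructed address
    forged = Message(alice, "bob@example.org", "spam payload")
    real = Message(alice, "bob@example.org", "real message from alice")

    out = {}
    out["forged"] = cr.receive(forged)   # challenge goes to Alice, who sent nothing
    cr.tick(2)
    out["real"] = cr.receive(real)       # held: challenge still outstanding
    if alice_answers:
        cr.tick(1)
        cr.confirm(alice)                # releases the whole queue, spam included
    cr.tick(5)                           # quarantine expires
    out["delivered"] = [m.body for m in cr.delivered]
    out["dropped"] = [m.body for m in cr.dropped]
    out["challenges"] = list(cr.challenges_sent)
    return out


if __name__ == "__main__":
    print("Alice ignores the challenge:", run_scenario())
    print("Alice answers the challenge:", run_scenario(alice_answers=True))
```

With `alice_answers=False` the genuine message is never challenged and is dropped together with the forgery, which is the mail-loss outcome the reply describes; the only challenge sent went to a third party who sent nothing. With `alice_answers=True` the forged message is delivered alongside the genuine one, showing that an innocent party answering a bogus challenge also whitelists the forged-sender traffic.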