Dennis Kavadas wrote:
why?
On 5/31/07, John Rudd <[EMAIL PROTECTED]> wrote:
Per Jessen wrote:
> Dennis Kavadas wrote:
>
>> guys, even though we use SA for tagging... the real short to long term
>> solution is TMDA
>
> I remember one of my friends saying just that - about 5 years ago. It
> might be fine for personal email, but it's not very useful in a
> business context. Too much end-user education required.
That, and TMDA is a blight upon the internet. It is at best misguided,
and at worst irresponsible, to use challenge-response email systems.
(this really ought to be an FAQ somewhere)
Misguided:
As was stated elsewhere, you're moving the burden of your anti-spam
decision to another person's resources (not just their system resources,
but their actual personal time). Further, this burden will ONLY be
placed upon legitimate senders, as spambots won't see the challenge and
direct-spammers will either ignore it or catalog it. So, it's
essentially a tax upon legitimate senders. That's stupid (and there
aren't many things I outright call stupid).
Irresponsible:
Challenge-Response anti-spam email systems are a perfect vector for
implementing a joe-job style denial of service. Consider that if
challenge-response/TMDA systems become widespread, say one million
users. Now let's say a spam goes out that claims to be from
[EMAIL PROTECTED], and domain.tld doesn't have anything in place like SPF,
DK, or DKIM (or if they have SPF, it's done in a way that's
exploitable and thus useless but keeps them from being blocked for not
having an SPF record).
So, now [EMAIL PROTECTED] is about to get a flood of a million challenge
messages. Probably within a few seconds. Even if these don't reach his
own account because of his own challenge-response system, they WILL hit
his mail server. One million extra email messages (above and beyond
usual production email rate) in a few seconds is nothing to dismiss.
Most email services would be overwhelmed by that. And the potential
flood is even higher if more people adopt the technology.
And, remember what I said above about spammers might catalog those
challenge-response messages? There's a growing overlap between spam
senders and organized crime. The very people who might use their botnet
to send spam might turn around and use it to leverage a list of known
challenge-response users to get them to be the source of a distributed
denial of service attack.
Challenge-response systems are just ripe for abuse by 3rd parties.
Using them is allowing you and your resources to be ripe for abuse, and
is therefore irresponsible.
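The backscatter risk John describes (a million challenges aimed at a forged sender) comes from a challenge-response system replying to every unknown sender. The following is an added example, not code from the thread or from TMDA: a decision function for a hypothetical C/R mailer that sends a challenge only when the sending IP actually passes the sender domain's SPF record, and that treats a permissive `+all` record as giving no assurance at all (the "exploitable" SPF case mentioned above). The minimal SPF evaluator handles only `ip4` mechanisms and `all`; the domains, records and IPs are constructed sample data, and the names `evaluate_spf` and `should_challenge` are this example's own.

```python
"""Added example (not from the thread): a challenge-response (C/R) mailer
that refuses to challenge when the sender cannot be verified.

A C/R system that challenges every unknown sender turns a joe-job (spam with
a forged sender address) into a backscatter flood against the forged address.
Mitigation shown here: only challenge when the sending IP is authorised by the
sender domain's SPF record, and treat a '+all' record as unverified, because
it authorises the whole internet.

Only 'ip4' mechanisms and 'all' are handled. SPF records and IPs below are
constructed sample data standing in for DNS TXT lookups.
"""
import ipaddress

# Constructed sample SPF records (stand-ins for DNS TXT lookups).
SAMPLE_SPF = {
    "strict.example":     "v=spf1 ip4:192.0.2.0/24 -all",
    "soft.example":       "v=spf1 ip4:198.51.100.10 ~all",
    "permissive.example": "v=spf1 +all",
    "neutral.example":    "v=spf1 ip4:203.0.113.5 ?all",
    # "nospf.example" deliberately has no record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Minimal SPF check: 'pass', 'fail', 'softfail', 'neutral' or 'none'.

    Mechanisms are evaluated left to right; the first match wins. If no
    mechanism matches, the result is 'neutral' (as in RFC 7208).
    """
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"                      # an unqualified mechanism means '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qual]
        if term.lower().startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip in net:
                return QUALIFIERS[qual]
    return "neutral"


def should_challenge(domain, sender_ip, spf_lookup=SAMPLE_SPF.get):
    """Decide whether a C/R system may send a challenge to sender@domain.

    Returns (challenge, reason). A challenge is sent only on an SPF 'pass'
    from a record that actually constrains senders: a 'pass' produced by
    '+all' (or bare 'all') proves nothing about who sent the message, so the
    challenge would still be backscatter. Anything else is dropped silently.
    """
    record = spf_lookup(domain)
    result = evaluate_spf(record, sender_ip)
    if result != "pass":
        return False, f"spf={result}: sender unverified, no challenge sent"
    if any(t.lower() in ("+all", "all") for t in record.split()[1:]):
        return False, "spf=pass via +all: record is unconstrained, treated as unverified"
    return True, "spf=pass from a constraining record: challenge unlikely to be backscatter"


if __name__ == "__main__":
    cases = [
        ("strict.example", "192.0.2.7"),        # authorised host -> challenge
        ("strict.example", "203.0.113.9"),      # forged sender -> dropped
        ("permissive.example", "203.0.113.9"),  # +all -> dropped
        ("nospf.example", "203.0.113.9"),       # no SPF -> dropped
    ]
    for domain, ip in cases:
        ok, why = should_challenge(domain, ip)
        print(f"{domain:20} from {ip:13} -> challenge={ok} ({why})")
```

The design choice worth noting is that the decision is asymmetric: failing to challenge a legitimate sender costs one delayed message, whereas challenging a forged sender contributes to exactly the flood the post describes, so every uncertain case is resolved by not sending the challenge.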