RE: [Asrg] C/R - What people say

Yakov Shafranovich <> Fri, 16 May 2003 00:00 UTC

Received: from ( [] (may be forged)) by (8.9.1a/8.9.1a) with ESMTP id UAA27903 for <>; Thu, 15 May 2003 20:00:18 -0400 (EDT)
Received: (from mailnull@localhost) by (8.11.6/8.11.6) id h4FNRXR12168 for; Thu, 15 May 2003 19:27:33 -0400
Received: from ( []) by (8.11.6/8.11.6) with ESMTP id h4FNRXB12165 for <>; Thu, 15 May 2003 19:27:33 -0400
Received: from ietf-mx ( []) by (8.9.1a/8.9.1a) with ESMTP id TAA27882; Thu, 15 May 2003 19:59:48 -0400 (EDT)
Received: from ietf-mx ([]) by ietf-mx with esmtp (Exim 4.12) id 19GSfO-00034B-00; Thu, 15 May 2003 20:01:42 -0400
Received: from ([] by ietf-mx with esmtp (Exim 4.12) id 19GSfO-000345-00; Thu, 15 May 2003 20:01:42 -0400
Received: from (localhost.localdomain []) by (8.11.6/8.11.6) with ESMTP id h4FNGWB11832; Thu, 15 May 2003 19:16:32 -0400
Received: from ( []) by (8.11.6/8.11.6) with ESMTP id h4FNFIB11810 for <>; Thu, 15 May 2003 19:15:18 -0400
Received: from ietf-mx ( []) by (8.9.1a/8.9.1a) with ESMTP id TAA27681 for <>; Thu, 15 May 2003 19:47:33 -0400 (EDT)
Received: from ietf-mx ([]) by ietf-mx with esmtp (Exim 4.12) id 19GSTY-00031j-00 for; Thu, 15 May 2003 19:49:28 -0400
Received: from ([] helo= by ietf-mx with smtp (Exim 4.12) id 19GSTQ-00031U-00 for; Thu, 15 May 2003 19:49:22 -0400
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
To:, Eric Dean <>
From: Yakov Shafranovich <>
Subject: RE: [Asrg] C/R - What people say
In-Reply-To: <>
References: <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-MimeHeaders-Plugin-Info: v2.03.00
X-GCMulti: 1
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <>, <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
List-Archive: <>
Date: Thu, 15 May 2003 19:48:50 -0400

At 06:14 PM 5/15/2003 -0400, Daniel Feenberg wrote:

>On Thu, 15 May 2003, Vernon Schryver wrote:
> >
> > What is the real goal a C/R system?  I thought it had something to do
> > with reducing "spam."  How does spam differ from any other bulk mail
> > except in whether it is solicited?
> >
> > As I've pointed out, a substantal amount of the unsolicited bulk
> > mail in my traps has headers just like mail from other "lists"
> > including this one.
> >
> > If a C/R system only stops spam from transient, "hit-and-run" systems
> > that do not stand still long enough to receive and answer a challenge,
> > it won't be very impressive.
> >
>I was hoping someone would bring this up. I didn't because it seemed like
>I was missing something. Did I also miss the discussion of how two C/R
>systems would interact if both sender and receiver have them? This must
>have come up in real life - do the users of these systems have experience
>to relate?
>I would have thought the role of standardization in the C/R system would
>not be to standardize the challenge, which needs to be non-standardized so
>that automated systems can't respond effectively, but rather to provide an
>effective route around the C/R system for legitimate lists.

At this point, as outlined, Eric is proposing an automated protocol for C/R 
not for internal use but for actually responding to challenges 
automatically. As I mentioned before, we need to better define the goals of 
C/R. Is is to make sure that senders are legit, or is it going to an extra 
level to making sure the sender is human (essentially creating a Turing 
Test). As for having spammers set up automatic responders, see TDMA FAQ, 
section 1.1 (

"1.1. Can't spammers just setup an auto-responder to defeat TMDA? *

In theory yes, but in practice this is not likely to happen. Most SPAM is 
unrepliable, so TMDA's confirmation requests are never delivered to them. 
They use non-valid return addresses as to not incur the cost of the 
tremendous number of bounces they generate. Using a valid return address to 
process all the bounces looking for confirmation messages to auto-reply to 
would defeat their economies of scale. It would also make them easy to 
block, track down and report, sue, etc. In short, trying to thwart TMDA in 
this manner would defeat the cost-effectiveness of the bulk-mailing 
process. Simple economics keep us safe.

But should these facts change, TMDA could modify its (currently very 
simple) challenge/response to make it more difficult for a computer to 
auto-reply to. The level of difficulty could increase as much as is 
necessary for the sender to prove their humanity and legitimacy.

The idea is to keep the challenge/response as simple as possible to avoid 
inconveniencing legitimate senders, while at the same time difficult enough 
to thwart an automated response system. At the present time, TMDA offers 
the ability to confirm by a simple e-mail reply, or by clicking on a URL. 
There is no evidence to suggest that a more challenging procedure is even 
close to necessary.

If spammers do resort to auto-confirmation however, we've won a huge battle 
for the community by raising the bar and forcing them to leave a breadcrumb 
trail leading back to their lair. As the focus on legislation continues, 
and spamming becomes an increasingly illegal activity, who will take these 
great risks for such a little reward? "

Perhaps the primary purpose of C/R should be counteracting the basic flaw 
in SMTP that allows anyone to send email without verifying who the sender 
is? Or perhaps not? Disabling the ability for automated systems to be able 
to send email is something we might not want to do. There are also various 
other issues, such as the ones raised in section 7.1 of RFC 2821 which as 
we mentioned apply to mailing lists.


Asrg mailing list