RE: [Asrg] C/R Thoughts: Take 1

Yakov Shafranovich <research@solidmatrix.com> Tue, 13 May 2003 18:57 UTC

Message-Id: <5.2.0.9.2.20030513142946.00bbd008@std5.imagineis.com>
X-Sender: research@solidmatrix.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
To: asrg@ietf.org
From: Yakov Shafranovich <research@solidmatrix.com>
Subject: RE: [Asrg] C/R Thoughts: Take 1
In-Reply-To: <MBEKIIAKLDHKMLNFJODBKEHKFCAA.eric@purespeed.com>
References: <5.2.0.9.2.20030512171321.00bd7bf8@std5.imagineis.com>
Date: Tue, 13 May 2003 14:47:00 -0400

At 10:05 PM 5/12/2003 -0400, Eric Dean wrote:

> > However, one problem with C/R systems is that spammers do not currently
> > have an incentive to break them since there are many other ways to send
> > spam. If C/R systems become widespread, spammers will have an incentive to
> > attack them and perhaps (gasp) even manage to break them.
>
>Well, we better build something they can't break.  There are many, many
>smart people on this list that can surely put something  together over time
>
> > How would a whitelist handle mailing lists? What about automated computer
> > programs that notify users, like eBay's auction bots? And what about
> > anonymous email, if C/R is implemented everywhere, can anyone send
> > anonymous email anymore? What about opt-in email that the receiver forgot
> > about the original opt-in? And email that is sent from different email
> > addresses every time (like some mailing lists)?
>
>All of these are important tactical issues..any more?

What is the intent of a C/R system? Is it merely to double-check the 
sender's email address to make sure it is working and valid, or is it also 
to make sure that the sender is a human being and not a computer? If it is 
only the first, that we are trying to make sure that the sender has a valid 
email address, then it might make sense to develop an automated C/R 
protocol that can be used by email clients and senders' MTAs to reply to 
the challenge. This will take care of issues like dealing with lists, 
automated bots and anonymous remailers - the list server will simply reply 
to the response via this automated protocol. It will also hide the C/R 
process from users. The obvious flaw is that the spammer will use it too - 
but they will have to use a valid email address to do it, or own their own 
MTA and domain (which is not a problem since we already see spammers owning 
name servers). However, if the intent of C/R systems is to make sure that 
the sender is human, then it essentially must perform a Turing test. 
Current techniques include using specially coded graphic images, etc.

I personally think that the intent of the C/R systems is to make sure that 
the originating email is valid. Thus it would make sense to have an 
automatic protocol for verification which can be utilized by systems to do 
so. This way we will undo one of the problems that the open nature of the 
Internet currently has - lack of checking who sent email, without disabling 
ability for machines to send emails. I don't think we should be seeking to 
create systems that verify whether the sender is human since the Net is 
full of computers sending email too - many of which are very useful and are 
not spammers.

One way to implement this automated C/R protocol is by using headers 
similar to the "return receipt" feature defined in RFCs 1894 and 2298.

Yakov



---------------------------------------------------------------------------------------------------
Yakov Shafranovich / <research@solidmatrix.com>
SolidMatrix Research, a division of SolidMatrix Technologies, Inc.
---------------------------------------------------------------------------------------------------
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)
---------------------------------------------------------------------------------------------------  
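
An added sketch (not part of the original message or of any ASRG proposal) of the automated address-verification exchange the message describes: the recipient's MTA challenges the claimed sender, and the sender's MTA answers without user involvement, but only for mail it actually sent. The header names `X-CR-Challenge` and `X-CR-Response`, the HMAC token, and both classes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from email.message import EmailMessage

# Hypothetical header names, invented for this sketch.
CHALLENGE_HDR = "X-CR-Challenge"
RESPONSE_HDR = "X-CR-Response"

class RecipientMTA:
    """Holds inbound mail until the claimed sender's MTA answers a challenge."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret known only to this MTA

    def _token(self, msg):
        # Bind the token to (From, Message-ID) so it cannot be reused elsewhere.
        data = f"{msg['From']}\n{msg['Message-ID']}".encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def challenge(self, msg):
        c = EmailMessage()
        c["To"] = msg["From"]  # sent to the claimed address
        c["In-Reply-To"] = msg["Message-ID"]
        c[CHALLENGE_HDR] = self._token(msg)
        return c

    def accept(self, msg, response):
        # Release the held message only if the response echoes our token.
        got = "" if response is None else str(response.get(RESPONSE_HDR, ""))
        return hmac.compare_digest(self._token(msg), got)

class SenderMTA:
    """Answers challenges automatically, but only for mail it really sent."""

    def __init__(self):
        self.sent_ids = set()

    def send(self, sender, msg_id):
        m = EmailMessage()
        m["From"], m["Message-ID"] = sender, msg_id
        self.sent_ids.add(msg_id)
        return m

    def respond(self, challenge):
        if str(challenge["In-Reply-To"]) not in self.sent_ids:
            return None  # our address was forged on mail we never sent
        r = EmailMessage()
        r[RESPONSE_HDR] = str(challenge[CHALLENGE_HDR])
        return r
```

A list server passes this check automatically, while a challenge triggered by a forged From address goes unanswered; as the message notes, a spammer running their own MTA and domain would still pass.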
