Re: [Asrg] Passive Spam Revocation
Yao Ziyuan <yaoziyuan@gmail.com> Tue, 27 October 2009 18:06 UTC
In-Reply-To: <5ec229170910270834w1cd93d01i35ba3f6c5d0d6b41@mail.gmail.com>
References: <6679e0500910251716p53a8195cub260eac43cdf505e@mail.gmail.com> <5ec229170910270834w1cd93d01i35ba3f6c5d0d6b41@mail.gmail.com>
Date: Wed, 28 Oct 2009 02:06:39 +0800
Message-ID: <6679e0500910271106g34dd4e61i1c6d65d1328487ee@mail.gmail.com>
From: Yao Ziyuan <yaoziyuan@gmail.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
On Tue, Oct 27, 2009 at 11:34 PM, Danny Angus <danny.angus@gmail.com> wrote:
> Hi Yao Ziyuan,
> I see you also posted this to the asrg. I'm shamelessly cross posting
> my reply, sorry in advance to *both* lists!
>
> My response is in two parts:
>
> a) I like the fact that the recipient can set up a test which must be
> passed by the sender. I also like the fact that the test would be
> passive protection when protecting against, for example spam viruses.
> In other words the recipient can set up a test, but the test itself
> only generates load when the sender considers it worthwhile to take
> the test.
>
> However I would prefer to see the test administered by the mail
> system, rather than via another channel.
> Solving the problem of spam by invoking a channel not currently
> involved in mail transport is not really a solution, it is both
> delegating the problem to another arena, and changing the nature of
> email.
>
> There's nothing inherently wrong with this, but if we are to consider
> changing the nature of email and channels involved we assume that we
> could design out the problem from the outset by introducing a strong
> concept of identity to the process.
>
> If we anticipate a design which uses the mail transport the passivity
> advantage breaks down as the sender must be notified that a test
> exists. In this case it would fail the criteria for not introducing
> *more* load (email) in response to spam.
>
> The goal is to find a solution which reduces the load as it becomes
> successful, even if faced with increased demand. What I mean is that a
> true solution would be completely passive when confronted with spam,
> and in reducing the spam transported would result in a net decrease in
> demand.
>
> A passive test that meets the criteria would be one in which a test is
> published in advance at low cost (perhaps by a third party), and for
> which the solution is encapsulated in the message when it is sent.

A sender may not think it's necessary to solve a test when sending a message, but changes his mind later, when he realizes the message is important and a reply is expected but doesn't arrive in time.

>
> For example the test may be for the sender to publish SPF records, or
> use a mark similar to the Habeas warrant mark. A recipient domain can
> publish the test in their T's & C's.
>
> If you want to consider CAPTCHA, perhaps the test would be to
> pre-solve a CAPTCHA, send the UID of the puzzle and its solution in
> the mail headers, but CAPTCHA is not really low cost, and is still
> another channel.
>
>
> b) the idea of using a CAPTCHA is flawed and has already been
> discussed at length by the asrg.
>
> In essence CAPTCHA works where there is less value in solving the
> puzzle than it costs to solve.
> If you introduce a strong commercial incentive you will start an arms
> race which will see people compete to develop systems which can solve
> puzzles at a lower cost, and others compete to develop more complex
> puzzles.
> We must assume that this will happen unless you can describe a test
> which can be reasoned to be unable to be solved by a machine.
> The fact that CAPTCHA are impractical to solve with current technology
> doesn't imply that they are impossible to solve.
>
> This ties in with point a) because it suggests that in operation the
> incentive is there for spammers to now not only send spam but also
> create additional work for the CAPTCHA component and the quarantine
> components.
>
> Even if spammers use systems which can only achieve a low success rate
> at the test, there is an incentive to attempt the test every time.
> This generates additional demand.
>
> d.
>
>
> On Mon, Oct 26, 2009 at 12:16 AM, Yao Ziyuan <yaoziyuan@gmail.com> wrote:
>> Passive Spam Revocation (PSR)
>>
>> Currently almost all mail systems (e.g. Hotmail and Gmail) use a spam
>> filter, which can drop good and important messages.
>>
>> I propose an optional feature for current mail systems. The main idea
>> is if a message is considered spam, this spam status can be tracked by
>> the sender (but not sent to him directly, as the From field can be
>> faked). The message can be re-marked as "not spam" if the sender can
>> solve a CAPTCHA.
>>
>> STEP 1: A is going to send B a message. A's mail client generates a
>> random code and puts it in a custom field in the outgoing message's
>> header:
>> Code: <random code>
>> STEP 2: A's mail client sends the message, waits 30 seconds, and then visits:
>> https://spamstatus.<B's mail domain>/?msgid=<Message-ID>&code=<Code>
>> This page displays one of these possible "spam statuses":
>> * MESSAGE CONSIDERED SPAM. (A CAPTCHA is also presented below.)
>> * MESSAGE CONSIDERED NOT SPAM.
>> * PENDING. PLEASE TRY AGAIN LATER.
>> * All other responses mean B's mail system doesn't support this feature.
>> In the first case, A's mail client will report the status and the
>> CAPTCHA to A. A can choose to solve the CAPTCHA to prove the message
>> is not spam.
>>
>> Like the idea? Here is the official Google group for it:
>> http://groups.google.com/group/passive-spam-revocation
>>
>> Regards,
>> Yao Ziyuan
>> http://sites.google.com/site/yaoziyuan/
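
STEP 1 and STEP 2 of the quoted PSR proposal, sketched in Python as an added example that is not part of the original thread or any PSR implementation. The names `build_message`, `status_url` and `StatusService`, the in-memory store, the constant-time comparison and the identical answer for a wrong code and an unknown Message-ID are all assumptions of this sketch; the CAPTCHA step is left out.

```python
import hmac
import secrets
from email.message import EmailMessage
from email.utils import make_msgid
from urllib.parse import parse_qs, urlencode, urlsplit

# Status strings as listed in the proposal.
SPAM = "MESSAGE CONSIDERED SPAM."
NOT_SPAM = "MESSAGE CONSIDERED NOT SPAM."
PENDING = "PENDING. PLEASE TRY AGAIN LATER."

def build_message(sender, recipient, body):
    """STEP 1: the sender's client adds a random Code header."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Message-ID"] = make_msgid(domain=sender.split("@")[1])
    msg["Code"] = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
    msg.set_content(body)
    return msg

def status_url(msg):
    """STEP 2: the URL the sender's client visits on the recipient's domain."""
    domain = str(msg["To"]).split("@")[1]
    query = urlencode({"msgid": str(msg["Message-ID"]), "code": str(msg["Code"])})
    return f"https://spamstatus.{domain}/?{query}"

class StatusService:
    """Recipient side (hypothetical): verdicts keyed by Message-ID, gated by Code."""

    def __init__(self):
        self._store = {}  # msgid -> (code, verdict); in-memory for the sketch

    def record(self, msg, verdict=PENDING):
        self._store[str(msg["Message-ID"])] = (str(msg["Code"]), verdict)

    def lookup(self, url):
        query = parse_qs(urlsplit(url).query)
        msgid = query.get("msgid", [""])[0]
        code = query.get("code", [""])[0]
        stored = self._store.get(msgid)
        # A wrong code and an unknown Message-ID get the same answer (None,
        # i.e. "any other response"), so the page cannot be used to probe
        # which messages exist or were flagged. Comparison is constant-time.
        if stored is None or not hmac.compare_digest(stored[0].encode(), code.encode()):
            return None
        return stored[1]
```

Because the From field can be faked, the `Code` value is the only thing tying a status query to the real sender, so it has to be unguessable and checked before any verdict is revealed.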