RE: [Asrg] C/R - What people say

Yakov Shafranovich <research@solidmatrix.com> Thu, 15 May 2003 22:55 UTC


At 02:59 PM 5/15/2003 -0600, Vernon Schryver wrote:

> > From: Yakov Shafranovich <research@solidmatrix.com>
>
> > ...
> > >ok..well should we try to identify those methods, or should we just say
> > >"don't challenge lists"?
> >
> > If an automated protocol for C/R is in place, why shouldn't we challenge
> > lists? If the list software supports the protocol, it will respond to the
> > challenge automatically. ...
>
>Is that a joke?   I guess not.
>
>What is the real goal of a C/R system?  I thought it had something to do
>with reducing "spam."  How does spam differ from any other bulk mail
>except in whether it is solicited?

Actually it's not a joke. As outlined in Eric's C/R draft:

"This document proposes the use of MIME experimental content-type values 
for automated C/R control at either the server or client software 
level.  In addition, this document proposes a C/R method that requires user 
manual intervention with existing mail systems and clients that may not be 
compatible with automated C/R methods."

There are two separate things here - an automated protocol and some 
guidelines. The primary intent of C/R is to make sure that email comes from 
a valid email address. As pointed out prior on the list 
(https://www1.ietf.org/mail-archive/working-groups/asrg/current/msg04700.html)

>> "What is the intent of a C/R system? Is it merely to double-check the
>> sender's email address to make sure it is working and valid, or is it
>> also to make sure that the sender is a human being and not a computer?
>> If it is only the first, that we are trying to make sure that the sender
>> has a valid email address, then it might make sense to develop an
>> automated C/R protocol that can be used by email clients and senders'
>> MTAs to reply to the challenge. This will take care of issues like
>> dealing with lists, automated bots and anonymous remailers - the list
>> server will simply reply to the response via this automated protocol.
>> It will also hide the C/R process from users. The obvious flaw is that
>> the spammer will use it too - but they will have to use a valid email
>> address to do it, or own their own MTA and domain (which is not a
>> problem since we already see spammers owning name servers). However, if
>> the intent of C/R systems is to make sure that the sender is human, then
>> it essentially must perform a Turing test. Current techniques include
>> using specially coded graphic images, etc."

Making Turing tests would be highly impractical. Even now, TDMA and
MailCircuit systems do not use them; instead, a simple reply to any
challenge message will verify the sender. However, in the last two years,
according to MailCircuit, only 4 spammers did so.

Yakov
