Thursday, July 15, 2004

Challenge-Response Dashed Upon the Rocks

Well, wasn't that a short-lived moment?

This article makes the important point that a critical part of the C-R system is that the challenge e-mail (that gets sent from the recipient to the sender) MUST reach the sender. If the sender's anti-spam system blocks it, then the whole process falls over. Therefore, all spammers need to do is to construct their drivel in the same way as a challenge e-mail. Game over.

My good friend rant came up with an even more damning problem: spammers use real e-mail addresses that belong to other people.

So the spammer sends you an email, you send a challenge back... that challenge goes to the spoofed email address... the owner of that address gets annoyed and writes you an angry email, or more likely (and much worse), gets flooded by thousands of challenge emails.


At 3:38 pm, Blogger amnoti said...

The current filter-system is not an answer to SPAM. Boolean filters are all good and well, but they never get 100% accuracy, and having to look in your spam folder for some friendly mail defeats the whole object. CR does seem like a reasonably simple solution - and this is not an unsurmountable problem. If I sent out an email to someone I'd expect my CR to automatically put that person on my WHITE list, so when I get a challenge from that person's CR, it'll automatically come through to me.
Of course it'll make it easier if everyone uses a CR system - but it has to start somewhere....
If everyone uses a CR system instead of a spam-filter then the spammers can make their spams look like CR as much as they'd like to, it still wouldn't come through...
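
An added example, not part of the original post or the comment: a toy Python model of the two cases discussed above, the commenter's auto-whitelist rule letting a legitimate challenge through, and challenges to a forged sender address landing on a third party. The `Mailbox` class, the rule of never challenging a challenge, and all addresses are assumptions made for illustration.

```python
# Toy model of challenge-response (C-R) mail; all addresses are constructed.
class Mailbox:
    def __init__(self, address, net, uses_cr=True):
        self.address, self.net, self.uses_cr = address, net, uses_cr
        self.whitelist = set()  # senders delivered without a challenge
        self.inbox = []         # (claimed_from, kind) actually delivered
        self.held = []          # (claimed_from, kind) quarantined
        net[address] = self

    def send(self, to, kind="mail"):
        # Commenter's rule: writing to someone whitelists them, so the
        # challenge their C-R system sends back is delivered.
        self.whitelist.add(to)
        self.net[to].receive(self.address, kind)

    def receive(self, claimed_from, kind):
        if not self.uses_cr or claimed_from in self.whitelist:
            self.inbox.append((claimed_from, kind))
            return
        self.held.append((claimed_from, kind))
        if kind != "challenge":  # assumed rule: never challenge a challenge
            # The challenge goes to the claimed sender, which may be forged.
            self.net[claimed_from].receive(self.address, "challenge")

    def confirm(self, challenger):
        # Sender answers a challenge: the challenger releases the held mail.
        box = self.net[challenger]
        box.whitelist.add(self.address)
        released = [m for m in box.held if m[0] == self.address]
        box.held = [m for m in box.held if m[0] != self.address]
        box.inbox.extend(released)

def legit_exchange():
    net = {}
    alice, bob = Mailbox("alice@a.example", net), Mailbox("bob@b.example", net)
    alice.send(bob.address)
    challenge_arrived = (bob.address, "challenge") in alice.inbox
    alice.confirm(bob.address)
    return challenge_arrived, bob.inbox

def spoofed_run(n_spam, victim_uses_cr):
    net = {}
    victim = Mailbox("victim@v.example", net, uses_cr=victim_uses_cr)
    targets = [Mailbox(f"user{i}@t.example", net) for i in range(n_spam)]
    for t in targets:  # spam arrives with the victim's address forged as From
        t.receive(victim.address, "mail")
    return len(victim.inbox), len(victim.held)
```

`spoofed_run` returns how many challenges reached the forged address's inbox and how many its own C-R system held: a C-R user never sees them in the inbox, but their mail server still receives every one.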

