How Can Challenge Response Deal with Spoofing?
The original premise of C-R is that when spam is sent, you will effectively double the resulting internet traffic, because every spam will result in a challenge (which presumably will be ignored, or at least that's the premise upon which the C-R solution is based). However, if the spammer spoofs a legitimate email address, which I believe is very common, then the situation is much worse, as I illustrate below.
Let's say Spammer Sam sends a spam email to Alice (who uses a C-R system), but spoofs Bob's email address. There are two cases to consider:
1. Bob does not use a C-R system
- Sam sends email to Alice
- Alice's C-R system sends challenge to Bob
- Bob gets puzzling challenge mail and sends angry mail to Alice
- Alice receives this angry mail as well as the orginal spam, as Bob's mail has now passed the challenge responded to the challenge
Two extra emails have been generated (effectively tripling the email load of the original spam), and confusion for Alice and Bob is the result. Alice has also received the spam.
2. Bob also uses a C-R system
- Sam sends email to Alice
- Alice's C-R system sends challenge to Bob
- Bob's C-R system sends challenge to Alice
- this may carry on indefinitely, but one would hope the C-R systems would be smart enough to recognize duplicates and ignore subsequent emails
In this case, neither Alice nor Bob receive any confusing mail, Alice does not receive her spam, but again the original spam has been tripled.
2 Comments:
Yes, it can be assumed that part of the C-R system is that sending an email automatically places the recipient on your WHITE list. This would require some co-operation between the email client and the server based C-R system. Hopefully this isn't too hard.
Worryingly, however, it seems to me that for this to work there needs to be mass acceptance of the acceptance, both in terms of support from email clients and servers, but more importantly, from email users.
well... if u followed the comments on the page of the person who dismissed CR, you'll find quite a few people who have installed CR and are VERY happy with the results. - One would actually be in a WIN situation if one installs it NOW, b4 spammers catch on (well at least until the spammers catch on)
Post a Comment
<< Home