"kurttrail" said in news:
[email protected]:
"But the most promising, Gates said, was a method that would hit the
sender of an e-mail in the pocketbook."
"People would set a level of monetary risk - low or high, depending
on their choice - for receiving e-mail from strangers. If the e-mail
turns out to be from a long-lost relative, for example, the recipient
would charge nothing. But if it is unwanted spam, the sender would
have to fork over the cash."
"'In the long run, the monetary (method) will be dominant,' Gates
predicted." -
http://www.informationweek.com/story/showArticle.jhtml?articleID=17500979
Let's all sign up for MS newsletters, and get some of our monopoly
money back! <vbg>
What's new about C-R (challenge-response) e-mail clients? Vanquish
is a C-R client that pre-charges senders where the good senders hope
you won't actually charge them. How many years now have C-R e-mail
clients been around?
The problem with C-R users is that they become part of the problem.
Their challenge gets sent to whatever e-mail address is listed in the
From or Reply-To headers. Oh, yeah, like spammers use their real
e-mail address. If they use an invalid e-mail address then your
challenge goes nowhere - but still consumes bandwidth and resources
to have it rejected. If they use an invalid username but a valid
domain, like aol.com or earthlink.net, then the receiving mail server
has to waste resources to receive the challenge and then to return a
non-delivery status e-mail since no such username exists there - and
you still had to waste bandwidth and resources to send it. If the
spammer uses a valid e-mail address but which is for someone else
(i.e., an innocent), your challenge gets received by someone having
nothing to do with the spam crap. So you end up polluting the mail
servers with your "challenge spam".
None of the C-R schemes that I've seen employ any intelligence in
computing a threshold of probability that the claimed sender of a
message is actually the sender. They don't parse and interrogate the
Received headers to see if the e-mail address is even from the domain
from whence the message was sent (and to eliminate relayed messages).
They don't go online to do reverse name lookups of the IP address
reported by the receiving mail server that puts the IP address in the
Received header for the sender to see if there is a reverse lookup of
that IP address. They don't use any of the publicly available DNSBLs
(DNS blacklists) or RBLs (relay blacklists) to determine if the
message originated from a known spam source. In other words, the
simplistic method used to address to whom your challenge gets sent is
very, very stupid. I have contacted Vanquish, ChoiceMail, other
commercial C-R products, and looked at some of the home-grown
solutions proffered by some users in newsgroups and none of them have
any decent intelligence in where they direct their challenge. I
managed after some pushing to get the commercial producers to
acknowledge that their products are only a stop-gap measure and incur
other problems as a result of how they behave.
C-R schemes pretend that you never have to look at the pending
messages until the sender has sent a response to your challenge. The
message has to be held until it expires awaiting the response from
the supposed sender that gets your challenge, whether that response
is another e-mail from the sender or the sender clicking on a link
(that requires some separate web site be up to accept the response).
Almost all the C-R products let you see the list of pending messages
awaiting confirmation. C-R users will periodically scan this pending
list because: (1) They are curious; (2) Need to determine if there
were false positives; or, (3) Need to check their setup or rules
haven't worked right. The fact that such a list is available for
review and that it *will* get reviewed obviates the proclaimed
feature that you never see the spam. It's no different than
directing spam to the Junk folder (without the Preview pane) using
SpamPal or other passive filtering products and setting auto-archive
on the Junk folder to [permanently] delete messages that are older
than N days. The recipient will still end up looking at the list of
headers in the pending store for C-R or in the holding folder when
spam filtering to look at the headers. Senders of any message can
simply wait out the recipient to get their message delivered. The
recipient will eventually review their pending C-R store to note any
messages that they really do want to get and yank them out of the
pending store into their Inbox. I don't bother responding to any
challenges. If the recipient wants to not receive my message (by
sticking it in a pending C-R store which expires without my
response), that's their choice to *filter* my e-mails. C-R is just
another filtering scheme.
If the sender has to send a confirmation e-mail as their response to
your challenge, you've tripled the number of e-mails sent just to
receive one e-mail message: the sender's original message, your
challenge message, and the sender's response message. If the sender
has to click on a URL in your challenge to send their response, they
have to be online (rather than compose the response offline and send
whenever they next connect).
The timeliness of e-mails is destroyed by C-R. Say your buddy sends
you an e-mail telling you where the party is tonight that you talked
about in the morning. You send a challenge. However, your buddy
isn't online at the time or doesn't have their e-mail client running
and polling for new messages to see your challenge. Guess you don't
get to go to the party - unless you get curious and happen to review
the pending C-R store which then obviates you never seeing the spam.
Another case is you agree to take care of your friend's cat while they
are on vacation. When they leave, they e-mail you some critical
info, like where is the house key. They did send it with a receive
confirmation that shows your mail server got their message, so you
did receive it. They're gone already on vacation by the time your
challenge gets delivered to their Inbox. I doubt they would
appreciate a dead cat or broken window on their return just because
you were too stupid to read your received e-mails.
C-R generates "challenge spam" to innocents. C-R is a nuisance to
good senders (which have not yet been whitelisted by you), so
obviously it is NOT something you want to use in business since you
don't want to piss off your customers. C-R pretends that you never
have to see the spam yet they still must have a pending message store
which you can review which obviates you never seeing the spam. C-R
doubles or triples the number of e-mails for each message. C-R
reduces reliability of e-mail because of the extra e-mails for
challenges and responses. C-R reduces or destroys the timeliness of
a message.
While the other problems with C-R are passable, I'm not going to
become part of the spam problem by issuing "challenge spam" at
innocents. When C-R products show decent intelligence as to whom
they send their challenge then I'll again review whether I want to
use one or not. However, by the time the RFCs for e-mail get updated
to allow authentication and full tracking (and the mail servers
implement the updates and also block any mail servers that don't
comply) so C-R products can work then C-R products won't be needed.
Right now, being a C-R user makes you an irresponsible e-mail user.
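
Added example, not part of the original post and not code from any C-R product: a sketch of the pre-challenge checks the post says C-R clients lack (topmost Received header IP, reverse lookup, DNSBL), so that no challenge is sent to a forged address. The sample message, the zone `dnsbl.example`, and the injected `ptr_lookup` / `dnsbl_listed` callables are assumptions made so the block runs offline.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; hosts and addresses are documentation values.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.25])
\tby mx.recipient.example with ESMTP; Mon, 1 Mar 2004 10:00:00 -0000
From: Someone <someone@example.org>
Subject: hi

body
"""

def connecting_ip(msg):
    """IP our own MX recorded in the topmost Received header, or None."""
    top = (msg.get_all("Received") or [""])[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    try:
        return str(ipaddress.IPv4Address(m.group(1))) if m else None
    except ValueError:
        return None

def dnsbl_name(ip, zone):
    """DNSBL query name: reversed octets prepended to the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def should_challenge(raw, ptr_lookup, dnsbl_listed, zone="dnsbl.example"):
    """Return (send_challenge, reason). Both lookups are injected callables
    (hypothetical names) so the decision logic can be tested without DNS."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    ip = connecting_ip(msg)
    if not domain or ip is None:
        return False, "no usable From domain or connecting IP"
    if dnsbl_listed(dnsbl_name(ip, zone)):
        return False, "connecting IP is DNSBL-listed"
    host = (ptr_lookup(ip) or "").lower().rstrip(".")
    if not host:
        return False, "no reverse DNS for connecting IP"
    if host != domain and not host.endswith("." + domain):
        return False, "reverse DNS host is outside the From domain"
    return True, "sender plausible"
```

A False result means "do not send a challenge", not "discard": mail sent through a third-party relay fails the domain match legitimately, so such messages should be held or filtered silently rather than answered.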