Richard Reynolds wrote:
> On Sat, 24 May 2008, Andrew Lentvorski wrote:
>> Every single challenge email I have ever seen now gets marked as SPAM.
>> This caused me a *huge* nightmare with three different companies that
>> I was caught in between.
>
> Then your system is broken. But you're not saying "I can't fix my system",
> you're saying "this type of system can't work". Those are different.

No, I'm saying that a system which I *do not control* is capable of
causing huge amounts of breakage *for me*. I have had to personally
forward emails between three different parties because their respective
challenge response systems wouldn't let the challenges through.

And this is invariably what happens when challenge/response systems come
in contact with one another. The main reason why this doesn't happen
more often is that once you implement challenge/response for a large
enough block of people, adminning the stupid thing eventually becomes
too much work and it gets ripped out. Fortunately.

Yes, in theory, challenge response systems can be set up perfectly,
maintain lists so they don't DDoS systems, create mutable challenges
that won't be cloned by spammers, etc.

And, BTW, this *still* doesn't work if there are enough
challenge/response systems because then you use 10,000 of these systems
to bombard the poor victim rather than just one. Any form of unverified
backscatter is simply broken. Period. Fortunately, challenge/response
systems are few and far between.

In reality, the spammers have more incentive to do nasty things than the
good folks have to keep up with it. Once any system hits critical mass,
the spammers figure out how to take advantage of it. See the current
battle between Craigslist and spammers, for example.

Even worse, in real reality, the challenge/response system is being run
by some random sysadmin who doesn't know jack about it and is afraid to
touch it. Thus, you wind up with dueling challenge response systems and
two intransigent sysadmins who are determined not to be the one who has
to make the change.

Lots of things are useful, in theory. In theory, there is no difference
between practice and theory. In practice, there is.

-a