RE: not everyone is happy with SA

2008-10-02 Thread Robert Taylor
So incredibly funny to have Stub Email referenced in an email to me. 

I was in on the original specification (by Nathan Cheng to CircleID)
regarding this idea. 

I wish that it would be quickly adopted!


Robot Terror
(IRL: Robert Taylor) 

-Original Message-
From: Robot Terror [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 23, 2007 5:26 PM
To: John D. Hardin
Cc: Skip Brott; spamd
Subject: Re: not everyone is happy with SA


The ridiculousness of that sentiment that prompted my first post to this
list came from the following comments:



I have found this whole line of debate somewhat interesting, but it has
clearly strayed from the real core question:

Who is responsible?

Is it the responsibility of the sender to verify that they indeed intended
to send the email?
Or is it the responsibility of the recipient to verify senders?

My personal opinion is that it is the latter.  If I send an email to a valid
address, I find it a bit offensive that they send a challenge back.  Why is
it my responsibility as the sender to teach another system to accept mail
from me?



I admit I don't know the full context of the comments, but based on the
preamble ("the real core question") these comments assert a stand-alone
absoluteness. It is to that "absolute standard" of recipient is
responsible to verify sender that I made my reply.

In fact, I am adamant that no sender should expect their message to be
delivered by another's service. The Post Office (in real world terms)
exists outside any recipient's ability to pay. In that world, the sender
pays so the PO services the sender. In electronic mail many parties
outside the sender PAY for the service. Therefore the PAYER has the
right to put up roadblocks to delivery as he/she sees fit. Let the
sender pay for my infrastructure costs and I'll gladly bear the
responsibility to auto-trash his messages to me.

Otherwise, get used to difficulty sending messages of any kind to
others. The world is turning on SMTP and people are realizing the most
common scenario is that a sender is illegitimately sending a message to
a recipient (that is, spam outnumbers ham).

That the current system defaults in favor of carrying every message, no
matter how inane or large, through the entire infrastructure of the
Internet and then puts the onus on the client to "filter" the message is
stupid. Instead of such a sender-preferential system, a recipient-biased
system would result in lower bandwidth utilization and reduced
processing needs (therefore exposing that, perhaps, spam benefits the
bandwidth sellers, processor sellers, and storage sellers ultimately!). 

As an aside, such a proposal to put the responsibility for
bandwidth/processing use on the sender is on the table and is called
"Stub Email" or "Hypertext Mail Transport Protocol":
 
http://www.circleid.com/posts/hypertext_mail_protocol_aka_stub_emaill/
http://techrepublic.com.com/5208-6230-0.html?forumID=9&threadID=194716&start=0
http://icl.pku.edu.cn/bswen/_old_stuff/Email++/index.html
http://autodesk.blogs.com/between_the_lines/2006/10/misc_interestin.html
Of course, such a proposal will be ignored as the spammers have the
money to prop-up the status quo.


--
Robot Terror
"Always a treat, never a threat"

http://robotterror.com
[EMAIL PROTECTED]



On 7/23/07 12:27 PM, "John D. Hardin" <[EMAIL PROTECTED]> ostensibly
wrote:

> On Fri, 20 Jul 2007, Robot Terror wrote:
> 
>> Why is it my responsibility as a holder of a valid email address to 
>> accept mail from anyone who wants to send me the mail?
> 
> Who ever said *that*?
> 
> --
>  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
>   adware architecture incorporating spyware, profiling, competitor
>   suppression and delivery confirmation (U.S. Patent #20070157227)
> ---
>  12 days until The 272nd anniversary of John Peter Zenger's acquittal
> 






Re: not everyone is happy with SA

2007-07-24 Thread John D. Hardin
On Mon, 23 Jul 2007, jdow wrote:

> With snail mail it is nigh on to impossible to interrupt the
> reception process and reject a piece of mail. I simply place it
> into the trash on my way into the house. (Some things, like
> unwanted subscription offers or credit card offers, I tear in
> half. One half goes out this week in recyclables and the other
> goes out next week in the cat poop.)

You feed credit card solicitations to your cats? How cruel! How much 
penance must they do for peeing on the couch? :)

> I've been tempted more than once to respond to somebody's
> challenge and then forward a week's worth of spam to them as
> punishment. That's also too much work.

That's what scripting languages were invented for.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
  adware architecture incorporating spyware, profiling, competitor
  suppression and delivery confirmation (U.S. Patent #20070157227)
---
 11 days until The 272nd anniversary of John Peter Zenger's acquittal



Re: not everyone is happy with SA

2007-07-23 Thread jdow

From: "John D. Hardin" <[EMAIL PROTECTED]>


On Fri, 20 Jul 2007, Robot Terror wrote:


Why is it my responsibility as a holder of a valid email address
to accept mail from anyone who wants to send me the mail?


Who ever said *that*?


Anyone who holds to the snail mail analogy certainly would.

At the very least any email recipient has the responsibility to
handle incoming messages as they see fit WITHOUT bothering other
people with their decisions.

If you decide my address is not good and elect to simply drop emails
from me on the floor or issue a permanent error as the initial mail
exchange takes place, that's fine. But if you challenge me, that
violates the "without bothering other people with their decisions."

With snail mail it is nigh on to impossible to interrupt the reception
process and reject a piece of mail. I simply place it into the trash
on my way into the house. (Some things, like unwanted subscription
offers or credit card offers, I tear in half. One half goes out this
week in recyclables and the other goes out next week in the cat poop.)
That is to say I make the decision myself as a multitasking project as
I walk the 250' from the mailbox to the house. No particular loss to
me there. If I wanted to perform a snail mail challenge/response it
would cost me time, money (bandwidth waste on the Internet), and bother
the sender. To do it right I'd have to waste the same time it'd take
to figure out it is junk as to figure out I need to challenge. So I do
not bother. And if the mail has a forged return address I'd bother
somebody innocent if I sent a cat poop to the return address.

I treat email the same way. *I* decide what I want to see. I do not
delegate this to some third party, even the purported sender. For
snail mail my brain is performing the SpamAssassin duties reasonably
quickly. The volume of spam snail mail is light; and, it is usually
VERY easy to distinguish. (If it isn't in an envelope or have postage
on it the destination is the trashbin. That covers the loose collections
of trash with separate address cards, for example. And I do keep musing
about sending it all back to PennySaver with an enclosed cat poop, too.
But it's less work to simply drop it in the trash on the way in the
door.)

I've been tempted more than once to respond to somebody's challenge
and then forward a week's worth of spam to them as punishment. That's
also too much work.

{^_^}


Re: not everyone is happy with SA

2007-07-23 Thread John Rudd

Robot Terror wrote:

On 7/20/07 12:55 PM, "Skip Brott" <[EMAIL PROTECTED]> ostensibly wrote:


If I send an email to a valid
address, I find it a bit offensive that they send a challenge back.  Why is
it my responsibility as the sender to teach another system to accept mail
from me?


Why is it my responsibility as a holder of a valid email address to accept
mail from anyone who wants to send me the mail? As the owner of the email
address or, as the admin of the domain's mail server, I have no obligation
to accept your mail at all.

Obligations should be on the sender.



Nor am I obligated to accept and read messages from you.  Including your 
C/R challenges.



You're also not obligated to be a good "net citizen", but if you're not, 
then you can and should expect to have your mail server black listed by 
people who consider that to be important.  After all, just as you are 
not required to accept and read someone's email, the internet at large 
is also not required to accept and read yours.  And things like C/R and 
SAV are both good criteria of "not being a good net citizen".


Re: not everyone is happy with SA

2007-07-23 Thread John D. Hardin
On Mon, 23 Jul 2007, Robot Terror wrote:

> It is to that "absolute standard" of recipient is responsible to
> verify sender that I made my reply.

Okay, but that is vastly different from:

> "[it is] my responsibility as a holder of a valid email address
> to accept mail from anyone who wants to send me the mail"

To me the latter says "you have to accept email whether you want to or
not!" which nobody here is proposing.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
  adware architecture incorporating spyware, profiling, competitor
  suppression and delivery confirmation (U.S. Patent #20070157227)
---
 12 days until The 272nd anniversary of John Peter Zenger's acquittal



Re: not everyone is happy with SA

2007-07-23 Thread Robot Terror
"Knowing I have CR"? Hah!

I have Greylisting and SA. That's it. Oh, I also block Spamhaus.org's DROP
list net blocks. Other than that, nothing.

I just resent being told I have the "burden" of verifying senders,
regardless of the context. You wanna send a message to me? Prove yourself
worthy. (Not you, personally, of course; I speak w/r/t the bulk -- pun
intended -- of Internet senders.)

-- 
Robot Terror
"Always a treat, never a threat"

http://robotterror.com
[EMAIL PROTECTED]





On 7/23/07 3:55 PM, "Michael Scheidell" <[EMAIL PROTECTED]> ostensibly
wrote:

> 
>> -Original Message-
>> From: Robot Terror [mailto:[EMAIL PROTECTED]
>> Sent: Friday, July 20, 2007 4:28 PM
>> To: Skip Brott; spamd
>> Subject: Re: not everyone is happy with SA
>> 
>> 
>> On 7/20/07 12:55 PM, "Skip Brott" <[EMAIL PROTECTED]> ostensibly wrote:
>> 
>>> If I send an email to a valid
>>> address, I find it a bit offensive that they send a challenge back.
>>> Why is it my responsibility as the sender to teach another system to
>>> accept mail from me?
>> 
>> Why is it my responsibility as a holder of a valid email
>> address to accept mail from anyone who wants to send me the
>> mail? As the owner of the email address or, as the admin of
>> the domain's mail server, I have no obligation to accept your
>> mail at all.
> 
> Right, you have the right to drop any email you want on the floor.
> You don't have the right to bounce crap back to me (so, knowing you
> probably have CR, I didn't cc you)
> 
>> 
>> Obligations should be on the sender.
>> 
> Why?
> Where is that in the RFC's or common law in any civilized nation? Or is
> this just in your mind?
> _
> This email has been scanned and certified safe by SpammerTrap(tm).
> For Information please see http://www.spammertrap.com
> _




Re: not everyone is happy with SA

2007-07-23 Thread Robot Terror

The ridiculousness of that sentiment that prompted my first post to this
list came from the following comments:

> I have found this whole line of debate somewhat interesting, but it has
> clearly strayed from the real core question:
> 
> Who is responsible?
> 
> Is it the responsibility of the sender to verify that they indeed intended
> to send the email?
> Or is it the responsibility of the recipient to verify senders?
> 
> My personal opinion is that it is the latter.  If I send an email to a valid
> address, I find it a bit offensive that they send a challenge back.  Why is
> it my responsibility as the sender to teach another system to accept mail
> from me?

I admit I don't know the full context of the comments, but based on the
preamble ("the real core question") these comments assert a stand-alone
absoluteness. It is to that "absolute standard" of recipient is responsible
to verify sender that I made my reply.

In fact, I am adamant that no sender should expect their message to be
delivered by another's service. The Post Office (in real world terms) exists
outside any recipient's ability to pay. In that world, the sender pays so
the PO services the sender. In electronic mail many parties outside the
sender PAY for the service. Therefore the PAYER has the right to put up
roadblocks to delivery as he/she sees fit. Let the sender pay for my
infrastructure costs and I'll gladly bear the responsibility to auto-trash
his messages to me.

Otherwise, get used to difficulty sending messages of any kind to others.
The world is turning on SMTP and people are realizing the most common
scenario is that a sender is illegitimately sending a message to a recipient
(that is, spam outnumbers ham).

That the current system defaults in favor of carrying every message, no
matter how inane or large, through the entire infrastructure of the Internet
and then puts the onus on the client to "filter" the message is stupid.
Instead of such a sender-preferential system, a recipient-biased system
would result in lower bandwidth utilization and reduced processing needs
(therefore exposing that, perhaps, spam benefits the bandwidth sellers,
processor sellers, and storage sellers ultimately!).

As an aside, such a proposal to put the responsibility for
bandwidth/processing use on the sender is on the table and is called "Stub
Email" or "Hypertext Mail Transport Protocol":
http://www.circleid.com/posts/hypertext_mail_protocol_aka_stub_emaill/
http://techrepublic.com.com/5208-6230-0.html?forumID=9&threadID=194716&start=0
http://icl.pku.edu.cn/bswen/_old_stuff/Email++/index.html
http://autodesk.blogs.com/between_the_lines/2006/10/misc_interestin.html
Of course, such a proposal will be ignored as the spammers have the money to
prop-up the status quo.


-- 
Robot Terror
"Always a treat, never a threat"

http://robotterror.com
[EMAIL PROTECTED]



On 7/23/07 12:27 PM, "John D. Hardin" <[EMAIL PROTECTED]> ostensibly wrote:

> On Fri, 20 Jul 2007, Robot Terror wrote:
> 
>> Why is it my responsibility as a holder of a valid email address
>> to accept mail from anyone who wants to send me the mail?
> 
> Who ever said *that*?
> 
> --
>  John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
>   adware architecture incorporating spyware, profiling, competitor
>   suppression and delivery confirmation (U.S. Patent #20070157227)
> ---
>  12 days until The 272nd anniversary of John Peter Zenger's acquittal
> 


RE: not everyone is happy with SA

2007-07-23 Thread Michael Scheidell

> -Original Message-
> From: Robot Terror [mailto:[EMAIL PROTECTED] 
> Sent: Friday, July 20, 2007 4:28 PM
> To: Skip Brott; spamd
> Subject: Re: not everyone is happy with SA
> 
> 
> On 7/20/07 12:55 PM, "Skip Brott" <[EMAIL PROTECTED]> ostensibly wrote:
> 
> > If I send an email to a valid
> > address, I find it a bit offensive that they send a challenge back.
> > Why is it my responsibility as the sender to teach another system to
> > accept mail from me?
> 
> Why is it my responsibility as a holder of a valid email 
> address to accept mail from anyone who wants to send me the 
> mail? As the owner of the email address or, as the admin of 
> the domain's mail server, I have no obligation to accept your 
> mail at all.

Right, you have the right to drop any email you want on the floor.
You don't have the right to bounce crap back to me (so, knowing you
probably have CR, I didn't cc you)

> 
> Obligations should be on the sender.
> 
Why?
Where is that in the RFC's or common law in any civilized nation? Or is
this just in your mind?


Re: not everyone is happy with SA

2007-07-23 Thread John D. Hardin
On Fri, 20 Jul 2007, Robot Terror wrote:

> Why is it my responsibility as a holder of a valid email address
> to accept mail from anyone who wants to send me the mail?

Who ever said *that*?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
  adware architecture incorporating spyware, profiling, competitor
  suppression and delivery confirmation (U.S. Patent #20070157227)
---
 12 days until The 272nd anniversary of John Peter Zenger's acquittal



Re: not everyone is happy with SA

2007-07-23 Thread Robot Terror
On 7/20/07 12:55 PM, "Skip Brott" <[EMAIL PROTECTED]> ostensibly wrote:

> If I send an email to a valid
> address, I find it a bit offensive that they send a challenge back.  Why is
> it my responsibility as the sender to teach another system to accept mail
> from me?

Why is it my responsibility as a holder of a valid email address to accept
mail from anyone who wants to send me the mail? As the owner of the email
address or, as the admin of the domain's mail server, I have no obligation
to accept your mail at all.

Obligations should be on the sender.

-- 
Robot Terror
"Always a treat, never a threat"

http://robotterror.com
[EMAIL PROTECTED]






Re: not everyone is happy with SA

2007-07-21 Thread Nix
On 20 Jul 2007, [EMAIL PROTECTED] spake thusly:
> Um, captcha? Then I'd doubly never respond to the abortion. It wasted
> bandwidth on the captcha AND I CANNOT READ THE CAPTCHA IN PLAIN TEXT.
>
> I use plain text for security reasons.

What, are you worried about Langford basilisks?

More significant is the disability problem, and the problem that
spammers have long since defeated captcha anyway (what you do is, you
put up the captcha images on a nasty porn site run by your affiliate and
the drooling masses fill them in for you).


Re: not everyone is happy with SA

2007-07-21 Thread John Rudd

Gene Heskett wrote:

On Friday 20 July 2007, John Rudd wrote:


All very well stated.  So if "you" send me a C/R, for any reason whatsoever, 
if it actually gets past SA, it either is fed back as spam to train my bayes 
or deleted and promptly forgotten about.  But don't expect any of us to be 
happy when, after composing a 4 kilobyte response from scratch in response to 
your plea for help, something that took half an hour of my time typing with 
72 year old fingers, and looking up the data so that my answer might be 
correct, only to be greeted 90 seconds later on my next mail suck, with a C/R 
from you.  Then, because you're an ass, you didn't get the answers you asked 
for, so you keep on flooding the list with your question.  At that point, 
I'll not reply again, but I will add your email address to my procmailrc file 
as one to be delivered to /dev/null.


And you had better believe me when I say I am not the only one here who will 
do that, there are far more knowledgeable people here than I who will do 
that, maybe even quicker.  And I do not make it a habit to expire those 
entries in my procmailrc.  Once you are there, goodbye.  And no one but you 
gave me reason to put you there.


Oh, did I mention I don't like C/R systems?  I don't...



uh... did you actually read my message?  You're attacking me for being 
anti-C/R, and then stating some of my exact same arguments against me? 
Did you have a few too many beers while out on Friday night?




Re: not everyone is happy with SA

2007-07-21 Thread Gene Heskett
On Friday 20 July 2007, jdow wrote:
>From: "Steven Stern" <[EMAIL PROTECTED]>
>
>> John Rudd wrote:
>>> Further, I as the sender have no obligation to participate in your
>>> anti-spam mechanism.  It's YOUR mechanism.  You feed it, you configure
>>> it, your CPU cycles are spent on it.  I have no obligation to
>>> participate in the program you use for deciding "is this spam or not". I
>>> have no obligation to devote my time and my CPU cycles to your anti-spam
>>> program.  It's rather rude for you to assume otherwise.
>>
>> My company's website has a "click here and we'll send you your password"
>> (or something similar).  You'd be amazed how many calls we get claiming
>> it doesn't work. When I track through the logs, I find most come from
>> people with CR systems.  You can't use a CR when you're talking to a
>> robot.  These things make me sooo mad.
>
>I wonder how many "I can't get off this #)$([EMAIL PROTECTED] mailing list!"
>messages are due to a recently installed C/R system.
>
>C/R systems CAN be their own punishment.
>
>{^_-}

Not CAN my dear girl, ARE...

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Whistler's Law:
You never know who is right, but you always know who is in charge.


Re: not everyone is happy with SA

2007-07-21 Thread Gene Heskett
On Friday 20 July 2007, John Rudd wrote:
>someone that Skip Brott didn't attribute wrote:
>>> Why is it my responsibility as a holder of a valid email address to
>>> accept mail from anyone who wants to send me the mail? As the owner of
>>> the email address or, as the admin of the domain's mail server, I have no
>>> obligation to accept your mail at all.
>>> Obligations should be on the sender.
>
>You are correct that you have no obligation to accept email from me (nor
>anyone else for that matter), the issue of "obligations upon the sender"
>depends on which obligations you're talking about, and which sender
>you're talking about.
>
>
>If I'm replying to a question you asked, then you are the _original_
>sender, and no, it is not my obligation to jump through your C/R hoops
>in order to get the answer to you.  If you want the answer to your
>question, it's YOUR obligation to make sure you can receive my answer.
>
>
>If I didn't send the message at all, but this is backscatter, then it is
>your obligation to prevent backscatter to innocent bystanders.  It's not
>my obligation to deal with your challenge messages, and it's entirely my
>  digression as to whether or not I'm going to report you to a blacklist
>for producing backscatter.  At that point, it becomes YOUR obligation to
>get yourself off of a blacklist.
>
>
>Further, I as the sender have no obligation to participate in your
>anti-spam mechanism.  It's YOUR mechanism.  You feed it, you configure
>it, your CPU cycles are spent on it.  I have no obligation to
>participate in the program you use for deciding "is this spam or not".
>I have no obligation to devote my time and my CPU cycles to your
>anti-spam program.  It's rather rude for you to assume otherwise.

All very well stated.  So if "you" send me a C/R, for any reason whatsoever, 
if it actually gets past SA, it either is fed back as spam to train my bayes 
or deleted and promptly forgotten about.  But don't expect any of us to be 
happy when, after composing a 4 kilobyte response from scratch in response to 
your plea for help, something that took half an hour of my time typing with 
72 year old fingers, and looking up the data so that my answer might be 
correct, only to be greeted 90 seconds later on my next mail suck, with a C/R 
from you.  Then, because you're an ass, you didn't get the answers you asked 
for, so you keep on flooding the list with your question.  At that point, 
I'll not reply again, but I will add your email address to my procmailrc file 
as one to be delivered to /dev/null.

And you had better believe me when I say I am not the only one here who will 
do that, there are far more knowledgeable people here than I who will do 
that, maybe even quicker.  And I do not make it a habit to expire those 
entries in my procmailrc.  Once you are there, goodbye.  And no one but you 
gave me reason to put you there.

Oh, did I mention I don't like C/R systems?  I don't...

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Q:  What do Winnie the Pooh and John the Baptist have in common?
A:  The same middle name.


Re: not everyone is happy with SA

2007-07-21 Thread Gene Heskett
On Friday 20 July 2007, Loren Wilton wrote:
>> I guess that's just another chapter in the proof that there is one born
>> every minute.
>
>When P.T. Barnum made that statement the population of the US was about 60
>million.  It is now somewhere north of 250 million.
>
>Loren

Humm, so we must be averaging around 4 a minute in order to keep the curve 
rising that steeply?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Q:  What do Winnie the Pooh and John the Baptist have in common?
A:  The same middle name.


Re: not everyone is happy with SA

2007-07-20 Thread hamann . w
Steven Stern wrote:
>> > 
>> 
>> My company's website has a "click here and we'll send you your password"
>> (or something similar).  You'd be amazed how many calls we get claiming
>> it doesn't work. When I track through the logs, I find most come from
>> people with CR systems.  You can't use a CR when you're talking to a
>> robot.  These things make me sooo mad.
>> 
>> - --
>> 
>>   Steve

Hi Steven,

just out of curiosity: if this happens, are you telling them to fix their
mail system first, or are you trying to help them?

Wolfgang





Re: not everyone is happy with SA

2007-07-20 Thread jdow

From: "Steven Stern" <[EMAIL PROTECTED]>


John Rudd wrote:



Further, I as the sender have no obligation to participate in your
anti-spam mechanism.  It's YOUR mechanism.  You feed it, you configure
it, your CPU cycles are spent on it.  I have no obligation to
participate in the program you use for deciding "is this spam or not". I
have no obligation to devote my time and my CPU cycles to your anti-spam
program.  It's rather rude for you to assume otherwise.



My company's website has a "click here and we'll send you your password"
(or something similar).  You'd be amazed how many calls we get claiming
it doesn't work. When I track through the logs, I find most come from
people with CR systems.  You can't use a CR when you're talking to a
robot.  These things make me sooo mad.


I wonder how many "I can't get off this #)$([EMAIL PROTECTED] mailing list!"
messages are due to a recently installed C/R system.

C/R systems CAN be their own punishment.

{^_-}


Re: not everyone is happy with SA

2007-07-20 Thread jdow

From: "John Rudd" <[EMAIL PROTECTED]>


someone that Skip Brott didn't attribute wrote:
Why is it my responsibility as a holder of a valid email address to accept
mail from anyone who wants to send me the mail? As the owner of the email
address or, as the admin of the domain's mail server, I have no obligation
to accept your mail at all.
Obligations should be on the sender.


You are correct that you have no obligation to accept email from me (nor 
anyone else for that matter), the issue of "obligations upon the sender" 
depends on which obligations you're talking about, and which sender you're 
talking about.



If I'm replying to a question you asked, then you are the _original_ 
sender, and no, it is not my obligation to jump through your C/R hoops in 
order to get the answer to you.  If you want the answer to your question, 
it's YOUR obligation to make sure you can receive my answer.



If I didn't send the message at all, but this is backscatter, then it is 
your obligation to prevent backscatter to innocent bystanders.  It's not 
my obligation to deal with your challenge messages, and it's entirely my 
digression as to whether or not I'm going to report you to a blacklist for 
producing backscatter.  At that point, it becomes YOUR obligation to get 
yourself off of a blacklist.



Further, I as the sender have no obligation to participate in your 
anti-spam mechanism.  It's YOUR mechanism.  You feed it, you configure it, 
your CPU cycles are spent on it.  I have no obligation to participate in 
the program you use for deciding "is this spam or not". I have no 
obligation to devote my time and my CPU cycles to your anti-spam program. 
It's rather rude for you to assume otherwise.


John, let's go to the snail mail analogy for email. In the light of
snail mail it is your responsibility to make a determination to read
or not to read any given piece of mail. It is your responsibility to
create a filter in your mailbox that tosses snail mail spam into a
trashbucket mounted thoughtfully just beneath your filtering mail box.
It still gets delivered. You delete it. You filter, mark, and sort it.
Or you simply read it.

The analogy breaks down a little when you can filter mail in the process
of delivery as the postal person places the mail into your mailbox. You
can let some of them through and mash the others back into the postal
person's hand, as it were. In the real world "this ain't gonna happen"
for snail mail. It can happen for real mail. Temporarily rejecting mail
and sending a "who are you" message back just does not fly with the post
office, with any efficiency. (They'd welcome the wasted postage if you
want to do it - up to the point the challenges swamped them or the first
challenge loop happened.)

Any way you look at it challenge/response is just plain evil and insulting.
There is no conceivable help for it.

{^_^} 



Re: not everyone is happy with SA

2007-07-20 Thread jdow

From: "Skip Brott" <[EMAIL PROTECTED]>

Why is it my responsibility as a holder of a valid email address to accept
mail from anyone who wants to send me the mail? As the owner of the email
address or, as the admin of the domain's mail server, I have no obligation
to accept your mail at all.
Obligations should be on the sender.


I will respectfully disagree.  I believe you are pushing the burden onto the
sender rather than have your system accept the responsibility of reviewing
messages for you.  The C/R basically works the same way except the challenge
goes to the recipient.  Just a different concept.  Personally, I won't
employ either one.

And if the sender acknowledges the C/R, if the sender is not a "bot" but is
still from a source you don't want sending you email - what control do you
have over that?


The recipient does not have any responsibility to actually read any email
that comes in any more than the recipient of snail mail must read any
snail mail that comes in. (I trashcan lots of it without bothering to open
the envelopes if I recognize a sender who is annoying.)

In that light the recipient of either email or snail mail has the
responsibility of determining for themselves or delegating that
responsibility to another of THEIR choice and PAY for "spam filtering"
of snail mail or email.

Sending a challenge response snail mail becomes amusing as a concept.
The thought of doing so with email is equally absurd.

{^_^} 



Re: not everyone is happy with SA

2007-07-20 Thread Steven Stern

John Rudd wrote:

> 
> Further, I as the sender have no obligation to participate in your
> anti-spam mechanism.  It's YOUR mechanism.  You feed it, you configure
> it, your CPU cycles are spent on it.  I have no obligation to
> participate in the program you use for deciding "is this spam or not". I
> have no obligation to devote my time and my CPU cycles to your anti-spam
> program.  It's rather rude for you to assume otherwise.
> 

My company's website has a "click here and we'll send you your password"
(or something similar).  You'd be amazed how many calls we get claiming
it doesn't work. When I track through the logs, I find most come from
people with CR systems.  You can't use a CR when you're talking to a
robot.  These things make me sooo mad.

--

  Steve


Re: not everyone is happy with SA

2007-07-20 Thread Loren Wilton
I guess that's just another chapter in the proof that there is one born every
minute.


When P.T. Barnum made that statement the population of the US was about 60 
million.  It is now somewhere north of 250 million.


   Loren




Re: not everyone is happy with SA

2007-07-20 Thread John Rudd

someone that Skip Brott didn't attribute wrote:

Why is it my responsibility as a holder of a valid email address to accept
mail from anyone who wants to send me the mail? As the owner of the email
address or, as the admin of the domain's mail server, I have no obligation to
accept your mail at all.
Obligations should be on the sender.


You are correct that you have no obligation to accept email from me (nor 
anyone else for that matter), the issue of "obligations upon the sender" 
depends on which obligations you're talking about, and which sender 
you're talking about.



If I'm replying to a question you asked, then you are the _original_ 
sender, and no, it is not my obligation to jump through your C/R hoops 
in order to get the answer to you.  If you want the answer to your 
question, it's YOUR obligation to make sure you can receive my answer.



If I didn't send the message at all, but this is backscatter, then it is 
your obligation to prevent backscatter to innocent bystanders.  It's not 
my obligation to deal with your challenge messages, and it's entirely my 
discretion as to whether or not I'm going to report you to a blacklist 
for producing backscatter.  At that point, it becomes YOUR obligation to 
get yourself off of a blacklist.



Further, I as the sender have no obligation to participate in your 
anti-spam mechanism.  It's YOUR mechanism.  You feed it, you configure 
it, your CPU cycles are spent on it.  I have no obligation to 
participate in the program you use for deciding "is this spam or not". 
I have no obligation to devote my time and my CPU cycles to your 
anti-spam program.  It's rather rude for you to assume otherwise.




RE: not everyone is happy with SA

2007-07-20 Thread Skip Brott
> Why is it my responsibility as a holder of a valid email address to accept
> mail from anyone who wants to send me the mail? As the owner of the email
> address or, as the admin of the domain's mail server, I have no obligation to
> accept your mail at all.
> Obligations should be on the sender.

I will respectfully disagree.  I believe you are pushing the burden onto the
sender rather than have your system accept the responsibility of reviewing
messages for you.  The C/R basically works the same way except the challenge
goes to the recipient.  Just a different concept.  Personally, I won't
employ either one.

And if the sender acknowledges the C/R, if the sender is not a "bot" but is
still from a source you don't want sending you email - what control do you
have over that?



Re: not everyone is happy with SA

2007-07-20 Thread jdow

From: "Skip Brott" <[EMAIL PROTECTED]>


I have found this whole line of debate somewhat interesting, but it has
clearly strayed from the real core question:

Who is responsible?

Is it the responsibility of the sender to verify that they indeed intended
to send the email?
Or is it the responsibility of the recipient to verify senders?

My personal opinion is that it is the latter.  If I send an email to a valid
address, I find it a bit offensive that they send a challenge back.  Why is
it my responsibility as the sender to teach another system to accept mail
from me?

Would it not seem a lot more appropriate for the recipient to be the one to
manage this?  The premise is the same, but it places the burden on the
recipient to make the determination - which, imho, is where the ultimate
responsibility lies.

I don't utilize blacklists on our system based on the same rationale.  I
don't want something completely outside of my control (i.e. spamhaus,
spamcop, etc) determining whether or not my email server should accept email
from a particular host.  While this adds some additional load to our system,
I would much rather allow the filtering rules to make the determination
based on content not strictly on a host address.


Using block lists without scoring is utterly stupid. Using block lists
without secondary criteria is utterly stupid. As part of SpamAssassin
block lists work remarkably well, especially if you select the block
lists carefully, as is the default SA configuration.

Of course, if you use blocklists, or for that matter rules, it is very
wise to use sa-stats.pl to monitor the SpamAssassin performance to find
which rules are particularly effective and which rules have decayed into
being useless. I've removed rules and block lists on that basis before.

(And no amount of mass checking can adequately tune rules for use with
block lists simply because masses that are checked against are not as
"fresh" as the mail coming through your site. They can approximate. But
over time you can get a sense that there are tuning errors that need to
be tweaked.)

(Of course, if you have customers and you become "too good" they will in
time demand you maintain that level of "too good" even when the spammers
adopt clever new techniques - one such I may have just defeated here with
some meta-rules.)

{^_^} 
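The monitoring described in the message above, sketched as an added example (not code from this thread, and not sa-stats.pl itself). It tallies per-rule hits from `X-Spam-Status` header values against manually reviewed verdicts and compares rejecting on any `RCVD_IN_*` hit with SpamAssassin's score threshold; the sample headers, verdicts and the 0.5 review cut-off are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: (verdict from manual review, X-Spam-Status header value).
# The first value is folded across two lines, as long headers often are.
SAMPLES = [
    ("spam", "Yes, score=14.1 required=5.0 tests=BAYES_99,RCVD_IN_XBL,\n"
             "\tURIBL_BLACK autolearn=spam version=3.2.1"),
    ("spam", "Yes, score=8.2 required=5.0 tests=BAYES_99,RCVD_IN_XBL "
             "autolearn=no version=3.2.1"),
    ("spam", "Yes, score=6.0 required=5.0 tests=BAYES_99,HTML_MESSAGE,"
             "RCVD_IN_SORBS_DUL autolearn=no version=3.2.1"),
    ("spam", "No, score=3.1 required=5.0 tests=HTML_MESSAGE,RCVD_IN_XBL "
             "autolearn=no version=3.2.1"),
    ("ham", "No, score=0.9 required=5.0 tests=BAYES_00,RCVD_IN_SORBS_DUL "
            "autolearn=no version=3.2.1"),
    ("ham", "No, score=-1.2 required=5.0 tests=BAYES_00,HTML_MESSAGE,"
            "RCVD_IN_SORBS_DUL autolearn=no version=3.2.1"),
    ("ham", "No, score=-2.6 required=5.0 tests=BAYES_00 "
            "autolearn=ham version=3.2.1"),
    ("ham", "No, score=0.0 required=5.0 tests=none autolearn=ham version=3.2.1"),
]

STATUS_RE = re.compile(
    r"^(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+"
    r"required=(-?\d+(?:\.\d+)?)\s+tests=(\S*)"
)


def parse_status(value):
    """Parse an X-Spam-Status value into flag, score, threshold and rule names."""
    unfolded = re.sub(r",\s+", ",", value.strip())  # rejoin a folded tests= list
    m = STATUS_RE.match(unfolded)
    if not m:
        raise ValueError("unrecognised X-Spam-Status value: %r" % value)
    tests = [] if m.group(4) in ("", "none") else m.group(4).split(",")
    return {"flagged": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "tests": tests}


def rule_stats(samples):
    """Count, per rule, how many reviewed spam and ham messages it hit."""
    stats = defaultdict(lambda: {"spam": 0, "ham": 0})
    for verdict, header in samples:
        for rule in parse_status(header)["tests"]:
            stats[rule][verdict] += 1
    return dict(stats)


def spam_ratio(counts):
    """Share of a rule's hits that landed on spam (1.0 = never hits ham)."""
    total = counts["spam"] + counts["ham"]
    return counts["spam"] / total if total else 0.0


def review_candidates(stats, prefix="RCVD_IN_", max_ratio=0.5):
    """Block-list rules that hit ham at least as often as spam in this sample."""
    return sorted(rule for rule, counts in stats.items()
                  if rule.startswith(prefix) and spam_ratio(counts) <= max_ratio)


def hard_block(parsed):
    """Policy 1: reject on any relay block-list hit, with no scoring."""
    return any(t.startswith("RCVD_IN_") for t in parsed["tests"])


def scored(parsed):
    """Policy 2: reject only when the combined score reaches the threshold."""
    return parsed["score"] >= parsed["required"]


def errors(samples, policy):
    """Return (ham rejected, spam accepted) for a rejection policy."""
    false_pos = false_neg = 0
    for verdict, header in samples:
        rejected = policy(parse_status(header))
        if rejected and verdict == "ham":
            false_pos += 1
        elif not rejected and verdict == "spam":
            false_neg += 1
    return false_pos, false_neg


if __name__ == "__main__":
    stats = rule_stats(SAMPLES)
    for rule in sorted(stats):
        print("%-20s spam=%d ham=%d ratio=%.2f" % (
            rule, stats[rule]["spam"], stats[rule]["ham"], spam_ratio(stats[rule])))
    print("review:", review_candidates(stats))
    print("hard block (FP, FN):", errors(SAMPLES, hard_block))
    print("scored     (FP, FN):", errors(SAMPLES, scored))
```

On this sample the hard-block policy rejects two legitimate messages that the scored policy lets through, at the cost of one missed spam.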



Re: not everyone is happy with SA

2007-07-20 Thread jdow

From: "John Rudd" <[EMAIL PROTECTED]>


David B Funk wrote:

On Fri, 20 Jul 2007, John Rudd "@ucsc.edu" wrote:


Jonas Eckerman wrote:


What do they think will happen when someone who doesn't know english
tries to send to a user of such a system that outputs english error
messages that directs the sender to web pages with english instructions?

One possibility is, it could just spit out a url, with no other text,
and assume that the sender will understand that they're intended to view
the URL to find out why the message was rejected.


Umm, if -you- got a message that you didn't expect written in a language
that you couldn't read which contained a link, would you click on it?


That's not what will happen here.

What will happen here is that the sender's own system will generate the 
error report, so it will be in that user's own system's language.  If they 
can't read the language used by their own mailadmin/ISP/etc., then there's 
a larger issue here, and again an issue that is not specific to this 
technology.


Within that message that we can safely assume is readable by the sender, 
because it came from their own mail system, will be the one line SMTP 
return code, which only has "5xx 5.y.y some://url".  They will know that 
this is the error returned by their intended recipient exactly because 
that's what the rest of the message told them (in the languages their ISP 
supports, because the message came from their ISP, and presumably they 
understand their own ISP, or, again, we're back to a problem that is not 
specifically the fault of this technology).


So, the real question here is not the one you asked.  The real question is:
"would you follow a url that is unknown to you, but clearly presented and 
explained to you by your own ISP?"


And, if I had a reasonable browser (to protect me against anything 
nefarious that might be in various web pages), and a reasonable mail 
provider (which I do, since I run my own mail server at home, as well as 
being the postmaster at work), then the answer is "if I knew it wasn't 
spoofed, yes".


If you don't have a reasonable browser, then you shouldn't be clicking on 
_ANY_ urls other than ones that go to web pages you wrote.


If you don't have a reasonable mail provider ... well, then, it doesn't 
matter if you can read the message or not, does it?





It's hard enough trying to teach safe internet usage to our Lusers, now
I have to go and tell them "in this -one- particular case just do it"?


What you should be teaching them is to understand and analyze what's in 
front of them.  Encouraging them to _never_ pay attention to the messages 
is just encouraging them to be lazy ignorant sheep instead of energetic 
ignorant sheep.  It's certainly easier to corral lazy ignorant sheep than 
energetic ones, but the problem is still the "ignorant sheep" part.


The willingly ignorant and lazy are hopeless.  Just be sure you've lots of 
firewalls up between you and them, because you can't really predict what 
they're going to do no matter what inputs you give them.




If the site which rejected the message is multi-lingual, then they can
have the resulting webpage offer multiple translations.

If they're not multi-lingual, and only speak english, then there wasn't
any point in the non-english speaker trying to contact them, was there? :-)


OK, and the IT staff at some-big-name university speaks all the languages
that their constituents/visitors speak? I would be surprised if you
didn't have some people on your campus who couldn't speak English.


It doesn't matter.  If they're contacting me, and I only speak english, 
and they don't speak english, then there's no point in them directly 
contacting me.  It doesn't matter if they're on my campus or on Mars. They 
will need to contact an intermediary.


And, as I pointed out, this isn't an issue that is specific to the 
technology being discussed.




Though, I would also point out that it seems most such error messages
are in english anyway.  But there's no necessity, in what's been
described so far, that the web page the URL leads to would be english only.


Do you mean to tell me that you've never gotten any "mailer-daemon"
messages from China, Russia, etc that you couldn't read?


From China or Russia?  No.

I have received a VANISHINGLY SMALL number from spanish and german 
speaking countries, however.  Certainly not enough to threaten the claim 
that "most such error messages are in english".


And, again, because it happens in the SMTP session between the sender's 
ISP and the C/R using ISP, the error is most likely to come from the 
sender's own ISP.  Hopefully the sender is already able to communicate 
with their own ISP in the ISP's supported languages.


John, I don't care HOW a challenge is worded, documented, presented I
cannot understand the language in which it is written. I don't speak "Duh",
the language of simpletons - the language of email challenges regardless of
what language they SEEM to be w

Re: not everyone is happy with SA

2007-07-20 Thread Gene Heskett
On Friday 20 July 2007, Kelson wrote:
>Gene Heskett wrote:
>>> I've been toying with "DANGER - DIHYDROGEN-MONOXIDE IN USE" signs
>>> recommending use of appropriate protective gear. But in today's terrorism
>>> atmosphere some idiot might not get it and
>>
>> Chuckle...
>>
>> Only if they failed introductory chemistry 101, but it should be good for
>> a chuckle even if you did have to explain it to the high school graduate,
>> I know everything crowd.  It's when they _still_ don't get it that could be
>> a problem.  By then they wouldn't touch a glass of it even with some of it
>> in frozen form on a steaming hot day.  Doesn't Darwin have an award for
>> those?
>
>Sadly, this isn't as implausible as one might hope.  A few years ago, a
>nearby city council (Aliso Viejo, California) came close to banning
>styrofoam cups based on the fact that they contained a dangerous
>chemical: dihydrogen monoxide.
>
>They blamed it on a paralegal who did "bad research," but somehow
>managed not to catch the joke until after it had been scheduled for a vote.

I guess that's just another chapter in the proof that there is one born every 
minute.

And, sometimes one lets such things come to their regular conclusion just so 
we can say, while sharpening one finger against another, I told you so...  
There is a certain amount of self satisfaction to that when the whole thing 
is a matter of public record to be discussed in the media, at length, just 
prior to the next election.  :-)

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Suspicion always haunts the guilty mind.
-- Wm. Shakespeare


RE: not everyone is happy with SA

2007-07-20 Thread Skip Brott
I have found this whole line of debate somewhat interesting, but it has
clearly strayed from the real core question:

Who is responsible?

Is it the responsibility of the sender to verify that they indeed intended
to send the email?
Or is it the responsibility of the recipient to verify senders?

My personal opinion is that it is the latter.  If I send an email to a valid
address, I find it a bit offensive that they send a challenge back.  Why is
it my responsibility as the sender to teach another system to accept mail
from me?

Would it not seem a lot more appropriate for the recipient to be the one to
manage this?  The premise is the same, but it places the burden on the
recipient to make the determination - which, imho, is where the ultimate
responsibility lies.

I don't utilize blacklists on our system based on the same rationale.  I
don't want something completely outside of my control (i.e. spamhaus,
spamcop, etc) determining whether or not my email server should accept email
from a particular host.  While this adds some additional load to our system,
I would much rather allow the filtering rules to make the determination
based on content not strictly on a host address.

- Skip



Re: not everyone is happy with SA

2007-07-20 Thread John Rudd

David B Funk wrote:

On Fri, 20 Jul 2007, John Rudd "@ucsc.edu" wrote:


Jonas Eckerman wrote:


What do they think will happen when someone who doesn't know english
tries to send to a user of such a system that outputs english error
messages that directs the sender to web pages with english instructions?

One possibility is, it could just spit out a url, with no other text,
and assume that the sender will understand that they're intended to view
the URL to find out why the message was rejected.


Umm, if -you- got a message that you didn't expect written in a language
that you couldn't read which contained a link, would you click on it?


That's not what will happen here.

What will happen here is that the sender's own system will generate the 
error report, so it will be in that user's own system's language.  If 
they can't read the language used by their own mailadmin/ISP/etc., then 
there's a larger issue here, and again an issue that is not specific to 
this technology.


Within that message that we can safely assume is readable by the sender, 
because it came from their own mail system, will be the one line SMTP 
return code, which only has "5xx 5.y.y some://url".  They will know that 
this is the error returned by their intended recipient exactly because 
that's what the rest of the message told them (in the languages their 
ISP supports, because the message came from their ISP, and presumably 
they understand their own ISP, or, again, we're back to a problem that 
is not specifically the fault of this technology).


So, the real question here is not the one you asked.  The real question is:
"would you follow a url that is unknown to you, but clearly presented and 
explained to you by your own ISP?"


And, if I had a reasonable browser (to protect me against anything 
nefarious that might be in various web pages), and a reasonable mail 
provider (which I do, since I run my own mail server at home, as well as 
being the postmaster at work), then the answer is "if I knew it wasn't 
spoofed, yes".


If you don't have a reasonable browser, then you shouldn't be clicking 
on _ANY_ urls other than ones that go to web pages you wrote.


If you don't have a reasonable mail provider ... well, then, it doesn't 
matter if you can read the message or not, does it?





It's hard enough trying to teach safe internet usage to our Lusers, now
I have to go and tell them "in this -one- particular case just do it"?


What you should be teaching them is to understand and analyze what's in 
front of them.  Encouraging them to _never_ pay attention to the 
messages is just encouraging them to be lazy ignorant sheep instead of 
energetic ignorant sheep.  It's certainly easier to corral lazy ignorant 
sheep than energetic ones, but the problem is still the "ignorant sheep" 
part.


The willingly ignorant and lazy are hopeless.  Just be sure you've lots 
of firewalls up between you and them, because you can't really predict 
what they're going to do no matter what inputs you give them.




If the site which rejected the message is multi-lingual, then they can
have the resulting webpage offer multiple translations.

If they're not multi-lingual, and only speak english, then there wasn't
any point in the non-english speaker trying to contact them, was there? :-)


OK, and the IT staff at some-big-name university speaks all the languages
that their constituents/visitors speak? I would be surprised if you
didn't have some people on your campus who couldn't speak English.


It doesn't matter.  If they're contacting me, and I only speak english, 
and they don't speak english, then there's no point in them directly 
contacting me.  It doesn't matter if they're on my campus or on Mars. 
They will need to contact an intermediary.


And, as I pointed out, this isn't an issue that is specific to the 
technology being discussed.




Though, I would also point out that it seems most such error messages
are in english anyway.  But there's no necessity, in what's been
described so far, that the web page the URL leads to would be english only.


Do you mean to tell me that you've never gotten any "mailer-daemon"
messages from China, Russia, etc that you couldn't read?


From China or Russia?  No.

I have received a VANISHINGLY SMALL number from spanish and german 
speaking countries, however.  Certainly not enough to threaten the claim 
that "most such error messages are in english".


And, again, because it happens in the SMTP session between the sender's 
ISP and the C/R using ISP, the error is most likely to come from the 
sender's own ISP.  Hopefully the sender is already able to communicate 
with their own ISP in the ISP's supported languages.
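The "5xx 5.y.y some://url" reply discussed in the message above, as an added example (not code from this thread): a parser a sending MTA could run on the receiver's SMTP reply before writing its own bounce. The rule of passing a link to the user only when its host lies inside the recipient's domain is an assumption added here as one way to approach "if I knew it wasn't spoofed"; all replies and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed SMTP replies as a sending MTA would receive them after RCPT/DATA.
SINGLE_LINE = "550 5.7.1 https://postmaster.example.org/rejected?id=4f2a\r\n"
MULTI_LINE = ("550-5.7.1 Message refused\r\n"
              "550 5.7.1 See https://lookalike.example.net/release\r\n")
TEMPORARY = "451 4.7.1 Try again later\r\n"
MISMATCHED = "550 4.7.1 Class digit disagrees with the reply code\r\n"

REPLY_LINE = re.compile(r"^([2-5]\d\d)([ -])(.*)$")
ENHANCED = re.compile(r"^([245])\.(\d{1,3})\.(\d{1,3})(?:\s+|$)")
URL = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)


def parse_reply(raw):
    """Parse one (possibly multi-line) SMTP reply into code, status and URLs."""
    lines = [ln for ln in raw.splitlines() if ln]
    if not lines:
        raise ValueError("empty reply")
    code, enhanced, texts = None, None, []
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError("not an SMTP reply line: %r" % line)
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("reply code changes inside one reply")
        is_last = i == len(lines) - 1
        if (m.group(2) == " ") != is_last:
            raise ValueError("'-' must mark every line except the last")
        text = m.group(3)
        e = ENHANCED.match(text)
        if e:
            # The enhanced status class must agree with the reply code class.
            if e.group(1) != code[0]:
                raise ValueError("enhanced status class does not match reply code")
            enhanced = enhanced or ".".join(e.groups())
            text = text[e.end():]
        texts.append(text.strip())
    text = " ".join(t for t in texts if t)
    urls = [u.rstrip(".,;)") for u in URL.findall(text)]
    return {"code": int(code), "enhanced": enhanced,
            "permanent": code[0] == "5", "text": text, "urls": urls}


def link_for_user(reply, rcpt_domain):
    """Return the first URL hosted inside rcpt_domain, else None.

    Assumption of this example: the bounce shows a link only when its host is
    the recipient's domain or a subdomain of it; anything else is withheld.
    """
    rcpt_domain = rcpt_domain.lower().rstrip(".")
    for url in reply["urls"]:
        try:
            host = (urlsplit(url).hostname or "").rstrip(".")
        except ValueError:
            continue  # malformed authority part, never show it
        if host == rcpt_domain or host.endswith("." + rcpt_domain):
            return url
    return None


if __name__ == "__main__":
    for raw in (SINGLE_LINE, MULTI_LINE, TEMPORARY):
        reply = parse_reply(raw)
        print(reply["code"], reply["enhanced"],
              "permanent" if reply["permanent"] else "temporary",
              "link:", link_for_user(reply, "example.org"))
```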




Re: not everyone is happy with SA

2007-07-20 Thread Kelson

Gene Heskett wrote:


I've been toying with "DANGER - DIHYDROGEN-MONOXIDE IN USE" signs
recommending use of appropriate protective gear. But in today's terrorism
atmosphere some idiot might not get it and


Chuckle...

Only if they failed introductory chemistry 101, but it should be good for a 
chuckle even if you did have to explain it to the high school graduate, I 
know everything crowd.  It's when they _still_ don't get it that could be a 
problem.  By then they wouldn't touch a glass of it even with some of it in 
frozen form on a steaming hot day.  Doesn't Darwin have an award for those?


Sadly, this isn't as implausible as one might hope.  A few years ago, a 
nearby city council (Aliso Viejo, California) came close to banning 
styrofoam cups based on the fact that they contained a dangerous 
chemical: dihydrogen monoxide.


They blamed it on a paralegal who did "bad research," but somehow 
managed not to catch the joke until after it had been scheduled for a vote.


--
Kelson Vibber
SpeedGate Communications 


Re: not everyone is happy with SA

2007-07-20 Thread David B Funk
On Fri, 20 Jul 2007, John Rudd "@ucsc.edu" wrote:

> Jonas Eckerman wrote:
>
> > What do they think will happen when someone who doesn't know english
> > tries to send to a user of such a system that outputs english error
> > messages that directs the sender to web pages with english instructions?
>
> One possibility is, it could just spit out a url, with no other text,
> and assume that the sender will understand that they're intended to view
> the URL to find out why the message was rejected.

Umm, if -you- got a message that you didn't expect written in a language
that you couldn't read which contained a link, would you click on it?

It's hard enough trying to teach safe internet usage to our Lusers, now
I have to go and tell them "in this -one- particular case just do it"?

> If the site which rejected the message is multi-lingual, then they can
> have the resulting webpage offer multiple translations.
>
> If they're not multi-lingual, and only speak english, then there wasn't
> any point in the non-english speaker trying to contact them, was there? :-)

OK, and the IT staff at some-big-name university speaks all the languages
that their constituents/visitors speak? I would be surprised if you
didn't have some people on your campus who couldn't speak English.

> Though, I would also point out that it seems most such error messages
> are in english anyway.  But there's no necessity, in what's been
> described so far, that the web page the URL leads to would be english only.

Do you mean to tell me that you've never gotten any "mailer-daemon"
messages from China, Russia, etc that you couldn't read?
I've seen cases where even the SMTP conversation was in encoded
Chinese. Asian countries are fast becoming the largest community on
the net.

This is not meant as a criticism, just to point out that simplistic
'solutions' often run into the reality buzz-saw.

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: not everyone is happy with SA

2007-07-20 Thread John Rudd

Jonas Eckerman wrote:

John Rudd wrote:

If they're not multi-lingual, and only speak english, then there 
wasn't any point in the non-english speaker trying to contact them, 
was there? :-)


The fact that the mail system and its supporting sites aren't 
multilingual does not mean that the mail users aren't. A typical 
national ISP for example might well have many users that are fluent in a 
number of languages that the ISP's pages are not available in.


My use of "they" was more inclusive than you're reading.  I wasn't 
referring to just the ISP/mailadmin.  I was also referring to the 
original recipient.



But there's no necessity, in what's been described so far, that the 
web page the URL leads to would be english only.


Of course there isn't. There is a very real possibility though.

For a mail service provider it could mean quite a lot of work to first 
find out what languages all of their users might receive (and be able to 
understand) mail in, and then to make sure that they have instructions 
available in all those languages.


They already have to bear that burden in providing documentation, don't 
they?  They either pick one or a few standard languages to support, or 
they try to come up with a huge base of documentation in every language 
they can conceive.  If they choose the former, then some percentage of 
users (their own, and remote people trying to figure out things) will be 
out in the cold if they don't speak one of the supported languages. 
This isn't a problem specific to the technology being discussed.


Re: not everyone is happy with SA

2007-07-20 Thread John Rudd

Leonardo Rodrigues Magalhães wrote:



John Rudd escreveu:


If they're not multi-lingual, and only speak english, then there 
wasn't any point in the non-english speaker trying to contact them, 
was there? :-)




   And what about non-english companies that host their domains 
worldwide, sometimes in USA servers or even in other countries 




I think if you re-read what I said, you'll see that it addresses your 
question completely.


What you quoted specifically says "if they're not multi-lingual, and 
only speak english".  If they're a non-english company, no matter 
whether they're worldwide or not, and no matter where they're hosted, 
then the fact that they are non-english alone clearly says they don't 
conform to the condition I set, right?


Re: not everyone is happy with SA

2007-07-20 Thread Jonas Eckerman

John Rudd wrote:

What do they think will happen when someone who doesn't know english 
tries to send to a user of such a system that outputs english error 


One possibility is, it could just spit out a url, with no other text, 
and assume that the sender will understand


They can, but my *guess* is that lots of senders won't.

If they're not multi-lingual, and only speak english, then there wasn't 
any point in the non-english speaker trying to contact them, was there? :-)


The fact that the mail system and its supporting sites aren't 
multilingual does not mean that the mail users aren't. A typical 
national ISP for example might well have many users that are 
fluent in a number of languages that the ISP's pages are not 
available in.


But there's no necessity, in what's been 
described so far, that the web page the URL leads to would be english only.


Of course there isn't. There is a very real possibility though.

For a mail service provider it could mean quite a lot of work to 
first find out what languages all of their users might receive 
(and be able to understand) mail in, and then to make sure that 
they have instructions available in all those languages.


Of course, a company could provide a system that is already 
translated to a huge number of languages, but then the price 
would probably reflect that.


IAC, it is one of the problems one should be aware of when one 
thinks about this kind of system.


Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: not everyone is happy with SA

2007-07-20 Thread Ken A

Leonardo Rodrigues Magalhães wrote:



John Rudd escreveu:


If they're not multi-lingual, and only speak english, then there 
wasn't any point in the non-english speaker trying to contact them, 
was there? :-)




   And what about non-english companies that host their domains 
worldwide, sometimes in USA servers or even in other countries 




Well, you could put the language based on the email's character set into 
the url as a query string.


But, it's still a very unfriendly practice. Email is email, and should 
not require a browser of any kind. So, you are back to sending a 
challenge email, which is broken for all the other reasons already 
stated by many here. Stick a fork in it, it's done.


Ken


--
Ken Anderson
Pacific.Net


Re: not everyone is happy with SA

2007-07-20 Thread Leonardo Rodrigues Magalhães



John Rudd escreveu:


If they're not multi-lingual, and only speak english, then there 
wasn't any point in the non-english speaker trying to contact them, 
was there? :-)




   And what about non-english companies that host their domains 
worldwide, sometimes in USA servers or even in other countries 


--


Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

Minha armadilha de SPAM, NÃO mandem email
[EMAIL PROTECTED]
My SPAMTRAP, do not email it






Re: not everyone is happy with SA

2007-07-20 Thread John Rudd

Jonas Eckerman wrote:

What do they think will happen when someone who doesn't know english 
tries to send to a user of such a system that outputs english error 
messages that directs the sender to web pages with english instructions?


One possibility is, it could just spit out a url, with no other text, 
and assume that the sender will understand that they're intended to view 
the URL to find out why the message was rejected.


If the site which rejected the message is multi-lingual, then they can 
have the resulting webpage offer multiple translations.


If they're not multi-lingual, and only speak english, then there wasn't 
any point in the non-english speaker trying to contact them, was there? :-)



Though, I would also point out that it seems most such error messages 
are in english anyway.  But there's no necessity, in what's been 
described so far, that the web page the URL leads to would be english only.


Re: not everyone is happy with SA

2007-07-20 Thread Jonas Eckerman

Dave Pooser wrote:


Yes, it used a CAPTCHA. And if we can design a system where sending spam
requires more effort from the spammer (reading the error message, browsing
to the site, reading the CAPTCHA, typing it in, and then clicking "Release"


Ah. Of course. A system that prevents all blind users from 
sending mail.


(And before someone mentions CAPTCHAs with audio, I'll mention 
that deafblind people can't hear the audio...)


What do they think will happen when someone who doesn't know 
english tries to send to a user of such a system that outputs 
english error messages that directs the sender to web pages with 
english instructions?


Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



RE: Re: not everyone is happy with SA

2007-07-20 Thread Rob Sterenborg
Per Jessen wrote:
> Like I said - provided that the objective is to avoid spam, it might
> work for the individual user.  The objective of C-R was never (IMO) to
> help reduce or eliminate spam other than for one person.

However, there isn't just one email user; there's a lot of them.
If every private email user used C/R as spam protection that wouldn't be
good either. IMO C/R just shouldn't be used for spam checking, corporate
or private.


--
Rob


Re: not everyone is happy with SA

2007-07-20 Thread Per Jessen
Andy Sutton wrote:

> On Thu, 2007-07-19 at 21:35 +0200, Per Jessen wrote:
>> Well, provided the objective is to avoid spam, it still might work
>> well for that individual user.
> 
> Avoid?  For whom?  The objective should be to reduce or eliminate
> spam, not pass filtering costs off on others. 

Like I said - provided that the objective is to avoid spam, it might
work for the individual user.  The objective of C-R was never (IMO) to
help reduce or eliminate spam other than for one person. 



/Per Jessen, Zürich



[OT] Re: not everyone is happy with SA

2007-07-19 Thread Loren Wilton
Love it Loren, justice prevails. :)  But don't they eventually take over the
place leading to the purchase of a DR Trimmer and other less neat eradication
methods, like flame throwers and such?


They started from some my mother had planted beside the house that took over 
about half an acre and made the house half inaccessible.  Took A LOT of work 
to finally get rid of those.  So far the other stuff is being fairly 
manageable.  I keep the live stuff small, and just distribute lots of dead 
branches about.


   Loren




Re: not everyone is happy with SA

2007-07-19 Thread Doc Schneider

jdow wrote:
> From: "Michael Scheidell" <[EMAIL PROTECTED]>
>> -Original Message-
>> From: David B Funk [mailto:[EMAIL PROTECTED]
>> On Thu, 19 Jul 2007, Dave Pooser wrote:
>> their 'PC' interpretation of the error code. Thus Exchange LLusers[1]
>> will not see the link and have no chance to release their message.
>>
> 
> But the correct term is lusers, as in l.a.r.t. as defined by the cabal
> (tinc)
> Only bad thing about CR systems is that if I refuse to play with them I
> can't send a lart.
> 
> 
> 
> 
> 
> Let's say there are lusers and Looney Lusers, llusers.
> 
> {^_-}
Lusers losers and then total Starfish!

/me keeps his TAC-Nuke LART always handy... HAR!

- --

 -Doc

 Penguins: Do it on the ice.
   8:44am  up 4 days, 16:55, 17 users,  load average: 0.18, 0.30, 0.37

 SARE HQ  http://www.rulesemporium.com/


Re: not everyone is happy with SA

2007-07-19 Thread jdow

From: "Michael Scheidell" <[EMAIL PROTECTED]>

-Original Message-
From: David B Funk [mailto:[EMAIL PROTECTED] 


On Thu, 19 Jul 2007, Dave Pooser wrote:
their 'PC' interpretation of the error code. Thus Exchange 
LLusers[1] will not see the link and have no chance to 
release their message.




But the correct term is lusers, as in l.a.r.t. as defined by the cabal
(tinc)
Only bad thing about CR systems is that if I refuse to play with them I
can't send a lart.





Let's say there are lusers and Looney Lusers, llusers.

{^_-}


RE: not everyone is happy with SA

2007-07-19 Thread Michael Scheidell

> -Original Message-
> From: David B Funk [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 19, 2007 8:17 PM
> To: spamassassin-users
> Subject: Re: not everyone is happy with SA
> 
> 
> On Thu, 19 Jul 2007, Dave Pooser wrote:
> their 'PC' interpretation of the error code. Thus Exchange 
> LLusers[1] will not see the link and have no chance to 
> release their message.
> 

But the correct term is lusers, as in l.a.r.t. as defined by the cabal
(tinc)
Only bad thing about CR systems is that if I refuse to play with them I
can't send a lart.
_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_


Re: not everyone is happy with SA

2007-07-19 Thread Gene Heskett
On Thursday 19 July 2007, jdow wrote:
>From: "Loren Wilton" <[EMAIL PROTECTED]>
>
>>> Chuckle.  Now in that case, a tall chain link fence, with a few "Beware
>>> of
>>> Mickey" placards might be in order.
>>
>> It is a 6' fence, variously wood and chain link.  And I used to have LOTS
>> of problem with people ignoring the "private property" signs on the other
>> side and jumping the fence any time they wanted a convenient path from one
>> place to another.  I finally planted Jerusalem Thorn bushes at the major
>> traffic points, and dropped the trimmings (these are prolific plants)
>> along the base of the fence in other traffic places.  This stopped the
>> "jump over the six foot fence" traffic after about a month.
>
>Longer than that. I kept the jump spots "fed".
>
>For those who don't know about Jerusalem Thorn we're talking about the
>Mexican variety, Parkinsonia Aculeata.
>
>http://en.wikipedia.org/wiki/Parkinsonia_aculeata
>
>This is a NASTY thorn bush. And the Wikipedia description underestimates
>the thorn size. The trees we had would produce thorns about an inch to
>an inch and a half long that would go through tennis shoe soles. They
>would embed deeply into hard rubber soled walking shoes that had 3/4"
>soles. Around each randomly curved thorn at its base were a collection
>of little thorns about 2 to 4 mm long.
>
>It was a pain, literally, to cut off branches and then pull them loose
>from the other branches. It was only safe to carry a small number at a
>time lest their weight force thorns through thick leather work gloves.
>But I did keep the "traps" seeded. And I am nasty enough to get giggles
>when I think of the reactions of those who jumped the fence into a
>bunch of these monsters.
>
>(Now we have a second fence across the "front" of the property so the
>short cut doesn't work so well, particularly with the easy gate from the
>jump spots seems to have gotten jammed in a Santana wind storm a couple
>years ago.)

Santana wind?  I'll bet...  And that has worked so well that no effort to 
repair it has been spared. :)

>{^_-}



-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If you have never been hated by your child, you have never been a parent.
-- Bette Davis


Re: not everyone is happy with SA

2007-07-19 Thread Gene Heskett
On Thursday 19 July 2007, Loren Wilton wrote:
>> Chuckle.  Now in that case, a tall chain link fence, with a few "Beware of
>> Mickey" placards might be in order.
>
>It is a 6' fence, variously wood and chain link.  And I used to have LOTS of
>problem with people ignoring the "private property" signs on the other side
>and jumping the fence any time they wanted a convenient path from one place
>to another.  I finally planted Jerusalem Thorn bushes at the major traffic
>points, and dropped the trimmings (these are prolific plants) along the base
>of the fence in other traffic places.  This stopped the "jump over the six
>foot fence" traffic after about a month.
>
>Loren

Love it Loren, justice prevails. :)  But don't they eventually take over the 
place leading to the purchase of a DR Trimmer and other less neat eradication 
methods, like flame throwers and such?

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If you have never been hated by your child, you have never been a parent.
-- Bette Davis


Re: not everyone is happy with SA

2007-07-19 Thread Gene Heskett
On Thursday 19 July 2007, jdow wrote:
>From: "Gene Heskett" <[EMAIL PROTECTED]>
>
>> On Thursday 19 July 2007, Loren Wilton wrote:
>>>> If someone poops in my swimming pool, I don't find it an acceptable
>>>> solution to chuck it over the fence into my neighbors yard.  Why do you?
>>>
>>>Perhaps because most people believe that is the correct solution?
>>>
>>>I have a fairly large yard surrounded by about two dozen newer tract
>>>houses.
>>>I employ a gardener to go around once a week and pick up all the yard
>>>trash
>>>that the neighbors have thrown over their back fences into my yard because
>>>they were too lazy to carry it out to the street for the FREE yard trash
>>>pickup by the city.  Generally any time they trim a bush, plant, or tree,
>>>they assume *I* want their dead plant parts.  And broken awnings, and
>>>discarded toys, and used up swimming pool treatment containers, etc.
>>>
>>>Out of the 20 or so houses, I'd say this is a major problem with about 16
>>>of
>>>them.  So I'd say 4 out of 5 people would prefer C/R systems, as long as
>>>their C/R system filters out all of the Cs from other users before they
>>>see
>>>them.
>>>
>>>Loren
>>
>> Chuckle.  Now in that case, a tall chain link fence, with a few "Beware of
>> Mickey" placards might be in order.
>
>That's "Mikey", because he'll eat ANYTHING.

Sorry, I didn't intentionally misspell his name.  If I run across an extra 
door to door salesman I'll send him along as retribution.

>I've been toying with "DANGER - DIHYDROGEN-MONOXIDE IN USE" signs
>recommending use of appropriate protective gear. But in today's terrorism
>atmosphere some idiot might not get it and

Chuckle...

Only if they failed introductory chemistry 101, but it should be good for a 
chuckle even if you did have to explain it to the high school graduate, I 
know everything crowd.  It's when they _still_ don't get it that could be a 
problem.  By then they wouldn't touch a glass of it even with some of it in 
frozen form on a steaming hot day.  Doesn't Darwin have an award for those?

>In the past I've toyed with (and used once on an antenna tower) signs
>like "Trespassers will be experimented upon."

Or "Trespassers will be violated by Mikey" :)

Reminds me somewhat of a sign I once saw on the entrance to a ranch road SE of 
Farmington NM in 1979 that went in a semi-straight line over several hills in 
the distance and it said:


|  No hunting or trespassing,  |
|   violators will be shot,    |
| survivors will be shot again |
|         (and again)          |


Obviously I never found out where that road actually went.  And to top it off, 
I've seen a pix of that sign in print since but google can't find the actual 
pix.  Silk screened imitations is all.

The neighbors must have been having a 'can you top this' contest because there 
was another sign down in the boondocks about 40 miles away approaching 
Huerfano Mtn. that said his trespasser load for his shotgun wasn't exactly 
soft pillows.  I did pass that one several times on my way to check a 
microwave site on the 
far end of that sacred ridge in the desert floor. (I had the only 1st phone 
in that region at the time so I was in popular demand)  Our vehicles were 
allowed passage but we weren't allowed to put a foot down until we were past 
the sacred portion, not even if the vehicle broke down.  I prayed to 
the "Bronco, get me there and back" gods when I headed up that trail.  
Somehow it always did.  The microwave shack was the end of the road, and to 
walk 50 feet past it you'd need a parachute or rock crawling gear.

Very very interesting pieces of country to an archeologist, 3rd ranked by me, 
with Chaco Canyon and Mesa Verde #1 & #2.  I have personally seen the 'ghosts 
of time' at Chaco Canyon, and there are some un-explainable in 800 year old 
technology things at Mesa Verde.  All 3 are magic places to visit if you let 
your mind listen to what you see.

>{+_+}



-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I'd like MY data-base JULIENNED and stir-fried!


Re: not everyone is happy with SA

2007-07-19 Thread jdow

From: "Loren Wilton" <[EMAIL PROTECTED]>

>> Chuckle.  Now in that case, a tall chain link fence, with a few "Beware of
>> Mickey" placards might be in order.
>
> It is a 6' fence, variously wood and chain link.  And I used to have LOTS 
> of problem with people ignoring the "private property" signs on the other 
> side and jumping the fence any time they wanted a convenient path from one 
> place to another.  I finally planted Jerusalem Thorn bushes at the major 
> traffic points, and dropped the trimmings (these are prolific plants) 
> along the base of the fence in other traffic places.  This stopped the 
> "jump over the six foot fence" traffic after about a month.


Longer than that. I kept the jump spots "fed".

For those who don't know about Jerusalem Thorn we're talking about the
Mexican variety, Parkinsonia Aculeata.

http://en.wikipedia.org/wiki/Parkinsonia_aculeata

This is a NASTY thorn bush. And the Wikipedia description underestimates
the thorn size. The trees we had would produce thorns about an inch to
an inch and a half long that would go through tennis shoe soles. They
would embed deeply into hard rubber soled walking shoes that had 3/4"
soles. Around each randomly curved thorn at its base were a collection
of little thorns about 2 to 4 mm long.

It was a pain, literally, to cut off branches and then pull them loose
from the other branches. It was only safe to carry a small number at a
time lest their weight force thorns through thick leather work gloves.
But I did keep the "traps" seeded. And I am nasty enough to get giggles
when I think of the reactions of those who jumped the fence into a
bunch of these monsters.

(Now we have a second fence across the "front" of the property so the
short cut doesn't work so well, particularly with the easy gate from the
jump spots seems to have gotten jammed in a Santana wind storm a couple
years ago.)

{^_-} 



Re: not everyone is happy with SA

2007-07-19 Thread David B Funk
On Thu, 19 Jul 2007, Dave Pooser wrote:

> Actually I've seen one C/R variant that addresses the backscatter C/R issue
> quite nicely; it dropped the suspected spam in a quarantine folder and
> issued an SMTP fakereject after DATA that included a link to a website where
> the sender could release the spam from quarantine. So no backscatter
> spamming innocent third parties, but you still get a chance for the sender
> to verify sending a message. The backend might be a little involved to set
> up, but the final system looked secure and easy to use.

This breaks as soon as it runs into an Exchange server. Microsoft, in
their infinitely great wisdom, "sanitizes" DSNs, removes the original
error text and replaces it with their 'PC' interpretation of the error
code. Thus Exchange LLusers[1] will not see the link and have
no chance to release their message.


[1] the 'LL' is pronounced in the Spanish style.

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
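
The delivery outcomes argued over in this sub-thread (a challenge sent by mail versus a 5xx reject after DATA, and a sending server that replaces the error text as the post above describes), as an added Python model that is not from any poster or from a real C/R product. The addresses, the release URL and the generic DSN wording are constructed for the example.

```python
"""Who ends up with mail when a C/R system challenges by mail vs. by 5xx reject.

Constructed model: addresses, RELEASE_URL and GENERIC_DSN_TEXT are assumptions
made for this example, not values taken from the thread or from any product.
"""
RELEASE_URL = "https://release.example/q/"        # hypothetical quarantine site
GENERIC_DSN_TEXT = "Delivery has failed to these recipients."  # stand-in wording


def recipient_mx(policy, envelope_from, msg_id):
    """Receiving server's answer at end of DATA for a message it suspects is spam.

    Returns (smtp_reply, mail_the_server_sends_itself_or_None).
    """
    link = RELEASE_URL + msg_id
    if policy == "challenge-by-mail":
        # Classic C/R: accept, then mail a challenge to whatever the envelope said.
        return "250 2.0.0 queued", {"to": envelope_from, "body": "Confirm at " + link}
    if policy == "fakereject":
        # Variant from the thread: quarantine, answer 5xx, link in the reply text.
        return "550 5.7.1 Held as suspected spam; release at " + link, None
    raise ValueError("unknown policy: " + policy)


def submit(client, policy, real_sender, envelope_from, msg_id="m1"):
    """Run one delivery attempt and summarise every mail generated because of it.

    client is "bot" (speaks SMTP directly, ignores failures), "mta" (relays the
    remote error text in its DSN) or "mta-rewrites-dsn" (replaces that text).
    """
    reply, challenge = recipient_mx(policy, envelope_from, msg_id)
    generated = [challenge] if challenge else []
    if reply.startswith("5") and client != "bot":
        # A real MTA turns the 5xx into a DSN for its own local user.
        text = GENERIC_DSN_TEXT if client == "mta-rewrites-dsn" else reply
        generated.append({"to": real_sender, "body": "Diagnostic-Code: smtp; " + text})
    return {
        # Mail landing on anyone other than the party that really sent the message.
        "backscatter": [m["to"] for m in generated if m["to"] != real_sender],
        # Can the real sender find the release link in something they received?
        "sender_sees_link": any(
            m["to"] == real_sender and RELEASE_URL in m["body"] for m in generated
        ),
    }


def scenario_table():
    """All client/policy combinations for one forged and one honest sender."""
    victim, alice = "victim@third.example", "alice@sender.example"
    rows = {}
    for policy in ("challenge-by-mail", "fakereject"):
        # The bot forges the victim's address as envelope sender.
        rows[("bot", policy)] = submit("bot", policy, "bot@botnet.example", victim)
        rows[("mta", policy)] = submit("mta", policy, alice, alice)
        rows[("mta-rewrites-dsn", policy)] = submit(
            "mta-rewrites-dsn", policy, alice, alice
        )
    return rows


if __name__ == "__main__":
    for key, outcome in scenario_table().items():
        print(key, outcome)
```
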


Re: not everyone is happy with SA

2007-07-19 Thread jdow

THAT you should have realized already.

Justin is a gentleman and a scholar as I see it.

{^_^}Joanne said that
- Original Message - 
From: "Thomas Raef" <[EMAIL PROTECTED]>



You went into some fantastic depth in investigating the "truth" of this
PR.

You, sir, ROCK!!!

Thomas J. Raef
e-Based Security, LLC
www.ebasedsecurity.com
1-866-838-6108
"You're either hardened, or you're hacked!"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 



Per Jessen writes:




http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=

That "study" is very flawed.  I wrote up two major problems over
at my blog: http://taint.org/2007/07/19/122638a.html

--j.


Re: not everyone is happy with SA

2007-07-19 Thread John Rudd

jdow wrote:

From: "John Rudd" <[EMAIL PROTECTED]>




If you return a 5xx error, what is to prevent the spammer from 
clicking to release? CAPTCHA?


I'm actually not concerned about that.  While that is a quality issue 
for the user of the C/R system, it isn't something that pollutes the net.


THAT is where we disagree. C/R pollutes the net. There is no question
about it. It is the effort of a weak mind to defend itself from knowledge
as well as spam.



You misunderstood my point.  I'm not saying C/R doesn't pollute the net.
I said the exact release mechanism isn't something I'm concerned 
about.  It is not an extra set of net pollution, above and beyond the 
basic C/R system.


Also, the mentioned C/R system is at least less polluting than other C/R 
mechanisms: it's rejecting instead of bouncing, so messages from direct 
spam sending bots will just disappear instead of being backscattered. 
Normal C/R systems would cause backscatter from those same messages.


But, as I pointed out, and as you agreed with me, it still has at least 
2 features that remain unacceptable (and as the person who mentioned it 
said, he doesn't know if the 3rd one is a problem in that implementation 
or not; so it might be 3 features that remain unacceptable).



What if this system was in widespread use? It could be a serious 
single point of failure.


Again, that's a quality issue for the user of the C/R system, not for 
the rest of us.  And, it's an implementation detail that might be 
solvable with clustered web servers and databases, so a large scale 
implementation might not have a single point of failure.


If you intend to email me Challenge/Response sets off a 


a) I believe there is supposed to be a comma after "me" ... otherwise 
the rant is a bit awkwardly worded.


b) I never said I plan to use C/R systems.  I don't like C/R systems.  I 
never said anything that comes close to saying that I like them or would 
use them.  You of all people I would expect to intelligently read a 
message instead of knee-jerking to a message which simply analyzes a 
newly presented C/R mechanism (and still points out its flaws), while 
dismissing some of its implementation details* as "not relevant to its 
non-users".



(* the captcha question, and the single point of failure question)



Re: not everyone is happy with SA

2007-07-19 Thread jdow

So THIS Is where the idiot thread started.

Please don't troll with this crap.
{^_^}
- Original Message - 
From: "Per Jessen" <[EMAIL PROTECTED]>




http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=



/Per Jessen, Zürich 



Re: not everyone is happy with SA

2007-07-19 Thread Loren Wilton

Chuckle.  Now in that case, a tall chain link fence, with a few "Beware of
Mickey" placards might be in order.


It is a 6' fence, variously wood and chain link.  And I used to have LOTS of 
problem with people ignoring the "private property" signs on the other side 
and jumping the fence any time they wanted a convenient path from one place 
to another.  I finally planted Jerusalem Thorn bushes at the major traffic 
points, and dropped the trimmings (these are prolific plants) along the base 
of the fence in other traffic places.  This stopped the "jump over the six 
foot fence" traffic after about a month.


   Loren




Re: not everyone is happy with SA

2007-07-19 Thread jdow

From: "Dave Pooser" <[EMAIL PROTECTED]>


I think CR can perhaps work quite well for an individual user with the
technical insight & time to spare, but such individual users are only
a small part of the picture.


No it doesn't.  It foists the recipient's burden on others, usually due
to the *lack* of technical insight.  Otherwise they'd realize they are
only making the problem worse.


Actually I've seen one C/R variant that addresses the backscatter C/R issue
quite nicely; it dropped the suspected spam in a quarantine folder and
issued an SMTP fakereject after DATA that included a link to a website where
the sender could release the spam from quarantine. So no backscatter
spamming innocent third parties, but you still get a chance for the sender
to verify sending a message. The backend might be a little involved to set
up, but the final system looked secure and easy to use.


STILL not going to get "responsed" from here no how no way. AND I will
mark the site as a spammer.

{^_^} 



Re: not everyone is happy with SA

2007-07-19 Thread jdow

From: "Gene Heskett" <[EMAIL PROTECTED]>


On Thursday 19 July 2007, Loren Wilton wrote:

If someone poops in my swimming pool, I don't find it an acceptable
solution to chuck it over the fence into my neighbors yard.  Why do you?


Perhaps because most people believe that is the correct solution?

I have a fairly large yard surrounded by about two dozen newer tract houses.
I employ a gardener to go around once a week and pick up all the yard trash
that the neighbors have thrown over their back fences into my yard because
they were too lazy to carry it out to the street for the FREE yard trash
pickup by the city.  Generally any time they trim a bush, plant, or tree,
they assume *I* want their dead plant parts.  And broken awnings, and
discarded toys, and used up swimming pool treatment containers, etc.

Out of the 20 or so houses, I'd say this is a major problem with about 16 of
them.  So I'd say 4 out of 5 people would prefer C/R systems, as long as
their C/R system filters out all of the Cs from other users before they see
them.

   Loren


Chuckle.  Now in that case, a tall chain link fence, with a few "Beware of
Mickey" placards might be in order.


That's "Mikey", because he'll eat ANYTHING.

I've been toying with "DANGER - DIHYDROGEN-MONOXIDE IN USE" signs
recommending use of appropriate protective gear. But in today's terrorism
atmosphere some idiot might not get it and

In the past I've toyed with (and used once on an antenna tower) signs
like "Trespassers will be experimented upon."

{+_+} 



Re: not everyone is happy with SA

2007-07-19 Thread jdow

From: "Dave Pooser" <[EMAIL PROTECTED]>


That sounds like a very badly designed system. While I do not like C/R
systems so would never implement one, surely it is only common sense to
expect responses to emails which are sent out and therefore to accept
such responses without issuing a challenge.


I agree.  But the proposed design didn't mention whitelisting the
recipients of your own outbound traffic.  And there are C/R systems that
are deficient in this area.


Let me be more clear: I'm not proposing this system, merely describing one I
encountered. My presumption is that the system whitelisted recipients of
outbound traffic and only applied this fakereject to messages that hit some
sort of spam threshold, but I don't know for sure. (And I REALLY wish I
remembered where I encountered this system!)


If you return a 5xx error, what is to prevent the spammer from clicking
to release? CAPTCHA?


Yes, it used a CAPTCHA. And if we can design a system where sending spam
requires more effort from the spammer (reading the error message, browsing
to the site, reading the CAPTCHA, typing it in, and then clicking "Release"
for each message) than clicking "delete" requires from the recipient, we
just won the spam war anyway.


Um, captcha? Then I'd doubly never respond to the abortion. It wasted
bandwidth on the captcha AND I CANNOT READ THE CAPTCHA IN PLAIN TEXT.

I use plain text for security reasons. If somebody is arrogant enough to
feed me a captcha I have to fill in before I can email with him he never
speaks to me. That is a triple massive insult, waste bandwidth, waste
my time, and force me to change to HTML mode before I can reply.

fsck'em.

{^_^} 



Re: not everyone is happy with SA

2007-07-19 Thread John Rudd

Loren Wilton wrote:
It occurs to me to wonder how C/R is supposed to establish 
communications between two users of C/R systems.


You send a message to X.  His C/R system, not knowing you, doesn't 
deliver the mail to X, it sends a challenge back to you.


Your C/R system, not knowing X, sends him a C/R message, demanding he 
jump through hoops to send YOU a C/R message.


His system receives the C/R message from your system.  Not knowing you, 
it sends you a C/R message...


While this is good for bandwidth providers that charge by the bit, it 
isn't clear to me how you establish communications.


Perhaps the original sender calls the recipient on the phone and asks to 
be pre-authorized to break the loop?



Not that I'm defending C/R systems, as I dislike them, but, I believe 
the above is solved by C/R systems that whitelist outbound messages.



So:

1) you send message to X, and your C/R system whitelists X.

2) X's C/R system gets the message, holds it, and sends you a Challenge

3) your C/R system lets the Challenge through because you whitelisted X.

4) you handle the challenge however you want to.


Of course, this depends on X using a sender address for his 
Challenges that matches the recipient address, and that said recipient 
address wasn't munged along the path.  Any kind of modification due to 
masquerading, non-transparent forwarding, etc., will keep that from working.
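
The loop between two C/R systems and the outbound-whitelist fix described in the message above, including its caveat about the challenge's sender address, as an added Python simulation that is not from any poster or C/R product. The addresses, class names and hop limit are constructed, and the model assumes neither system recognises a challenge as automated mail.

```python
"""Toy model of two challenge/response (C/R) mailboxes exchanging mail.

Constructed example: addresses, names and max_hops are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mail:
    sender: str   # envelope sender
    rcpt: str     # envelope recipient
    kind: str     # "message" or "challenge"


@dataclass
class CRMailbox:
    address: str
    whitelist_outbound: bool
    # Sender address used on challenges. Empty means "same as address"; another
    # value models masquerading or a separate challenge-robot address.
    challenge_from: str = ""
    known: set = field(default_factory=set)
    held: list = field(default_factory=list)
    inbox: list = field(default_factory=list)

    def __post_init__(self):
        if not self.challenge_from:
            self.challenge_from = self.address

    def send(self, rcpt):
        """User writes a new message; step 1 of the fix remembers the recipient."""
        if self.whitelist_outbound:
            self.known.add(rcpt)
        return Mail(self.address, rcpt, "message")

    def receive(self, mail):
        """Deliver mail from known senders; hold anything else and challenge it."""
        if mail.sender in self.known:
            self.inbox.append(mail)
            return None
        self.held.append(mail)
        return Mail(self.challenge_from, mail.sender, "challenge")


def simulate(a, b, max_hops=20):
    """a mails b once; follow every automatic reply until quiet or max_hops."""
    routes = {a.address: a, a.challenge_from: a, b.address: b, b.challenge_from: b}
    queue = deque([a.send(b.address)])
    hops = 0
    while queue and hops < max_hops:
        mail = queue.popleft()
        hops += 1
        reply = routes[mail.rcpt].receive(mail)
        if reply is not None:
            queue.append(reply)
    return {
        "hops": hops,
        "looping": bool(queue),  # still generating challenges at the cut-off
        "challenge_delivered": any(m.kind == "challenge" for m in a.inbox),
    }


def run_cases():
    """The three situations discussed in the thread, keyed by description."""
    cases = {
        "neither whitelists": (False, ""),
        "sender whitelists outbound": (True, ""),
        "whitelist, challenge from other address": (True, "cr-robot@b.example"),
    }
    results = {}
    for name, (whitelist, robot) in cases.items():
        a = CRMailbox("you@a.example", whitelist_outbound=whitelist)
        b = CRMailbox("x@b.example", whitelist_outbound=whitelist,
                      challenge_from=robot)
        results[name] = simulate(a, b)
    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name}: {outcome}")
```
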




Re: not everyone is happy with SA

2007-07-19 Thread jdow

From: "John Rudd" <[EMAIL PROTECTED]>


Graham Murray wrote:

John Rudd <[EMAIL PROTECTED]> writes:


However, it still leaves the problems of:

1) A user sends me a technical question.  I answer, and get back a
Challenge, forcing me to jump through hoops to get their answer to
them.


That sounds like a very badly designed system. While I do not like C/R
systems so would never implement one, surely it is only common sense to
expect responses to emails which are sent out and therefore to accept
such responses without issuing a challenge.


I agree.  But the proposed design didn't mention whitelisting the 
recipients of your own outbound traffic.  And there are C/R systems that 
are deficient in this area.


How do you know all the intended recipients of emails sent to mailing
lists? Sometimes it is most polite to reply off list. A C/R loses at
that point. It becomes spam and an insult.

But, there's also the simple case that the recipient of the message 
might not be the person who replies to it.  You might send a message to 
[EMAIL PROTECTED], which is a mailing list or multi-delivery alias, 
and get an answer back from [EMAIL PROTECTED] ... same 
problem, but not easily whitelisted.


Precisely.

{^_^}


Re: not everyone is happy with SA

2007-07-19 Thread jdow

From: "John Rudd" <[EMAIL PROTECTED]>


Ken A wrote:

Dave Pooser wrote:

I think CR can perhaps work quite well for an individual user with the
technical insight & time to spare, but such individual users are only
a small part of the picture.

No it doesn't.  It foists the recipient's burden on others, usually due
to the *lack* of technical insight.  Otherwise they'd realize they are
only making the problem worse.


Actually I've seen one C/R variant that addresses the backscatter C/R issue
quite nicely; it dropped the suspected spam in a quarantine folder and
issued an SMTP fakereject after DATA that included a link to a website where
the sender could release the spam from quarantine. So no backscatter
spamming innocent third parties, but you still get a chance for the sender
to verify sending a message. The backend might be a little involved to set
up, but the final system looked secure and easy to use.


I think that's the first non-backscatter form of C/R I've seen.

However, it still leaves the problems of:

1) A user sends me a technical question.  I answer, and get back a 
Challenge, forcing me to jump through hoops to get their answer to them.


User never gets the reply if that happens to me. I am rather rigid
about spam like Challenge/Response mailings. I have most of them trained
into my SpamAssassin to simply get treated as spam if I didn't get mad
enough to filter the entire site out in procmail.

2) I send email inquiry to a business.  They send me a Challenge, making 
me jump through hoops in order to give them money.



I categorically refuse to do business with spammers. Users of Challenge/
Response are spammers. Hence they get dropped on the floor and lose my
business.


3) You're still forcing a legitimate sender to do your anti-spam decision 
making for you.


And I take that as a mortal insult from somebody too lazy to do proper
spam filtering.


All of those are still, IMO, unacceptably rude.


If you return a 5xx error, what is to prevent the spammer from clicking 
to release? CAPTCHA?


I'm actually not concerned about that.  While that is a quality issue for 
the user of the C/R system, it isn't something that pollutes the net.


THAT is where we disagree. C/R pollutes the net. There is no question
about it. It is the effort of a weak mind to defend itself from knowledge
as well as spam.

What if this system was in widespread use? It could be a serious single 
point of failure.


Again, that's a quality issue for the user of the C/R system, not for the 
rest of us.  And, it's an implementation detail that might be solvable 
with clustered web servers and databases, so a large scale implementation 
might not have a single point of failure.


If you intend to email me Challenge/Response sets off a pavlovian
reaction after my having had problems with some  in Brazil
who sent C/R requests to every message I posted on the Fedora list.
For awhile I had Brazil blocked here. Then I opened it up to one ISP
being blocked (UOL). Then I simply sequestered their C/R messages. If
the  who used it wanted help they can bloody well turn off
the C/R before they get help from me. I learned to HATE C/R with a
purple passion. I'd like to find its inventor and insert a through
hole in a fun part of his anatomy. The UOL C/R got to be a REALLY
REALLY annoying phenomenon. It is a concept that is broken and cannot
be fixed.

{`_'}



Re: not everyone is happy with SA

2007-07-19 Thread Gene Heskett
On Thursday 19 July 2007, Loren Wilton wrote:
>> If someone poops in my swimming pool, I don't find it an acceptable
>> solution to chuck it over the fence into my neighbors yard.  Why do you?
>
>Perhaps because most people believe that is the correct solution?
>
>I have a fairly large yard surrounded by about two dozen newer tract houses.
>I employ a gardener to go around once a week and pick up all the yard trash
>that the neighbors have thrown over their back fences into my yard because
>they were too lazy to carry it out to the street for the FREE yard trash
>pickup by the city.  Generally any time they trim a bush, plant, or tree,
>they assume *I* want their dead plant parts.  And broken awnings, and
>discarded toys, and used up swimming pool treatment containers, etc.
>
>Out of the 20 or so houses, I'd say this is a major problem with about 16 of
>them.  So I'd say 4 out of 5 people would prefer C/R systems, as long as
>their C/R system filters out all of the Cs from other users before they see
>them.
>
>Loren

Chuckle.  Now in that case, a tall chain link fence, with a few "Beware of  
Mickey" placards might be in order.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Message will arrive in the mail.  Destroy, before the FBI sees it.


Re: not everyone is happy with SA

2007-07-19 Thread Loren Wilton

If someone poops in my swimming pool, I don't find it an acceptable
solution to chuck it over the fence into my neighbors yard.  Why do you?


Perhaps because most people believe that is the correct solution?

I have a fairly large yard surrounded by about two dozen newer tract houses. 
I employ a gardener to go around once a week and pick up all the yard trash 
that the neighbors have thrown over their back fences into my yard because 
they were too lazy to carry it out to the street for the FREE yard trash 
pickup by the city.  Generally any time they trim a bush, plant, or tree, 
they assume *I* want their dead plant parts.  And broken awnings, and 
discarded toys, and used up swimming pool treatment containers, etc.


Out of the 20 or so houses, I'd say this is a major problem with about 16 of 
them.  So I'd say 4 out of 5 people would prefer C/R systems, as long as 
their C/R system filters out all of the Cs from other users before they see 
them.


   Loren




Re: not everyone is happy with SA

2007-07-19 Thread Loren Wilton
It occurs to me to wonder how C/R is supposed to establish communications 
between two users of C/R systems.


You send a message to X.  His C/R system, not knowing you, doesn't deliver 
the mail to X, it sends a challenge back to you.


Your C/R system, not knowing X, sends him a C/R message, demanding he jump 
through hoops to send YOU a C/R message.


His system receives the C/R message from your system.  Not knowing you, it 
sends you a C/R message...


While this is good for bandwidth providers that charge by the bit, it isn't 
clear to me how you establish communications.


Perhaps the original sender calls the recipient on the phone and asks to be 
pre-authorized to break the loop?


   Loren




RE: not everyone is happy with SA

2007-07-19 Thread Michael Scheidell

> -Original Message-
> From: John Rudd [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 19, 2007 6:06 PM
> To: Graham Murray
> Cc: users@spamassassin.apache.org
> Subject: Re: not everyone is happy with SA
> 
> Graham Murray wrote:
> > John Rudd <[EMAIL PROTECTED]> writes:
> > 
> >> However, it still leaves the problems of:
> >>
> >> 1) A user sends me a technical question.  I answer, and get back a 
> >> Challenge, forcing me to jump through hoops to get their answer to 
> >> them.
> >

And, if yahoo used CR, and gmail used CR, and someone on gmail sent an
email to someone on Yahoo, who they had never sent an email to before,
what happens?  (does anyone remember bofh.bot?)

Also, there was at least ONE CR company that gathered the 'willing
participants who volunteered their email addresses to be harvested for
spam'.

See: ' anti-spam company is spamming'
www.techdirt.com/articles/20030213/091225.shtm

When (two years ago?) IBM stated they had the best solution to spam
(CR), they got laughed at.

CR is a plague, and should be outlawed by every civilized country in the
world.


_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_


Re: not everyone is happy with SA

2007-07-19 Thread Dave Pooser
>> That sounds like a very badly designed system. While I do not like C/R
>> systems so would never implement one, surely it is only common sense to
>> expect responses to emails which are sent out and therefore to accept
>> such responses without issuing a challenge.
> 
> I agree.  But the proposed design didn't mention whitelisting the
> recipients of your own outbound traffic.  And there are C/R systems that
> are deficient in this area.

Let me be more clear: I'm not proposing this system, merely describing one I
encountered. My presumption is that the system whitelisted recipients of
outbound traffic and only applied this fakereject to messages that hit some
sort of spam threshold, but I don't know for sure. (And I REALLY wish I
remembered where I encountered this system!)

> If you return a 5xx error, what is to prevent the spammer from clicking
> to release? CAPTCHA?

Yes, it used a CAPTCHA. And if we can design a system where sending spam
requires more effort from the spammer (reading the error message, browsing
to the site, reading the CAPTCHA, typing it in, and then clicking "Release"
for each message) than clicking "delete" requires from the recipient, we
just won the spam war anyway.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna
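
The quarantine-plus-fakereject variant described in this thread, sketched as an added example (not code from any poster or from the system they encountered). The key, release URL, score threshold and all function names are assumptions; the point is that the 5xx reply is given inside the SMTP session, so the filter itself never sends mail to a possibly forged sender address.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)                      # per-deployment key (assumed)
RELEASE_URL = "https://mail.example.invalid/release"  # placeholder URL
SPAM_THRESHOLD = 5.0                                  # assumed score cut-off

quarantine = {}        # msg_id -> (recipient, raw message)
outbound_seen = set()  # (local user, remote address) pairs already mailed


def release_token(msg_id):
    """HMAC over the quarantine id, so release links cannot be guessed."""
    return hmac.new(SECRET, msg_id.encode(), hashlib.sha256).hexdigest()


def end_of_data(sender, recipient, raw, score):
    """Decide the SMTP reply given after the client's final '.' of DATA.

    Returns (reply_line, msg_id or None).
    """
    # Replies from people the local user has written to skip the check,
    # as do messages below the spam threshold.
    if (recipient, sender) in outbound_seen or score < SPAM_THRESHOLD:
        return "250 2.0.0 OK: queued", None
    msg_id = secrets.token_hex(8)
    quarantine[msg_id] = (recipient, raw)
    link = f"{RELEASE_URL}?id={msg_id}&t={release_token(msg_id)}"
    # The connecting MTA turns this into a bounce for its own user; a forged
    # sender on some third-party system never hears from us.
    return ("550 5.7.1 Held as suspected spam; the sender may release it at "
            + link), msg_id


def release(msg_id, token, captcha_ok):
    """Web-side handler: hand back the held message once, or None."""
    if not captcha_ok:
        return None
    expected = release_token(msg_id).encode()
    if not hmac.compare_digest(token.encode(), expected):
        return None
    return quarantine.pop(msg_id, None)
```
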




Re: not everyone is happy with SA

2007-07-19 Thread John Rudd

Graham Murray wrote:

John Rudd <[EMAIL PROTECTED]> writes:


However, it still leaves the problems of:

1) A user sends me a technical question.  I answer, and get back a
Challenge, forcing me to jump through hoops to get their answer to
them.


That sounds like a very badly designed system. While I do not like C/R
systems so would never implement one, surely it is only common sense to
expect responses to emails which are sent out and therefore to accept
such responses without issuing a challenge.


I agree.  But the proposed design didn't mention whitelisting the 
recipients of your own outbound traffic.  And there are C/R systems that 
are deficient in this area.



But, there's also the simple case that the recipient of the message 
might not be the person who replies to it.  You might send a message to 
[EMAIL PROTECTED], which is a mailing list or multi-delivery alias, 
and get an answer back from [EMAIL PROTECTED] ... same 
problem, but not easily whitelisted.





Re: not everyone is happy with SA

2007-07-19 Thread Graham Murray
John Rudd <[EMAIL PROTECTED]> writes:

> However, it still leaves the problems of:
>
> 1) A user sends me a technical question.  I answer, and get back a
> Challenge, forcing me to jump through hoops to get their answer to
> them.

That sounds like a very badly designed system. While I do not like C/R
systems so would never implement one, surely it is only common sense to
expect responses to emails which are sent out and therefore to accept
such responses without issuing a challenge.


Re: not everyone is happy with SA

2007-07-19 Thread John Rudd

Ken A wrote:

Dave Pooser wrote:

I think CR can perhaps work quite well for an individual user with the
technical insight & time to spare, but such individual users are only
a small part of the picture.

No it doesn't.  It foists the recipient's burden on others, usually due
to the *lack* of technical insight.  Otherwise they'd realize they are
only making the problem worse.


Actually I've seen one C/R variant that addresses the backscatter C/R issue
quite nicely; it dropped the suspected spam in a quarantine folder and
issued an SMTP fakereject after DATA that included a link to a website where
the sender could release the spam from quarantine. So no backscatter
spamming innocent third parties, but you still get a chance for the sender
to verify sending a message. The backend might be a little involved to set
up, but the final system looked secure and easy to use.


I think that's the first non-backscatter form of C/R I've seen.

However, it still leaves the problems of:

1) A user sends me a technical question.  I answer, and get back a 
Challenge, forcing me to jump through hoops to get their answer to them.


2) I send email inquiry to a business.  They send me a Challenge, making 
me jump through hoops in order to give them money.


3) You're still forcing a legitimate sender to do your anti-spam 
decision making for you.


All of those are still, IMO, unacceptably rude.


If you return a 5xx error, what is to prevent the spammer from clicking 
to release? CAPTCHA?


I'm actually not concerned about that.  While that is a quality issue 
for the user of the C/R system, it isn't something that pollutes the net.



What if this system was in widespread use? It could 
be a serious single point of failure.


Again, that's a quality issue for the user of the C/R system, not for 
the rest of us.  And, it's an implementation detail that might be 
solvable with clustered web servers and databases, so a large scale 
implementation might not have a single point of failure.





Re: not everyone is happy with SA

2007-07-19 Thread Andy Sutton
On Thu, 2007-07-19 at 21:35 +0200, Per Jessen wrote:
> Well, provided the objective is to avoid spam, it still might work
> well for that individual user.

Avoid?  For whom?  The objective should be to reduce or eliminate spam,
not pass filtering costs off on others.  The "individual user" didn't
solve anything, other than proving they're fine with wasting others' time
and bandwidth.  Like it or not you're advocating throwing trash in my
yard for an "individual users" advantage.

If these systems worked as intended, then no email would ever get
delivered since any significant penetration would block challenge
messages too.  They were specifically designed to exploit the fact that
most people won't use them.
-- 
- Andy

This is not the place to ask for a scooby snack or hand holding
without getting attacked with a flamethrower.
  - Stack Smasher, Full-disclosure email list



Re: not everyone is happy with SA

2007-07-19 Thread Ken A

Dave Pooser wrote:

I think CR can perhaps work quite well for an individual user with the
technical insight & time to spare, but such individual users are only
a small part of the picture.

No it doesn't.  It foists the recipient's burden on others, usually due
to the *lack* of technical insight.  Otherwise they'd realize they are
only making the problem worse.


Actually I've seen one C/R variant that addresses the backscatter C/R issue
quite nicely; it dropped the suspected spam in a quarantine folder and
issued an SMTP fakereject after DATA that included a link to a website where
the sender could release the spam from quarantine. So no backscatter
spamming innocent third parties, but you still get a chance for the sender
to verify sending a message. The backend might be a little involved to set
up, but the final system looked secure and easy to use.


If you return a 5xx error, what is to prevent the spammer from clicking 
to release? CAPTCHA? What if this system was in widespread use? It could 
be a serious single point of failure.


--
Ken Anderson
Pacific.Net


Re: not everyone is happy with SA

2007-07-19 Thread Dave Pooser
>> I think CR can perhaps work quite well for an individual user with the
>> technical insight & time to spare, but such individual users are only
>> a small part of the picture.
> 
> No it doesn't.  It foists the recipient's burden on others, usually due
> to the *lack* of technical insight.  Otherwise they'd realize they are
> only making the problem worse.

Actually I've seen one C/R variant that addresses the backscatter C/R issue
quite nicely; it dropped the suspected spam in a quarantine folder and
issued an SMTP fakereject after DATA that included a link to a website where
the sender could release the spam from quarantine. So no backscatter
spamming innocent third parties, but you still get a chance for the sender
to verify sending a message. The backend might be a little involved to set
up, but the final system looked secure and easy to use.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna




Re: not everyone is happy with SA

2007-07-19 Thread Per Jessen
Andy Sutton wrote:

> On Thu, 2007-07-19 at 19:37 +0200, Per Jessen wrote:
>> I think CR can perhaps work quite well for an individual user with
>> the technical insight & time to spare, but such individual users are
>> only a small part of the picture.
> 
> No it doesn't.  It foists the recipient's burden on others, usually due
> to the *lack* of technical insight.  Otherwise they'd realize they are
> only making the problem worse.

Well, provided the objective is to avoid spam, it still might work well
for that individual user.

> If someone poops in my swimming pool, I don't find it an acceptable
> solution to chuck it over the fence into my neighbors yard.  Why do
> you?

I never said I did.  I just said some users might.


/Per Jessen, Zürich



Re: not everyone is happy with SA

2007-07-19 Thread Andy Sutton
On Thu, 2007-07-19 at 19:37 +0200, Per Jessen wrote:
> I think CR can perhaps work quite well for an individual user with the
> technical insight & time to spare, but such individual users are only
> a small part of the picture. 

No it doesn't.  It foists the recipient's burden on others, usually due
to the *lack* of technical insight.  Otherwise they'd realize they are
only making the problem worse.

If someone poops in my swimming pool, I don't find it an acceptable
solution to chuck it over the fence into my neighbors yard.  Why do you?
-- 
- Andy

This is not the place to ask for a scooby snack or hand holding
without getting attacked with a flamethrower.
  - Stack Smasher, Full-disclosure email list



Re: not everyone is happy with SA

2007-07-19 Thread Per Jessen
John Thompson wrote:

> Perhaps C-R users are so satisfied because they seldom have to deal
> with the backscatter their "solution" causes?

I think CR can perhaps work quite well for an individual user with the
technical insight & time to spare, but such individual users are only a
small part of the picture. 


/Per Jessen, Zürich



Re: not everyone is happy with SA

2007-07-19 Thread Luis Hernán Otegui

Funny how the closed-source companies need to base their marketing
policies on FUD, or even worse, user-defined indexes. If I'm allowed
to non-literally quote Homer Simpson here:

"Ah, Kent, everything can be proven these days with statistics. 60% of
the people knows it..."

I used to work as netadmin in a group who did cardiac arrhythmia
research. And everyone had their theories, which they backed up with
indexes kinda "created on the fly" for that sole purpose. I used to
compare this to Madame Blavatsky's theories on how the distance from
Earth to the Sun was related to a side of the Great Pyramid of
Giza...

Plain statistics tells you the real story, IMHO. Five years of SA
usage had convinced me it's a great product.
Backscatter virus and spam warnings do nothing but trash traffic. C/R
does the same.


Luis
2007/7/19, Steve Freegard <[EMAIL PROTECTED]>:

Per Jessen wrote:
> 
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=

Justin's response is far better reading:

http://taint.org/2007/07/19/122638a.html


Kind regards,
Steve.




--
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: not everyone is happy with SA

2007-07-19 Thread Steve Freegard

Per Jessen wrote:

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=


Justin's response is far better reading:

http://taint.org/2007/07/19/122638a.html


Kind regards,
Steve.


Re: not everyone is happy with SA

2007-07-19 Thread John Thompson
On 2007-07-19, Per Jessen <[EMAIL PROTECTED]> wrote:

> Jim Maul wrote:
>
>> That's retarded.  Might as well say, "Unplugging my mail server from 
>> the internet is the best method because I received 0 spam since I did 
>> it!"
>> 
>> Challenge response is fundamentally broken.  It can not and should not
>> be considered an anti-spam solution.

> Completely agree.

Perhaps C-R users are so satisfied because they seldom have to deal with 
the backscatter their "solution" causes?

-- 

John ([EMAIL PROTECTED])



Re: not everyone is happy with SA

2007-07-19 Thread Dave Pooser
> Any C/R I receive automatically gets deleted.

Back when we were running a catchall account at $DAYJOB I used to confirm
every C/R message that hit the catchall. I figured if they wanted me to be
their unpaid filter-boy, I was going to give them exactly the service they
were paying me for.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"Every bad turn I've made, you've been at the helm, sowing
chaos and stupidity through the landscape of my days like
some sort of retarded Johnny Appleseed." -- Goats 8-31-2005




RE: not everyone is happy with SA

2007-07-19 Thread Bernd Petrovitsch
On Thu, 2007-07-19 at 08:58 -0500, Thomas Raef wrote:
> I think you should rename your subject to: SPAM filtering alone is not 
> accepted as well as Challenge-Response.

C-R is accepted? By whom?
Probably by harvesters of verified addresses ...

One problem is that the sad person with the C-R doesn't get to know
which "important" email they lose by people not doing Turing-Tests.

Personally I throw C-R mails into the Bayes-DB similar to other spam ...

Bernd
-- 
Firmix Software GmbH   http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
  Embedded Linux Development and Services




Re: not everyone is happy with SA

2007-07-19 Thread Duane Hill

On Thu, 19 Jul 2007 at 15:35 +0200, [EMAIL PROTECTED] confabulated:



http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=



Any C/R I receive automatically gets deleted.

---
  _|_
 (_| |


RE: not everyone is happy with SA

2007-07-19 Thread Per Jessen
Michael Scheidell wrote:

> No problem, just uninstall it troll and go away.
> 
> 

Go away yourself.  
Listen - I'm not trolling - I just thought this was a bit of news worth
mentioning, regardless of what one's opinion about it might be.  I have
already seen it quoted in several other news sources around the world. 


/Per Jessen, Zürich



Re: not everyone is happy with SA

2007-07-19 Thread Per Jessen
JT DeLys wrote:

> "Login required for download."
> 
> Heh. There's a surprise ... Marketing wizards at work!
> 

http://www.brockmann.com/index.php?option=com_content&task=view&id=847&Itemid=2


/Per Jessen, Zürich



Re: not everyone is happy with SA

2007-07-19 Thread Per Jessen
Jim Maul wrote:

> That's retarded.  Might as well say, "Unplugging my mail server from the
> internet is the best method because I received 0 spam since I did it!"
> 
> Challenge response is fundamentally broken.  It can not and should not
> be considered an anti-spam solution.

Completely agree.


/Per Jessen, Zürich



RE: not everyone is happy with SA

2007-07-19 Thread Thomas Raef
You went into some fantastic depth in investigating the "truth" of this
PR.

You, sir, ROCK!!!

Thomas J. Raef
e-Based Security, LLC
www.ebasedsecurity.com
1-866-838-6108
"You're either hardened, or you're hacked!"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 19, 2007 9:00 AM
To: Per Jessen
Cc: users@spamassassin.apache.org
Subject: Re: not everyone is happy with SA 


Per Jessen writes:
> 
>
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=

That "study" is very flawed.  I wrote up two major problems over
at my blog: http://taint.org/2007/07/19/122638a.html

--j.


Re: not everyone is happy with SA

2007-07-19 Thread Justin Mason

Per Jessen writes:
> 
> http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=

That "study" is very flawed.  I wrote up two major problems over
at my blog: http://taint.org/2007/07/19/122638a.html

--j.


RE: not everyone is happy with SA

2007-07-19 Thread Thomas Raef
I think you should rename your subject to: SPAM filtering alone is not accepted 
as well as Challenge-Response.

If you read the article and the report, you'll notice that it does not combine 
various methods. SA can be used with RBLs which would increase its 
effectiveness and not everyone uses the "SPAM" option.

Thank you for informing us about the article though. It was interesting to read.

Thomas J. Raef
e-Based Security, LLC
www.ebasedsecurity.com
1-866-838-6108
"You're either hardened, or you're hacked!"

-Original Message-
From: Per Jessen [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 19, 2007 8:36 AM
To: users@spamassassin.apache.org
Subject: not everyone is happy with SA


http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=



/Per Jessen, Zürich



Re: not everyone is happy with SA

2007-07-19 Thread JT DeLys

"Login required for download."

Heh. There's a surprise ... Marketing wizards at work!

--
Thanks,

   JTDeLys


RE: not everyone is happy with SA

2007-07-19 Thread Michael Scheidell
No problem, just uninstall it troll and go away.


-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts:
http://www.secnap.com/news
 


Re: not everyone is happy with SA

2007-07-19 Thread Jim Maul

Per Jessen wrote:

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/07-17-2007/0004626829&EDATE=



/Per Jessen, Zürich





That's retarded.  Might as well say, "Unplugging my mail server from the 
internet is the best method because I received 0 spam since I did it!"


Challenge response is fundamentally broken.  It can not and should not 
be considered an anti-spam solution.


-Jim