Robin Lynn Frank wrote:
> On Saturday 13 March 2004 02:06, Simon Waters wrote:
> 
>>>Isn't the bigger problem what to put into the C/R challenge.
>>>
>>>The current TMDA scheme of a digitally secured email address doesn't
>>>work, as the spammer will immediately use this to send a confirmation
>>>(assuming it is widely enough used to be worth their while) assuming
>>>their spambot is directly connected.
>>>
> 
> We've only seen one instance of this in two months.

Are you doing C/R at the SMTP level?

The current TMDA scheme works because the challenge is sent to the
"from" address (I use from loosely), which is usually not the spammer,
so the spammer never acquires the "secret".

If we reject at the SMTP level, the rejection reason is sent to the
spammer, so if it is a secret (cryptographically secured email address),
we have just given the secret to the spammer.

So if you want C/R at the SMTP level you need a different type of
challenge entirely.
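
The two delivery paths compared in this message, as an added example that is not part of the original post and is not TMDA's code. It is a simplified model: the address layout, the key, and all names are constructed assumptions, and it only reports which party ends up holding a valid confirmation address in each mode.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"        # per-user key (constructed)
USER, DOMAIN = "alice", "example.org"   # hypothetical recipient
PREFIX = f"{USER}-confirm-"

def _tag(msg_id: str) -> str:
    """Truncated HMAC over the pending message id (simplified layout)."""
    return hmac.new(SECRET, msg_id.encode(), hashlib.sha1).hexdigest()[:12]

def confirm_address(msg_id: str) -> str:
    """Confirmation address that releases the pending message when mailed to."""
    return f"{PREFIX}{msg_id}.{_tag(msg_id)}@{DOMAIN}"

def is_valid_confirmation(address: str) -> bool:
    """True only if the address carries a tag that matches its message id."""
    local = address.split("@", 1)[0]
    if not local.startswith(PREFIX) or "." not in local:
        return False
    msg_id, tag = local[len(PREFIX):].rsplit(".", 1)
    return hmac.compare_digest(tag, _tag(msg_id))

def deliver_challenge(client: str, claimed_sender: str, msg_id: str, mode: str) -> dict:
    """Return {party: text that party receives} for one challenge.

    "bounce": the challenge is mailed to the claimed sender address.
    "smtp":   the challenge is the rejection text shown to the connecting client.
    """
    addr = confirm_address(msg_id)
    if mode == "bounce":
        return {claimed_sender: f"To release your message, reply to {addr}"}
    if mode == "smtp":
        return {client: f"550 Unconfirmed sender; confirm via {addr}"}
    raise ValueError(f"unknown mode: {mode}")

def client_holds_valid_token(client: str, views: dict) -> bool:
    """Did the connecting client see a working confirmation address?"""
    return any(is_valid_confirmation(w) for w in views.get(client, "").split())

if __name__ == "__main__":
    # Constructed scenario: the connecting client used someone else's address.
    client, forged = "client.invalid", "bystander@example.net"
    for mode in ("bounce", "smtp"):
        views = deliver_challenge(client, forged, "1079143560.4321", mode)
        print(mode, "-> client holds valid token:",
              client_holds_valid_token(client, views))
```
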
