__/ [ Tim Smith ] on Tuesday 28 March 2006 17:34 \__
> In article <e0arqt$21vd$2@xxxxxxxxxxxxxxxxx>, Roy Schestowitz wrote:
>>> What happens when spammer A sends you spam, forging innocent user B's
>>> email address as the sender? Does BoxTrapper send a challenge to B?
>> Sheesh. Don't help him. *smile* Besides, I can modify the rules in SA.
> What I'm getting at is that you have to be extremely careful with
> challenge/response systems. Running one can easily get you blacklisted at
> many sites, for net abuse.
Yes, Brad Templeton made me aware of this:
Some months ago, I came to realise that my Supervisor's filter had dozens of
my messages delivered to his spam box. That was a big, big bummer.
> At one domain we had at work, which we *never* used for email (basically,
> it was a parked domain bought for something we never got around to doing),
> we ended up getting 20000 mails a day, all due to that domain being used in
> forged addresses by spammers. The mails were mostly bounce messages, with
> some challenges from C/R systems mixed in.
Ouch. I am really sorry to hear that. I sometimes wonder what damages such
filters (or rather the spammer's choice of addresses) actually cause. I
mean, I rarely hear about stories directly from the sufferers. I am among
the sufferers too nonetheless. I get residues of traffic which is not spam.
Not 20,000 E-mails a day though! Dear, oh dear!
> Challenges can be particularly annoying to people who receive them because
> of a forgery on spam, because challenges won't look like spam, and so are
> likely to get by their filters.
> If you read the email admin groups, you'll find that some people have
> decided to deal with this by making their filters recognize challenges from
> the more common C/R systems, and *automatically* respond. Of course, some
> C/R systems try to prevent automatic responses by doing things like making
> the recipient read something from an image, but then they don't work with
> blind recipients, and they are annoying to the recipient in general. But
> then the challenge stops being some simple thing that won't overly annoy
> people who legitimately want to correspond with you.
I have come across such filters (been put to the challenge) and indeed I did
not like them. Too labour-intensive and somewhat impersonal too.
> Basically, C/R is one of those things that would be great, *IF* the mail
> system was designed to incorporate it. The current mail system was not
> designed for it, and so it doesn't work well. At best, in most cases, all
> it does is hide, not solve, the spam problem for one person, at the expense
> of making problems for innocent people.
Not all my E-mail accounts have BoxTrapper enabled. I only enable it for
accounts where traffic is rarely expected or the ham/spam ratio is verging
on 0. SpamAssassin handles the rest of the accounts. In a period of one year,
SA has not had a /single/ false-positive as I had set the threshold score to
I currently have BoxTrapper enabled for 5 mail accounts and I still check the
moderation queues at the end of each month, which makes it seem like a
rather benign solution. The big pitfall is people who refuse to verify using
BoxTrapper or do not comprehend the challenge. They get a reply up to a month
overdue. At least they have the cause/evidence in their box.
Roy S. Schestowitz
http://Schestowitz.com | SuSE Linux ¦ PGP-Key: 0x74572E8E
7:00pm up 20 days 8:45, 8 users, load average: 0.57, 0.54, 0.65
http://iuron.com - help build a non-profit search engine