[linux-elitists] (tmda) Re: Constraining Bogus challenges.

Karsten M. Self kmself@ix.netcom.com
Tue Sep 23 00:11:48 PDT 2003


on Mon, Sep 22, 2003 at 03:22:50PM -0600, Jason R. Mastaler (jason@mastaler.com) wrote:
> "Karsten M. Self" <kmself@ix.netcom.com> writes:
> 
> > In the case where the domain does resolve, you are at a minimum
> > sending mail to the mailserver, where it is either rejected
> > immediately as non-deliverable
> 
> So called "sender address verification" is supported by some MTAs such
> as Postfix, and I expect more as this becomes more of a problem,
> especially since it's trivial to implement.

It's not possible in all cases, however.  There are MX secondaries,
pop mail systems, user-forwards, and other asynchronous mail transport
scenarios in which one cannot verify the final recipient at SMTP
contact.


> In any event, TMDA provides this ability via the included
> `smtp-check-sender' script.
> 
> > Bollux.  There are existing content/context based filters which
> > discriminate between spam and non spam with better than 98%
> > accuracy, and less than 0.02% false positive rates.
> 
> These numbers come at a high price though -- my time.  TMDA is
> significantly less time consuming than maintaining content filters.

Bollox:

    apt-get install SpamAssassin

Edit your mail filter to include "X-Spam-Status: .*Yes" as a positive
spam filter.

With exim4 and other current-generation MTAs, there is increasing
integration of spam filtering into the mailserver itself.  And as I
suspect you're going to come around to asking this at some point:  yes,
I'd like to see that this becomes a standard (though not necessarily
mandated) configuration for mailservers.


> > ...then TMDA is part of the problem.  Couldn't have said it better
> > myself.
> 
> One thing you'll have to accept is that trying to hide or revoke the
> technology is not going to work.  

I'm not trying to hide anything.  To the contrary, I'm trying (and if
Google on "challenge-response" is any guide, succeeding modestly) to
reveal the truth about C-R.  That it's spam.  That it can get the user
marked as a spammer.  

That, to put it delicately, TMDA and C-R advocates misrepresent the
alternatives, are parsimonious with the truth, are dismissive of those
who raise legitimate concerns, boast of the spurious challenges they
send, equivocate on the matter of false-positives, insult those they
inconvenience, criticize those who label them spammers, refuse to
quantify advantages, advise critics to "not waste your time" when not
outright libelling them, apologize for their own spam, all while dodging
the essential question of why it is necessary to spam in the name of
curing spam, when it is provably _not_ necessary.


> Why?  Because C/R works.

It spams.  It has flaws.  It can contribute to massive DoS, by design,
in ways which a pure-play C-R system *cannot* avoid.  Pure-play C-R is a
fundamental design flaw.  This has been pointed out to you.  Repeatedly.


In future, when you're sitting in the witness chair, facing plaintiff's
counsel who's about to vaporize your mortal assets, and the question:

    Mr. Mastaler, were you aware that the software in which you are
    listed as copyright holder, that it had the capacity, and was in
    fact likely to, cause hundreds of thousands or even millions of
    emails to be launched at an arbitrary party's mail server, denying
    this party Internet access, clogging its mail servers, and millions
    of dollars in damages in the form of cleanup costs and lost
    business, such as was the fact with my client?

...is asked, you will know this:  This email, to you, posted to the
tmda-users and linux-elitists list, Google's cache, and countless
inboxes around the Net, shows that you are in fact aware.  You have
been placed on notice.


For the sake of the Net:  Fix your software.
For my own peace of mind:  Fix your software.
For the sake of your users:  Fix your software.
For the sake of your developers:  Fix your software.
For your own sake:  Fix your software.


> If I decided to terminate the TMDA project tomorrow, nothing would
> change.  The knowledge is already out there.  You might as well just
> try to make positive contributions to the technology.

So help me $DEITY, that's precisely what I'm trying to do.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Defeat EU Software Patents!                         http://swpat.ffii.org/
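As an added example (not code from the thread or from either project), the header rule the message recommends, "X-Spam-Status: .*Yes" as a positive spam filter, worked through in Python on constructed SpamAssassin-style messages. It anchors on a leading "Yes" rather than the looser `.*Yes`, pulls out the reported score, and treats a message with no header (never scanned) as not flagged; the function names and sample messages are assumptions.

```python
import email
import re

# SpamAssassin writes "X-Spam-Status: Yes, score=12.3 required=5.0 tests=..."
# Anchoring on the leading verdict avoids matching a stray "Yes" elsewhere.
VERDICT_RE = re.compile(r"^\s*Yes\b", re.IGNORECASE)
SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")
REQUIRED_RE = re.compile(r"\brequired=(-?\d+(?:\.\d+)?)")

# Constructed sample messages (assumption: layout mirrors SpamAssassin output).
SAMPLE_SPAM = (b"From: sender@example.org\nTo: me@example.net\nSubject: hi\n"
               b"X-Spam-Status: Yes, score=12.3 required=5.0 tests=BAYES_99,\n"
               b"\tHTML_MESSAGE autolearn=spam\n\nbody\n")
SAMPLE_HAM = (b"From: friend@example.org\nTo: me@example.net\nSubject: lunch\n"
              b"X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00\n"
              b"\nbody\n")
SAMPLE_UNSCANNED = b"From: a@example.org\nTo: me@example.net\nSubject: x\n\nbody\n"


def parse_spam_status(raw_message: bytes) -> dict:
    """Read every X-Spam-Status header and return the verdict and scores.

    Folded continuation lines are joined by the parser; whitespace is then
    normalised so the regexes see one line.  The filter is only meaningful
    for mail that has passed through your own scanner, since any sender can
    write an X-Spam-Status header of their own.
    """
    msg = email.message_from_bytes(raw_message)
    values = [" ".join(str(v).split()) for v in msg.get_all("X-Spam-Status", [])]
    if not values:
        return {"present": False, "flagged": False, "score": None, "required": None}
    flagged = any(VERDICT_RE.match(v) for v in values)
    score = required = None
    for v in values:
        m = SCORE_RE.search(v)
        if m and score is None:
            score = float(m.group(1))
        m = REQUIRED_RE.search(v)
        if m and required is None:
            required = float(m.group(1))
    return {"present": True, "flagged": flagged, "score": score, "required": required}


def deliver_folder(raw_message: bytes) -> str:
    """The post's rule: a positive X-Spam-Status verdict goes to the spam folder."""
    return "spam" if parse_spam_status(raw_message)["flagged"] else "inbox"
```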