Challenge / Response

nbarr · 17 Oct 2004, 10:21 AM

I use mailblocks (Challenge / Response) to deal with some of my older ISP e-mail accounts that receive more spam than I care to put up with.

I FM were to include a challenge response feature someday that would great. But only if it could be engaged under user definable conditions, perhaps even from within sieve.

It would be one more asset and one more step for some of us towards having all our e-mail "under one roof", so to speak.

Neil

David · 17 Oct 2004, 10:42 PM

Hi Neil: Personally I do not want to see fastmail employ a challenge response system. Fastmail have enough problems now, due to an overdeveloped feature set. This would be just one more thing to cause bugs and mail delays.

Anyone who receives lots of important mail, from customers or clients (or people in large organizations) likely would not support the development of this feature.

WelshGareth · 18 Oct 2004, 06:21 AM

Hi Neil,

I'm another who uses mailblocks for c/r and I get FM to pick them up from there. It's a feature that seems to get raised fairly regularly here (and even just about scrapes into the top 10 of Kander's features pole).

Quote:

Originally posted by David
Fastmail have enough problems now, due to an overdeveloped feature set.

David, My impression of the causes of the problems of late is that it's primarily to do with coping with volume of demand rather than being caused by too many features (see Jeremy's latest update on outages). I can see why many using FM for their business wouldn't want to use a c/r feature but I can't see why they'd object to it.

Gareth

xlr9 · 19 Oct 2004, 10:52 PM

I'd like to see this feature also. It would be gr8 in sieve..eg

if x-spam-score>5 THEN divert to C/R

severach · 27 Oct 2004, 02:28 PM

It's probably easier and much more appropriate to have C/R a checkbox on each of your aliases. C/R depends more on where you are advertizing your address and not what kind of mail you are receiving.

xlr9 · 1 Nov 2004, 12:20 PM

Quote:

Originally posted by severach
It's probably easier and much more appropriate to have C/R a checkbox on each of your aliases. C/R depends more on where you are advertizing your address and not what kind of mail you are receiving.

A built in sieve function would provide a global solution that would satisfy everyone's needs. You could you sieve to force all incoming emails coming to a certain alias thru to a C/R system. BUT I get the feeling FM is very much against C/R. Why?

David · 1 Nov 2004, 01:14 PM

Quote:

Originally posted by xlr9
BUT I get the feeling FM is very much against C/R. Why?

I don't speak for Fastmail, but challenge response systems are (imo) a work-around. These systems do not solve problems, but they do inconvenience both the senders and receivers of legitimate email.

C/R systems would put an end to "mailing lists" as we know them today (if adopted as a standard) as many of them authenticate mail using the "from line" address, which is (in most cases) forged.

C/R systems will only force spammer's to become more inventive. As they seek out new ways and think up new ideas to crack "whitelists" they will further increase their efforts, And puke out even greater amounts of spam.... resulting in longer delays, as the existing (plugged up) pipelines become even more congested.

You don't protect yourself against the bad guy by putting yourself in jail...

Chipper · 2 Nov 2004, 01:07 AM

Just to throw some other (potentially interesting) stuff into the mix: in this thread JeffK came up with an interesting idea of creating a C/R system. The thread also generated some interesting discussion on the pros/cons of such a system.

**JeffK** · 2 Nov 2004, 03:45 AM

I am intersted in this conversation again. I was recently the "victim" of literally thousands of C/R and "I'm not here" responses from a rolling joe-job performed using my daughter's fastmail address. To the extent where I had to close the address down.

It made me think about whether I am contributing to the problem by having some C/R in my email setup and whether I should change that aspect.

Jeff

itinko · 8 Jan 2006, 02:33 AM

From what I've seen so far C/R is by far the most complete defense against spam email. To avoid problems with your clients it's up to you to put people you don't want challenged on your whitelist. Joejob attacks can happen wether you're using C/R or not.

n5bb · 8 Jan 2006, 02:20 PM

In my opinion, challenge/response systems have the same problem as bouncing spam -- the C/R system causes any message with an incorrect reply-to address (such as spam) to be resent to an unsuspecting victim.

For example, I get a lot of challenge responses sent to my personal domain which were caused by spam sent to others using C/R systems. If I also had a C/R system, I might be generating a challenge to the unsuspecting victims of the original spam mail. Their C/R system would then send me a challenge. If my C/R system was properly keeping track of these messages (including the use of aliases), then it might stop there. But it's filling up a lot of victim Inboxes from one spam!

So I don't support using challenge/response. I just delete any such challenges which I receive. None of my normal personal or business contacts uses C/R.

itinko · 8 Jan 2006, 02:50 PM

I think most spam don't have a valid reply addresses. Your scenario is certainly plausible but I haven't experienced it. More and more of my clients are starting to use C/R desktop applications or C/R mail services such as SpamArrest and are reducing their flood of spam to almost nothing. I have yet to hear one of them report the scenario you speak of.

hadaso · 9 Jan 2006, 05:37 AM

Quote:

Originally posted by itinko
... and are reducing their flood of spam to almost nothing. ...

They are just diverting their spam...

itinko · 9 Jan 2006, 06:22 AM

only if they are the subject of a joejob attack, eh? otherwise the challenge goes out into the ether.

17 Oct 2004, 10:21 AM	#1
nbarr Cornerstone of the Community Join Date: Sep 2004 Location: Calgary Posts: 606	Challenge / Response I use mailblocks (Challenge / Response) to deal with some of my older ISP e-mail accounts that receive more spam than I care to put up with. I FM were to include a challenge response feature someday that would great. But only if it could be engaged under user definable conditions, perhaps even from within sieve. It would be one more asset and one more step for some of us towards having all our e-mail "under one roof", so to speak. Neil

17 Oct 2004, 10:42 PM	#2
David Ultimate Contributor Join Date: Dec 2001 Location: Canada. Posts: 10,355	Hi Neil: Personally I do not want to see fastmail employ a challenge response system. Fastmail have enough problems now, due to an overdeveloped feature set. This would be just one more thing to cause bugs and mail delays. Anyone who receives lots of important mail, from customers or clients (or people in large organizations) likely would not support the development of this feature.

19 Oct 2004, 10:52 PM	#4
xlr9 Senior Member Join Date: Apr 2004 Posts: 156	I'd like to see this feature also. It would be gr8 in sieve..eg if x-spam-score>5 THEN divert to C/R

27 Oct 2004, 02:28 PM	#5
severach Essential Contributor Join Date: Jul 2004 Location: Michigan Posts: 307	It's probably easier and much more appropriate to have C/R a checkbox on each of your aliases. C/R depends more on where you are advertizing your address and not what kind of mail you are receiving.

2 Nov 2004, 01:07 AM	#8
Chipper Master of the @ Join Date: Oct 2003 Location: Greenbelt, MD (USA) Posts: 1,278	Just to throw some other (potentially interesting) stuff into the mix: in this thread JeffK came up with an interesting idea of creating a C/R system. The thread also generated some interesting discussion on the pros/cons of such a system.

2 Nov 2004, 03:45 AM	#9
JeffK Moderator Join Date: Feb 2002 Location: Kingaroy, AU Posts: 3,179	I am intersted in this conversation again. I was recently the "victim" of literally thousands of C/R and "I'm not here" responses from a rolling joe-job performed using my daughter's fastmail address. To the extent where I had to close the address down. It made me think about whether I am contributing to the problem by having some C/R in my email setup and whether I should change that aspect. Jeff

8 Jan 2006, 02:33 AM	#10
itinko Junior Member Join Date: Sep 2004 Posts: 16	From what I've seen so far C/R is by far the most complete defense against spam email. To avoid problems with your clients it's up to you to put people you don't want challenged on your whitelist. Joejob attacks can happen wether you're using C/R or not.

8 Jan 2006, 02:20 PM	#11
n5bb Intergalactic Postmaster Join Date: May 2004 Location: Irving, Texas Posts: 8,930	In my opinion, challenge/response systems have the same problem as bouncing spam -- the C/R system causes any message with an incorrect reply-to address (such as spam) to be resent to an unsuspecting victim. For example, I get a lot of challenge responses sent to my personal domain which were caused by spam sent to others using C/R systems. If I also had a C/R system, I might be generating a challenge to the unsuspecting victims of the original spam mail. Their C/R system would then send me a challenge. If my C/R system was properly keeping track of these messages (including the use of aliases), then it might stop there. But it's filling up a lot of victim Inboxes from one spam! So I don't support using challenge/response. I just delete any such challenges which I receive. None of my normal personal or business contacts uses C/R.

8 Jan 2006, 02:50 PM	#12
itinko Junior Member Join Date: Sep 2004 Posts: 16	I think most spam don't have a valid reply addresses. Your scenario is certainly plausible but I haven't experienced it. More and more of my clients are starting to use C/R desktop applications or C/R mail services such as SpamArrest and are reducing their flood of spam to almost nothing. I have yet to hear one of them report the scenario you speak of.

9 Jan 2006, 06:22 AM	#14
itinko Junior Member Join Date: Sep 2004 Posts: 16	only if they are the subject of a joejob attack, eh? otherwise the challenge goes out into the ether.