From: Eagle L. C. S. <ser...@ea...> - 2008-03-13 19:59:31
Don't get me wrong, I agree that it could be a problem, but only if not configured properly. The only real problem would be if someone went on vacation, but if they're on vacation, they're not going to sign up for mailing lists, so it should be mail from already accepted users, spam, or legitimate users that won't mind replying to the messages. But anything could happen.

Jeff

Steve Campbell wrote:
> Kris,
>
> Nicely put, as I don't present myself so well as you do. There was no
> intent to incinerate or accuse or whatever, but I could see the OP still
> was not seeing this problem from my (your) point of view.
>
> Not only the challenge-to-the-challenge problem, but the mailing list
> problem, the vacation problem, and all those similar type problems that
> can creep up.
>
> Good luck with finding something that works, though.
>
> Steve
>
> Kris Deugau wrote:
>
>> Eagle Link Customer Service wrote:
>> > AND FOR ANY OTHER FUTURE COMMENTS ABOUT THIS!!! I only asked if
>> > anyone had seen such a system for Linux, I DID NOT ASK FOR OPINIONS ON
>> > THEM!
>>
>> You asked for information on something that's a hot-button topic among
>> mail admins that have had to clean up the mess that (far more often than
>> not) results from the class of tool you're looking for.
>>
>> Some responses *will* sound a little harsh because they're not
>> interested in helping to increase their workload (or system load) for
>> little to no benefit.
>>
>> > And as I have ALREADY pointed out, yes, it may not be such a
>> > good system for a business, but I provide web hosting with e-mail not
>> > just to businesses. And if some personal user, who is not worried
>> > about getting a request for a quote wants to have such a system, I
>> > would like to offer it. SO PLEASE STOP ALL THE UNNECESSARY NAGGING!
>> > I REALLY DON'T CARE ABOUT OPINIONS! I just want to know if such a
>> > system is available.
>>
>> Quite a few. The only one I can recall a name for is CRM114, and I'm
>> not certain that's correct.
>>
>> A web search for "challenge response email" (did you even try any kind
>> of search before asking?) should turn up a whole lot of flamewars much
>> nastier than you've been seeing, plus links to a number of tools that
>> provide the capability you're looking for.
>>
>> Eagle Link Customer Service wrote:
>>
>>> I look at it from both points of view, if I received a challenge
>>> message, I would not mind as it simply shows that this person is fed up
>>> with spam.
>>
>> Well, that's the thing; as it is relatively few people use C-R systems.
>> And while responding to a legitimate challenge is only a mild
>> nuisance, consider the problem of hundreds or thousands of challenges to
>> email you never even sent in the first place.
>>
>> I've actually taken limited measures on one hosting server (that also
>> acts as a customer SMTP relay) to block a client-side C-R system that
>> tries to send its challenges using the SMTP null sender <>. I
>> understand the reasoning behind this design choice (mostly boils down to
>> "end-user doesn't have to deal with the mess"), but IMO end-client
>> systems are NOT supposed to generate messages with that sender - such
>> behaviour is restricted to systems that can accept inbound SMTP
>> connections IMO.
>>
>> That would be enough reason to block such things on a private server,
>> but not an ISP mail system. The reason I *did* block such behaviour?
>> Those challenges, with **VERY** few exceptions, ended up in one of the
>> postmaster mailboxes I read.
>>
>> To the tune of 20-30 per day. From *one* C-R-using customer. IIRC it
>> actually peaked around 100 for about a week before I got tired of
>> dealing with the mess.
>>
>> They ended up in my administrative mailbox because the nominal sender of
>> the original spam (the recipient of the challenge) didn't even exist in
>> the first place. Or the poor *legitimate* owner of that address got
>> flooded with postmaster notices from the same spam run and was over
>> quota. (The long-term split was about 40/60 respectively, IIRC.)
>>
>> Assume, then, that maybe 40 people decide to start using this same program.
>>
>> That's now 800-1200 extra totally **useless** emails that I as a systems
>> administrator have to deal with somehow. I can scan through mail like
>> this pretty quickly, but it's going to take me ~20 minutes+ to deal with
>> several hundred of these things.
>>
>> And that's a *small* ISP mail system.
>>
>> A similar argument applies to the challenges themselves; if a spammer's
>> spamware picks my email address as the source for a spam run, and most
>> of the recipients use a C-R system.... *my* mailbox gets flooded with
>> challenges.
>>
>>> And if you understand the system properly as I have
>>> previously described it, once the person responds to the challenge, they
>>> never get another one as their e-mail address is added to the friends
>>> list.
>>
>> *nod* Quite true. But from a private end-user point of view, this is
>> roughly equivalent to creating a manual whitelist and assuming
>> everything else is spam - with the *dis*advantage as above that you're
>> now *generating* glop that appears in someone *else's* inbox. Someone
>> who never sent you an email in the first place.
>>
>> Consider also a theoretical situation in which all, or almost all, users
>> on the Internet decide to enable a C-R system. Suppose it's even one of
>> the better ones.
>>
>> Assume further that users only know about 25% of the email addresses of
>> people they would like to receive mail from to start with.
>>
>> You get challenges sent in response to challenges, and only mail from
>> previously-approved senders gets through. Users are still stuck wading
>> through the glop (either all of it, or whatever is left after a spam
>> filter is done with it) to see what legitimate mail they might not know
>> about.
>>
>> Since, y'know, mail from X can't get through to Y until X responds to
>> the challenge, but Y's challenge has itself been challenged, and X's
>> challenge is sitting in quarantine because X hasn't responded to Y's
>> initial challenge... and that's just the case if the C-R systems are
>> smart enough to not send repeated challenges to senders that haven't
>> responded; some of them aren't that smart. :( So you get a challenge
>> to a challenge to a challenge to a challenge....
>>
>> Sticking a real spam filter in front of the C-R system is helpful...
>> but you're still stuck dealing with false-positives there, right? And
>> many spamfilter systems include learning components that rely on manual
>> feedback about both legit mail that got caught *and spam that got through*.
>>
>> -kgd
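
An added example, not part of the original thread or of any tool named in it: a sketch of the checks a challenge-response filter would need before sending a challenge, covering the challenge-to-the-challenge, mailing list and vacation cases raised above. The function name, the action labels and the sample messages are assumptions constructed for illustration; the headers checked (`Auto-Submitted`, `List-Id`, `Precedence`) are standard ones.

```python
from email import message_from_string
from email.utils import parseaddr

BULK = {"bulk", "list", "junk"}

def challenge_decision(envelope_from, raw_message, friends, pending):
    """Return (action, reason). pending is updated when a challenge is sent."""
    msg = message_from_string(raw_message)
    sender = parseaddr(envelope_from)[1].lower()
    if not sender:
        # Null sender <>: bounces and some C-R systems' own challenges.
        return ("quarantine", "null sender")
    if sender in friends:
        return ("deliver", "friend")
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        # Vacation replies and other auto-generated mail (RFC 3834).
        return ("quarantine", "auto-submitted")
    precedence = (msg.get("Precedence") or "").strip().lower()
    if msg.get("List-Id") or precedence in BULK:
        return ("quarantine", "list or bulk mail")
    if sender in pending:
        # Never challenge the same unanswered sender twice.
        return ("quarantine", "challenge already pending")
    pending.add(sender)
    return ("challenge", "first contact")

# Constructed sample traffic: (envelope sender, raw message).
SAMPLES = [
    ("alice@example.org", "From: alice@example.org\nSubject: hi\n\nhello"),
    ("bob@example.net", "From: bob@example.net\nAuto-Submitted: auto-replied\n"
                        "Subject: Out of office\n\naway"),
    ("owner@lists.example.com", "From: dev@example.com\n"
                                "List-Id: <users.lists.example.com>\n\npost"),
    ("<>", "From: challenge@example.info\nSubject: Please confirm\n\nclick"),
    ("carol@example.com", "From: carol@example.com\nSubject: quote\n\nfirst"),
    ("carol@example.com", "From: carol@example.com\nSubject: quote\n\nagain"),
]

def run_samples():
    friends, pending = {"alice@example.org"}, set()
    return [challenge_decision(env, raw, friends, pending)
            for env, raw in SAMPLES]

if __name__ == "__main__":
    for (env, _), result in zip(SAMPLES, run_samples()):
        print(f"{env or '<>':28} {result}")
```

None of these checks can tell a forged sender address from a real one, so a challenge sent on first contact can still land in the mailbox of someone who never sent the original message.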