[vox] spam control: send email to confirm
Mike Simons
vox@lists.lugod.org
Wed, 25 Jun 2003 15:00:51 -0400
On Mon, Jun 23, 2003 at 11:32:01AM -0700, Peter Jay Salzman wrote:
> http://hr.uoregon.edu/davidrl/confirm/
[...]
> when someone sends you an email for the first time, they have to send a
> confirmation email to verify they're not a spammer.
On Mon, Jun 23, 2003 at 11:58:14AM -0700, Rod Roark wrote:
> Well, what it should do is require a reply that only a
> human could easily produce. For example ask them to
> reply with a word depicted in a graphic image.
>
> Of course most businesses would never implement a reply-to-
> confirm scheme, out of fear they would lose a potential
> customer.
Rod,
A vast majority of the 100% real spam with no useful purpose does not
have a valid source email address, in that the forged headers will go
to someone that is not really there. Even without wetware
comprehension tricks the simple verify the sender really exists
and will acknowledge a test message would be very effective. Only the
small portion of spam from real companies/people would be left, and
those are easy to blacklist.
All,
One minor problem is this kind of system in wide deployment could be
used as a DDOS on a particular person... spam a batch of thousands of
people who you know have a system like this, forge some target's real
email address as the sender, suddenly that one person has thousands of
junk email messages saying "confirm me" in their inbox.
Another minor problem is if two people both have a similar system
in operation they may not ever see each other's email... because
===
person A sends a real email to person B,
person B's auto-system sends a "confirm you exist first" email to person A,
person A's auto-system sends a "confirm you exist first" email to person B,
[hopefully deadlock, worst case mail loop between two auto-systems]
===
... if person A's auto-system is very smart and does whatever B's
auto-system is asking for in the contents of its "confirm you exist"
message then A's original mail would get through.
I don't think spam is a simple problem.
--
GPG key: http://simons-clan.com/~msimons/gpg/msimons.asc
Fingerprint: 524D A726 77CB 62C9 4D56 8109 E10C 249F B7FA ACBE
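
The two-auto-system exchange described in the message above, modelled as an added example (not part of the original post or of any real confirm system). `Mailbox`, `simulate`, the three mode names and the example.org addresses are constructed; the "smart" rule, answering only challenges that reference a message id this user really sent, is an assumed reading of "does whatever B's auto-system is asking for".

```python
from collections import deque

class Mailbox:
    """Toy challenge-response filter. mode: 'naive' challenges every unknown
    sender, 'hold' quarantines incoming challenges, 'smart' auto-confirms
    challenges that reference mail this user really sent."""
    def __init__(self, addr, mode):
        self.addr, self.mode = addr, mode
        self.inbox, self.held = [], {}          # delivered mail; msg id -> quarantined mail
        self.known, self.sent_ids = set(), set()

    def _msg(self, to, kind, ref):
        return {"from": self.addr, "to": to, "kind": kind, "id": f"{kind}:{ref}", "ref": ref}

    def send(self, net, to, msg_id):
        self.sent_ids.add(msg_id)               # remember what we really sent
        net.append({"from": self.addr, "to": to, "kind": "mail", "id": msg_id, "ref": None})

    def receive(self, net, m):
        if m["kind"] == "confirm":
            held = self.held.get(m["ref"])
            if held and held["from"] == m["from"]:   # sender proved it exists
                self.known.add(m["from"])
                self.inbox.append(self.held.pop(m["ref"]))
            return
        if m["from"] in self.known:
            self.inbox.append(m)
            return
        if m["kind"] == "challenge" and self.mode == "smart":
            if m["ref"] in self.sent_ids:       # we did send that mail: answer
                net.append(self._msg(m["from"], "confirm", m["ref"]))
            return                              # otherwise drop forged-sender backscatter
        self.held[m["id"]] = m                  # quarantine until confirmed
        if m["kind"] == "mail" or self.mode == "naive":
            net.append(self._msg(m["from"], "challenge", m["id"]))

def simulate(mode, max_steps=20):
    """A mails B once; returns (mails in B's inbox, messages processed, still in flight)."""
    a, b = Mailbox("a@example.org", mode), Mailbox("b@example.org", mode)
    boxes, net, steps = {a.addr: a, b.addr: b}, deque(), 0
    a.send(net, b.addr, "m1")
    while net and steps < max_steps:
        m = net.popleft()
        boxes[m["to"]].receive(net, m)
        steps += 1
    return len(b.inbox), steps, len(net)

if __name__ == "__main__":
    for mode in ("naive", "hold", "smart"):
        print(mode, simulate(mode))
```

In "naive" mode the two filters challenge each other's challenges until the step limit (the mail loop), in "hold" mode both sides wait forever (the deadlock), and in "smart" mode the original mail is delivered after three messages.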