Challenge/Response systems considered harmful

Vernon Schryver vjs@calcite.rhyolite.com
Thu Mar 18 15:28:11 UTC 2004


Challenge/response systems are a Bad Idea(tm), as demonstrated by the
appearance of the enclose message in my mailbox for the preceding
message to this mailing list.

There are three reasonable responses to a such challenge:
  1. ignore it
   which causes mail to be lost
  2. respond to it
   which causes people to get spam, when what is being challenged is
   spam with forged sender addresses.
  3. notice what it is, unsolicited, unwanted, and substantially identical
   to many other messages or unsolicitd bulk mail or spam.  That implies
   reporting it to an abuse mailbox or blacklisting the sender.

I've used all only #1 and #3 so far.  For example, yesterday I received
a message that was either advertising for a challenge/response system
or a challenge for spam with my address forged as sender, so I used #3. 
Like many people, I will never respond to a challenge any mail I sent,
and I feel somewhat uncomfortable about using #2 for forged spam.

I will use #1 in this case.  However, future challenges of mail from any
of the DCC mailing lists that reach my mailbox will provoke a silent and
permanent unsubscribing from the mailing list and a nomination for
an entry in the Rhyolite Software list of unwelcome domain names.


Vernon Schryver    vjs@rhyolite.com


> From dcc-admin@rhyolite.com  Wed Mar 17 22:59:01 2004
> Date: 18 Mar 2004 05:51:45 -0000
> Message-ID: <confirm-a5a9bec4-789d-11d8-94cf-000a95da9cb4@messagecare.com@qwestip.net>
> From: "Qwest Email Server mail-handler" <iqbala-qconfirm-f6d859b58f91a66a7f52041ec1b8809a@qwestip.net>
> To: dcc-admin@rhyolite.com
> Subject: Please confirm your message
>
> Hi. This is the Qwest Email Server mail-handling program.  One or more messages
> from you are being held because your address was not recognized.
>
> To release your pending message(s) for delivery, please reply to this
> request.  Your reply will not be read, so an empty message is fine.
>
> If you do not reply to this request, your message(s) will eventually be
> returned to you, and will never be delivered to the envelope recipient.
>
> This confirmation verifies that your message(s) are legitimate and not
> junk-mail.
>
> Regards, 
>
> Qwest Email Server (qmail.qwestip.net)
>
> --- Below this line is the top of a message from you.
>
> Received: (qmail 18145 invoked by uid 7801); 18 Mar 2004 05:51:45 -0000
> Received: from dcc-admin@rhyolite.com by qmail by uid 7791 with qmail-scanner-1.20 
>  (spamassassin: 2.63.  Clear:RC:0(192.188.61.3):SA:0(0.0/5.0):. 
>  Processed in 2.778093 secs); 18 Mar 2004 05:51:45 -0000
> X-Spam-Status: No, hits=0.0 required=5.0
> Received: from calcite.rhyolite.com ([192.188.61.3]) (envelope-sender <dcc-admin@rhyolite.com>)
>           by qmail.qwestip.net (qmail-ldap-1.03) with SMTP
>           for <iqbala@qwestip.net>; 18 Mar 2004 05:51:41 -0000
> Received: from calcite.rhyolite.com (localhost [127.0.0.1])
> 	by calcite.rhyolite.com (8.12.11/8.12.11) with ESMTP id i2I5iuaf078879 env-from <dcc-admin@rhyolite.com>;
> 	Wed, 17 Mar 2004 22:44:56 -0700 (MST)
> Received: from bne438d.server-web.com (bne438d.server-web.com [202.139.232.86])
> 	by calcite.rhyolite.com (8.12.11/8.12.11) with ESMTP id i2I5dLje078808
> 	for <dcc@rhyolite.com> env-from <bernard.gardner@messagecare.com>;
> 	Wed, 17 Mar 2004 22:39:22 -0700 (MST)
> Received: from [192.168.0.57] ([203.147.138.233])
> 	by bne438d.server-web.com (8.11.6/8.11.6) with ESMTP id i2I5WW825266
> 	for <dcc@rhyolite.com>; Thu, 18 Mar 2004 15:32:33 +1000
> Mime-Version: 1.0 (Apple Message framework v613)
> Content-Transfer-Encoding: 7bit
> Message-Id: <A5A9BEC4-789D-11D8-94CF-000A95DA9CB4@messagecare.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
> To: dcc@rhyolite.com
> ...



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.