LWN.net Logo

Advertisement

Writers Wanted

Front, Kernel, Security, Distributions, Development. See your byline here on LWN.net.

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for December 4, 2008

KSM runs into patent trouble

Tux3: the other next-generation filesystem

LWN.net Weekly Edition for November 27, 2008

LWN.net Weekly Edition for November 20, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Challenge-response is a spam-propogation system

Challenge-response is a spam-propogation system

Posted Dec 24, 2003 13:28 UTC (Wed) by kmself (subscriber, #11565)
Parent article: TMDA 1.0 final available

TMDA is advertised, among other things, as an anti-spam solution based on its challenge-response (C/R) features. This is strongly discouraged, particularly if implemented as a "pure-play" anti-spam solution without additional virus or spam filters. C/R and TMDA advocates misrepresent the effectiveness of their solution, severly discount its disadvantages, and simply lie about the effectiveness alternatives such as Bayesian filters.

At best, challenge-response is a spam-propogation system. The whole idea of challenge-response is that spammers either use bogus reply addresses, or won't respond to challenges. In practice, most spam contains spoofed addresses tracing back to legitimate domains, and often legitimate users. This isn't solving the spam problem. It's dumping it in someone else's lap.

What is wrong with TMDA and C-R? Just a few things:

  1. It's spam. The basic premise of sending a challenge is "I don't know if you're who you say you are". So you're mailing an address you've admitted you can't verify. Spam in the name of spam reduction is still spam -- I've got the "spam solution" spam to prove it.

  2. TMDA and C-R advocates lie. A stated assumption on TMDA's hompage is that content-based filters are not sufficiently effective:
    http://tmda.net/
    2. Content-based filters can't distinguish SPAM from legitimate mail with sufficient accuracy.
  3. Jason R. Mastaler, TMDA's developer, when asked to provide the basis of this statement replied "My personal experience":
    http://mla.libertine.org/tmda-users/2003-09/msg00227.htmlz
    Which he refuses to quantify:
    http://mla.libertine.org/tmda-users/2003-09/msg00235.html
    "I'd prefer not to".
  4. At the same time, both third party independent tests of various content-based and Bayesian filtering systems, and my own personal experience, shows 80-99.9% efficacy, with very low false positive rates. Best results are achieved with multiple methods: virus filtering, spam filtering, and a whitelist of known correspondants:
    http://freshmeat.net/articles/view/964/
    http://themes.freshmeat.net/articles/view/852/
  5. TMDA and C-R advocates sidestep, handwave, and dismiss legitimate criticisms of the system. Users who can't handle a Joe-job flood ov thousands of C-R requests are "mentally ill":
    http://mla.libertine.org/tmda-users/2003-09/msg00175.html
    Bernard Johnson <bjohnson@symetrix.com>
    ...or a "moron"
    http://mla.libertine.org/tmda-users/2003-09/msg00171.html
    Chris Berry <compjma@hotmail.com>
  6. And spam-reporting services which record misdirected challenges as spam are "trigger-happy":
    http://mla.libertine.org/tmda-users/2003-08/msg00172.html
    Jason R. Mastaler <jason@mastaler.com>
  7. Sending 4,000 challenges to spoofed, and likely legitimate addresses warrants "praise":
    http://mla.libertine.org/tmda-users/2003-08/msg00120.html
    Sven Neuhaus <sn@heise.de>
  8. Generating 187,707 messages to unverified, unauthenticated, and likely innocent recipients is the mark of "a great piece of software!"
    http://mla.libertine.org/tmda-users/2003-08/msg00085.html
    Mike Usmar <m.usmar@actrix.co.nz>

There are elements of TMDA which might be useful in some limited situations, particularly where automated mail processing rules based on the tagged addresses generated by the system can be useful. Most users will be far better served with a filtering and/or teergrubing system, particularly with tools incorporating Bayesian filters such as SpamAssassin, Bogofilter, and SpamBayes.

(Log in to post comments)

Re: Challenge-response is a spam-propogation system

Posted Jan 15, 2004 0:11 UTC (Thu) by iwilcox (guest, #18701) [Link]

While TMDA is mostly used as an example of a C-R system, and I agree with you on some of the anti-CR points below, you should be careful not to attach your anti-CR comments to the project - there are plenty of other C-R systems out there besides TMDA, and TMDA is *not* just about C-R - I use it (alongside other anti-spam measures) purely for its whitelisting and disposable address features.

Oh, and point 1/6:

> What is wrong with TMDA and C-R? Just a few things:
>
> 1. It's spam [...]
> 6. And spam-reporting services which record misdirected challenges as spam are "trigger-happy":

Well, to be pedantic, it's not, and they are. Challenges aren't technically spam.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds