
cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Chris DiBona begins a Linux Journal column series with a discussion of why he went over to challenge/response spam filtering. "Initially, I was taken aback by the finality of such a system, but over the past few months, I determined that Kirk is right--I simply don't have the time to mess around anymore. If I know you, don't worry, your e-mail goes through; if I don't, ASK requires one step that you need to take only once. I don't think this is a lot to ask of people who e-mail me out of the blue."

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 10, 2004 16:24 UTC (Wed) by ken_i_m (guest, #4938) [Link]

post to nanog yesterday:
[...]
Consider:
1) in order to reduce annoyance, systems validate essentially ONCE. At best, they're going to validate once a month or so.
2) it's trivial these days to register a fresh domain and enter auth servers. Fraudulent registrations are already common.
3) DHCP assignments on broadband are *just* stable enough that someone can set up some verifiable servers and send some mostly mundane messages
4) it's technically trivial to collect verify responses and direct things into a bot that senses a validation system and replies (via email or web, either is a well-known pattern that MUST remain valid once deployed to customer sites, to be useful to the customers) as needed.
5) it'll take longer to clean these out of your validation system than it will for them to move onto another domain that's newly in (hours).

All you've really done is open up your whitelisting policy to the outside world. Well, that and tie up more system resources to manage the database.

Now ask yourself how you're going to track down a validated server that went away, to be replaced by more spam from 0wned systems. Your own protection system has opened the door. You think getting help stopping a DDOS in progress is bad? And of course, the folks you're asking for help are the ones getting spammed by your validation email to begin with. Congratulations.

If these annoying systems become widespread, very smart people with more time than us to work on it will have no trouble defeating them.
[...]
Ray Wong
/* end post */

I have seen quite a number of other arguments about how brain-dead this scheme is. Most of them revolve around how it offloads work onto others. This shows negative impact on the user of such a system.

cheers,
Ken

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 10, 2004 20:07 UTC (Wed) by AnswerGuy (subscriber, #1256) [Link]

Ken,

Have you tried ASK or TMDA?

When you do, then you'll be qualified to critique them.

I have (on a secondary e-mail account).

The biggest problem I've found with ASK is that some forged virus mail and all bounce messages get through. However, those are problems which are distinct from simple spam.

You seem to be conflating ASK's simple confirmation transaction (which is based solely on from/return address) with some sort of MTA server "validation." Thus most of these NANOG criticisms that you cite are totally irrelevant. This is not an anti-forgery system; it's just a way to ensure that mail into your mailbox has some known, legitimate (confirmed) return address.

Yes, some spammers will set up systems with auto-confirming auto-responders. A diversity of different confirmation semantics will require little of the humans but greatly increase the complexity of the AI that would blindly automate the response.

It's not a solution to spam. It's just one of the techniques that some of us can use until solutions are found.

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 10, 2004 21:34 UTC (Wed) by ballombe (subscriber, #9523) [Link]

I don't need to try ASK or TMDA. I have received hundreds of ASK/TMDA messages from people I had never sent email to because spammers and viruses love to forge my email address and I get the confirmation message.

As for sending spam to people using ASK or TMDA: find an auto-answerer email somewhere and forge its address.

The only reason TMDA seems to work is because few people use it, hopefully. Not only is it not a solution to spam, but it makes things worse. It's a short-sighted and selfish attitude.

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 10, 2004 22:47 UTC (Wed) by roelofs (subscriber, #2599) [Link]

> Have you tried ASK or TMDA?
> When you do, then you'll be qualified to critique them.

Indeed?

> It's not a solution to spam. It's just one of the techniques that some of us can use until solutions are found.

Fair enough. Just don't go asking people like me for help and expect to get a response. Nothing pisses me off more than taking the time to compose a helpful message to some complete stranger, only to have it bounce and thus inform me that I have to spend even more of my nearly nonexistent free time jumping through additional hoops in order for my response to go through.

F*** 'em and the horse they rode in on, as they say. Like everyone else with a published contact address on a web site, I have my own (very large) spam problem to deal with. I most assuredly don't need or want to deal with anyone else's.

Greg Roelofs
Info-ZIP, PNG/MNG Groups, AlphaWorld map, etc.

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 10, 2004 22:59 UTC (Wed) by riel (guest, #3142) [Link]

Same for me. I regularly get TMDA confirmation emails, some because of forged virus and spam mail, some because I answered somebody's question that was sent to me.

Since I ignore TMDA, you won't get any answer from me ;)

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 11, 2004 0:13 UTC (Thu) by ken_i_m (guest, #4938) [Link]

Yes, I read Chris's article before posting. This isn't Slashdot. :-)

I sympathize with Chris's plight. I get several k of messages every day. In today's world the highest priority is to be more productive. I do not tolerate short-sighted attempts to improve _whatever_ that has the effect of creating friction for me getting things done.

SPAM and viruses are the problem. Challenge/response systems are misdirected. That is, they add friction to the wrong people. I think anti-spam measures are proving effective. Notice how little resemblance spam has to English anymore? Force spammers to evolve their messages so that in order to get through the filters they are no longer effective at selling to that small percentage of idiots that keeps them doing it... SPAM dries up. Then the money to create spambot armies via viruses dries up. Then we are back to annoying pimple-faced kids with nothing better to do due to lack of a life.

If you want email from me then remember to...
“Be liberal in what you accept, and conservative in what you send”
For while my mail system will accept the challenge from ASK (or whatever) I will be conservative by giving no reply.

cheers,
Ken

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 11, 2004 1:51 UTC (Thu) by cdibona (subscriber, #13739) [Link]

Well, thanks for reading the article. I respect your position on this, and I agree that I am adding friction to exactly the wrong people in what is in essence a selfish system.

That said: I don't feel particularly bad about this because of the large number of people in my whitelist, truly everyone who has ever emailed me over the last 7 years, and since I've cascaded a virus/low-sensitivity spam checker, I think that those extra emails are okay and are truly being sent to those who are emailing me for the first time, likely as an email response to my articles, posts or TV spots. Because of these reasons ASK makes sense and I think it is a decent answer to the spam problem.

Thanks for reading :-)

Chris

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 10, 2004 19:01 UTC (Wed) by allesfresser (subscriber, #216) [Link]

I wonder if requiring a signature (the GPG kind) might be a solution... of course, certain monopolistic companies would be all too helpful in requiring their own particular non-interoperable variant of signing, but it would be one way to unambiguously filter mail--if I don't already have your signature approved, you don't get in. It poses a problem for anonymous mail of course, but the way things are going, that will be a problem in any case... :-(

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 10, 2004 22:59 UTC (Wed) by oconnorcjo (subscriber, #2605) [Link]

"It poses a problem for anonymous mail of course, but the way things are going, that will be a problem in any case... :-("

I don't see that as a problem. I never want anonymous mail. If somebody wants to get my time and attention, I want to know WHO I am giving my time and attention to. A great improvement to email would be a system of authenticatable e-mail. It is not that I can't see situations in which anonymous e-mail would be useful; just that for most people, it is just not important.

Send me no challenges and I'll not call you a spammer

Posted Mar 11, 2004 0:54 UTC (Thu) by maney (subscriber, #12630) [Link]

I don't know what the answer to spam is, but if this is the best we can do then we may as well just shut down SMTP and admit we've been beaten by halfwitted imbeciles whose crowning achievement was getting the unregistered trial version of SpamSowerXIII to run, at least briefly.

I have to admit that every time another one of these challenge-response systems comes around I look it over and feel that same old attraction. By damn, it sure feels righteous to have the very anonymity that makes spam-as-we-know-it practical into a key part of the solution, doesn't it? Yeah, but the glow fades quickly when you look at the actual effects on others. Right off the bat, you're pushing the time and effort of despamming your mail spool off on others - this is simply inherent in challenge-response, and it's not righteous at all, at all. Then you resend the spam to the hapless folks whose addresses were forged by the spammers; here, you haven't even the weak excuse for wasting their time that they sent you mail. All the attempts to spam filter before applying the challenge-response can only reduce the magnitude of this selfish behavior; after all, if you had a perfect passive filter you wouldn't feel the need for a challenge-response system, would you?

Another nagging worry that I can't seem to shake is that there just has to be some underhanded way to use challenge-response systems - this is assuming they become common, and users get accustomed to dealing with them - to gather well and truly confirmed email addresses for some nefarious purpose. That is, the way would be to send out forged challenges and collect the replies; what I haven't figured out in the half hour I've been contemplating the idea is how to monetize the operation. Doesn't it seem likely to you, too, that in a world where challenges are common the system would be integrated with the MUA, and might pre-register addresses when you answer a challenge? After all, in the intended use-case that should be one to whom you wrote, so you probably want to receive the hoped-for reply, right? The usability guys will be all over this one (and for the intended use it is a plus), I think.

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 11, 2004 4:25 UTC (Thu) by jhardin (guest, #3297) [Link]

> "... I don't think this is a lot to ask of people who e-mail me out of the blue."

Yes, but what about when you mail me out of the blue?

What annoys the absolute crap out of me in challenge-response anti-spam systems is when somebody who is using one sends me an email asking a question, and then doesn't preload me into their whitelist. I usually spend the time to write a helpful response, maybe doing a little research, and in return I get a "prove your identity" challenge.

If I have to jump through hoops (the C/R auth process) to respond to their question, I'm not going to do it.

If you're going to ask me a question then add me to your flippin' whitelist first!

{fume}

Is C/R really a burden?

Posted Mar 12, 2004 18:09 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

>If I have to jump through hoops (the C/R auth process) to respond to their question, I'm not going to do it.

But come now, the hoop of hitting the reply button is an extremely easy hoop. Especially in comparison to the amount of effort you've already committed to put into responding. Are you sure you're not withholding your response just to try to punish the questioner for his impoliteness?

I find such a challenge a minor annoyance. What's really annoying is when the questioner's mail server flat out rejects your mail because it has some characteristics of spam. That happens to me occasionally. I then give up.

>If you're going to ask me a question then add me to your flippin' whitelist first!

Amen to that. My mail sender automatically adds to the spam filter's (not a challenge-response system) white list any address to which I send an email. I wouldn't dream of using a C/R system that didn't have that feature.

cat /dev/DiBona/brain: ASK Me No Questions, I'll Tell You No Lies (Linux Journal)

Posted Mar 11, 2004 18:22 UTC (Thu) by nowster (subscriber, #67) [Link]

The problem with Challenge-Response systems happens when you're running one, and the person you're trying to contact is also running one.

Who blinks first?

Result:

Posted Mar 12, 2004 1:35 UTC (Fri) by freeio (guest, #9622) [Link]

Instead of a deadly embrace you will have a deadly rejection...
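The two defender-side fixes raised in this thread, giraffedata's "whitelist everyone I send to" and the C/R-versus-C/R deadlock nowster and freeio describe, as a small Python model. This is an added example, not code from ASK, TMDA or any poster; the addresses are constructed, and it assumes the RFC 3834 Auto-Submitted header is the marker for mail that must never be challenged (bounces, vacation replies, other filters' challenges).

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str                # envelope sender; "" is the null sender used by bounces
    recipient: str
    subject: str
    headers: dict = field(default_factory=dict)


@dataclass
class CRFilter:
    """Simplified challenge/response filter for one mailbox (a model, not ASK or TMDA)."""
    owner: str
    whitelist: set = field(default_factory=set)
    held: dict = field(default_factory=dict)   # token -> message awaiting confirmation

    def send(self, to: str, subject: str) -> Message:
        """Outbound mail: whitelist the recipient first, so the reply to a
        question you asked is never met with a challenge."""
        self.whitelist.add(to.lower())
        return Message(self.owner, to, subject)

    def receive(self, msg: Message) -> tuple:
        """Returns ("deliver", msg), ("aside", None) or ("challenge", challenge_msg)."""
        addr = msg.sender.lower()
        if addr in self.whitelist:
            return ("deliver", msg)
        # Never challenge a bounce (null sender) or anything marked auto-generated
        # under RFC 3834 (vacation replies, other filters' challenges). Filing these
        # aside is what stops two C/R users from challenging each other forever and
        # keeps forged senders from being hit with backscatter.
        if addr == "" or msg.headers.get("Auto-Submitted", "no").lower() != "no":
            return ("aside", None)
        token = secrets.token_hex(8)
        self.held[token] = msg
        challenge = Message(self.owner, msg.sender, f"Please confirm [{token}]",
                            {"Auto-Submitted": "auto-replied"})
        return ("challenge", challenge)

    def confirm(self, token: str):
        """A human replied to the challenge: whitelist them and release the held mail."""
        msg = self.held.pop(token, None)
        if msg is not None:
            self.whitelist.add(msg.sender.lower())
        return msg
```

A real filter would file "aside" mail into a side folder rather than discard it, and would still need the cascaded spam/virus check DiBona mentions before any challenge goes out.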

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds