Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Verification required for, protected by

  • From: Ray Wong
  • Date: Tue Mar 09 04:51:33 2004

Only because I was up checking on a remote problem...

> This is the future of e-mail, if something better at spam suppression
> doesn't come along. 

Like the Delete function?  What's NOT better than easily duped validation
mechanisms?  Perhaps the only reason spammers haven't bothered is because
adoption rates are so low.

1) in order to reduce annoyance, systems validate essentially ONCE.  At best,
they're going to validate once a month or so.
2) it's trivial these days to register a fresh domain and enter auth servers.
Fraudulent registrations are already common.
3) DHCP assignments on broadband are *just* stable enough that someone can
set up some verifiable servers and send some mostly mundane messages.
4) it's technically trivial to collect verify responses and direct things
into a bot that senses a validation system and replies (via email or web,
either is a well-known pattern that MUST remain valid once deployed to
customer sites, to be useful to the customers) as needed.
5) it'll take longer to clean these out of your validation system than it
will for them to move onto another domain that's newly in (hours).

All you've really done is open up your whitelisting policy to the outside
world.  Well, that and tie up more system resources to manage the database.

Now ask yourself how you're going to track down a validated server that went
away, to be replaced by more spam from 0wned systems.  Your own protection
system has opened the door.  You think getting help stopping a DDOS in
progress is bad? And of course, the folks you're asking for help are the
ones getting spammed by your validation email to begin with.  Congratulations.

If these annoying systems become widespread, very smart people with more time
than us to work on it will have no trouble defeating them.

> > > > A message you recently sent to a user with the subject "Re: Source address validation (was Re: UUNet Offer..." was not delivered because they are using the anti-spam service.  Please click the link below to confirm that this is not spam. When you confirm, this message and all future messages you send will automatically be accepted.
> > > > 
> > > >


Ray Wong
