[Dshield] Re: Spam Email is there a solution "finally"?

John Groseclose iain at caradoc.org
Thu Dec 18 19:40:27 GMT 2003


IT Manager writes: 

> Here is the excerpt.... 
> 
> --------------------------------
> Hello, you recently sent a message to me at email name . I'm using a
> spam-blocker to screen junk email, however. Please click the link below and
> fill in a few words about why you are emailing me. It shouldn't take more
> than 30 seconds.
> Thanks,
> Name of person

I'm of the opinion that "challenge/response" systems for spam-blocking are 
*very* abusable. 

Does the system limit responses to a single sender? If not, a black hat can 
use your e-mail C/R system to mailbomb someone else, simply by sending lots 
of forged-sender e-mail into your system. 

How does the system verify that the challenge is sent back to the *real* 
sender of such a message? 

I've gotten several "challenge" messages in my inbox from systems that I've 
never sent e-mail to - but my return address was forged into the original 
message. 
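
The two questions raised above (is there a per-sender limit on challenges, and is the sender real?) can be made concrete with a gate in front of the challenge mailer. This is an added example, not part of the original post or of any specific C/R product; the class name `ChallengeGate`, the `sender_verified` flag (assumed to come from an upstream sender-authentication check) and the one-challenge-per-day limit are assumptions.

```python
from collections import defaultdict, deque


class ChallengeGate:
    """Decides whether a challenge/response filter may mail out a challenge."""

    def __init__(self, max_per_sender=1, window_seconds=86400):
        self.max_per_sender = max_per_sender
        self.window = window_seconds
        self._sent = defaultdict(deque)  # normalized sender -> challenge timestamps

    @staticmethod
    def _normalize(addr):
        # Fold case and strip angle brackets so trivial variants share one counter.
        return addr.strip().strip("<>").lower()

    def decide(self, envelope_from, sender_verified, now):
        sender = self._normalize(envelope_from)
        if not sender:
            return "drop:null-sender"  # empty return path: nobody to challenge
        if not sender_verified:
            # The address may be forged; a challenge would land on a third party.
            return "quarantine:unverified-sender"
        history = self._sent[sender]
        while history and now - history[0] >= self.window:
            history.popleft()  # forget challenges older than the window
        if len(history) >= self.max_per_sender:
            return "quarantine:rate-limited"
        history.append(now)
        return "challenge"


def replay(gate, messages):
    """Run constructed message metadata through the gate, in order."""
    return [gate.decide(m["from"], m["verified"], m["ts"]) for m in messages]


# Constructed sample input (not real traffic): two messages with an
# unverifiable sender, then a verified sender who writes repeatedly.
SAMPLE = [
    {"from": "victim@example.org", "verified": False, "ts": 0},
    {"from": "<Victim@Example.org>", "verified": False, "ts": 1},
    {"from": "alice@example.net", "verified": True, "ts": 10},
    {"from": "Alice@example.net", "verified": True, "ts": 70},
    {"from": "<>", "verified": True, "ts": 80},
    {"from": "alice@example.net", "verified": True, "ts": 86410},
]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE, replay(ChallengeGate(), SAMPLE)):
        print(msg["from"], "->", verdict)
```

Quarantined mail stays in the recipient's held queue for manual review, so no outbound message is generated toward an address the system could not verify.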



