On Sun, 2008-09-28 at 16:21 +0300, Alex Efros wrote:
> Hi!
>
> To everybody in this thread who said "C/R is bad idea":
>
> While qconfirm and TMDA will work in most cases, I've read the C/R critique
> here http://en.wikipedia.org/wiki/Challenge-response_spam_filtering and
> agree it's a bad idea in general. I dislike tools like SpamAssassin because
> if there is just an "X% chance" something is spam, then it means there is always
> a "Y% chance" I'll lose non-spam email. C/R systems have the same issues, but
> it's harder to find out that fact.
|
A properly set up SpamAssassin doesn't lose mail, it sticks it in a
quarantine that you can go through and look for false positives
(SpamAssassin and amavisd-new make it pretty easy). Never accept mail
that doesn't get delivered somewhere. But even a properly set up C/R
system adds to the problem by spamming the forged sender with the C/R
request. If you ever get Joe Jobbed with a dictionary attack at a site
using C/R you will be busting out some null routes, iptables DROP,
filtering in your router, something. Joe Jobs are bad enough with those
that accept and bounce (another no-no, see above about accepting mail
you're not going to deliver), C/R just adds to it.
|
--
Homer Parker <hparker@g.o>