| 1 |
On Sun, 2008-09-28 at 16:21 +0300, Alex Efros wrote: |
| 2 |
> Hi! |
| 3 |
> |
| 4 |
> To everybody in this thread who said "C/R is bad idea": |
| 5 |
> |
| 6 |
> While qconfirm and TMDA will work in most cases, I've read C/R critique |
| 7 |
> here http://en.wikipedia.org/wiki/Challenge-response_spam_filtering and |
| 8 |
> agree it's bad idea in general. I unlike tools like SpamAssassin because |
| 9 |
> if there just a "X% chance" something is spam, then it's mean there always |
| 10 |
> "Y% chance" I'll lose non-spam email. C/R systems have same issues, but |
| 11 |
> it's harder to find out that fact. |
| 12 |
|
| 13 |
A properly setup spamassassin doesn't lose mail, it sticks it in a |
| 14 |
quarantine that you can go through and look for false positives |
| 15 |
(spamassassin and amavisd-new make it pretty easy).. Never accept mail |
| 16 |
that doesn't get delivered somewhere.. But, even a properly setup C/R |
| 17 |
systems adds to the problem by spamming the forged sender with the C/R |
| 18 |
request.. If you ever get Joe Jobbed with a dictionary attack at a site |
| 19 |
using C/R you will be busting out some null routes, iptables DROP, |
| 20 |
filtering in your router, something.. Joe Jobs are bad enough with those |
| 21 |
that accept and bounce (another no no, see above about accepting mail |
| 22 |
you're not going to deliver), C/R just adds to it.. |
| 23 |
|
| 24 |
-- |
| 25 |
Homer Parker <hparker@g.o> |
Archives