Challenge-Response More Effective

[xmailer]

Quote:

Originally Posted by elvey

spam-by-press-release

Proviing that with a loose enough definition, inspired by sufficient bias and subjective analysis, virtually anything might qualify as "spam." Or, more broadly, virtually anything might qualify as almost anything.

[rmns2bseen]

Yeah, I agree. Sometimes discussions of this sort take on almost theological dimensions, which is a little silly.

[hadaso]

Quote:

Originally Posted by xmailer

One of the "costs" which I believe was mentioned repeatedly in this thread, of backscatter in general, and which therefore C/R was alleged as partly to blame for, was domain owners having to turn off their "catchall" forwarding. But couldn't it be argued that the use of catchall addresses/forwarding in itself, in making oneself a "larger target", as it were, is, in effect, "asking" to get more spam and backscatter?

Quote:

Originally Posted by xmailer

I still think enabling catchall forwarding and complaining about spam and/or backscatter may be a little like walking down a dark alley with money hanging out of one's pockets and crying about being robbed. (Nothing personal, but to whomever it may apply.)

That's a good example. If I walk down in a dark alley with money hanging out of my pockets and someone robs me then despite my taking a risk the robber is still a robber and the robbery is the same kind of crime it would have been if no money was visible. If I use a catchall address I can expect to get more spam from spammers. It doesn't mean that I have to agree to also receive spam diverted by people who divert spam they receive. And backscatter affects everyone, not just users of catchall addresses, just like robbery in a dark alley can happen to everyone, not just to people walking around with cash sticking out of their pockets.

Quote:

Originally Posted by xmailer

In fact, at least one service seems to acknowledge that fact in it's recent announcement on this page that it would no longer be offering free catchall forwarding, but that hencefoth customers would have to pay extra for that feature, suggesting it is itself a contributor to greater amounts of spam (and therefore presumably, in turn, backscatter in general as well, of which of course C/R is only one form, or part, of).

That's "catchall forwarding", not exactly the same as a "catchall address". If a domain owner forwards all email to all addresses in the domain to another mail service, and then bounces most of these, it creates the same damage as C/R by "bouncing" mail to invalid addresses to innocent bystanders whose email addresses were forged on spam. The user of "catchall forwarding" this way sees almost no spam but creates a lot of spam to others, just like the user of C/R. This is not the same as the user of a catchall address (either by catchall forwarding or without forwarding) that doesn't bounce mail to any address that gets all the spam including spam to generated addresses and backscatter to forged addresses in the domain, but doesn't generate backscatter for others.
There are many reasons why uk2.net would want to charge more for a catchall forwarding service, and reason number 1 is probably that it doesn't seem to limit bandwidth, so pricing a catchall address the same as a single email address doesn't fit its business model. The catchall address uses more resources as it potentially forwards much more email. Then there are those that use it instead of having several aliases and only accept mail for several addresses at their mail providers. This means that they use uk2.net's mail servers to bounce all mail accepted for their catchall and later rejected by their mail host, and this causes uk2.net's servers to create lots of backscatter and probably end up on lots of blocklists. So it's sensible that they would want to charge more from customers for a service that creates a lot more work for them and probably requires them to either constantly work to get off blocklists or to have separate servers just to bounce the mail to their catchall addresses so only those servers end up on blocklists due to the amount of spam they create.

[xmailer]

Quote:

Originally Posted by hadaso

That's a good example. If I walk down in a dark alley with money hanging out of my pockets and someone robs me then despite my taking a risk the robber is still a robber and the robbery is the same kind of crime it would have been if no money was visible.

I think you're taking my analogy a little too far. I doubt there is an analogy to fit perfectly or if there is, I was unable to easily think of one. But the fact that AFAIK C/R isn't a crime, while spamming is, might suggest that "the law" can distinguish between a C/R message and "true" spam (as I suspect most people can), whether or not you or others can, or if you may choose to emphasize any similarities and "de-emphasize" any obvious dissimilarities -- such as the fact that the C/R user's "motive" is purely "self-defensive" in nature, while the spammers motives are strictly "offensive", despite the superficial (IMO) similarities which you've used to "prove" C/R a form of spam.

As has been said earlier, it certainly isn't the C/R user's fault that someone has successfully forged "your" address or domain. But in attacking the morality of his C/R use, you are, in effect, holding him responsible for the forgery, rather than the spammer, who is the actual forger, or yourself for allowing your address/domain to be forged (in his context I might add that I take the very concept of.a completely "innocent bystander", or "innocent victim", with something of a grain of salt -- that is, e.g, you can't receive any spam or backscatter - or any email - without being "guilty" of choosing to use email, knowing that spam and backscatter are part of that "package"). But without both these latter two as well, the problem for which you're blaming the C/R user (and for which I've still seen no one present here any credible evidence is a particularly serious problem in the first place) wouldn't ever exist, would it?

But the C/R user isn't using deceptive tactics to hide his identity (another clear difference between a spammer and a C/R user) and as such makes an easier scapegoat. But it's also presumably because it's assumed that the spammer is amoral, so an appeal to morality might likely be perceived as more likely having influence over the C/R user than the spammer -- unless of course you wish to also assume the C/R user is as amoral as the spammer, although I believe such a supposition might also be based on as circular an argument. That is, only by defining C/R use as "immoral" can that be proven, but any such moral judgement might seem obviously subjective and self-serving in this case.

But as a practical matter, I think it's only realistic to expect people to do/use what works best, and it will likely take a much more powerful moral argument than I've seen presented here in the form of real proof that C/R "does more harm than good" -- that is, with real factual data to back it up, as opposed to mere (IMO specious) theoretical arguments -- to convince many people perceiving a real need for such a system that there's a serious "moral imperative" at issue in their availing themselves of it.

Quote:

If I use a catchall address I can expect to get more spam from spammers. It doesn't mean that I have to agree to also receive spam diverted by people who divert spam they receive.

Well, to expect not to get more of both spam and backscatter might seem a bit like expecting to "have your cake and eat it too", that being the point of my "robbery" analogy, although I admit that the best analogy I was able to come up with more or less invited you to discount that point. In fact, I think it's just plain silly to effectively "open oneself up" to more spam and backscatter -- backscatter of any and all "types" -- and expect NOT to get them. Regardless of any moral analyses.

Quote:

And backscatter affects everyone, not just users of catchall addresses, just like robbery in a dark alley can happen to everyone, not just to people walking around with cash sticking out of their pockets.

Yes, backscatter affects "everyone" -- well, in theory anyway. But I don't use catchall addressing and I haven't ever experienced a serious backscatter problem with C/R specifically. But I think that if I DID user catchall addressing, I would expect to see more spam and more backscatter in general, it certainly wouldn't surprise me, as I would assume that would go with the territory, as it were. That is, I wouldn't expect to be able to "have my cake and eat it too." Is the C/R user being "selfish"? Of course he is. Just as are those who whine about receiving his so-called spam, and would rather hold the C/R user responsible than undertake the more difficult task of preventing spam messages being sent to "innocent parties" in their name in the first place.

But what percentage of backscatter is in the form of "misdirected" C/R, do you know? Regardless of the percentage, assuming there are other "forms" of backscatter, does it follow that all backscatter is equally "wrong", or based on "morally wrong" action, policy, practice, or protocol? If so, then why are we "obsessing" on the C/R user's "morality" here (especially if the case may be that his "share" of the backscatter may be relatively minuscule) rather than on the larger, more general, problem? And if not, why not?

[Scott Kitterman]

I really don't think the amount matters. Sending me unsolicited mail so that you don't get any is just not right. No matter how you dress it up, that's what's going on. It does nothing to reduce unsolicited mail, it just moves it elsewhere.

[King Of Email]

Agree. Every challenge response system I have ever used doesn't work at all, partially works, or eventually breaks down and degrades over time allowing in spam and junk mail which must be nevertheless be dealt with in some other fashion. I just dumped three of my so-called air tight, iron clad anti-spam email services after years of frustration and trying to tweak and configure them to block and divert the junk mail garbage that isn't supposed to be in my box at all. Maybe if spammers and junk mailers were severely flogged when caught, it would lessen the flow of junk mail. Even if it didn't, it would sure feel good to the rest of us.

[xmailer]

Quote:

Originally Posted by Scott Kitterman

I really don't think the amount matters.

Agreed that the "amount" may "not matter" with regard to the question of whether it's "right" or "wrong", although it might make a difference as to "how wrong" it is if it is "wrong." But, conversely, because it may add to the total.amount of backscatter, doesn't as far as I can tell, in and of itself, make it "wrong" either. Unless backscatter in general is "wrong" -- a question which I haven't yet seen answered.

Quote:

Sending me unsolicited mail so that you don't get any is just not right.

But it isn't unsolicited from my point of view. I'm merely trying to verify whether you solicited it. It does, after all, appear to be from you. In any case, as I've probably stated more than once, I don't think "unsolicited" is a sufficient definition of "spam."

Quote:

No matter how you dress it up, that's what's going on.

That would appear to be how you "dress it up."

Quote:

It does nothing to reduce unsolicited mail, it just moves it elsewhere.

Well, the contention of the originally cited article would seem to be that in fact it does significantly reduce the amount of "unsolicited" mail (whether or not one accepts this as an adequate defintion of "spam", as I don't) for the C/R user. And as I haven't yet seen proof that it doesn't reduce the aggragate amount of "unsolicited" mail received by email users in general, I'm not sure that there's sufficient data to support your claim that it "just moves it elsewhere." That is, this would thus far appear to be a somewhat vague claim unsupported by actual data AFAIK.

Having said that, my own experiments to date with C/R have left me less than fully convinced of its overall merit from the point of view of the C/R user him/herself, whether for some of the reasons suggested above by King of Email and/or other misgivings expressed previously in this thread by others. However, for those who may feel that they clearly benefit from its use, I don't see that sufficient real evidence has been presented here of the claim that it "does more harm than good", nor any particularly compelling arguments suggesting its "wrongness" in any case. Merely stating (and re-stating) a proposition (based, AFAICT, on little more than your own moral "slant") doesn't consititute proof.

[Scott Kitterman]

It's well known that virutally all spam uses forged e-mail addresses. The rest follows from that. It's not that hard.

[hadaso]

Quote:

Originally Posted by Scott Kitterman

... The rest follows from that. It's not that hard.

That's what I was thinking but haven't posted. I also think that C/R requests probably pass most tspam filters that the spam that caused them would not have passed, so globally C/R (and other forms of backscatter) might be increasing the amount of unwanted mail that reaches mailboxes. Backscatter detection systems are not as common as content based filtering systems.

[xmailer]

Quote:

Originally Posted by Scott Kitterman

It's well known that virutally all spam uses forged e-mail addresses. The rest follows from that. It's not that hard.

What's also well-known is that it is indeed "not that hard" to extrapolate to an invalid conclusion in the lack of supportiing factual evidence, while conveniently ignoring/stonewalling any any all facts and questions which might cast doubt upon that conclusion -- especially in conjunction with an obvious predisposing quasi-religious moral or other bias.

As the article cited by the OP reported the results of the study of actual data, and AFAICT didn't make any claims beyond which that data could support, any meaningful counter-argument should be similarly supported by factual data; whereas your sole argument seems to be based on little more than your repeated "authoritative" proclamation that "it's just wrong" -- with little or no explanation as to WHY it is, or should be considered, "wrong", but we are apparently merely expected to accept your moral judgement on the matter as a "given". In short, you appear to be making a questionable moral argument augmented only by conjecture -- which as far as I can tell is all your opinion that "it just moves it around" is in the absence of actual objective data.

Quote:

Originally Posted by hadaso

...might be increasing the amount of unwanted mail...

"Might be" = an unsubstantiated hypothesis

Again, simply repeating a proposition ad nauseum based on a theory or hypothesis isn't a reasonable substitute for factual data. In the immortal words of Dr. Carl Sagan -- a scientist, not a theologian -- where's the evidence? Which in this case might be actual "hard" statistical data to support the (counter-)claims being made..

[Scott Kitterman]

So are you saying that you think that it's not established (and needs proving) that most spam is from a forged address?

[xmailer]

Quote:

Originally Posted by Scott Kitterman

So are you saying that you think that it's not established (and needs proving) that most spam is from a forged address?

No, Scott. I'm saying (among other things) that I don't believe that the conclusions that you have formed inevitably follow from your premises, as you seem to believe they do, in the lack of hard data to support them (at least that I've seen anyone present here or elsewhere). And that you seem to be simply ignoring anything which doesn't conveniently fit your (IMO simplistic) analysis.

[Scott Kitterman]

OK. If most (actually virtually all) e-mail addresses in spam are forged then virtually all replies replies go to innocent third parties (to the extent they go to anyone). What's mysterious about that?

[xmailer]

Quote:

Originally Posted by Scott Kitterman

OK. If most (actually virtually all) e-mail addresses in spam are forged then virtually all replies replies go to innocent third parties (to the extent they go to anyone). What's mysterious about that?

I've bolded the portion of your own observation which, short of sufficient statistical data either way, casts doubt on your claim that C/R doesn't reduce the number of "unsolicited" messages, but "just moves them around". That's what's "mysterioius" about it. Short of statistical data, it's a "mystery" exactly how many "unsolicited" messages are received, and there is insufficient data to conclude that it "just moves it around." In fact, I strongly suspect that any "hard" statistics would prove your assumption/conclusion incorrect.

But the burden of proof falls to those making the claim. Those claiming that C/R users reduce the receipt of unsolicited messages for the C/R user have provided statistcs to prove their claim. Whereas,you have not provided sufficient proof for your claims that "it does more harm than good" or "it just moves it around." Unlike the study cited in the first post of this thread, your "proof" is a purely theoretical one, with no "hard" data, or any source for such data, presented here by you or anyone else that I've seen.

[Scott Kitterman]

I'm not disputing that C/R reduces unwanted messages for the C/R users, so I'm not arguing with that claim at all. What I'm arguing is the side effects of doing so.

If you accept that most spam comes from forged addresses (I don't see you disagreeing with that), then C/R challenges are, by their nature, unsolicited and bulk which are two of the basic tests for spam.