On Sun, 2008-09-28 at 16:21 +0300, Alex Efros wrote:
> Hi!
> 
> To everybody in this thread who said "C/R is bad idea":
> 
> While qconfirm and TMDA will work in most cases, I've read the C/R critique 
> here http://en.wikipedia.org/wiki/Challenge-response_spam_filtering and
> agree it's a bad idea in general. I dislike tools like SpamAssassin because
> if there's just an "X% chance" something is spam, then it means there's always
> a "Y% chance" I'll lose non-spam email. C/R systems have the same issues, but
> it's harder to find out that fact.

A properly set up SpamAssassin doesn't lose mail; it sticks it in a
quarantine that you can go through and look for false positives
(SpamAssassin and amavisd-new make it pretty easy). Never accept mail
that doesn't get delivered somewhere. But even a properly set up C/R
system adds to the problem by spamming the forged sender with the C/R
request. If you ever get Joe Jobbed with a dictionary attack at a site
using C/R you will be busting out some null routes, iptables DROP,
filtering in your router, something. Joe Jobs are bad enough with those
that accept and bounce (another no-no; see above about accepting mail
you're not going to deliver); C/R just adds to it.

-- 
Homer Parker <[EMAIL PROTECTED]>
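The two rules in the reply above (reject undeliverable mail at SMTP time instead of accepting and bouncing it, and quarantine suspected spam rather than dropping it) can be modelled as mail-disposition policies and run against a constructed dictionary-attack sample with a forged sender. The following is an added example, not code from the thread or from SpamAssassin, amavisd-new, qconfirm or TMDA; the recipient list, sender allowlist, message sample and the 5.0 quarantine threshold are all assumptions made for the illustration.

```python
"""Compare how three mail-acceptance policies behave under a Joe Job.

The interesting quantity is outbound mail sent *to the envelope sender*
(bounces and C/R challenges), because under a Joe Job that sender is a
forged, innocent third party.  Added example; all values are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    envelope_from: str   # MAIL FROM, forged in a Joe Job
    envelope_to: str     # RCPT TO, guessed in a dictionary attack
    spam_score: float    # score a content filter attached (assumed)


# Assumed local mailboxes and known correspondents (constructed).
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}
KNOWN_SENDERS = {"carol@example.com"}
QUARANTINE_THRESHOLD = 5.0  # assumption: a SpamAssassin-style required score


def smtp_time_policy(msg: Message) -> str:
    """Reject unknown recipients during the SMTP dialogue (no DSN is ever
    generated by us) and quarantine, rather than drop, high-scoring mail."""
    if msg.envelope_to not in VALID_RECIPIENTS:
        return "reject-550"
    if msg.spam_score >= QUARANTINE_THRESHOLD:
        return "quarantine"
    return "deliver"


def accept_and_bounce_policy(msg: Message) -> str:
    """The anti-pattern: accept everything, then bounce unknown recipients
    to whatever address was in MAIL FROM."""
    if msg.envelope_to not in VALID_RECIPIENTS:
        return "bounce"
    return "deliver"


def challenge_response_policy(msg: Message) -> str:
    """Accept-and-bounce plus a C/R challenge to every unknown sender,
    which is one more message aimed at the forged address."""
    if msg.envelope_to not in VALID_RECIPIENTS:
        return "bounce"
    if msg.envelope_from not in KNOWN_SENDERS:
        return "challenge"
    return "deliver"


OUTBOUND_TO_SENDER = {"bounce", "challenge"}


def outbound_to_senders(messages, policy) -> Counter:
    """Count messages each policy would send back to each envelope sender."""
    out = Counter()
    for m in messages:
        if policy(m) in OUTBOUND_TO_SENDER:
            out[m.envelope_from] += 1
    return out


def dispositions(messages, policy) -> Counter:
    """Count how many inbound messages land in each disposition."""
    return Counter(policy(m) for m in messages)


def joe_job_sample(n_guesses: int = 50, forged: str = "victim@example.net"):
    """Constructed sample: a dictionary attack of n_guesses invented local
    parts plus one hit on a real mailbox, all with a forged sender, mixed
    with two legitimate messages (one of them scoring above the threshold)."""
    guessed = [Message(forged, f"user{i}@example.org", 9.0)
               for i in range(n_guesses)]
    hit = [Message(forged, "alice@example.org", 9.0)]
    legit = [Message("carol@example.com", "alice@example.org", 0.5),
             Message("newsletter@example.com", "bob@example.org", 6.2)]
    return guessed + hit + legit


if __name__ == "__main__":
    sample = joe_job_sample()
    for name, policy in [("smtp-time reject + quarantine", smtp_time_policy),
                         ("accept and bounce", accept_and_bounce_policy),
                         ("accept, bounce and C/R", challenge_response_policy)]:
        print(f"{name}:")
        print("  dispositions:", dict(dispositions(sample, policy)))
        print("  sent to senders:", dict(outbound_to_senders(sample, policy)))
```

Under the SMTP-time policy the forged sender receives nothing, the 50 guessed recipients are refused before any message body is stored, and the two high-scoring messages (including the forged one that hit a real mailbox) sit in quarantine where a false positive can still be recovered. Accept-and-bounce sends the forged sender one DSN per guess, and the C/R variant sends one more on top for the message that reached a real mailbox, which is the "C/R just adds to it" effect from the reply.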