Do not use Challenge Response to mailing lists

John Malmberg wb8tyw at qsl.net
Fri Aug 13 12:01:50 GMT 2004


Hello all,

If any of you are using a Challenge Response system on your e-mail, 
please make sure that it does not issue challenges to any e-mail from 
any mailing lists that you are subscribed to.

This can block important messages from the mailing list management 
software, as it has no way to respond to such challenges.

Also many people refuse to answer such challenges, and this can result 
in you missing important information.  This behavior comes from those 
users or their system administrators being mail bombed by challenge 
response systems as a result of a virus outbreak or a spam run.

The stuff comes in faster than they can delete it, and places their 
mailbox over quota, resulting in real e-mail being lost.

The most public case of this is the TEST.COM domain, which is a real 
domain by a commercial company of test equipment that is commonly 
spoofed in spam.

In general, the Challenge-Response system has proved to be a very bad 
solution to spam and virus control.

Most spam and viruses are sent with forged addresses.  When a new virus 
breaks out, a challenge response system will end up doing a denial of 
service attack against the innocent victims that have had their address 
spoofed.


This SAMBA-VMS list and the other SAMBA mailing lists have been hit 
badly by such autoresponders in the past, and the only defense has been 
for the mail server operators to block such abusive hosts, as found, 
because historically they ignore all requests to stop auto-responding to 
the viruses.  And in many cases at least one of the RFC-required contact 
addresses, Abuse and Postmaster, is not working.


Many mail servers are now blocking all e-mail from any mail server that 
is using a challenge response system because they have been hit with 
mail bombs from them.

Also if the challenge-response system mail-bombs a spamtrap, it can 
result in that mail server being listed in several spam blocking systems.

This typically happens every time a new worm comes out.


Also many users whose e-mail addresses are victimized by spam or viruses 
spoofing them are acknowledging the challenges to let the spam through.


If a mail message is not deliverable, the only non-abusive way to notify 
the real sender is for the receiving mail server to reject the message 
with an SMTP error code and a small text tag.  This is the only way 
that will cause a non-delivery message to be reliably sent to a real person.

Any other method is either abusive to the rest of the internet or is 
causing real e-mail to be silently deleted without the sender or the 
receiver being notified in a timely fashion.


Using a Challenge-Response system in practice is an unreliable system 
and can result in both legitimate incoming e-mail being lost, and in 
other systems refusing your outgoing e-mail because it is abusive in 
auto-responding to forged addresses in spam and viruses.
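A header check of the kind such a filter needs, added here as an example and not code from the original post or from any challenge-response product: it parses a message and refuses to auto-respond to list traffic, bounces and machine-generated mail, following the RFC 3834 rules for automatic responses. The sample messages and addresses are constructed.

```python
import email

# Constructed sample messages (not from the original post); empty bodies.
LIST_MSG = """\
Return-Path: <samba-vms-bounces@lists.example>
From: mailman@lists.example
List-Id: SAMBA on VMS <samba-vms.lists.example>
Precedence: list
Subject: confirm your subscription

"""
BOUNCE_MSG = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example
Auto-Submitted: auto-replied
Subject: Undelivered mail

"""
PERSONAL_MSG = """\
Return-Path: <alice@example.org>
From: Alice <alice@example.org>
Subject: question about the VMS build

"""


def may_auto_respond(raw_message):
    """Return (allowed, reason) for sending a challenge or vacation reply.
    Only personal mail with a real, non-null envelope sender and no list or
    auto-submitted markers may be answered (the RFC 3834 rules)."""
    msg = email.message_from_string(raw_message)
    # A null reverse-path (MAIL FROM:<>) marks bounces and notifications.
    return_path = (msg.get("Return-Path") or "").strip()
    if return_path in ("", "<>"):
        return False, "null or missing Return-Path"
    # Auto-Submitted other than "no" means a machine sent it: another
    # challenge, a vacation reply, or list management mail.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    # Mailing-list traffic: List-* headers or bulk/list/junk precedence.
    for header in ("List-Id", "List-Post", "List-Unsubscribe"):
        if msg.get(header) is not None:
            return False, "mailing-list header " + header
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in ("bulk", "list", "junk"):
        return False, "Precedence: " + precedence
    return True, "personal mail from a real envelope sender"
```

The Return-Path check relies on the receiving MTA having recorded the SMTP envelope sender at delivery, as it normally does; a message with a forged From: but a real envelope sender still passes, which is why rejecting at SMTP time remains the only notification that reaches the right party.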


There are many anti-spam techniques that will reliably block almost 100% 
of the incoming spam without rejecting real e-mail.  The most reliable 
use DNS based blocking lists to reject over 80% of the spam, and for the 
remaining percentage check the I.P. addresses of the URLs in the e-mail 
against the same DNS based blocking lists.  Steve Linford, an 
internationally recognized expert on spam (spamhaus.org), is reporting 
that a commercial ISP (UXN.COM) is achieving well over 99% spam 
rejection with zero false positives.


And also, auto-responders like out-of-office or vacation messages to 
external or unknown e-mail addresses are the on-line equivalent to 
letting the mail and papers pile up in front of your house while you are 
on vacation.  Convicted criminals use these auto-responders on e-mail 
and voice mail messages to steal from companies.

They have successfully gotten top-secret prototypes shipped to post 
office drop boxes, and fake bills approved in past cases.


So make sure that Challenge-Response is off for any mailing list you are 
subscribed to, and better yet, turn it off.  The rest of the internet 
will thank you.


-John
wb8tyw at qsl.network
Personal Opinion Only

