Do not use Challenge Response to mailing lists
John Malmberg
wb8tyw at qsl.net
Fri Aug 13 12:01:50 GMT 2004
Hello all,
If any of you are using a Challenge Response system on your e-mail,
please make sure that it does not issue challenges to any e-mail from
any mailing lists that you are subscribed to.
This can block important messages from the mailing list management
software, as it has no way to respond to such challenges.
Also many people refuse to answer such challenges, and this can result
in you missing important information. This behavior comes from those
users or their system administrators being mail bombed by challenge
response systems as a result of a virus outbreak or a spam run.
The stuff comes in faster than they can delete it, and places their
mailbox over quota, resulting in real e-mail being lost.
The most public case of this is the TEST.COM domain, which is a real
domain by a commercial company of test equipment that is commonly
spoofed in spam.
In general, the Challenge-Response system has proved to be a very bad
solution to spam and virus control.
Most spam and viruses are sent with forged addresses. When a new virus
breaks out, a challenge response system will end up doing a denial of
service attack against the innocent victims that have had their address
spoofed.
This SAMBA-VMS list and the other SAMBA mailing lists have been hit
badly by such autoresponders in the past, and the only defense has been
for the mail server operators to block such abusive hosts, as found,
because historically they ignore all requests to stop auto-responding to
the viruses. And in many cases at least one of the RFC-required contact
addresses of Abuse and Postmaster is not working.
Many mail servers are now blocking all e-mail from any mail server that
is using a challenge response system because they have been hit with
mail bombs from them.
Also if the challenge-response system mail-bombs a spamtrap, it can
result in that mail server being listed in several spam blocking systems.
This typically happens every time a new worm comes out.
Also many users whose e-mail addresses are victimized by spam or viruses
spoofing them are acknowledging the challenges to let the spam through.
If a mail message is not deliverable, the only non-abusive way to notify
the real sender is for the receiving mail server to reject the message
with an SMTP error code, and a small text tag. This is the only way
that will cause a non-delivery message to be reliably sent to a real person.
Any other method is either abusive to the rest of the internet or is
causing real e-mail to be silently deleted without the sender or the
receiver being notified in a timely fashion.
Using a Challenge-Response system in practice is an unreliable system
and can result in both legitimate incoming e-mail being lost, and in
other systems refusing your outgoing e-mail because it is abusive in
auto-responding to forged addresses in spam and viruses.
There are many anti-spam techniques that will reliably block almost 100%
of the incoming spam without rejecting real e-mail. The most reliable
use DNS based blocking lists to reject over 80% of the spam, and for the
remaining percentage check the I.P. addresses of the URLs in the e-mail
against the same DNS based blocking lists. Steve Linford, an
internationally recognized expert on spam (spamhaus.org), is reporting
that a commercial ISP (UXN.COM) is achieving well over 99% spam
rejection with zero false positives.
And also, auto-responders like out-of-office or vacation messages to
external or unknown e-mail addresses are the on-line equivalent to
letting the mail and papers pile up in front of your house while you are
on vacation. Convicted criminals use these auto-responders to e-mail
and voice mail messages to steal from companies.
They have successfully gotten top-secret prototypes shipped to post
office drop boxes, and fake bills approved in past cases.
So make sure that Challenge response is off for any mailing list you are
subscribed to, and better yet, turn it off. The rest of the internet
will thank you.
-John
wb8tyw at qsl.network
Personal Opinion Only
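
The SMTP-time rejection and DNS blocking list checks described in the
message above, shown in Python as an added example (not part of the
original post and not any mail server's own code). The zone
dnsbl.example, the sample records and the function names are assumptions
made for illustration; the lookup is passed in so the code runs offline.

```python
import ipaddress
import socket

DNSBL_ZONE = "dnsbl.example"  # placeholder zone (assumption), not a real list


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_lookup(name):
    """Resolve a name to IPv4 addresses; an empty list means no record."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listed(ip, lookup=system_lookup):
    """Listed means the DNSBL answers with an address in 127.0.0.0/8."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in lookup(dnsbl_name(ip)))


def smtp_decision(client_ip, url_hosts, lookup=system_lookup):
    """Return the reply to give inside the SMTP session.

    A 5xx reply leaves the non-delivery notice to the connecting server,
    so nothing is ever mailed to a (possibly forged) envelope sender.
    """
    if is_listed(client_ip, lookup):
        return "550 5.7.1 Rejected: %s is on a blocking list" % client_ip
    for host in url_hosts:  # host names taken from URLs in the message body
        for ip in lookup(host):
            if is_listed(ip, lookup):
                return "550 5.7.1 Rejected: message links to a listed host"
    return "250 2.0.0 Accepted"


# Constructed records standing in for DNS (documentation addresses and names).
SAMPLE_DNS = {
    "7.113.0.203.dnsbl.example": ["127.0.0.2"],  # 203.0.113.7 is listed
    "shop.example": ["203.0.113.7"],
    "lists.example": ["198.51.100.10"],
}


def sample_lookup(name):
    return SAMPLE_DNS.get(name, [])
```

Neither branch sends a challenge or any other new message: the only
output is the status line returned to the connecting server.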