I've been keeping an informal list of challenge-response systems -- you can imagine I get a bunch of such challenges from Politech subscribers who have not chosen one that will auto-whitelist mailing lists.

Last night I received mail from a new one, ipermitmail.com, that is one of the worst-designed response systems I've seen so far.

First, it doesn't attempt a reverse Turing test to try to figure out if you're a human -- it merely asks you to type in your name and information about your email in a web form, which could be trivially exploited by spammers.

Second, its privacy policy fails to pledge to *never* spam people who have emailed its customers and in fact contemplates sharing "personal or online transactional data with third parties."

Third, and most seriously, a flaw in its implementation will challenge you *multiple times* when you're emailing an ipermitmail.com user from the same address.

I don't mean to pick on ipermitmail.com. I'm sure they're well-intentioned. But such a challenge-response system is relatively easy to code (in the Unix world, such systems implemented in procmail have been around for years, and I once contemplated writing my own or adapting one of the existing ones), which means we'll see plenty of poorly-implemented ones emerge.

I'm worried about their impact on legitimate mailing lists like Politech. I don't have the resources to respond to tens of thousands of different people using hundreds of different challenge-response schemes.

Previous Politech message:
http://www.politechbot.com/p-04733.html

-Declan

---

Date: Fri, 09 May 2003 03:39:09 -0700
To: declanat_private
Subject: Re: FC: Earthlink will begin to offer email challenge technology

Declan McCullagh wrote:

>[I've already sent an alert to the hundreds of Politech subscribers from
>Earthlink warning them to make sure this list is whitelisted. This as a
>reminder. :) --Declan]

Declan,

It would be good to note a couple of things about EarthLink's new spam tool.
First, it is only a beta-product at this point and requires the use of EarthLink's TotalAccess 2003 software or EarthLink's webmail.

Second, only EarthLink members whose mail resides on the Atlanta mail servers (domains like mindspring.com and pipeline.com) are currently able to participate in the beta.

A decent reference for spamBlocker is located at http://www.earthlink.net/spamblocker/faq/

A key portion of the page reads:

Do I have to use spamBlocker?
No. spamBlocker is an optional service. You can opt out of Known spam Blocking at any time. Suspect Email Blocking is an opt-in service, which means it only works if you activate it.

If you are going to post this to the list, I would appreciate it if you would omit my name and email address as I am an EarthLink employee.

Regards,
[deleted]

---

From: "Brian K. Yoder" <byoderat_private>
To: <declanat_private>
Subject: RE: Earthlink will begin to offer email challenge technology
Date: Fri, 9 May 2003 03:43:48 -0700

I was an architect at EarthLink for many years and I have passed along a copy of this to the folks over there. One important point in all of this though is that if this scheme becomes "widely adopted" the spammers will just forge source addresses to exploit the holes that allow widely-distributed emails (such as mailer daemon bounce messages or popular mailing lists) to be forged and the problem will just move in a direction that makes it even harder to handle legitimate emails.

The only hope these systems really have is to remain small and too troublesome for the spammers to bother with subverting. Let's hope that they do NOT become pervasive since when they do they will be subverted.
--Brian

--- Brian Yoder --- byoderat_private --- Cell Phone: 626-255-3338 Pager: byodermobileat_private

---

Date: Fri, 9 May 2003 01:31:13 -0700
From: Brad Templeton <bradat_private>
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Earthlink will begin to offer email challenge technology

Declan, no properly programmed challenge response system will challenge a piece of mailing list mail.

It just has to show the mail to the user in the summary of mail that never got challenged to ferret out mailing list mail.

---

Date: Fri, 09 May 2003 07:47:23 -0400
To: declanat_private
From: Tracy <tracyat_private>
Subject: Re: FC: Earthlink will begin to offer email challenge technology
In-Reply-To: <5.2.1.1.0.20030509012320.01a9bd48at_private>

Of course, the real question here is whether or not Earthlink has licensed this solution from MailBlocks, who currently holds a patent on the use of challenge/response techniques for fighting spam.

Which they didn't, as MailBlocks has already filed suit - so the question becomes, will Earthlink just roll over and take it, will they fight it, or will they settle out of court for a nominal license fee, thus granting "legitimization" of the patent that MailBlocks holds, which is somewhat questionable based on available former art and reasonably common usage of challenge/response?

---

Date: Fri, 09 May 2003 13:33:34 +0530
To: declanat_private, politechat_private
From: Suresh Ramasubramanian <sureshat_private>
Subject: Re: FC: Earthlink will begin to offer email challenge technology

At 01:25 AM 5/9/2003 -0400, Declan McCullagh wrote:

>[I've already sent an alert to the hundreds of Politech subscribers from
>Earthlink warning them to make sure this list is whitelisted. This as a
>reminder. :) --Declan]

the followup being that mailblocks.com (the Phil Goldman outfit that went around buying up challenge response patents) is now suing Earthlink.
srs

ps - just in case, as others have confused the two, mailblocks != mail-block.com the spammer

--
Suresh Ramasubramanian + suresh <@> hserus dot net
EMail Sturmbannführer, Lower Middle Class Sysadmin

---

From: "L. Gallegos" <jandlat_private>
To: declanat_private
Date: Fri, 09 May 2003 08:20:45 -0400
MIME-Version: 1.0
Subject: Re: FC: Earthlink will begin to offer email challenge technology
Reply-To: jandlat_private

I really hate challenge/response. Lately I've had so many of them that I just began to ignore them. If someone wants me to contact them, they can whitelist me. If it's a business and I am a customer, they better whitelist me or I'm no longer a customer. Simple. As for ISP's who implement it, they should make it a choice for their users.

My 2 cents.

Leah

---

To: declanat_private
Date: Fri, 09 May 2003 18:03:02 +1000
From: Jeff Schultz

> Once the sender does that by replicating a word or picture displayed on the
> screen, the original e-mail is allowed through. The system automatically

So only people who send mail from a system with a graphical web browser will be able to get through? Might be a few places where this is an unlawful form of discrimination.

Please delete email address before posting.

Jeff Schultz

---

Subject: EarthLink Is Sued by Holder of Anti-Spam Patents
From: Shawn Yeager <mailat_private>
To: declanat_private
Message-Id: <EF890309-816A-11D7-B605-000A95682EB0at_private>
X-Mailer: Apple Mail (2.552)

The champs at MailBlocks are at it again:

http://www.nytimes.com/2003/05/08/business/08SPAM.html?pagewanted=print&position=

Shawn

--
shawnyeager.com
+1 416 305 4142

EarthLink Is Sued by Holder of Anti-Spam Patents
By SAUL HANSELL

A Silicon Valley start-up yesterday sued EarthLink, the big Internet service provider, saying that EarthLink's latest technology to block unwanted e-mail marketing, or spam, violates two of the start-up's patents.
The plaintiff, MailBlocks, introduced an e-mail service in March that shows users mail only from senders whom they approve or who can show that they are people and not automated senders. MailBlocks was started by Phillip Y. Goldman, a founder of WebTV.

MailBlocks, which is based in Los Altos, Calif., has been granted two patents related to its method of verifying senders, a technology called challenge response. The company charges $9.95 a year for the service.

EarthLink has said it will offer its customers a free challenge-response system, under the name SpamBlocker, at the end of this month.

Several other companies are starting to offer similar approaches. MailBlocks, in fact, had already filed suit against three companies — Spam Arrest of Seattle, DigiPortal Software of Sanford, Fla., and MailFrontier of Palo Alto, Calif.

Mr. Goldman said that MailBlocks tried to license its patents to EarthLink as well but was rebuffed. Yesterday it filed suit in federal court in the central district of California, charging that EarthLink's system violates MailBlocks' patents and asking the court to move quickly to block its release.

"They are in violation of our patents and should not be allowed to proceed," Mr. Goldman said.

...

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri May 09 2003 - 06:34:26 PDT
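
Added example, not part of the original thread or of any product named in it: a minimal challenge-response gate in Python covering two implementation points raised above, namely never sending a second challenge to a sender who already has one pending, and holding mailing-list or automated mail for the user's summary instead of challenging it. The header checks (List-Id, Precedence, Auto-Submitted), the class and method names, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: headers commonly set by list software and auto-responders.
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "Mailing-List")

class ChallengeGate:
    """Hypothetical gate: returns the action to take for each inbound message."""

    def __init__(self, whitelist=()):
        self.whitelist = {a.lower() for a in whitelist}
        self.pending = set()  # senders challenged once, response not yet seen

    def is_automated(self, msg):
        if any(h in msg for h in LIST_HEADERS):
            return True
        if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
            return True
        return msg.get("Auto-Submitted", "no").strip().lower() != "no"

    def decide(self, raw):
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        if sender in self.whitelist:
            return "deliver"
        if not sender or self.is_automated(msg):
            return "hold_for_summary"   # never challenge list or robot mail
        if sender in self.pending:
            return "hold_pending"       # already challenged: do not send another
        self.pending.add(sender)
        return "challenge"

    def confirm(self, sender):
        """Record a completed challenge; later mail from sender is delivered."""
        sender = sender.lower()
        if sender not in self.pending:
            return False                # unsolicited confirmation, ignore
        self.pending.discard(sender)
        self.whitelist.add(sender)
        return True

# Constructed sample messages (example.org addresses are placeholders).
LIST_MSG = "From: list-owner@example.org\nList-Id: <news.example.org>\nSubject: digest\n\nbody\n"
PERSON_MSG = "From: Alice <alice@example.org>\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    gate = ChallengeGate()
    for raw in (LIST_MSG, PERSON_MSG, PERSON_MSG):
        print(gate.decide(raw))
    gate.confirm("alice@example.org")
    print(gate.decide(PERSON_MSG))
```

The From header is forgeable, as Brian Yoder's message points out, so whitelist matching on it is only as trustworthy as the sender address itself.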