On 1/22/06, Bart Schaefer <schaefer at brasslantern.com> wrote:
On Jan 22, 3:17pm, Michael Kaplan wrote:
Many reputable businesses send very large volumes of email. If it is
economically infeasible for spammers to decode the CAPTCHAs, why do you
believe it will be feasible for other businesses?
On my website I assume that the spammer would spend a tenth of a cent to manually decode a CAPTCHA and I demonstrate how this would be a crippling expense.
Let's assume that over the course of a year Amazon.com emails 10 million customers. I'll say that 5% of these sub-addresses are deactivated without the customers bothering to notify Amazon. I'll say that it costs Amazon 5 cents to decode a CAPTCHA (fifty times as expensive as what I assumed the spammer would have to pay!). It would cost Amazon $25,000 over the course of the entire year - and that is for an enormous company.
Not a great example because I'm sure Amazon.com would be a trusted domain and they would have the software upgrade to automatically resend the bounces. The same calculations for a small company with 20,000 customers would be $50 a year.
And another point: You have to purchase Adobe Acrobat, but you can get Adobe Acrobat Reader for free. Likewise you may have to pay to use ISACS to rid yourself of spam, but I'm sure that the software to appropriately process ISACS bounces will be distributed freely and aggressively for web mail and email user agents.
} It's more of a Vacation message than a Challenge.
It requires that the recipient take action, or the notification has not
served its purpose. That's much closer to a challenge than to a mere
out-of-office response.
Ultimately once the software upgrade to process bounces is installed (free of charge I should add) the recipient will take no action of any kind.
} How does the spammer figure out who is on your white-list?
By raiding the address books of the people to whom you send mail. This
happens *all* the time, usually (I suspect) via virus or worm or other
compromise of the correspondent's system.
The following is taken from my website:
"People will have malware infesting their computers, raiding their address book and constantly supplying spammers with valid addresses.
This is an argument for, not against ISACS.
All of the contacts of the person infected with malware will be able to identify the source of the security breach based on the sub-address.
In this case this system is a true blessing since the situation will become readily apparent and it can be remedied, saving anyone who would later be added to that address book.
Almost no other anti-spam system aids in the identification of such malware."
I have little faith in the statistics that have been collected so far
for systems like zoemail/reflexion/traveler, because I have no evidence
that they are yet in use by the general public.
I quote some outside reviews and even a comment from this board supporting Reflexion on my web page. I know of a lot of anecdotal evidence of email accounts being spam free for months until one little security breach resulted in endless spam. You are right, I don't have absolute proof, but what evidence I do have is suggestive.
Yep. "Bounce spamming" is less common now than it was a couple of years
ago, if the examples in my trapped spam archives are representative, but
it's not unheard-of.
I see how this is possible, but I don't see how this is advantageous to the spammer. Use of the free ISACS bounce filtering software upgrade will make this completely futile for the spammer.
} 95% of this spam will be filtered immediately
So despite the claim of near-perfect performance for ISACS, all domains
are expected to continue using and maintaining their adaptive filters?
Why would I take on the added cost of ISACS for only that remaining 5%
of the problem, if I can't get rid of any other costs?
Because ISACS will result in near total elimination of spam (I'd guesstimate that you'll still get 3 or 4 spams a year - a speculative but I think reasonable estimate).
} If the victim's filters are set to filter out ISACS
} bounces that don't correspond to recently sent emails
I'll direct you to the archives of this list for discussions of the
problems of keeping track of recently-sent email and matching it to
arriving bounces. You can't handwave this away.
Most email systems I have interacted with have a list of sent messages immediately available. If this is a problem then ISACS bounces can be cached for one hour or ten hours or one day or for whatever amount of time is needed to correlate the bounce with the sent email list.
Further, I'd dispute that applying two 95%-effective spam filters has
a net 99.75% success rate.
Very well, but I still don't see why bounce spamming is preferable to directly spamming users. It only adds a barrier, even if you feel it is not a great barrier.
Thank you once again,
Michael Kaplan
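The bounce-correlation step argued over above (accept a bounce only if it matches a recently sent message, and cache unmatched bounces for a while in case the sent list lags), as an added example that is not part of the original thread or of any ISACS software. It assumes a message store that exposes each sent message's sub-address and send time; the record format, the one-day look-back and the one-hour hold are assumptions, and the addresses and times are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class BounceCorrelator:
    """Deliver a bounce only if a message was recently sent to the sub-address it names."""

    def __init__(self, window=timedelta(days=1), hold=timedelta(hours=1)):
        self.window = window           # look-back for a matching send (assumed value)
        self.hold = hold               # how long an unmatched bounce is cached (assumed)
        self.sent = defaultdict(list)  # sub-address -> send times
        self.pending = []              # (sub-address, arrival) awaiting a match

    def record_sent(self, sub_address, when):
        self.sent[sub_address].append(when)

    def _matches(self, sub_address, arrival):
        return any(arrival - self.window <= t <= arrival
                   for t in self.sent.get(sub_address, []))

    def classify(self, sub_address, arrival):
        """'deliver' if the bounce matches a recent send, otherwise 'hold'."""
        if self._matches(sub_address, arrival):
            return "deliver"
        self.pending.append((sub_address, arrival))
        return "hold"

    def flush(self, now):
        """Re-check cached bounces; return (delivered, dropped) sub-addresses."""
        delivered, dropped, still = [], [], []
        for sub, arrival in self.pending:
            if self._matches(sub, arrival):
                delivered.append(sub)
            elif now - arrival > self.hold:
                dropped.append(sub)      # never matched within the grace period
            else:
                still.append((sub, arrival))
        self.pending = still
        return delivered, dropped


def demo():
    """Constructed scenario: a real bounce, a forged one, and one whose send is logged late."""
    c = BounceCorrelator()
    t0 = datetime(2006, 1, 22, 15, 17)
    c.record_sent("user+a1b2c3@example.invalid", t0 - timedelta(hours=2))
    first = {"real": c.classify("user+a1b2c3@example.invalid", t0),
             "forged": c.classify("user+zz9999@example.invalid", t0),
             "late": c.classify("user+d4e5f6@example.invalid", t0)}
    c.record_sent("user+d4e5f6@example.invalid", t0 - timedelta(minutes=5))
    return first, c.flush(t0 + timedelta(hours=2))
```

A forged bounce naming a sub-address you never wrote to is held and then dropped, while the bounce whose send only reached the list later is delivered on the next flush.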