> However, one problem with C/R systems is that spammers do not currently
> have an incentive to break them since there are many other ways to send
> spam. If C/R systems become widespread, spammers will have an
> incentive to attack them and perhaps (gasp) even manage to break them.
Well, we better build something they can't break. There are many, many
smart people on this list that can surely put something together over time.
> How would a whitelist handle mailing lists? What about automated computer
> programs that notify users, like eBay's auction bots? And what about
> anonymous email, if C/R is implemented everywhere, can anyone send
> anonymous email anymore? What about opt-in email that the receiver forgot
> about the original opt-in? And email that is sent from different email
> addresses every time (like some mailing lists)?
All of these are important tactical issues... any more?
What is the intent of a C/R system? Is it merely to double-check the
sender's email address to make sure it is working and valid, or is it also
to make sure that the sender is a human being and not a computer? If it is
only the first, that we are trying to make sure that the sender has a valid
email address, then it might make sense to develop an automated C/R
protocol that can be used by email clients and senders' MTAs to reply to
the challenge. This will take care of issues like dealing with lists,
automated bots and anonymous remailers - the list server will simply reply
to the response via this automated protocol. It will also hide the C/R
process from users. The obvious flaw is that the spammer will use it too -
but they will have to use a valid email address to do it, or own their own
MTA and domain (which is not a problem since we already see spammers owning
name servers). However, if the intent of C/R systems is to make sure that
the sender is human, then it essentially must perform a Turing test.
Current techniques include using specially coded graphic images, etc.
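
The automated exchange discussed above, as an added example that is not part of the original message: the recipient's MTA issues a token and the sender's MTA echoes it without user involvement. The HMAC token format, the message-id binding, the sent-log check in `SenderMTA`, and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: secret held by recipient's MTA
TTL = 3600                        # assumption: challenge lifetime in seconds


def _mac(sender, msg_id, expiry):
    data = f"{sender.lower()}|{msg_id}|{expiry}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def issue_challenge(sender, msg_id, now):
    return f"{now + TTL}.{_mac(sender, msg_id, now + TTL)}"


def verify_response(sender, msg_id, token, now):
    """Accept only a fresh token bound to this sender and message."""
    expiry, _, mac = token.partition(".")
    if not (token.isascii() and expiry.isdigit()) or int(expiry) < now:
        return False
    return hmac.compare_digest(mac, _mac(sender, msg_id, int(expiry)))


class SenderMTA:
    """Automated responder: echoes challenges only for mail it really sent."""
    def __init__(self, sent_ids):
        self.sent_ids = set(sent_ids)

    def answer(self, msg_id, token):
        return token if msg_id in self.sent_ids else None


def handle(claimed_sender, msg_id, mtas, whitelist, now=0):
    """Recipient side: returns 'delivered' or 'held' for one message."""
    if claimed_sender in whitelist:
        return "delivered"
    token = issue_challenge(claimed_sender, msg_id, now)
    mta = mtas.get(claimed_sender)  # None models a nonexistent address
    reply = mta.answer(msg_id, token) if mta else None
    if reply and verify_response(claimed_sender, msg_id, reply, now):
        whitelist.add(claimed_sender)
        return "delivered"
    return "held"


# Constructed sample: list server, spammer with a real mailbox, forged victim.
MTAS = {"list@lists.example": SenderMTA({"m1"}),
        "bulk@spammer.example": SenderMTA({"m2"}),
        "victim@corp.example": SenderMTA(set())}
```

Mail from the list server and from the spammer's own working mailbox is both delivered, while a forged or nonexistent sender address is held: the exchange validates the address, not that a human is behind it.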