LinkBack URL
About LinkBackshttp://linuxmafia.com/faq/Mail/challenge-response.html
Check it out. Thinking of removing this entirely after reading the above page.
Thank you.
Boxtrapper - Harmful. Should it be avoided?
http://linuxmafia.com/faq/Mail/challenge-response.html
Check it out. Thinking of removing this entirely after reading the above page.
Thank you.
I agree with the sentiments, challenge response systems such as boxtrapper usually cause more harm than good and are an easy way of getting your server on an RBL if people report false bounces of spam (or hit a spam trap).
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
Yea but then you have people like my wife that only get email from about 10 people worldwide. Why should she have to sit there an filter out spam from everyone. The Boxtrapper works great in her situation as she can have 100% control over the white/blacklist. Spamcop should be ashamed of themselves for doing things like that is the real issue here. The spam reporting systems such as Spamcop and Spamhause are so unregulated that most are useless.
The problem is that for every spam challenge you're most likely sending an email to someone entirely innocent, thus doubling the amount of unwanted email in a single stroke.
I have no problems with SpamCop of Spamhaus myself. SpamCop need (IIRC) 10 reports from different sources to block an IP address and the block only lasts 48 hours after which the block is dropped so long as there are no more reports. SpamCop, IMX, very rarely indeed has any false-positives.
As for spamhaus, I doubt that they can have done more against spam than anyone else, epecially naming and shaming some large US ISP's that have been used as spam havens and them knowing it - and successfully lobbying them to mend their ways. They've also been at the forefront at advising China and the like in anti-spam policies. AFAIK, their block lists are based on carefully built block lists based on spam trap and analysis of spam, not from arbitrary user submissions.
Now, the likes of SPEWS is another matter.
Personally, I detest challenge response systems because of the damage they do compared to the benefit. Thankfully, their use seems to be on the decline because of the problems that they create.
IMHO
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
I've had over a dozen requests for this sort of thing recently. And BoxTrapper, already being in cPanel seemed like a good solution. However, it doesn't automatically add people to the list like it should! People reply to the challenge and get the approval email but still can't email my clients!
Have sent email to stop using it until I can figure out if this is a problem with my server or not...
Originally Posted by HaveHost
The latestest builds auto whitelist any address you send to if you use smtp auth.
This thread is 2 years old, and I'm sure BoxTrapper has evolved...
Are there still the same the dangers of using C-R systems such as BoxTrapper on one's own server?
I have never used boxtrapper, so I can't exactly speak for it.
In my opinion, any challenge-response system is a bad idea. Challenge-response is just an ill-conceived idea. The main thing against challenge response is that spammers practically never use their real e-mail address as the from address when they send out spam. This means that when your address receives a spam message, your challenge response system is going to send a message to a completely innocent party. Since that innocent party has no idea what the message is for, they will flag the message as spam. Those challenge response messages are coming from your server, so each time someone flags a challenge response message as spam, then that adds a tally against your server, marking your server as a spam source.
I have heard that boxtrapper can be used with the challenge response system disabled. I don't know if this is true or how to set this up (again, I've never used boxtrapper). But in this sense, it might be a better solution. I believe with this functionality only messages that are from whitelisted addresses are allowed through. Otherwise you have to review the mail that is sent your domain and whitelist accordingly. I'm not sure if I am understanding if this is how this set up works or not, but if no challenge response messages are being sent out, then this would not be a harmful set up. I just don't know if this can be set up without using the challenge response part of boxtrapper.
Like others have said, I don't believe you can really improve anymore upon C-R methods. The fact is that any time your server will automatically send a response email each time an email is received from a new sender, you are going to eventually be adding to the problem of spam in somebody's eyes.
I don't have an absolute statistic on how much mail to a mailbox is typically spam, but let's say for a mailbox that has been in regular use the rate of spam versus nonspam is 80% - that means that for each 10 emails sent, 8 are spam (and likely from a forged sender). So the C-R system sends out 8 challenges in response to the 8 spam that are received (and sends those 8 challenges out to the 8 forged senders who never asked for the email and never emailed you in the first place). As soon as that happens, your mail system is contributing to the distrust people already have in email.
Mike
Whooooah there partner! How could you have an opinion about something you have no direct experience with? Well I guess it's certainly possible to have an opinion but how valid such an opion is, remains to be seen.
Anyway, please know that in the 7 years we have been using cPanel, not one of our hosted customers has ever been blackballed, nor had the slightest problem from using BoxTrapper.
One time a tech that we hired to server tune our servers switched off BoxTrapper for all of our hosted accounts just out-of-the-blue. Why? I guess he just didn't like it, so without telling us he just caused it to dissapear from all of our customers' control panels. Which in turn aused a firestorm of complaints from people who were using BoxTrapper and who were very much in love with this thing. So we kicked the tech, turned BoxTrapper back on and everything has been groovy since.
Well, that line was kind of meant to be a disclaimer. No I haven't used boxtrapper before, but that doesn't mean that the explanation I gave afterwards is not valid. Does this apply directly to boxtrapper? I don't know, never used it. But boxtrapper is a challenge response system, correct? (at least in one sense). All challenge response systems are virtually the same and I think my explanation basically described why they are a bad idea. It also seems that mtindor shares in my sentiments and chirpy, who is very well respected around here, also seems to agree that it is a bad idea.
But yea, that first sentence was meant as a disclaimer so you can take my explanation with a grain of salt if you want to. Boxtrapper may work very well for you. I'm not going to tell someone they should or should not use something, I just give my opinions and my reasoning for those opinions.
Actually it's a really good idea because very little spam actually get's through, period.
Consider a worst case scenario:
Spammer joe-jobs some legitimate email address and sends spam to a challange response system.
The legitimate email holder gets a confirmation message, NOT the spam mind you, just a confirmatioin that says something like, "Thanks for your email, please just respond to this message to have your email go through."
So then what happens?
99% of the time the one who receives this email says, "What the &^*& is this?" And tosses the email.
End of story.
So how exactly is this going to get someone's server blackballed? Flagged as spam? Sorry, I just don't think so. Do you flag all misdirected email as spam?
----
Now let's consider the far-and-away most common secnario:
Spammer sends out spam with a totally fake/made up email address as the reply to..... You can take it from there.
Last edited by jols; 07-24-2007 at 03:12 AM.
Or they get the message, select the message, and click the convenient "This is spam" button in their e-mail interface. I can't speak for every e-mail provider, but I know with AOL, when this happens, AOL will increase the tally against your server's IP address, marking your server's IP address as a spam source. I suspect that other e-mail players (Hotmail, Yahoo, etc) do the same thing.
In my opinion, users are a bit quick to pull the trigger on the "This is spam" button. I have seen AOL flagged message come back to us showing users flagged e-commerce receipts as spam (but, who knows, maybe they didn't really order something). It just seems that everybody is so fed up with spam, that they will mark anything as spam and I suspect that they would mark these challenge response messages as spam too.
It basically comes down to how you want to believe. If you believe that users will just delete challenge response messages when they receive them from fake spammers then boxtrapper and other challenge-response systems would work ok. If you believe that users will mark those challenge response messages as spam, then boxtrapper and other challenge-response systems are a bad idea.
Any message that a recipient gets that they didn't specifically solicit is spam - If they didn't sign up for the mailing on a mailing list or it isn't directed specifically at them for legitimate reasons, it is spam. This applies to C-R emails as well. The forged sender _never_ in their wildest dreams ever attempted to communicate with the recipient whose mail server is sending the C-R. It was all triggered by spam/virii with a forged sender. And when the forged sender gets that mail, it IS spam to them. Now whether they just ignore it and dispose of it, or whether they specifically designate the message as spam somehow, they have gained more distrust for the email system each time it happens.
So whether it's actual spam, server backscatter from poorly configured servers, C-R emails to a forged sender, etc., it increases the mistrust in the mail system. That can never be good.
You say very little spam gets through - It may be correct that very little spam gets through to the recipient, but oftentimes this is at the expense of the forged sender.
Mike
P.S. - If I had time, I'd certainly flag all C-R mail sent to me as spam - It is spam. It is a waste of my time to have to download and read it.
But in the real world UCE (unsolicited commercial email) is like porn, "You know it when you see it."
So, would a BoxTrapper confirmatioin actually be classed as UCE?
Hmmmm ---> http://www.webopedia.com/TERM/s/spam.html
In any case, the backscatter question goes to the heart of the following question:
What percent of spam contains real/joe-jobbed reply-to email addresses?
Reply With Quote