Johann Koenig #1
Discussion of Challenge/Response
Because this topic is getting somewhat out of hand, and is being discussed in various threads, I thought I would try and consolidate it, if only to make it easier for the regulars who aren't interested to ignore one thread, instead of several.
Brief summary:
There are several ways of dealing with spam, including, but not limited to, Spamassassin, Mr. Conner's C-R scripts, and several proprietary ones. This particular discussion deals mostly with Mr. Conner's Mailbox Sentry Program (MSP).
In the fight against spam, there are several solutions that try to balance false positives/negatives, ease of use and ease of maintenance.
/Brief summary
Picking up from where I left off elsewhere:
Reading through Mr. Conner's page [1], I found an interesting concession to the fact that C-R systems could still be abused:
"on rare occasions, you may find yourself being harassed by someone with the patience to send a second mail with a password, or even write a program that automates the process."
This suggests that people sending out Unsolicited Mass Mail (UMM) could set up a system to send out a message, get a challenge, and send back a response, getting themselves whitelisted. Mr. Conner even alludes that such a program already exists:
Alan Connor <alanconnor@earthlink.net> wrote:
> I have just persuaded a large non-profit organization to install the
> simple server-side software that will allow them to transparently deal
> with people using C-R programs.
However, it seems to be that the challenge message is user-defined to a certain degree. Therefore, I suppose one could put the pass in a non-standard place, and fool UMMers.
Another issue that is not addressed is forged From: headers. Mr. Conner insists that these can not be forged, or at least Received headers can not be:
>Mail from debian.org to me must COME from debian.org...
>Don't tell me you have never heard of Received: headers? (etc.)
However, there is no indication the MSP even looks at Received: headers. Truthfully, email is one of the most insecure forms of communication, as far as verifying the sender. PGP seeks to solve that, but that is another topic altogether. The very basis of email, smtp, has no method for verifying a sender.
I hope we can keep this exchange civil, and confined to this new thread, for the benefit of all those reading linux.debian.user.
[1] http://home.earthlink.net/~alanconnor/msp/msp.html
--
-johann koenig
now playing: Gass Huffer - Rotten Egg
Today is Prickle-Prickle, the 68th day of Confusion in the YOLD 3169
My public pgp key: http://mental-graffiti.com/pgp/johannkoenig.pgp
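An added example, not part of the original post or of MSP: a whitelist keyed on From: alone accepts a forged message, while a check against the Received line stamped by the recipient's own server does not. The host names, addresses, whitelist entry and Postfix-style Received format are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_MX = "mx.example.net"      # hypothetical: the recipient's own mail server
WHITELIST = {"list@debian.org"}    # constructed whitelist entry

# Assumed Postfix-style stamp: "from HELO (rdns-name [ip]) by host ..."
HOP_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([^\]]+)\]\).*?\bby\s+(\S+)", re.S)

# Constructed messages; hosts and addresses are made up (documentation IP ranges).
GENUINE = """\
Received: from mail.debian.org (mail.debian.org [192.0.2.1])
\tby mx.example.net with ESMTP; Sun, 3 Aug 2003 12:04:08 +0000
From: Some List <list@debian.org>
Subject: constructed genuine message

body
"""
FORGED = """\
Received: from mail.debian.org (relay.bulk.example [203.0.113.9])
\tby mx.example.net with ESMTP; Sun, 3 Aug 2003 12:05:10 +0000
Received: from mail.debian.org (mail.debian.org [192.0.2.1])
\tby relay.bulk.example with SMTP; Sun, 3 Aug 2003 12:05:01 +0000
From: Some List <list@debian.org>
Subject: constructed forged message

body
"""

def from_only_check(raw):
    """Whitelist lookup keyed on From: alone, which the sender fully controls."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower() in WHITELIST

def trusted_hop_check(raw):
    """True only if the host recorded by our own MX has a reverse-DNS name under the From: domain."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Headers are prepended in transit, so only the topmost Received line was
    # written by our server; every line below it arrived as sender-supplied data.
    received = msg.get_all("Received", [])
    hop = HOP_RE.search(received[0]) if received else None
    if not domain or hop is None or hop.group(3).lower() != TRUSTED_MX:
        return False
    rdns = hop.group(1).lower()
    return rdns == domain or rdns.endswith("." + domain)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, from_only_check(raw), trusted_hop_check(raw))
```

Reverse-DNS names are set by whoever controls the IP's reverse zone, so a production filter would also forward-confirm the name before trusting it.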