On Mon, 9 Feb 2004, Ed Gerck wrote:
Dean Anderson wrote:
On 10 Feb 2004, Franck Martin wrote:
When you realign your anti-spam efforts from control of business to
control of techno-terrorists, the problem is quite a bit different, and
you can see also that things like signing and other things aren't going to
Signing doesn't work because it cannot provide a load per recipient,
just per sender. Encryption with the recipient's public-key (as I am
proposing) works because the spammer must encrypt each message
for each recipient. This applies to lawful spammers as well, finally
adding friction to email by creating a mandatory "fee" (burdenwise) to
Then using the IETF list as an example, you would need the entire list of
recipients and their public keys, and you would need to send a message
either directly to each of them, one by one, or send a single message with
a session key for each recipient (thousands). This isn't going to work.
Second, even if the above weren't a problem, one still has the problem
that a virus infected user will still be sending messages, just like
You can't make it more expensive without shooting yourself in the foot.
In information theory-speak, you can't prevent a covert channel** unless
you have no channel at all. Covert-channel detection is a whack-a-mole
game. The whack-a-mole characteristic can't be avoided, except by having
no channel at all. Then your problem is to be sure that there really isn't
a channel. But there often is a channel anyway, and it is just unknown.
Intelligence agencies go to a great deal of expense to make sure there is
no channel through which information can be leaked. Our problem is much,
much more difficult because we have a channel, but want to make sure it is
only used for certain purposes.
Putting it in different terms, how can the government make sure those
"government use only" stamped envelopes are only used for government
business? 'Government business' includes interacting with the general
public through mail or email, so eliminating the channel over which
non-government business might be conducted is not an option. Is it
possible to make a stamp so that the envelope cannot be used for a
non-government purpose? Now take it one step closer: How can they make
sure that government computers are only used for government business?
Can a computer be built that can only be used for government business?
There is no scheme in which the rules can't be broken by someone intent on
breaking them. The only path is to detect them, and prosecute them. In
the case of spam, detection is easy, but not automatic. Prosecution is
now possible. It's still a whack-a-mole game. It won't end unless you can
get past the virus infection to the virus operator, and hopefully, there
aren't really too many virus operators. Of course, we aren't stopping
spam either in a very real sense, but rather abusers who are annoying and
mailbombing people. But by my count of my inbox, if you stop those
people, I can certainly handle the rest which amounts to maybe 1% of my
current junk mail.
BTW, my previous posting provided a rationale for proposing the following
requirement for any current or future mail system:
- Users do not want requirements to pay for sending email or to be
otherwise burdened in any way in order to stop spam. Stopping spam
should not be a user's problem.
The "for pay" idea is just another scam from the people who would love to
get a percentage of the pay. While I'm sure Microsoft and others would
just love to get a cut of this (I know I would), it doesn't do anything to
stop spam, and if implemented, would simply (and wrongly) charge users
whose computers were virus infected. I doubt that it would be widely
implemented, anyway. It would also be the end of free services like
hotmail and yahoo, though I'm certain MS would give up hotmail in a hot
second for a cut of probably billions or trillions per year in email fees.
Though, perhaps one could bring a fraud or racketeering case against
Microsoft for profiting from its insecure computers, but I'm doubtful of
** covert channel, sneaky channel, whatever your term--'covert channel' is
a term favored by OS scientists in analysis of Operating Systems--the
information theory part of it is generally applicable, and the concept has
been researched in different fields and applications using slightly