Hi, I would like to offer a concept, as one of the tools
necessary for a solution to this problem.
OBSERVATIONS: Firstly some observations about the other
tools we have at our disposal:
1. Text filters (reject messages if "string" found):
- they may block/delete wanted messages (false negative)
- they may allow unwanted messages (false positive)
- spammers work actively to defeat such filters
- they therefore create additional work to check for these
exceptions
2. Blacklists (reject messages from senders on the list):
- they are reactive (applied after the unwanted message arrives)
- they may exclude wanted senders if too broad
- they are of limited use if email addresses can be spoofed
3. Whitelists (accept messages from senders on the list):
- there must be some way of receiving from a new sender
- they are of limited use if email addresses can be spoofed
Note that the tools are of limited use, because of email spoofing.
In fact, I would assert that authentication is the heart of our
problem. If a spammer can fake the FROM address of my best friend
(or your friendly tax dept), it will be very hard to automatically
delete that message - you're going to have to check it just in case.
CONCEPT: And now the concept...
The New Zealand government has developed a specification for
securing Internet email (authentication/encryption/integrity),
between agencies, using S/MIME gateways.
http://www.e-government.govt.nz/see/mail/index.asp
This system is in use by over 50% of government agencies in New Zealand
already. It will be adopted by 98% of government agencies by December
2003. Agencies have chosen to implement it either with commercial off
the shelf packages, or through the development of an open source version.
The specification is an interpretation of several RFCs:
http://www.e-government.govt.nz/docs/see-mail-bus-req-2-2/chapter1.html
If an ISP were to adopt the system, then a customer's FROM
address, could match the email address(es) associated with the
username/password of the ISP account. In this way, we could authenticate
all messages between that ISP's customers and any other system user.
Because it happens at a server level, the customer never sees
the complexity of PKI. The servers automatically establish
and maintain links with new servers they discover (so long as
the server's CA is trusted).
Over time, whitelists and blacklists then become very useful. Users
can choose not to receive any "anonymous" (non-authenticated) messages.
Senders who abuse their position can be put on a blacklist, and any
future authenticated messages from them are ignored.
More importantly, I can be sure that I will always receive messages
from people I trust without some filter getting in the way.
Obviously there will be issues to resolve. For instance, free mail
companies such as Hotmail will probably be ignored by most people.
Regards,
Mike Pearson, S.E.E. Manager http://www.see.govt.nz
Phone : +64 (4) 495-6769
Fax : +64 (4) 495-6669
Mobile: +64 (21) 631-731
mailto: mike(_dot_)pearson(_at_)ssc(_dot_)govt(_dot_)nz
************************************************************************
E-government Unit, http://www.e-government.govt.nz
STATE SERVICES COMMISSION http://www.ssc.govt.nz
Te Komihana O Nga Tari Kawanatanga
Level 4, 100 Molesworth St
PO Box 329, Wellington 6015,
NEW ZEALAND
************************************************************************
This email and any replies are subject to the Official Information Act
1982, and may be made available under that Act.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg