ietf-asrg

Re: [Asrg] Lets Fix Mailing Lists

2003-03-09 00:51:43
From: tjacobs(_at_)redsword(_dot_)com

...
> Short of the protections offered by some "fancy crypto solutions",
> what is to keep a spammer from using the public algorithm used in
> generating tokens to generate his own?

I don't think digital signatures involve fancy crypto solutions,
at least not if based on a public key published with the subscription
confirmation.  

If you know of a way that a spammer can generate its own authenticating
tokens in such a scheme, you should publish it and become famous.

>                                         Obviously it would result in
> a huge number of failures, but the fact that spammers now use
> dictionary attacks (and worse) suggests that they would be just as
> willing to try that approach.

Please read about digital signatures.

Brute force dictionary attacks involving a few 1000 or 1,000,000 names
are one thing.  Brute force attacks on public key signatures that
involve an SMTP transaction per test are something else entirely.
You couldn't begin to start a single attack before the human race has
disappeared.


...
> Ideally, what I would like to see is some approach that requires
> large CPU overhead for sending a large number of messages, because
> this should at least throttle the bulk mailers.

Why penalize legitimate bulk mailers such as the IETF?  
The IETF, CERT, and many other outfits are bulk mailers.

>                                                  There are a couple
> of variations to this approach that I think might be workable, such
> as a mail protocol where the sender first sends a "i'm about to send
> a message" message, and the receiver generates a key pair, sending
> the arbitrary "public" key to the sender, who then uses it to encrypt
> the message,...

Please read about simple crypto-based authentication.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
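
The signature-based list token discussed in the message above, as an added example that is not part of the original thread: the list signs each post with a private key, and the subscriber checks it against the public key received with the subscription confirmation. The choice of Ed25519, the function names, and the fields bound into the token (subscriber address, message ID, body hash) are assumptions made for illustration; the thread names no algorithm or token format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// NewListKey creates the list's key pair; only the public half is sent to
// subscribers (here assumed to travel in the subscription confirmation).
func NewListKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tokenInput binds a token to one subscriber and one message, so a token
// copied from a genuine post cannot be reused on different content.
func tokenInput(subscriber, messageID string, body []byte) []byte {
	sum := sha256.Sum256(body)
	return []byte(fmt.Sprintf("%q\n%q\n%x", subscriber, messageID, sum))
}

// SignToken runs on the list server, the only holder of the private key.
func SignToken(priv ed25519.PrivateKey, subscriber, messageID string, body []byte) string {
	sig := ed25519.Sign(priv, tokenInput(subscriber, messageID, body))
	return base64.StdEncoding.EncodeToString(sig)
}

// VerifyToken runs in the subscriber's filter. Knowing the algorithm and the
// public key is enough to check a token but not to produce one.
func VerifyToken(pub ed25519.PublicKey, token, subscriber, messageID string, body []byte) bool {
	sig, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, tokenInput(subscriber, messageID, body), sig)
}

func main() {
	pub, priv := NewListKey()
	_, otherPriv := NewListKey() // a key pair the sender made for himself
	// Constructed sample values.
	sub, id, body := "alice@example.org", "<1@list.example.org>", []byte("list post")
	tok := SignToken(priv, sub, id, body)
	fmt.Println("genuine post:       ", VerifyToken(pub, tok, sub, id, body))
	fmt.Println("token on other body:", VerifyToken(pub, tok, sub, id, []byte("other text")))
	fmt.Println("self-generated key: ", VerifyToken(pub, SignToken(otherPriv, sub, id, body), sub, id, body))
}
```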