ietf-asrg

Re: [Asrg] Email Certification Path Proposal

2003-03-11 15:30:55
On Tue, 11 Mar 2003, Vernon Schryver wrote:

> > From: Matt Sergeant <msergeant(_at_)startechgroup(_dot_)co(_dot_)uk>

> > > That's wrong, even if you tie email addresses to official government
> > > identities such as U.S. social security numbers.  As I said, Ralsky
> > > and other spammers would never run out of social security numbers with
> > > which to authenticate his spam.  He could pay a "homeless person" to
> > > use certificates based on the person's social security numbers for 2
> > > or 3 weeks of spam.  At the end of 2 or 3 weeks when that certificate
> > > is widely blacklisted, he could hire another "homeless person."

> > You're focusing far too much on the perfect here. I said "stronger
> > ability to blacklist". Not perfect, but stronger.

> How does authentication give stronger blacklisting?  Blacklisting
> by domain name and IP address works pretty well today.

Mandatory auth (and assuming it's trustable auth, however that is
implemented) means the spammer can no longer use open proxies (unless he
auths against his own servers via an open proxy) nor open relays. That
means he has to have fixed resources. Yes, the larger spammers can set up
fake ISPs and so on, but they are the minority (in my spam traps) because
this is difficult to do (and *still* results in fixed resources, albeit
with a greater freedom to move around within his slash-space). So at the
end of the day auth buys you a reasonable level of certainty that the user
is who they say they are, which means you can more effectively hit a wider
swathe of the spamming population with your blacklists.

That all requires a huge infrastructure change of course, and I'm not
suggesting it as a solution.

Matt.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg