ietf-asrg

[Asrg] Answers to the questions on PKI etc

2003-03-20 11:51:45
OK Bob and others have made some statements about PKI and how it won't work
because the spam senders are organized.

Well so are the gangs that do credit card fraud. Offline gangs will go as far
as renting premises, setting up storefronts and doing legit business for
many months before they take in a huge amount of business, get the account
factored and run. There are instances of that online but not as many as
offline.

The fact is that providing a registered address is very hard for a spam
sender to do. The big ones simply do not want to give an offline identity,
it is hard to do that in a way that cannot be traced back, particularly if
you intend to do so repeatedly. The cost of a certificate is not going to be
a major barrier for spamhaus, but the authentication process is.

The other point is that authentication is only one half of access control.
The other half is authorization. You are not obligated to accept a message
just because it is signed or otherwise authenticated.

However a simple algorithm for choosing the parties I would whitelist would
be to take the F500 companies, the Internet 500 companies, the edu domains,
the major ISPs who implement rate filtering, etc.

All the rest of the mail would go through very tight filtering and I would
accept a very high level of false positives on the residual. 


If someone really wants to contact me they can go to a hosted mail provider
that implements rate limiting and send a contact ping.

                Phill
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
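
An added example, not part of the original post, of the policy the message describes: authentication and authorization are separate checks, and mail outside the whitelist gets a much tighter filter. The domains, thresholds, and the `verified_signer` field (assumed to be the result of signature validation done upstream) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed whitelist: the post names categories, not domains.
# An entry starting with "." matches any domain under that suffix.
WHITELIST = {"example-corp.com", ".edu", "ratelimited-isp.example"}

LENIENT_THRESHOLD = 0.9  # assumed cut-off for whitelisted senders
STRICT_THRESHOLD = 0.2   # assumed cut-off for the residual (many false positives)


@dataclass
class Message:
    from_domain: str                # claimed in the header, sender-controlled
    verified_signer: Optional[str]  # domain proven by a valid signature, else None
    spam_score: float               # 0.0 (clean) .. 1.0 (spam), from a content filter


def _norm(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def is_whitelisted(domain: str) -> bool:
    """Match on whole DNS labels so 'evil-example-corp.com' is not a hit."""
    d = _norm(domain)
    for entry in WHITELIST:
        if entry.startswith("."):
            if d.endswith(entry):
                return True
        elif d == entry or d.endswith("." + entry):
            return True
    return False


def decide(msg: Message) -> Tuple[str, str]:
    """Return (verdict, filter_tier) for one message."""
    # Authentication: only a verified signer counts. The claimed From
    # domain is never consulted, so a forged header gains nothing.
    authenticated = msg.verified_signer is not None
    # Authorization: a separate decision about who the signer is.
    authorized = authenticated and is_whitelisted(msg.verified_signer)
    tier = "whitelisted" if authorized else "residual"
    threshold = LENIENT_THRESHOLD if authorized else STRICT_THRESHOLD
    # Even whitelisted mail is filtered: a signature does not oblige acceptance.
    verdict = "accept" if msg.spam_score < threshold else "reject"
    return verdict, tier
```
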


