ietf-asrg

RE: [Asrg] Certs required to send mail

2003-03-26 12:42:49
What I have not seen an answer to is my point that bulk mailer
software is already designed to drop connections that are too slow,
and so the only effect tarpits are likely to have is on the most naive
spam senders and friendly fire on the innocent.

Another problem is that any hackback system can be abused by hackers.
We saw this in network security: attackers simply co-opted the
hackback systems to attack the targets of their choice.

How many tarpits are set up to be proof against a subversion attack?
Do they authenticate the information they use for targeting?
What happens if someone poisons the distribution of the RBL?


        Phill

Tarpits are an interesting idea, but of course they have a risk. As we
know all spam detectors have false positives, and we must be very sure
we don't tarpit a legitimate mailer. In one case, when we at the EFF
sent out our newsletter including some notes about spam, SpamAssassin
tagged it as spam. This would have put us in a tarpit if it used
similar algorithms to SpamAssassin.

However, this can work if you can make an easy system for legitimate
mailing lists to whitelist themselves to be immune from any tarpitting.
I would recommend a wide variety of means of whitelisting, ranging from
the basic of getting your IP on a list, to certificates, to magic-tags
etc.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg