From: Jason Hihn <jhihn(_at_)paytimepayroll(_dot_)com>
To: Asrg <asrg(_at_)ietf(_dot_)org>
Subject: [Asrg] How to defeat spam that uses encryption?
If I were a spammer (I am not) I'd start encrypting messages to throw off
content filtering. Public keys are easily obtainable and are readily
associated with good email addresses.
Well, if you were a spammer and you did that, you'd soon be out of
business. I would estimate that fewer than one in 100 e-mail users
use PGP or GnuPG at all, and even fewer than that have a public key.
So you'd drastically limit your audience.
In fact, widespread use of GPG-style encryption could help defeat
spammers. If most people only accepted encrypted messages (except
from whitelisted mailing lists and such), it would become very
expensive to spam. (Yes, I know this will never happen -- don't
bother replying.)
Also, but not quite as complex:
A few years ago, I 'invented*' a way to encode a whole web page as a long
string. This string is a variable in JavaScript. When it's opened, a
function is applied to the string where it's decoded contents are written to
the browser. Imagine a simple ROT13 decoder. What's more is Bayesian
filtering would fail because the spammer can invent pads, and ROT bases,
thereby inventing new 'words' in the dictionary all the time.
You're assuming that most people have JavaScript-enabled mail readers.
There are simpler ways to defeat filtering, checksums and such without
depending on client-side software.
Just a thought of what's to come...
Indeed. Nevertheless, forcing tricks like that on spammers forces
them to use detectable behavior. For those who reject any solutions
that simply perpetuate an "arms race", I think you'd better get over
it. For the medium-term (5-10 years), "arms race" tools will be the
only practical anti-spam tools.
--
David.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg