
Re: [Asrg] RE:ASGR 8a Use of certificates

2003-04-07 08:15:12
Vernon Schryver <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com> wrote:

Although some MUAs have signature/checking capabilities, rather a lot
have no such capability.  Do any of the webmail systems have such
capability?  Even where an MUA has the capability, is it usable by
the average user?  Plainly and simply, the signature and checking
capabilities of current MUAs are not designed to address our issue.

I think that is wrong, because I think most people use Netscape, Outlook,
or Outlook express.  I know Netscape has long handled cert-signed mail,
because I've tried it.  I've not tried Outlook (Express), but I've the
impression they also can do it.

Sure they have the capability.  But it's an unusable nightmare, maybe
usable for you or for me or for most asrg list members, but usable by the
average email punter (the one who may fall for the spammer's scam)? - No
way.
Anyway, we have to question whether certificates and signatures are the best
method of authentication for the spam reduction job (I'm fairly neutral).
The chain of IP addresses in Received From headers is not much different in
principle from the chain of signatures in a certificate chain. Rejecting
mail with a clearly forged certificate and rejecting mail with a clearly
forged Received From header are not much different. Currently no-one does
either.

Post Script:   I suspect Vernon will be very unhappy if the group
ends up supporting approaches other than one particular one;  but
I'm not going to decry that particular one because it wasn't
invented here, and I just wish he would show other members of this
list that same courtesy. We are going to need to apply lots of
partial solutions and not reject anything that is useful just
because it will not solve more than 90% of the problem on day one.

Just for my own information, could you let me know which approach I
prefer?

A combination of DCC plus arbitrary blacklisting based on apparent
unverified source address, if
http://www.rhyolite.com/anti-spam/freemail.html is a reliable indication.
Now that many free providers implement rate limiting (I wish go.com would
implement it too - I get too much spam with authentic go.com email
addresses), it must be clear that blacklisting them is not going to
block much spam if the source is verified - looks as if verification would
reduce rejection of non-spam at any site following rhyolite's advice.  (It's
noticeable that your site is careful to talk about "spam claiming to be from
them", apparently accepting the position that some spam is designed to
conceal its source, a point that you have consistently argued against on
this list).

I can't think of anything that might qualify as a solution to spam
except what I think is inevitable legislation that will tax or license
bulk mail.  That will not really solve the spam problem but only change
the spammers and limit the total spam in most mailboxes.  I do hope
that the DCC might help with spam after that legislation, but it does
not qualify as a solution now or then.

I suspect legislation is indeed inevitable and is an essential component of
any solution to the spam problem.  The current EU directive on spam
(basically: "member nations are required to bring in legislation effective
before 1 Oct 2003 to make commercial email without prior opt-in a serious
offence") is a first step. Getting China, Indonesia, Russia, and the US to
join in would help a lot since that would cover today's largest sources of
spam.  With such legislation, source identification that would stand up in
court would be rather useful - that's why I think some form of
authentication is needed to back up the legislation. Reliable detection of
fake source/path information could also provide a good filter mechanism to
supplement those which already exist.

Tom Thomson





_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
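As an added illustration of the "clearly forged Received From header" check discussed in the exchange above (this is example code written for this page, not code from the original thread or from any ASRG proposal), the Python below walks the Received: chain from the top of a message, checks that each hop's "by" host is the host the next-newer hop says it received from, and reports the one source address that a trusted local MTA actually observed. The hostnames, addresses and the trusted-host set are constructed for the example and are not from the post.

```python
import email
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Hop:
    """One Received: line. In a message the newest hop is at the top."""
    from_host: Optional[str]  # name the sending MTA announced (HELO/EHLO)
    from_ip: Optional[str]    # address the receiving MTA recorded for the connection
    by_host: Optional[str]    # the MTA that wrote this line


# Constructed sample headers (hypothetical hosts and addresses, not from the post).
# Hops 0-2 chain correctly. Hop 3 claims it was relayed by bogus-relay.example.com,
# but hop 2 recorded a connection from 198.51.100.7 / "unknownhost", not from that
# relay, so hop 3 is a line the sender wrote itself to fake a respectable origin.
SAMPLE_HEADERS = """\
Received: from mail-out.example.net (mail-out.example.net [192.0.2.10])
    by mx.example.org (Postfix) with ESMTP id 4F2A1
    for <user@example.org>; Mon, 7 Apr 2003 08:10:02 -0600
Received: from relay.example.net (relay.example.net [192.0.2.20])
    by mail-out.example.net with ESMTP id abc123;
    Mon, 7 Apr 2003 08:09:55 -0600
Received: from unknownhost ([198.51.100.7])
    by relay.example.net with SMTP id def456;
    Mon, 7 Apr 2003 08:09:40 -0600
Received: from trusted-bank.example.com (trusted-bank.example.com [203.0.113.5])
    by bogus-relay.example.com with ESMTP id ghi789;
    Mon, 7 Apr 2003 08:00:00 -0600
"""

_FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str) -> Hop:
    """Extract the from-host, the recorded IP and the by-host from one Received: value."""
    text = " ".join(value.split())  # unfold the header and squeeze whitespace
    from_host = from_ip = by_host = None
    m_from = _FROM_RE.search(text)
    if m_from:
        from_host = m_from.group(1).lower().rstrip(";,")
        comment = m_from.group(2) or ""
        m_ip = _IP_RE.search(comment)
        from_ip = m_ip.group(1) if m_ip else None
    m_by = _BY_RE.search(text)
    if m_by:
        by_host = m_by.group(1).lower().rstrip(";,")
    return Hop(from_host, from_ip, by_host)


def parse_received_chain(raw_headers: str) -> List[Hop]:
    """Return the hops in message order: index 0 is the newest (our own MTA's) line."""
    msg = email.message_from_string(raw_headers + "\n")
    return [parse_received(v) for v in msg.get_all("Received", [])]


def chain_breaks(hops: List[Hop]) -> List[int]:
    """Indexes of hops whose 'by' host is not the host the newer hop says it got the mail from."""
    breaks = []
    for i in range(1, len(hops)):
        newer, older = hops[i - 1], hops[i]
        claimed_sender = {x for x in (newer.from_host, newer.from_ip) if x}
        if older.by_host not in claimed_sender:
            breaks.append(i)
    return breaks


def verified_source(hops: List[Hop], trusted_hosts: Set[str]) -> Optional[str]:
    """The IP the first trusted MTA saw when mail entered our infrastructure.

    Only lines written by hosts we run are verified; every line below that
    boundary is whatever the sender chose to put there.
    """
    trusted = {h.lower() for h in trusted_hosts}
    for hop in hops:
        if hop.by_host not in trusted:
            return None  # chain leaves our infrastructure: nothing below is verified
        if hop.from_host not in trusted:
            return hop.from_ip
    return None


if __name__ == "__main__":
    hops = parse_received_chain(SAMPLE_HEADERS)
    print("verified source:", verified_source(hops, {"mx.example.org"}))
    print("suspect hops:", chain_breaks(hops))  # [3]: the self-written "bank" line
```

The point of `verified_source` is the caveat behind the whole exchange: the only Received: line you can rely on is the one your own MTA wrote, so a rule keyed on "the source" must use that recorded address and nothing further down. `chain_breaks` catches only clumsy forgeries; a sender who writes an internally consistent fake chain passes it, which is why path-consistency checks supplement, rather than replace, rate limiting, DCC-style bulk detection or blacklisting.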