ietf-asrg

Re: [Asrg] Proposal for transition to authenticated email

2003-05-01 14:46:34
Maybe I didn't explain myself fully.

The basic idea is that at the moment we _cannot_ trust any content that is
in an SMTP session (ok, maybe the originating IP address, but that's a TCP
thing).  If there was a way in which a single header would indicate the
true sender of a message, or resender for mailing lists, then systems could
be built which utilize this basic piece of validated information.

In the simplistic case, I cannot whitelist/blacklist any sender or domain
because it's possible to forge this information into a message or envelope.
While a spammer could get their own certificate and sign 100,000 email
messages, it does cause them to both expend time/energy/money in doing so
and also provides a way in which large quantities of messages can be
refused/deleted based on the ability to validate the sender.  You could also
have simple systems where, if the sender is "new", the message is deferred
for some period of time before it's delivered, thus letting probe accounts
create decisions about the message prior to its final delivery.

David,
--koblas

From: "Ken Hirsch" <kenhirsch(_at_)myself(_dot_)com>
From: "David Koblas" <koblas(_at_)mailfrontier(_dot_)com>
I've been reading this discussion for a while and I have one core
question, which is why is this an "antispam certificate".  At the end of
the day, we've all got a slightly different idea of what is and isn't
acceptable as a message (yes, there is a very large common ground).

Why not focus on Verifiable/Validated senders and let other systems worry
about the policy for specific senders.  It strikes me that it would be
easy to have a system that adds a single new header "ValidatedSender:
user(_at_)isp(_dot_)com; ...stuff including signature..."  Then other
systems could make a policy decision based on that _verifiable_ header.

By itself, it doesn't mean anything.  Every spammer will insert it on
their own and send through an open relay.  A spammer could have 10,000
accounts on hotmail and each one would be a legitimate hotmail account.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg

