Hi Bob,
> I think you are mixing issues here. (i.e. technical and
> economic)
Yes. I was agreeing with your technical suggestion of signing.
But thinking about its application to solve the real world
problem it seemed relevant to talk about economics.
> The point is to allow a receiver to verify that the
> claimed sending server is, in fact, the one that sent the
> message. The method will verify spammer's machines just as
> well as non-spammers.
Yes, I understood that part.
> Sure, we could make it more expensive for everyone to send
> mail in order to squeeze out the spammers. But, we'll squeeze
> out a large number of other people at the same time. Using
> such a blunt method should only be considered if there are no
> alternatives.
Yes. If there is a low cost solution to make it harder to create
new 'verified sender domains' that's preferable: I just did not
have a good low-cost suggestion.
> Right. So, don't refuse them. Simply mark them
> as "suspect." Then, let the mail clients deal with presenting
> them, filing them in "gray inboxes" etc.
Yes, that's equivalent to what I meant by "ability to increase
probability of an email being spam if sender is not verified,"
which you seemed to disagree with later on.
> Wrong. You don't have to make domain creation expensive
> in order to have confidence in white/black domain lists as
> long as you can verify the source of a message. My proposal
> allows you to have confidence in the utility of your lists
> even though it adds zero cost to domain creation.
You lost me here. Here is what I meant, and maybe my thinking
is flawed, but let me try again: the spammer can create every
day at sunrise a _new_ domain and its associated free signing cert,
then spend the day happily spamming. At the receiving end, I see
a new sender domain which is 'signed or verified' but I don't
know yet it is a spammer because that domain appeared today so
it is not in my black list yet. By the time I put it in my black
list the spammer has already moved on and started using a fresh
verified sender domain.
This is exactly what spammers are doing today with domains in
spamvertised URLs: they use one or more new domains daily.
Making it more difficult to create new verified domains
(using economics or not) would make black listing much more
valuable in a world with verified senders.
> Any anti-spam method that relies on the fact that
> spammers might not follow some technical guidelines is doomed
> to failure. You must assume that spammers will follow all of
> the technical rules -- they just don't follow the moral or
> legal rules. Any other set of assumptions will result in
> systems that are trivial to get around - simply by following
> the rules.
Agree: the increased probability I was mentioning is similar to
what you were suggesting above ("Gray inbox"). But you are right:
one still needs defenses for the verified senders: your proposal
makes blacklist an effective defense against verified senders,
with the caveat I mentioned above.
Thanks
jean
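
The blacklist-lag caveat discussed in this message, as an added example that is not part of the original thread: a small receiver-side model in which unverified mail goes to a gray inbox and verified mail is judged by a domain blacklist. The function names, the `spam-N.example` domains and the rotation/lag parameters are constructed assumptions for illustration.

```python
from collections import Counter

def classify(verified, domain, blacklist):
    """Receiver policy sketched in the thread: unverified mail is only marked
    suspect; verified mail is judged against the domain blacklist."""
    if not verified:
        return "gray"
    return "blocked" if domain in blacklist else "inbox"

def simulate(days, rotation_days, lag_days, msgs_per_day=100):
    """Constructed model: a sender of verified spam replaces its domain every
    rotation_days; the receiver blacklists a domain lag_days after first
    seeing it. Returns message counts per verdict."""
    first_seen = {}          # domain -> day the receiver first saw it
    blacklist = set()
    verdicts = Counter()
    for day in range(days):
        # Domains first seen at least lag_days ago are on the list by now.
        blacklist.update(d for d, seen in first_seen.items()
                         if day - seen >= lag_days)
        domain = f"spam-{day // rotation_days}.example"  # constructed name
        first_seen.setdefault(domain, day)
        verdicts[classify(True, domain, blacklist)] += msgs_per_day
    return verdicts

def blocked_fraction(days, rotation_days, lag_days):
    """Share of verified spam that the blacklist stops over the period."""
    verdicts = simulate(days, rotation_days, lag_days)
    return verdicts["blocked"] / sum(verdicts.values())

if __name__ == "__main__":
    # Same one-day listing lag, different domain lifetimes.
    for rotation in (1, 10, 30):
        share = blocked_fraction(30, rotation, 1)
        print(f"new domain every {rotation:2d} day(s): {share:.0%} blocked")
```

With a one-day listing lag, daily domain rotation leaves the blacklist with nothing to block, while longer-lived domains are blocked for most of their lifetime.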