ietf-asrg

RE: [Asrg] 2 - Solving Spam By Establishing A Platform For Sender Accountability

2003-06-28 15:51:35
From: Bob Wyman <bob(_at_)wyman(_dot_)us>

...
why is it any harder for a spammer to get a signed,
throw-away domain name than to get a throw-away personal
or other certificate?
   Why should it be hard? As far as I can see, there are only 
two useful reasons for verifying the identity of a sending 
server: First, so that you can build white/black lists and 
Second, so that you can detect false statements in mail 
headers. Of the two, the first is clearly the most important. 
Both of these two benefits arise from verification whether it 
is cheap or expensive.

That's a subversive notion, or at least contrary to the standard
rationale for authentication as a spam solution that is based on the
idea that signatures are almost free and that spammers can't get
signatures or will be disavowed by their CAs or blacklists.

I also doubt it's necessary.  Most of the senders that you might
whitelist already use practically unforgeable tokens, namely the IP
addresses of their SMTP clients.  The remaining senders that you might
add to your whitelist are likely to have other sufficient marks,
sometimes including digital signatures.  On the other side, many of
the senders you might blacklist are already easily blacklisted by
their IP address or sending domain.

What's the point of looking for lies in headers?  Most of the spammer
header lies were in Received headers, but seem to be out of style.
Spammers that send from their own systems have no reason to fake Received
headers, and neither do those using open proxies.  The other header
statements that most people mean when they say such things involve
the envelope or From sender, but I don't see how you could usefully
detect real lies there.  If signatures became necessary, then spammers'
$8 domain name registrar would provide them.  As you said, signatures
verify spammers' SMTP clients just as well as everyone else's.

A combination of IP address blacklists (including DNS BLs) and local
whitelists can be awfully effective, and requires no changes in the
mail system or other people's behavior.  That doesn't imply that
looking for improvements is not good, but any proposal that does
not do better than ~80% is a waste of breath.

The ASRG standard dichotomy between the silver bullet of the moment
and 50 spam/day/user is false.  No one need receive more than a very
few spam/week if they'll use the current mechanisms.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
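
The combination the message above describes, a local whitelist consulted before IP-based DNS blacklists, sketched as an added example that is not part of the original message. The zone name dnsbl.example, the addresses, the canned DNS answers and the function names are constructed for illustration; the resolver is passed in so the block runs offline.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Name looked up for `ip` in DNSBL `zone`: reversed octets for IPv4,
    reversed nibbles for IPv6, followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def classify(client_ip, whitelist, zones, resolve):
    """Return (verdict, reason) for the IP address of an SMTP client.

    whitelist: CIDR strings for senders trusted locally
    zones:     DNSBL zones to consult, in order
    resolve:   callable, name -> list of A records ([] when the name is absent)
    """
    addr = ipaddress.ip_address(client_ip)
    # The local whitelist wins, so a trusted sender survives a bad listing.
    for net in whitelist:
        if addr in ipaddress.ip_network(net):
            return ("accept", "whitelist " + net)
    for zone in zones:
        answers = resolve(dnsbl_query_name(client_ip, zone))
        # A listing answers inside 127.0.0.0/8; any other answer (for example
        # a wildcard on a lapsed zone) is not treated as a listing.
        if any(ipaddress.ip_address(a) in LOOPBACK for a in answers):
            return ("reject", "listed in " + zone)
    return ("accept", "not listed")

# Constructed sample data (documentation address ranges, made-up zone).
WHITELIST = ["192.0.2.0/24"]
ZONES = ["dnsbl.example"]
FAKE_DNS = {
    "7.113.0.203.dnsbl.example": ["127.0.0.2"],   # listed sender
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],    # listed, but whitelisted locally
    "9.100.51.198.dnsbl.example": ["203.0.113.1"],  # non-127/8 answer, ignored
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.7", "198.51.100.9", "198.51.100.5"):
        print(ip, classify(ip, WHITELIST, ZONES, fake_resolve))
```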


