ietf-asrg

RE: 3. Requirements - Anonymity (was Re: FW: [Asrg] 0. General)

2003-10-27 07:04:32
Hi Everyone,

I'm new to the group, and have spent the past year or so working on the
DSPAM project (http://www.nuclearelephant.com/projects/dspam/), as well
as working with the spamfilt group (a private group of other anti-spam
tool developers, mathematicians, and scientists).  I recently put
together a draft we're submitting for RFC at
http://www.ietf.org/internet-drafts/draft-spamfilt-inoculation-00.txt
after the next meeting is over.

Anyhow, I had a few comments to inject into this discussion that may or
may not be helpful.  Being new to the list, some of these things may
have already been discussed.

I had been discussing the concept of an authenticated SMTP system with a
few individuals for quite some time.  We've gone over many different
scenarios from using cipher keys in DNS records to full-blown digitally
signed SMTP.  Ultimately one problem still remained: The public would
demand that authentication be something that can be easily implemented
(whether it be on a domain-name level, or even per-user), but if that's
the case then spammers, being that their nature involves both unethical
and sometimes illegal practices, would easily be able to create new
"authenticated" domains, companies, or users on a daily or weekly basis
to circumvent this mode of spam prevention.  It's a great concept, but
in order to work we would need to find a way to prevent spammers from
being able to authenticate on this system, and being that every country
has its own set of laws (or lack thereof) about spam, identification
practices, etc., implementing any type of authentication will only make
it more difficult until spammers come up with a system of adapting to
this new environment (e.g. either authenticating a new domain, company,
or person every few days, or finding a way to steal existing
identities).

My other concern with removing anonymity is the massive number of
issues it opens up for 1. government big-brother monitoring, 2.
significant liability issues, and 3. further commercialization of the
Internet by evil companies.  The reasoning behind this is that any
authenticated system that made it impossible for a spammer to simply
generate their own keys, etc., would require the implementation of some
form of a central registry and identification process, which leads to
all of these issues, and even further privacy issues down the road.  Not
to mention, full-blown authenticated mail puts companies like Hotmail in
a precarious situation.  I'd personally rather have spam sent to my
email box than have to deal with any of these bigger headaches.  
 
Basically what I'm saying is that an authentication mechanism will stop
spammers in the present-day environment of sending spam; however, since
this authentication mechanism must be made available to any entity
sending legitimate email, spammers would easily be able to adapt to
operate in an authenticated SMTP environment, even if you apply the
"shotgun" theory of chasing after them.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg