
RE: [Asrg] 3b. SMTP Verification - Reputation/Accreditation Services - Problem Statement

2004-03-16 07:31:34
I don't know if it is what Philip meant, but I understood it that way that such a system has to have hard rules and only these rules decide about inclusion or not. Addons like "but we may not include you if we don't like the name of your company, even if all the other rules are fulfilled" is unacceptable.

That's exactly what I meant. It was an echo of sentiments expressed by others here.

This is my main complaint against some of the folk who appear
to be looking to enter this market. They seem to think that
they can run an accreditation service as if it was a blacklist.

If you allow room for discretion you are going to find that
you are forced to use it in favor of the vast majority of your
customers. Relying parties won't be able to quantify the level
of trust you are providing. The results are very bad.


Exactly my point. I didn't say a list has to include all email users, but all those in compliance with the rules for inclusion, spammer or not.

There could be empirical rules for determining who is a spammer.
Sending quantities of email to honeypots would be an example.

That is an empirical rule.


Think SSL/TLS: Everyone can buy a certificate signed by a CA as long as the domain/server he wants to buy it for is theirs and they can authenticate themselves via official documents like a company register or something like that. This authenticates the host, but it does not rate him good or bad.
However it is easier and safer for e.g. the receiver to build a blacklist based on this authenticated data.
So the reputation/accreditation system should be open to everyone.

My personal opinion is that there are much lighter-weight ways to do 
authentication for this purpose, 

You don't need to have digital signatures for this purpose. You merely
need to make the cost of breaking the auth scheme higher than the benefit.

If we take the highest value spam - phishing, the payoff for a successful
message is about $2, being the black market price for a hijacked credit
card. The conversion rate for this spam is pretty high, call it 1%. That
gives a value of 2 cents/message.


Breaking a 512-bit digital signature would cost in the tens or hundreds
of thousands of dollars. It is clearly secure. But breaking the DNS
authentication mechanisms such as SPF would cost a significant amount.
I have not seen bulk cracking of DNS machines; unlike end user machines
they do not usually run other code, and you can't really download a virus.

If the machine has to be bespoke hacked we are talking about a $50 hack
minimum, so you have to send 2,500 spams from that domain to recoup the 
cost. 

But if you send out a large volume of spam you will start to hit spam 
pots and the hijacked domain name's reputation will be killed.


OK the IP based authentication does not put the most technically 
sophisticated spammer with criminal connections out of business, but
it does put most of the field out of business. 2 cents is much more
than the cost of clickthroughs.

depends what you mean by "international".  There have been attempts to get US/EU agreement on the topic, but they have failed because the US side doesn't want to do anything that might actually stop the spammers from spamming.

That's not really the case. The EU had existing privacy legislation
for dealing with junk mail. This was extended to cover spam.

The US did not have junk mail legislation; it acted against spam
alone. As a result the CAN-SPAM Act was narrowly drawn to attack
only the worst of the worst spammers.

Sure the US has to do more here, it has to write legislation to
deal with what is now the secondary problem of merely irresponsible
emailing rather than bulk sending of forged mail. But I would not
want those rules written at this time.

                Phill 
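The cost argument in the message above (2 cents of phishing value per message, a $50 bespoke hack of a DNS host, and a hijacked domain whose reputation dies once its mail starts hitting honeypots) carried through as an attacker break-even model. This is an added example, not code from the original message or from the ASRG; the dollar figures and the 1% conversion rate are the ones stated in the post, while the trap density `honeypot_fraction` and the number of trap hits that kills a reputation `hits_to_kill` are assumed parameters chosen for illustration.

```python
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class AttackEconomics:
    """Per-message economics of phishing spam; default figures are those given in the post."""
    payoff_per_success: float = 2.00   # black-market price of one hijacked credit card
    conversion_rate: float = 0.01      # "call it 1%" of messages yield a card
    compromise_cost: float = 50.00     # bespoke hack of one DNS host, "$50 minimum"

    def value_per_message(self) -> float:
        return self.payoff_per_success * self.conversion_rate

    def break_even_messages(self) -> int:
        """Messages that must be delivered from the hijacked domain to recoup the hack."""
        return ceil(self.compromise_cost / self.value_per_message())


def messages_before_blacklist(honeypot_fraction: float, hits_to_kill: int) -> float:
    """Expected number of messages sent before the domain's reputation is killed.

    Assumption (not from the post): each recipient address is a spam trap with
    probability honeypot_fraction, independently of the others, and the domain is
    blacklisted once hits_to_kill trap hits have been observed. The expected number
    of messages needed to accumulate hits_to_kill hits is hits_to_kill / honeypot_fraction.
    """
    if honeypot_fraction <= 0:
        return float("inf")   # no traps at all: the campaign is never cut off
    return hits_to_kill / honeypot_fraction


def expected_profit(econ: AttackEconomics, planned_messages: int,
                    honeypot_fraction: float, hits_to_kill: int) -> float:
    """Attacker profit when the campaign is either cut off by the blacklist or finishes first."""
    delivered = min(planned_messages,
                    messages_before_blacklist(honeypot_fraction, hits_to_kill))
    return delivered * econ.value_per_message() - econ.compromise_cost


def min_trap_density_to_defeat(econ: AttackEconomics, hits_to_kill: int) -> float:
    """Smallest honeypot fraction at which the attacker can no longer recoup the hack.

    The domain has to die before break_even_messages are delivered:
        hits_to_kill / f < break_even   <=>   f > hits_to_kill / break_even
    """
    return hits_to_kill / econ.break_even_messages()


if __name__ == "__main__":
    econ = AttackEconomics()
    print(f"value per message: ${econ.value_per_message():.2f}")
    print(f"break-even: {econ.break_even_messages()} messages")
    for density in (0.0, 0.001, 0.005):   # assumed trap densities, for illustration
        profit = expected_profit(econ, 10_000, density, hits_to_kill=5)
        print(f"trap density {density:.3f}: profit on 10,000 messages = ${profit:.2f}")
    print(f"trap density that defeats the attack (5 hits kill a domain): "
          f"{min_trap_density_to_defeat(econ, 5):.4f}")
```

With the post's figures the break-even is 2,500 delivered messages, so if five trap hits are enough to kill a domain's reputation, traps only need to make up 0.2% of the recipient addresses for the $50 hack to lose money; at a 0.5% density a 10,000-message campaign ends about $30 in the red, while with no traps at all the same campaign nets $150.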

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg