ietf-asrg

Re: [Asrg] S/MIME

2004-03-21 14:08:36


However, this is an anti-spam group and within the context of fighting spam, how will this help? The problem that I have is that there are several identity schemes here and none of them address the point of what do you do, once the identity is established. There is IP identity, domain/IP identity (LMAP/MARID), heavier cryptographic identities, etc. All of these lead into the same point - once the identity has been established, what happens then?

This is a question to the entire group, not you directly.


(1) Sign email so that you have a handle for the sender.

(2) Create a standard header that provides information for an 'opt-out' and can be used automatically by a computer. That data needs to also include the RCPT value that was used as the target. Legal spammers and mailing lists would use this.

Now you can get off of lists by clicking an OPT-OUT button on future MUAs that says 'take this RCPT TO value and remove it from your lists'.

(3) Create a protocol for black lists much like the IM complain buttons. It does not matter why thousands of people 'complain' about the email (or IM). If thousands of people complain, add the cert to the black list.

Have the protocol track if the user says 'spam', 'offensive', or whatever. Allow the black list subscribers to select that they do not care about offensive complaints and only want a mostly spam-free inbox. We have PG-13, PG-17 and it got this rating for 'adult content' or whatever. No censoring of the address, just a meta tag. One, two, or a few may get mistagged a few times. But thousands of people saying 'offensive' would be a good hint to others.

Who would hold this data? The same people that make money selling the much less accurate black lists now. If you do not like them, do not subscribe.

(4) Some kind of SPF record is needed. If someone steals my S/MIME cert and the matching password, they COULD send spam as me. But with some kind of SPF record, they would have to do that from my domain.

Now I can retake control of my cert: (a) cancel it, (b) blacklist my own cert as 'stolen', (c) call my admin and say that 'someone' from 'our' domain has stolen my cert and password and is sending email as me. MUCH more controllable and trackable.

(5) If some kind of virus figures out how to use my cert / password, same solution as (4).

--

Doug Royer                     |   http://INET-Consulting.com
-------------------------------|-----------------------------
Doug(_at_)Royer(_dot_)com                 | Office: (208)520-4044
http://Royer.com/People/Doug   | Fax:    (866)594-8574
                              | Cell:   (208)520-4044

             We Do Standards - You Need Standards


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
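
A sketch of the complaint-driven blacklist from item (3) and the owner's 'stolen' self-listing from item (4)(b), added here as an example and not part of the original message. The class and method names, the fingerprint strings, the threshold value and the rule that each reporter counts once per cert and category are all assumptions.

```python
from collections import defaultdict

# Assumed default; the message only says "thousands of people".
COMPLAINT_THRESHOLD = 1000


class CertBlacklist:
    """Hypothetical blacklist keyed by signing-cert fingerprint."""

    def __init__(self, threshold=COMPLAINT_THRESHOLD):
        self.threshold = threshold
        # fingerprint -> category -> set of distinct reporter ids
        self.complaints = defaultdict(lambda: defaultdict(set))
        self.stolen = set()

    def complain(self, cert_fp, reporter, category):
        # The reason is recorded only as a tag ('spam', 'offensive', ...).
        # Using a set means one reporter cannot inflate the count (assumption).
        self.complaints[cert_fp][category].add(reporter)

    def mark_stolen(self, cert_fp):
        # Item (4)(b): the owner lists their own cert as 'stolen'.
        # Authenticating the owner is out of scope for this sketch.
        self.stolen.add(cert_fp)

    def tags(self, cert_fp):
        """Meta tags for a cert: categories that reached the threshold."""
        per_category = self.complaints.get(cert_fp, {})
        found = {c for c, who in per_category.items()
                 if len(who) >= self.threshold}
        if cert_fp in self.stolen:
            found.add("stolen")
        return found

    def blocked_for(self, cert_fp, subscriber_categories):
        """A subscriber filters only on the categories they selected."""
        return bool(self.tags(cert_fp) & set(subscriber_categories))


if __name__ == "__main__":
    bl = CertBlacklist(threshold=3)            # small threshold for the demo
    for reporter in ("u1", "u2", "u3"):        # constructed sample complaints
        bl.complain("fp-A", reporter, "offensive")
    bl.complain("fp-A", "u1", "spam")
    print(bl.tags("fp-A"))
    print(bl.blocked_for("fp-A", {"spam", "stolen"}))
```
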
