ietf-asrg

RE: [Asrg] S/MIME

2004-03-22 06:00:07


Yakov Shafranovich wrote:

However, this is an anti-spam group and within the context of fighting
spam, how will this help? The problem that I have is that there are
several identity schemes here and none of them address the point of what
do you do, once the identity is established. There is IP identity,
domain/IP identity (LMAP/MARID), heavier cryptographic identities,
etc. All of these lead into the same point - once the identity has been
established, what happens then?

This is a question to the entire group, not you directly.

It's rather a question of what you do if you can't establish identity,
surely? Most of the spam I receive has forged From: address (822 header, not
821). If there was an easy way of determining that an address was forged (a
way which would cater for mailing lists) I would use it and discard all the
mail with forged addresses.  I know this will raise howls of rage from the
undisciplined roamers but I don't care - if they can't be bothered to sort
out their roaming in a disciplined manner (for example From: wherever they
are, with a Reply To: header to identify their base; or secure tunneling to
their base from wherever they are; or use S-Mime; or whatever, depending on
what the authentication method is) then I don't care if I don't see their
mail.  I also know that (unless spammer practices change a lot) such a
mechanism would eliminate most of the spam I receive.

The other useful thing about sender authentication is that it makes law
enforcement easier.  That will help reduce spam too.

Finally, there are plenty of blacklists out there which use email sender
lists (and MS of course provide a nice mechanism for dummies to blacklist
senders in their MUA offerings).  With sender authentication these
blacklists will cease to be a disaster (since they won't contain the forged
addresses).  Maybe they won't be useful, but they will at least be less
harmful than today so the mechanism will reduce the damage done by spam.

To me, that's a good enough reason to want some sort of easy and reliable
sender identification.

Of course it doesn't help with phishing spam, or with any sort of spam,
where the sender is using an address he owns - except that he might now be a
little easier to trace for law enforcement purposes.

Tom


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


