In deciding which email to receive (or allow to bypass strong
filtration), would you trust an irrevocable certificate from TrustE?
How about one from Verislime? How about a revocable certificate from
Spamhaus?
If you want your email to be received, which of those would you buy?
The bottom line, again, is that certificates (like SPF) ultimately DO NOT SOLVE
THE PROBLEM of spamming for the terribly simple and obvious reason that
machines
possessing valid certificates will be infected by spambot zombies (in fact,
since they're "certificated" they will be widely sought-after zombie targets).
So your "certificate-approved" machine gets infected, and now it's pumping out
"certificate-guaranteed" spam like there's no tomorrow. And that
"certificated"
mail is sailing past all the spam filtration.
Certificates, like SPF, E-postage, and other such lame ideas, simply don't
solve
the problem. They do NOT guarantee that mail is, or is not, spam.
The sad part is that they don't really even come close to that.
The nice thing about my approach... don't allow most users (i.e. those users
without a GENUINE, AGREED NEED) to send you HTML-burdened mails (force the mail
to plain ASCII text) and similarly don't allow most users (other than those
you've negotiated with and approved in advance) to send you attachments (and
open that window, guardedly, for only a few trusted senders and a few specific
attachment types).
THEN, for the stuff that has gotten through (and where most of the tricks for
obscuring content have been denied to the sender), you put it through a good
content filter which will identify the stuff as spam if it looks like spam.
It ultimately doesn't much matter if the last ten messages (or a thousand) that
sender sent were legitimate. And if they're SPF-certified, and
certificate-guaranteed too. If this one (possibly sent post-infection) is
spam,
it gets nailed. As it should.
That's part of what's good about my system. It doesn't much care who
guarantees
(or used to) that the sender was once (and maybe still is) a good guy. Even
"good guys" need to respect the limited size of my Inbox, and not waste my
resources, and also respect the other policies I've established for what I'm
willing to allow them to send me. If they don't play by my rules, then with
very high likelihood they don't get access to my E-mail Inbox. PERIOD.
My scheme virtually eliminates spams and worms being sent successfully (to ME
at
least) in E-mails, and to a very large degree regardless of who the sender is
(whether supposedly, or in fact).
My scheme also will reduce (received/stored) spam volumes (compared to today's
HTML-burdened spam volumes) by something like 70-80%, simply by virtue of
t-canning the worthless and superfluous HTML-burdened component. (While still
allowing HTML-burdened mail from those occasional senders that have made a
genuine, compelling argument for it that convinces me to open the (MY!) window
wide enough to let THEIR use of it through.)
Making that first filtering of the HTML junk happen also greatly increases the
effectiveness of the content filtering of what's left, since there are very
many
fewer tricks left available to spammers and abusers for obscuring the true
content of their unwanted messages.
So many of these unworkable/ineffective antispam schemes are being proposed
that
simply DO NOT SOLVE THE PROBLEM since they presume that "good guys" are always
really "good", that spammers only send from "bad" machines, that machines with
"certificates" cannot be zombie-ized, that spammers must of course use bogus
From: addresses, or even that they send from their own machines at all. What
crazy la-la land are such deluded engineers living in, anyhow? Talk about a
serious case of denial!
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg