Hi,
unfortunately I didn't find the time to attend the IETF in
Paris, not even to follow discussions in Jabber etc.
But I read in a German computer magazine's newsticker that a
'brandnew' proposal was made by German University of Karlsruhe
(newsticker says it "circulated", whatever this means), which is
called "SAVE" (Spam Protection by Using Sender Address Verification
Extension). Slides at http://www.tm.uka.de/itm/publications.php?id=112
If I read the slides correctly, their idea is to increase the cost of
sending e-mails with mathematical puzzles, which is seen as acceptable
for a few e-mails, but not for mass e-mails. Mails from an unknown
(=not-yet-whitelisted) sender are put in a 'holdbox', and the
receiving MTA sends a challenge consisting of a puzzle back to the
sender. The sender then has to prove his sincerity by solving the
puzzle, either a mathematical one by automatically expending costly
computation time, or by solving a puzzle made for a human (an image
which you have to read numbers from, like on some web registration
forms).
As far as I can see, this looks almost exactly like the e-mail stamp
proposal Bill Gates made at several conferences and several interviews
before Microsoft came up with CallerID/SenderID. They also proposed to
increase costs by challenging the sender with mathematical puzzles
with the assumption that this is not a burden for regular e-mail but
a barrier for spammers. The only differences I can see are
- If I remember well, Gates was talking about mathematical puzzles
only, not human-solvable ones. But I guess if such human-solvable
puzzles are made on a large scale base with standard software, it
won't take a long time until the software to automatically solve them
will appear.
- I've never seen precise specs about Gates' proposal, but I
always thought that they immediately rejected messages with the
challenge in SMTP. In contrast, SAVE proposes to first accept the
message, then drop it in the hold box and send a separate mail with
the puzzle back to the sender, in order to challenge and sort of
authenticate him/check existence of sender address.
That is a difference, however, it appears to be highly
questionable. The authors themselves propose to give the recipient
read access to the holdbox (of course, without explaining how
recipients are to have access to the receiving MTA), just in case
the recipient was waiting for an expected or important e-mail. So it
puts the burden on the recipient to continuously watch all that spam
folder for important but still kept back e-mails. Requiring the
recipient to manually walk through the complete spam folder
regularly is not exactly what I consider an anti-spam-solution.
Furthermore, this appears to be unlawful under German law. As you
might have heard, a German higher court recently decided that even
at a university it can be a crime to suppress or delay someone else's
e-mails. Ironically, the SAVE proposal comes from the very same
faculty of the very same university the court decision was about. So
I am kind of surprised that they still come up with such a
proposal.
But beyond these two minor differences, SAVE looks pretty much like
Gates' proposal. Can anyone give me a hint why this is said to be
'brandnew'? Has this been a talk in an IETF session?
regards
Hadmut
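
The hold-and-challenge flow described in the message above, as an added example that is not part of the original post or of the SAVE slides. The puzzle construction (a number whose SHA-256 hash together with the sender address and nonce has leading zero bits), the class and function names and the 12-bit difficulty are assumptions; the post does not say which puzzle SAVE uses.

```python
import hashlib
import os
from itertools import count

DIFFICULTY_BITS = 12  # constructed value, kept small so the demo runs quickly

def valid(sender, nonce, solution, bits):
    """True if SHA-256(sender:nonce:solution) starts with `bits` zero bits."""
    digest = hashlib.sha256(f"{sender}:{nonce}:{solution}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def solve(sender, challenge):
    """Sender side: brute-force search, about 2**bits hashes on average."""
    for i in count():
        if valid(sender, challenge["nonce"], i, challenge["bits"]):
            return i

class ReceivingMTA:
    def __init__(self, bits=DIFFICULTY_BITS):
        self.bits = bits
        self.whitelist = set()
        self.holdbox = {}  # nonce -> (sender, message)
        self.inbox = []

    def receive(self, sender, message):
        """Deliver whitelisted mail; otherwise hold it and return a challenge."""
        if sender in self.whitelist:
            self.inbox.append((sender, message))
            return None
        nonce = os.urandom(16).hex()  # fresh per message, so solutions cannot be reused
        self.holdbox[nonce] = (sender, message)
        return {"nonce": nonce, "bits": self.bits}

    def answer(self, sender, nonce, solution):
        """Verify a solution; on success release the held mail and whitelist."""
        held = self.holdbox.get(nonce)
        if held is None or held[0] != sender:
            return False  # unknown or already used challenge
        if not valid(sender, nonce, solution, self.bits):
            return False  # mail stays in the holdbox
        del self.holdbox[nonce]
        self.inbox.append(held)
        self.whitelist.add(sender)
        return True

def demo():
    mta, sender = ReceivingMTA(), "alice@example.org"  # constructed address
    ch = mta.receive(sender, "first mail")
    held = len(mta.holdbox)
    ok = mta.answer(sender, ch["nonce"], solve(sender, ch))
    replay = mta.answer(sender, ch["nonce"], 0)
    return held, ok, replay, mta.receive(sender, "second mail"), len(mta.inbox)
```

Verification costs the receiver one hash, while the sender pays roughly 2**bits hashes per first contact; that asymmetry is the cost argument the message refers to.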