2004-06-09 06:16:35

Russ Housley <housley(_at_)vigilsec(_dot_)com> writes:

> This news article will be of interest to members of this IETF mail list.

Probably off-topic, but I just have to add my $0.02: This was debated on the
cryptography list a week or two back, and before that in another forum; the
general feeling ranged from it being almost completely ineffective through to
marginally effective, and nothing like the optimistic:

  Once rolled out, e-mail authentication is "going to have a major impact" on
  spam, says Miles Libbey, antispam product manager for Yahoo Mail. "That's
  not to say the spammers won't adapt...but it's a critical thing to have in

in the article.  The protocols mentioned in the article are all some variant
on the "build a big wall around the Internet and only let the good guys in",
which will never work because the Internet doesn't contain any definable
inside and outside, only 800 million Manchurian candidates waiting to
activate.  For example MessageLabs recently reported that *two thirds* of all
the spam it blocks is from infected PCs, with much of it coming from
ADSL/cable modem IP pools.  Given that these "spammers" are legitimate users,
no amount of crypto will solve the problem.  I did a talk on this at the
AusCert 2004 conference where I claimed that various protocols designed to
enforce this (Designated Mailers Protocol, Reverse Mail Exchanger, Sender
Permitted From, etc etc) will buy at most 6-12 months, and the only dissent I
got was from an anti-virus researcher who said it'd buy weeks and not months.

See the cryptography list archives and for more on this.


