
RE: namedroppers, continued

2002-12-06 16:43:39
From: Fred Baker <fred(_at_)cisco(_dot_)com>

  ... I think that boils down to "provide a global PKI" in this solution, 
and presumes that spammers are incapable of using one. That might be a 
great research topic. Too bad nobody has ever thought of it before; we 
could really use the outcome of that research. (OK, so it's a lame attempt 
at humor...)

It's been years since it was possible to be amused by the number of
people who assume that spammers are more ignorant and less competent
than they are, and so propose spam "solutions" predicated on spammers
being unable to register as many names, keys, identities, or whatever
as needed or as many as everybody else can.

...
host in each mail domain (mailid.example.com) be able to assert that its 
domain had or had not sent an email within a given recent  time period 
whose MD5 hash, when divided by <vector of prime numbers> resulted in 
<vector of remainders>. I could write that up in an internet draft if folks 
think it makes sense. That would be a more global procedure that didn't 
require a PKI and only addressed spoofed addresses. 

That's not a powerful solution, because it assumes the existence of
a central mail authenticator for every domain that might send mail.
As long as most SMTP clients don't have such authenticators, the
spammers would simply avoid the few that do, just as they already
avoid providers that break the financial kneecaps of spammers.

As far as I can tell, the familiar claim that most spam carrying
surprising header or envelope From addresses is forged is mostly wrong.
The claim seems to be based in large part on the knowingly misleading
descriptions of the situation by free mail providers.  The free providers
claim that almost all spam implicating them is "forged." If you read
the fine print in their announcements of terminated accounts, responses
to spam reports, and related messages, you'll discover that free provider
spam is "forged" in the same sense your picture postcards would be if
you were evicted from your home while travelling.

That suggests that such authenticator servers would help reduce spam
using free provider drop-boxes.  However, a better solution that does
not involve the rest of the network subsidizing the advertising agencies
that are the free providers is to reject all mail apparently from free
providers.  Doing extra processing that is made necessary only because
the free providers cannot be bothered to enforce sufficiently painful
terms and conditions on their users is a subsidy.  The free providers
could stop spammers from using their services if they would launch
lawyers, require bonds (e.g. credit card numbers), or any of many
other things, but anything would cost them money.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
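
The quoted proposal, sketched as an added example that is not part of the original messages: a per-domain service records the remainders of each sent message's MD5 hash modulo a vector of primes and answers whether a given remainder vector was seen within a recent window. The primes, the window length, and the class and function names are assumptions; the messages specify none of them.

```python
import hashlib
import time

# Assumed values: the proposal leaves the primes and the time window unspecified.
PRIMES = (65521, 65537, 104729, 1000000007)
WINDOW_SECONDS = 3600


def residues(message: bytes, primes=PRIMES) -> tuple:
    """Read the MD5 digest as an integer and reduce it modulo each prime."""
    digest = int.from_bytes(hashlib.md5(message).digest(), "big")
    return tuple(digest % p for p in primes)


class MailIdAuthenticator:
    """Hypothetical per-domain service (the 'mailid.example.com' host)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._sent = {}  # remainder vector -> time the message was sent

    def record_sent(self, message: bytes, now=None):
        """Called by the domain's outbound mail path for every message."""
        self._sent[residues(message)] = time.time() if now is None else now

    def was_sent(self, remainder_vector, now=None) -> bool:
        """Answer a query: did this domain recently send such a message?"""
        now = time.time() if now is None else now
        # Forget entries that have aged out of the window.
        self._sent = {r: t for r, t in self._sent.items()
                      if now - t <= self.window}
        return tuple(remainder_vector) in self._sent


def receiver_check(authenticator, message: bytes, now=None) -> bool:
    """Receiver side: only the remainders go to the claimed sender's
    domain, never the message itself."""
    return authenticator.was_sent(residues(message), now=now)
```
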


