Iljitsch van Beijnum wrote:
Just adding authentication only solves a very small part of the
problem: we can then accurately whitelist known senders.
Two points:
1) besides white listing, the approach also provides irrefutable
evidence to law enforcement about spam sources.
2) it is clear from the related threads that many would rather continue
the lively exchange debating nirvana, rather than tackle the small parts
of the problem that are technically achievable.
A new interpersonal batch communication system certainly
sounds like a
good idea. The problem with email is that it is incredibly ill-suited
for transferring larger files. A new protocol should be able
to do much
better in this area. However, this doesn't have much to do with spam
issues and might make the whole thing much more complex.
We can always make it more complex than necessary, but it is pointless
to compare the complexity of a new system that does the job with a
system that is proven to be open to abuse.
No one believes that a house lock keeps out all intruders,
and indeed
some do get in. But we *do* believe that house locks reduce
the threat
to a socially acceptable level.
The trouble is that on the internet, you can go from house to
house and
try to break locks and nobody will stop you. In the real world, you
wouldn't be able to do that for very long.
Adopt draft-hain-ipv6-pi* as the standard addressing plan, provide
automated intrusion detection reporting, and Internet prowlers wouldn't
be able to attack for very long either.
So let's show some adaptability of our own and plug those SMTP holes.
Or simply leave SMTP to the spammers and move on.
Why look at individual messages? How much non-bulk mail can someone
possibly need to send? 10 messages per hour? 100? 1000?
@ 5kB/message on a 10MB/sec link, 2k/sec.
That's why it's important to look at ALL mail rather than just copies
of one message. Spammers by now know how to make messages look
different even though they're essentially identical.
Exactly how would you coorelate email across multiple accounts, on
multiple service providers?
Someone's "home MTA" sould be able to simply rate limit the number of
messages an individual user gets to inject into the global email
distribution system. Then all we need is a system to differentiate
between trusted MTAs and rogue ones run by spammers.
Why would a spammer limit themselves to a single MTA, or account. Run
VMware on a laptop, and there could easliy be 10 parallel rate-limited
sessions going on. If the rates are low enough, each virtual system
could automatically log into another account on another MTA, then come
back when the timer goes off.
Tony