ietf

Re: authenticated email

2003-06-04 18:10:53
www.spamassassin.org is a cost-based system which is quite useful but
has many false positives too....

The best system I have found is tmda.sourceforge.net, whose concept is
used in a couple of commercial individual systems...

The concept is quite simple... 

Someone unknown to me sends me an e-mail. I do not receive this e-mail
yet, but an automatic reply asks the person to perform a task to
authenticate itself... Like replying to a specific address after reading
the message (something like a simple Turing test to prove the person is
human). The e-mail address of this person is then added to my whitelist, and I
receive this person's e-mail as well as all subsequent e-mails....

Any person that wants to talk to me will follow the procedure... any
spammer will not bother to follow the procedure because suddenly it
costs him time therefore money... Remember it is a Turing test so a
machine cannot pass it....

Now, what digital signing should bring is the power to sue because of the
traceability.

Cheers

On Thu, 2003-06-05 at 05:55, Stephen Sprunk wrote:

> Thus spake "Michael Thomas" <mat(_at_)cisco(_dot_)com>
> > It depends on what you mean by signing. Signing a message in and
> > of itself ought not hurt anything modulo software bugs, etc. But the
> > real question is what does the receiving program (MTA, MUA) do
> > with that signature? At the very least it could verify the signature,
> > but then what? If it doesn't verify do you drop it? (transitive trust
> > comes into play, but most likely). Does it do anything beyond that?
>
> Well, if you use a score-based anti-spam system, the lack of a signature
> could "cost" a message a few points, but that's about it.
>
> The root problem here is we're trying to define an authentication system
> without also defining the authorization or accounting systems to use it.



-- 
Franck Martin <franck(_at_)sopac(_dot_)org>
SOPAC
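
The hold, challenge, confirm and whitelist procedure described in the message above, as an added example that is not part of the original post and is not TMDA's code. The class name, the `user-confirm-<tag>` address format, the HMAC tag, the one-challenge-per-sender choice and all addresses are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a per-recipient secret


class ChallengeResponseFilter:
    """Hold mail from unknown senders until they answer a challenge."""

    def __init__(self, local="user", domain="example.org"):
        self.local, self.domain = local, domain
        self.whitelist = set()   # senders who passed the challenge
        self.pending = {}        # sender -> messages held for them
        self.inbox = []          # messages actually delivered

    def _tag(self, sender):
        # Bind the confirmation address to one sender address.
        mac = hmac.new(SECRET, sender.lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def confirm_address(self, sender):
        return f"{self.local}-confirm-{self._tag(sender)}@{self.domain}"

    def receive(self, sender, rcpt, body):
        sender = sender.lower()
        prefix = f"{self.local}-confirm-"
        if rcpt.startswith(prefix):
            # A reply to the "specific address": check it matches this sender.
            tag = rcpt[len(prefix):].split("@")[0]
            if hmac.compare_digest(tag.encode(), self._tag(sender).encode()):
                self.whitelist.add(sender)
                self.inbox.extend(self.pending.pop(sender, []))
                return "confirmed"
            return "rejected"
        if sender in self.whitelist:
            self.inbox.append((sender, body))
            return "delivered"
        # Unknown sender: hold the message, challenge only on first contact.
        first = sender not in self.pending
        self.pending.setdefault(sender, []).append((sender, body))
        return "challenge:" + self.confirm_address(sender) if first else "held"
```

The sender address checked here is only what the message claims, so the whitelist is exactly as trustworthy as that claim; that is the gap the signing discussion in this thread addresses.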