RE: digital signature request

2004-02-25 14:43:13
On 25 Feb 2004 at 12:16, Neil Carpenter wrote:

the value in having the list processor sign all posts
is simple.  guaranteed identification of the list
traffic for any recipient who decides to verify
signatures.

This seems to solve a non-problem.  Unless there are spam messages
where the sender has, for instance, forged the existing "Sender:
owner-ietf(_at_)ietf(_dot_)org" header, signing these messages will add
nothing of value.  It seems much more likely that a spammer would simply
send e-mail to the ietf(_at_)ietf(_dot_)org list & allow the list itself
to propagate it than that they would specifically forge that header.

again, i'm not imagining that having the list 
processor sign all mail will stop spam from entering 
the list.  the problem i need to solve is how to stop 
spam from being sent *directly* to me.  accepting only 
email with whitelisted signatures will solve my 
problem.

btw, i thought you needed to be subscribed to the ietf 
list prior to being able to post to the ietf list?

On 25 Feb 2004 at 11:26, Stephen Sprunk wrote:

You have yet to demonstrate the problem you are trying to solve even
exists.

I've gotten over 2700 spams this month, and zero of them have "ietf"
anywhere in them, either header or body.  Thus, I see no compelling
reason for the ietf's list software to sign anything when a simple MUA
filter on the Sender: line already achieves 100% accuracy.

see above response.  also, from my perspective digital 
signature verification is simpler than maintaining a 
filter list.  i'm tired of the spam/anti-spam arms 
race.  i'm going to deploy a solution that is 
unspoofable.

On 25 Feb 2004 at 12:06, Vernon Schryver wrote:

From: gnulinux(_at_)pacinfo(_dot_)com

Having the latest tools means nothing, unless
they are used right.  Are 

i'm using them correctly

I, for one, am unconvinced.  I have had no trouble
filtering unwanted mail from this list, thanks to
procmail.  My various filters have no trouble
dealing with more than 99.9% of the unsolicited bulk
mail including viruses and worms directed at my
mailbox.  For my mail, my filters have a total false
positive rate (legitimate rejected divided by total
legitimate) of less than 0.1%.  Whether your filters
are doing as well as you want them to does not seem
like a concern of the IETF.

i have ~98% accuracy thanks to bayesian filtering.  i 
haven't calculated my false positive rate, but i get 
false positives.  even *one* false positive is 
unacceptable.  even if my filter accuracy was 99.99% i 
would still need to trawl my spam folder to check for 
false positives.  and as the spam volume continues to 
grow trawling the spam folder takes more and more 
time.  i need to stop false positives and digital 
signatures are one possible solution.

...
the value in having the list processor sign all
posts is simple.  guaranteed identification of the
list traffic for any recipient who decides to
verify signatures.

I think it would be simpler for all concerned and in
this case just as effective if the IETF list
processor would offer to do SMTP-TLS and for an
appropriate cert to be published on http://ietf.org/

However, I would not suggest that for any
practical or operational reason.  It would merely
set a good example.

i'm not familiar with SMTP-TLS but i will go read 
about it.  FWIW, i think that digitally signing all 
list messages would also set a good example, and it 
too is a simple implementation.


david