spf-discuss

Re: cost comparison of Caller-ID, DK, and SPF

2004-02-25 12:02:58
On Wed, 2004-02-25 at 12:39 -0600, wayne wrote:
> But mailing lists mangle the email body some.  And spammers morph
> their spam some.  I don't see any obvious ways to distinguish these
> two cases.  Especially when you consider the number of weird and/or
> broken mailing list software out there and the fact that spammers will
> actively try and make their spam indistinguishable from mailing lists
> mangling.

I'm very confused by this. What I received from you is mangled slightly
by the mailing list. The list software added the few lines at the bottom
with subscription info, etc.

Given the scheme suggested, my MUA would be able, for example, to
display the first 40-odd lines which are _your_ contribution in one
colour, while displaying the list-added parts in another or perhaps even
hiding them entirely.

It's not clear to me how a spammer could send a mail which contains
_your_ 40-odd lines, intact and still matching the strong cryptographic
signature, but which is sufficiently modified to be useful as spam.

And even if they _did_, my MUA could be configured not to _show_ the
added text unless I explicitly ask it to for this particular mail.

Bear in mind that the list software or the MTA _could_ be updated to
sign the _whole_ message, footers and all. It wouldn't be _needed_ for
third parties to update anything in order to render my scheme nonbroken,
but if they were to implement such signing (as the owner of the Sender:
address) then they could cause my MUA to display the footer _with_
having to be asked.

> There is also the replay problem

Which is of limited use if they _have_ to replay with the same message
body, and the additions are immediately identifiable and hence
discardable.


> Mailing lists send the same email to many people.  Spammers send the
> same spam to many people.  Someone sending a message to a mailing list
> has to be able to have their email go to many people without
> problems.  A spammer sending a message to themselves can't be allowed
> to send this email to many people without problems.  Again, I don't
> see any obvious ways to distinguish these two cases.

There is no distinction, surely? The aim is merely to ensure that the
spammer cannot easily pretend to be someone other than who they really
are, and neither can the poster to the mailing list.

-- 
dwmw2
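
The check the message above describes, sketched as an added example that is not part of the original post or of any proposal in the thread: the signature covers the author's body, and anything a list appends after it is separated out as unsigned. The thread gives no signature format, so the signed-length field, the function names and the sample text are assumptions, and HMAC-SHA256 with a constructed key stands in for a public-key signature.

```python
import hashlib
import hmac

# Constructed demo key. HMAC stands in for the public-key signature the thread
# assumes; a real scheme would verify against the sender's published key.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample text: an author's body and a footer appended by a list.
ORIGINAL = ("But mailing lists mangle the email body some.\n"
            "I don't see any obvious ways to distinguish these two cases.\n")
FOOTER = "-------\nTo unsubscribe, see the list page (constructed footer).\n"


def canon(body: str) -> bytes:
    """Normalise line endings so CRLF/LF changes in transit do not break the check."""
    return body.replace("\r\n", "\n").encode("utf-8")


def sign_body(body: str, key: bytes = DEMO_KEY) -> tuple[int, str]:
    """Return (signed_length, tag) covering the body exactly as the author sent it."""
    data = canon(body)
    return len(data), hmac.new(key, data, hashlib.sha256).hexdigest()


def split_verified(body: str, signed_len: int, tag: str, key: bytes = DEMO_KEY):
    """Return (author_text, added_text), or None if the signed span was altered."""
    data = canon(body)
    if signed_len < 0 or signed_len > len(data):
        return None  # nonsense length, or body truncated below the signed span
    signed, extra = data[:signed_len], data[signed_len:]
    expected = hmac.new(key, signed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # the author's text was modified or displaced
    # An MUA could show `signed` normally and dim or hide `extra`.
    return signed.decode("utf-8"), extra.decode("utf-8")


if __name__ == "__main__":
    n, tag = sign_body(ORIGINAL)
    print(split_verified(ORIGINAL + FOOTER, n, tag))
    print(split_verified(ORIGINAL.replace("mailing lists", "spammers"), n, tag))
```

A replayed copy verifies only while the signed span is byte-for-byte the author's text, so any new content has to sit in the unsigned remainder, where the reader's software can mark or hide it.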