--On Sunday, June 20, 2004 12:26:20 -0400 Meng Weng Wong
<mengwong(_at_)dumbo(_dot_)pobox(_dot_)com> wrote:

> [...]
> Here's one more:
>
> given DOMAIN, attempt to connect to https://www.DOMAIN/.
> If an HTTPS connection succeeds, and the certificate for
> DOMAIN is valid, that makes it somewhat more likely that
> the sender is a good guy.
>
> And if the sender turns out to be a bad guy, the information
> in the SSL certificate will help the feds track them down.
>
> This leverages the existing multimillion dollar
> infrastructure already in place for HTTPS, and makes it
> useful in the war against spam.

The idea is nice, but many people will not like the need to do an HTTP
query. Of course you could reject with a 4xx code, schedule the domain to
be tested by another daemon and use this (cached) result later when the
sender tries again.

Unfortunately certificates are still quite expensive (at least here in
Germany) and thus hardly make sense for individuals who want/need to get
some kind of accreditation for their personal domain. Even for a business,
getting a certificate for every domain used in email *and* running a
webserver with that certificate (implying an IP address used for only this
purpose, as certificate validation would fail otherwise) will increase the
operational cost of a domain by an order of magnitude.

Ralf Döblitz
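
An added example, not code from either poster, of the flow suggested in the reply: the SMTP session answers an unknown domain with a temporary failure and queues it, a separate daemon probes https://www.DOMAIN/, and the cached result is used when the sender retries. The class and function names, the return values and the cache lifetime are assumptions made for illustration.

```python
import socket
import ssl
import time
from collections import deque

CACHE_TTL = 24 * 3600  # assumed cache lifetime in seconds


def probe_https(domain, timeout=10):
    """True if https://www.DOMAIN/ presents a certificate that validates
    (chain and hostname) against the system trust store."""
    host = "www." + domain
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ValueError):  # DNS failure, timeout, refused, bad cert
        return False


class DeferredCertCheck:
    """Hypothetical glue between an SMTP server and the probing daemon."""
    def __init__(self, probe=probe_https, clock=time.time):
        self.probe, self.clock = probe, clock
        self.cache = {}        # domain -> (cert_valid, expiry timestamp)
        self.queue = deque()   # domains waiting for the daemon

    def on_mail_from(self, domain):
        """Runs inside the SMTP session and never touches the network."""
        domain = domain.lower().rstrip(".")  # sender-supplied, untrusted
        hit = self.cache.get(domain)
        if hit and hit[1] > self.clock():
            return ("accept", hit[0])   # result is a hint, not a verdict
        if domain not in self.queue:
            self.queue.append(domain)
        return ("defer", None)          # caller replies with a 4xx code

    def run_daemon_once(self):
        """Runs in the separate daemon: probe queued domains, fill cache."""
        while self.queue:
            domain = self.queue.popleft()
            valid = self.probe(domain)
            self.cache[domain] = (valid, self.clock() + CACHE_TTL)
```

A failed probe is cached too, so a domain without a valid certificate is deferred once rather than on every retry.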