[thelist] Serious antispam measures

Ken Schaefer ken at adOpenStatic.com
Mon Apr 19 04:33:13 CDT 2004


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Kasimir K" <evolt at kasimir-k.fi>
Subject: Re: [thelist] Serious antispam measures


: > Sounds tiring for the scant quantity of legit email I get. And what
:  > about my poor mother? I have found the subject line route to work
:  > pretty well, and it didn't have to be that complex.
:
: Trying to find logically solid ways to this utterly fascinating problem:
:
: In order to distinguish between legitimate mail from illegitimate
: you must require legitimate senders to include in the message
: something, that illegitimate senders are unable to include. This
: included thing must also be something that you are able to filter
: automatically.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Definitely. Personally I think this'll require a multi-layer approach. For
example, much spam can be halted by doing reverse DNS lookups on the
purported sending domain. If the DNS says "that host is allowed to send mail
on behalf of domain 'xyz'", then you accept the mail.

Now, this doesn't stop spammers registering their own domains, or signing up
with an ISP that publishes their entire IP address space as valid for
sending mail.

So, the legitimate sender needs something that a spammer cannot duplicate
    -or-
The generation of the "thing" needs to be so "expensive" that it is not
worth the while of the spammer to attempt to generate their own.

The trust hierarchies that are used in certificate based authentication would
be an example of how we might be able to accomplish this. The sender
encrypts something with their private key (or even generates a hash of the
message using their private key). The recipient decrypts this with the
sender's public key.

However this does not help at all with "unknown" users. Spammers could get
their own certificates, and generate their own "hashes".

So, how do we overcome this? Possibly the only way is by giving up much of
the anonymity that we see on the 'net. At some point, real physical people
(or legal entities), will need to be tied to online personas. At that point,
it will be easy to definitively block certain senders. Short of identity
theft, or fraudulently creating new legal identities, it will be difficult
for an identified spammer to continue to have their mail received.

However, I doubt many netizens will accept this.

Of course, none of this helps with a user's machine that has been "owned" by
a spammer. The owned machine is capable of acting as the user, sending out
mail as if it was the user. To get around this, you start needing some kind
of "protected" operating system, where users can't have their machines
infected by viruses etc without knowingly doing so - but most people seem to
rebel against the idea of having DRM/Code Signing built into the
hardware/software of their machines. The brouhaha over Palladium is an
example.

Here is a research paper put out by Martín Abadi, Andrew Birrell, Mike
Burrows, Frank Dabek, Ted Wobber of UCLA, Microsoft Research, Google, MIT
and MS Research respectively. It describes a "ticket" based approach, which
appears to use trusted hierarchies again (a central trusted ticket server is
required to be paid to request a service usage).

Cheers
Ken
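
The "expensive to generate, cheap to filter" idea from the message above, sketched as a hashcash-style proof-of-work stamp. This is an added example, not code from the original post or the cited paper; the stamp format, the `BITS` cost and all function names and addresses are assumptions made for illustration.

```python
import hashlib
from itertools import count

BITS = 16  # assumed cost: about 2**16 hashes to mint, a single hash to verify

def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n

def mint(recipient: str, date: str, bits: int = BITS) -> str:
    """Sender side: brute-force a counter until the stamp hash is small enough."""
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp: str, me: str, today: str, seen: set, min_bits: int = BITS) -> bool:
    """Recipient side: automatic filter costing one hash plus a replay lookup."""
    try:
        bits_s, date, recipient, _counter = stamp.split(":")
        bits = int(bits_s)
    except ValueError:
        return False                      # malformed stamp
    if recipient != me or date != today or bits < min_bits:
        return False                      # minted for someone else, stale, or too cheap
    if stamp in seen:
        return False                      # one stamp buys one delivery only
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False                      # claimed work was never done
    seen.add(stamp)
    return True

if __name__ == "__main__":
    seen = set()
    s = mint("ken@example.org", "2004-04-19")   # constructed sample values
    print(s, verify(s, "ken@example.org", "2004-04-19", seen))
```

Because each stamp is bound to one recipient and one date and is rejected on reuse, the minting cost is paid per message, which is what makes bulk sending expensive. As with the certificate approach in the message, it does nothing against a compromised machine that spends its owner's CPU time.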
