[thelist] Serious antispam measures

Ken Schaefer ken at adOpenStatic.com
Tue Apr 20 00:24:20 CDT 2004


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Edwin Horneij" <edwin at lanset.com>
Subject: Re: [thelist] Serious antispam measures


: On Apr 19, 2004, at 6:23 PM, Ken Schaefer wrote:
:
: > Personally, I think there needs to be a more fundamental
: > reform of the messaging infrastructure that fixes the spam
: > problem. All these other things are good, and should be
: > used as additional layers of defense, but  they're
: > really bandaids. If you look at all the really robust
: > authentication protocols out there (like Kerberos),
: > you don't need these bandaids. They're
: > simple, and they work.
:
: I'm curious, given that it would not be technically difficult,
: why some authentication protocol hasn't been implemented.
: Can you point to a site with a primer on the issue? Maybe
: something for people like me who don't really understand how
: SMTP or email authentication works. TIA.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The main problem with SMTP, in relation to spam, is that SMTP is designed to
accept mail from everyone (else, how could people contact you?). Adding
authentication into the mix presents difficulties in the sense that "how do
I know you are who you say you are"? You can say you are "x", but how do *I*
know that?

Now, there are some protocols (SSL, Kerberos, and TLS) that already exist
that get around this. They use trust hierarchies. You have something (that
can be verified) from someone I trust. Hence I trust you are who you say you
are. This is the way server (and client) certificates work for SSL (they are
issued by mutually trusted Certificate Authorities). In the Kerberos world,
both the client, and the server, trust the Kerberos KDC (Key Distribution
Centre) which holds one half of a key pair for both the client and the
server.

The next problem, however, is related to the first problem (namely that SMTP is
designed to accept mail from everyone). You say you are "x", but what you
sent me is spam. So, I'm going to block further transmission from you. Cool.
So, you go and sign up for another certificate. Now you are "y", and I verify
that you are "y", but what you sent me is spam. So I block you again. So you
assume a third identity. Now you are "z" (and so on, ad infinitum).

I can see two ways around this. Either the online identity needs to be tied
to a physical or legal entity, which means you can't continually sign up for
"new" identities. However, I suspect that many on the internet today would
rebel against such an imposition as an invasion of privacy/destruction of
the anonymity of the 'net.

    -or-

You start making it economically unfeasible to send commercial spam
(obviously, this won't stop those people who like to send out unsolicited
junk mail where they don't care about the commercial implications). Again
you have a mutually trusted "bank". You need to prepay to send email. The
recipient can refund your prepayment if they find your mail worthy. If they
don't, you lose your money (so, it's a bit like posting a physical letter -
except you can potentially get your money back). This is the basis behind
the research paper I posted earlier.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
: Another thing I'm curious about is why the authorities don't combat
: spam by punishing the companies that use it to advertise. They have to
: have some real-world point of contact in order to get the recipient's
: money, after all, and they, at least as much as the owner of the server
: where the message originated, are responsible for the email. Is there
: some legal issue I don't understand?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here are some current problems:
a) In many jurisdictions, sending unsolicited email isn't a crime. So that's
the first thing that needs to be rectified.
b) You still need to prove that the "seller" somehow knew, or approved, the
sending of the unsolicited junk mail. They may have outsourced it to some
org, that outsourced it to another, who contracted it to a third org, and so
on, across multiple jurisdictions. Who do you prosecute? How much will it
cost to do so?

Cheers
Ken
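As an added illustration of the argument in the message above (this is not code from the thread; the class names, the `is_spam` flag and the unit postage price are assumptions), here is a small Python model of the two remedies Ken contrasts: identity-based blocking, which a sender defeats by rotating to a fresh identity after each block, and prepaid postage held by a mutually trusted bank, where the number of messages that land is bounded by the money paid in no matter how many identities are created, while wanted mail is refunded and so costs nothing.

```python
POSTAGE = 1  # assumed escrow price per message; the post names no figure

class BlocklistInbox:
    """Identity-based blocking: a sender is refused only after it has spammed once."""
    def __init__(self):
        self.blocked = set()

    def accept(self, sender, is_spam):
        if sender in self.blocked:
            return False
        if is_spam:
            self.blocked.add(sender)  # too late: this one already landed
        return True

class Bank:
    """The mutually trusted 'bank' from the post; one prepaid balance per identity."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def prepay(self, sender, amount):
        if self.balances.get(sender, 0) < amount:
            return False  # unfunded identity: message is refused up front
        self.balances[sender] -= amount
        return True

    def refund(self, sender, amount):
        self.balances[sender] = self.balances.get(sender, 0) + amount

class PostageInbox:
    """Economic blocking: each message costs POSTAGE; the recipient refunds mail it wants."""
    def __init__(self, bank):
        self.bank = bank

    def accept(self, sender, is_spam):
        if not self.bank.prepay(sender, POSTAGE):
            return False
        if not is_spam:
            self.bank.refund(sender, POSTAGE)  # worthy mail ends up free
        return True

def spam_delivered(inbox, identities, attempts_per_identity=10):
    """Spammer moves to a fresh identity as soon as the current one is refused."""
    delivered = 0
    for ident in identities:
        for _ in range(attempts_per_identity):
            if not inbox.accept(ident, is_spam=True):
                break
            delivered += 1
    return delivered
```

With a thousand identities the blocklist lets a thousand spam messages through (one each), whereas the postage inbox lets through only as many as the spammer has funded.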
