[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Mail Server Registries and Foreign Sender Authentication: A Proposal
On Wed, 28 Mar 2007, Randy Smith wrote:
> The biggest problem, IMO, is not the open system but the anonymous
> one. One reason spam works so well is that its so very easy to lie
> about who the sender is.
This is myth, stated since at least 1996, probably earlier. 10+ years of
anti-spam work shows that one does not need to know "who" is sending
mail to effectively complain. One only needs the IP address and a time.
Their ISP knows who they are, or they don't. The ability to lie is
That's as good as that identity information gets, too. Privacy laws
would preclude anything else.
The biggest problem is that the real commercial bulk emailers comply
with CAN-SPAM, and thus aren't a problem, while the miscreants send pure
annoyance with no commercial purpose, but it takes a bit of research to
figure that out. One really needs to find out who the miscreants are.
I've identified a few: they were pretending to be anti-spammers. They
still pretend to be anti-spammers.
> I don't think there's any reason why a mail admin couldn't setup their
> own registration server but as the recipient, I need to have some way
> of knowing that I can trust the registry, hence the web of trust built
> around server keys.
This was tried and didn't work. 'Trust' for email sending, extends to
everyone, and the system is still subject to abuse, albeit
cryptographically signed abuse, and now you have a problem with key
management, and you still need their ISP to translate a real identity to
a crypto key, which they still can't do without a court order or
warrant. And a new account comes with a different crypto key, and keys
will be stolen by viruses and rooting. Same problem, many dollars
later. But good if you are selling crypto-email systems and consulting.
I showed in 2003 that information theory PROVES that the miscreant
abusers cannot be stopped by technical means, because a communications
system that is free from abuse [that is 'can't be abused' in contrast to
just 'isn't being abused'] is also free from covert channels, and hence
contrary to a thereom of information theory which states that a
communication system can't be proven free of covert channels. Covert
channels are always possible. It is always possible to abuse a
So, whack-a-mole is as good as it gets. Actually, that's not a strong
enough statement. This is better: Whack-a-mole is as good as it CAN get,
without upending information theory. Since information theory is tied
to thermodynamics, and is physically and mathematically sound, that
probably won't happen.
What to do? Get good a whack-a-mole. Indeed, we can get better at
that: standard forms for abuse complaints comes to mind. Maybe a
standarized web app for submitting such forms, that can be supported by
every ISP complaint/ticket system as a standard interface.
It is quite ironic that the people who talk most about reputation
systems have no problem associating _themselves_ with very
disreputatable people and court-proven liars, people pretending to be
anti-spammers, but obviously not. I suspect there is a story there,
somewhere; amid the people who pretend to be anti-spammers while
engaging in abuse and lies for their personal gain. A long time ago, I
said that someday, when the script kiddies get to be adults, and the
statute of limitations expires on their activity, that they will come
forward and spill their beans on who, what, why and when. I think the
"Kevin Mitnicks" of the script-kiddie spamming world will want to tell
their stories. The first generation of script kiddies should be coming
of age and beyond the statute of limitations pretty soon.
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000