PK & Re: Is spam really a problem?
From sunder@brainlink.com Thu Feb 19 15:43:54 1998
Information Security wrote:
From sunder@brainlink.com Wed Feb 18 15:58:46 1998
Anonymous wrote:
I see discussion of spam here and everywhere on the net. But who finds it a *real* problem, and why?
Why are you asking the cypherpunks list?
I didn't. Anonymous did.
Seth Breidbart (Mr. BI>20 == SPAM) insists it is a valid style of attribution to give it once at the top. My question was obviously directed at "Anonymous". So you don't get confused again, I'll keep repeating the attributions:
From sunder@brainlink.com Thu Feb 19 15:43:54 1998
Information Security wrote:
From sunder@brainlink.com Wed Feb 18 15:58:46 1998
There are nice technical solutions to this. If sendmail didn't transport things unauthenticated it could be done, but at a cost in CPU cycles on mail servers:
Have every sendmail server use a PK scheme to talk to every other server and authenticate the connection. Have every sendmail server accept mail only from those whose key is verified.
Nonsense.
We (NANA) already know where spam comes from, and when we complain about it, they are terminated.
Until someone else gets a throw-away $10 account and uses it to spam, right? By the time you track 'em down, they already gave up that account. All ISPs do is delete the spamming account, which the spammer doesn't care about anyway. So you achieve nothing.
Talk about achieving nothing: what does server-to-server authentication have to do with overcoming spam from throw-away accounts? Hey, at least ISPs are making money from terminating accounts. ;-)
From sunder@brainlink.com Thu Feb 19 15:43:54 1998
Further one can generate fake headers and you would not know exactly where it comes from, though you could have some idea since it would be one of many sites it was relayed from. One could send messages from an ISP that doesn't mind spammers who won't help you track down the bitch that just slimed your machine, etc.
Jeez, take a breath between thoughts, will ya? It is standard practice to trust only the last "Received" line. What of it? Again: what does server-to-server authentication have to do with known unhelpful ISPs?
From sunder@brainlink.com Thu Feb 19 15:43:54 1998
Information Security wrote:
PK authentication would change nothing.
Show a single spam with a forged IP address.
IP addresses won't be forged, but one could send a mail with extra Received-By: headers, etc.
And how would throw-away accounts be affected by your proposed massive change in SMTP protocol?
From sunder@brainlink.com Thu Feb 19 15:43:54 1998
Information Security wrote:
PK authentication would only lead us down the road of everyone being tattooed with barcodes of our own making - an incredibly dumb idea.
It would be like requiring a smart card for Internet access.
Bullshit. PK auth with a central repository would be Big Brotherish. Having each user gen their own PK pair is what I suggested.
But these keys must be registered somewhere: whether it's at a centralized site or distributed, *requiring* everyone to have a digital signature for Internet access is twisting this elegant crypto-related technology: to number each and every one of us, and is exactly what will make CDA legal, because as soon as it's in place attributes such as "age" will be attached. Required identity repositories are a bad idea.
Relaying is a big problem.
What, you want _me_ to solve the UCE problem?

Okay.

I think if Brad (EFF Director) Templeton's whitelist system were made available at the firewall/enterprise level, then widely deployed, spam would be dead. It's a handy little bot-reply mechanism that asks unknown authors to verify they aren't sending UCE, else face a monetary penalty. Replying correctly automatically causes the original email to go through. Thus achieving the legal right to sue the spammer without the legislation CAUCE is pushing.

The most important part of this design is that it requires no control-freak changes to the Internet. Don't suggest solutions that *require* digital signatures of everyone. Sheesh.

This might work too:

Throttle email going through the ISP's mailserver. Maybe 5/minute limit, flagging attempts to go faster to the admins. As for direct PPP connectivity, upgrade router software to throttle. (Port SMTP traffic) Certain people, at the ISP's choice, would have a higher limit, for mailing lists and such.

---guy

Think.
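The per-sender throttle proposed in the message above (a 5-per-minute default, over-limit attempts flagged to the admins, and higher limits for mailing lists at the ISP's choice), written out as an added Go example. This is not code from the original thread or from any MTA; the `Throttle`/`Submit` names, the sender addresses, the limit values and the choice to refuse an over-limit message (which a real MTA would signal with a 4xx temporary failure so the client retries later) are all assumptions made here.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Throttle caps how many messages one sender may submit within a sliding
// window. Senders listed in Limits get their own cap (mailing lists and the
// like); everyone else gets DefaultLimit. Over-limit attempts are refused and
// recorded in Flagged for the admins to look at.
type Throttle struct {
	mu           sync.Mutex
	DefaultLimit int
	Window       time.Duration
	Limits       map[string]int         // per-sender overrides, at the ISP's choice
	recent       map[string][]time.Time // accepted submissions still inside the window
	Flagged      []string               // one line per refused attempt
}

// NewThrottle returns a throttle allowing defaultLimit messages per window.
func NewThrottle(defaultLimit int, window time.Duration) *Throttle {
	return &Throttle{
		DefaultLimit: defaultLimit,
		Window:       window,
		Limits:       make(map[string]int),
		recent:       make(map[string][]time.Time),
	}
}

// Submit records one submission attempt by sender at time now and reports
// whether the message may be relayed. A refused message would get a 4xx
// "try again later" reply from the MTA (assumption), so a legitimate client
// simply retries once the window has moved on.
func (t *Throttle) Submit(sender string, now time.Time) bool {
	t.mu.Lock()
	defer t.mu.Unlock()

	limit := t.DefaultLimit
	if l, ok := t.Limits[sender]; ok {
		limit = l
	}

	// Drop timestamps that have fallen out of the window (in-place filter).
	cutoff := now.Add(-t.Window)
	kept := t.recent[sender][:0]
	for _, ts := range t.recent[sender] {
		if ts.After(cutoff) {
			kept = append(kept, ts)
		}
	}

	if len(kept) >= limit {
		t.recent[sender] = kept
		t.Flagged = append(t.Flagged, fmt.Sprintf("%s sender=%s exceeded %d per %s",
			now.UTC().Format(time.RFC3339), sender, limit, t.Window))
		return false
	}
	t.recent[sender] = append(kept, now)
	return true
}

func main() {
	th := NewThrottle(5, time.Minute)
	th.Limits["majordomo@example.net"] = 500 // hypothetical list server
	start := time.Date(1998, 2, 19, 15, 43, 54, 0, time.UTC)
	for i := 0; i < 7; i++ {
		ok := th.Submit("dick@example.com", start.Add(time.Duration(i)*time.Second))
		fmt.Printf("message %d accepted=%v\n", i+1, ok)
	}
	for _, line := range th.Flagged {
		fmt.Println("FLAG:", line)
	}
}
```

A sliding window like this bounds the rate, not the total: as the reply later in the thread points out, a spammer who doesn't mind waiting still gets everything through unless someone reads the Flagged log, so the log is the part of the scheme that actually does the work.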
Information Security wrote:
Until someone else gets a throw-away $10 account and uses it to spam, right? By the time you track 'em down, they already gave up that account. All ISPs do is delete the spamming account, which the spammer doesn't care about anyway. So you achieve nothing.
Talk about achieving nothing: what does server-to-server authentication have to do with overcoming spam from throw-away accounts?
Gives you a way of tracing the spammer and avoiding forged headers.
Hey, at least ISPs are making money from terminating accounts. ;-)
Hey, ISPs do suffer damage from spammers. If they let too many spammers on, they'll get blacklisted and none of their users will be able to send mail to some sites that chose to drop all mail from spam-supporting ISPs. This way it's an incentive for them to drop spammers.
And how would throw-away accounts be affected by your proposed massive change in SMTP protocol?
There being a contract between the ISP and the throw away account requiring the payment of damages caused, it would provide teeth to prevent spamming. If spamming occurs, the spammer gets to pay for their advertising. Right now, spamming is relatively free for the advertiser.
But these keys must be registered somewhere: whether it's at a centralized site or distributed, *requiring* everyone to have a digital signature for Internet access is twisting this elegant crypto-related technology: to number each and every one of us, and is exactly what will make CDA legal, because as soon as it's in place attributes such as "age" will be attached.
No, there is no need for a central server. It's more than enough to require the user to gen keys of a certain minimal length. This takes CPU time to do and enough so to prevent spamming. If they use the same keys, the servers will recognize and count the total, thus limiting them to a fixed number of posts.
Required identity repositories are a bad idea.
None are needed. Just valid public keys linked to the IP of the incoming messages. i.e. a public key along with the IP the shit comes from, signed with the private key, is enough. If the IP doesn't match the connection IP, the connection gets dropped. The fact that there's a public key means that the receiver server can track IP to keys. Maybe throwing in a secured form of identd might help as well.
What, you want _me_ to solve the UCE problem?
Okay.
Erm, if you choose to, have fun doing it. These are suggestions for a cryptographic solution as opposed to a congressional fuck you up the ass and kill your rights solution.
I think if Brad (EFF Director) Templeton's whitelist system were made available at the firewall/enterprise level, then widely deployed, spam would be dead.
Sounds good to me, except that it's a huge pain for the senders to send any message to anyone.
It's a handy little bot-reply mechanism that asks unknown authors to verify they aren't sending UCE, else face a monetary penalty.
The most important part of this design is that it requires no control-freak changes to the Internet.
As does my scheme.
Don't suggest solutions that *require* digital signatures of everyone.
Pushing crypto over legislation is worthwhile in any case, and pushes towards anonymous reputation capital systems.
This might work too:
Throttle email going through the ISP's mailserver.
Maybe 5/minute limit, flagging attempts to go faster to the admins.
With a count of users. If Dick Spammer is spamming someone he doesn't much give a shit about 5-minute delays. It only prevents massive massive spams. As long as the sysadmins don't notice you can send a fuckload of mail even with 5-minute delays.
As for direct PPP connectivity, upgrade router software to throttle. (Port SMTP traffic)
Yep.
Certain people, at the ISP's choice, would have a higher limit, for mailing lists and such. ---guy
Yep.
Think.
Erm, Think Different. (I always did prefer Apple over IBM.)

-- 
=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.| Ray Arachelian      |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|sunder@sundernet.com|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================
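The key-bound-to-IP check described in sunder's reply above (present a public key plus the source IP, signed with the private key; drop the connection if the IP doesn't match the connection IP; count messages per key and stop at a fixed number), written out as an added Go example. This is not sunder's code and not part of any MTA: the `Token`/`Gate` names, the exact byte layout that gets signed, the quota of 2 and the documentation-range IPs are assumptions made here. It uses ed25519, whose keys are fixed-size, so the "minimum key length" cost check from the original proposal shrinks to a size check; with a key that cheap to generate a spammer defeats the per-key count simply by making a fresh key per message, which is exactly why the original proposal tied the cost to key generation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
	"sync"
)

// Token is what a connecting mail server presents at the start of an SMTP
// session: its public key, the source IP it claims, and a signature over
// (key || ip) made with the matching private key. Nothing is registered
// anywhere; the receiver needs only the token and the connection itself.
type Token struct {
	PubKey    ed25519.PublicKey
	ClaimedIP net.IP
	Sig       []byte
}

// tokenMessage is the exact byte string that gets signed (layout is an
// assumption): the key followed by the IP in its canonical 16-byte form,
// so IPv4 and IPv6 addresses encode the same way.
func tokenMessage(pub ed25519.PublicKey, ip net.IP) []byte {
	msg := make([]byte, 0, len(pub)+net.IPv6len)
	msg = append(msg, pub...)
	return append(msg, ip.To16()...)
}

// MakeToken is the sending side: sign our own key bound to our source IP.
func MakeToken(priv ed25519.PrivateKey, ip net.IP) Token {
	pub := priv.Public().(ed25519.PublicKey)
	return Token{PubKey: pub, ClaimedIP: ip, Sig: ed25519.Sign(priv, tokenMessage(pub, ip))}
}

// Gate is the receiving server's state: a message count per public key and
// the fixed quota each key is allowed.
type Gate struct {
	mu    sync.Mutex
	Quota int
	count map[string]int // raw public key bytes -> messages accepted so far
}

func NewGate(quota int) *Gate {
	return &Gate{Quota: quota, count: make(map[string]int)}
}

var (
	ErrBadKey     = errors.New("public key has the wrong size")
	ErrBadSig     = errors.New("signature over key and IP does not verify")
	ErrIPMismatch = errors.New("claimed IP does not match the connection IP")
	ErrQuota      = errors.New("this key has used up its message quota")
)

// Admit decides whether one message arriving over a connection from connIP,
// carrying tok, is accepted: valid key size, valid signature, IP matches,
// then the per-key count.
func (g *Gate) Admit(tok Token, connIP net.IP) error {
	if len(tok.PubKey) != ed25519.PublicKeySize {
		return ErrBadKey
	}
	if !ed25519.Verify(tok.PubKey, tokenMessage(tok.PubKey, tok.ClaimedIP), tok.Sig) {
		return ErrBadSig // token tampered with, or IP altered after signing
	}
	if !tok.ClaimedIP.Equal(connIP) {
		return ErrIPMismatch // a genuinely signed token replayed from another host
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	k := string(tok.PubKey)
	if g.count[k] >= g.Quota {
		return ErrQuota
	}
	g.count[k]++
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	src := net.ParseIP("192.0.2.10") // constructed example address
	tok := MakeToken(priv, src)
	g := NewGate(2)
	for i := 0; i < 3; i++ {
		fmt.Printf("message %d from %s: %v\n", i+1, src, g.Admit(tok, src))
	}
	// The same token presented over a connection from a different host.
	fmt.Println("replay from 198.51.100.7:", g.Admit(tok, net.ParseIP("198.51.100.7")))
}
```

The order of the checks matters: the signature is verified before the IP is compared, so an attacker who rewrites the IP inside a captured token fails on the signature, while an attacker who replays an intact token from elsewhere fails on the IP comparison. Neither can be fixed by the spammer without the private key, but as noted above, a fresh key pair is all it takes to reset the counter.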
participants (2)
- Information Security
- sunder