PK & Re: Is spam really a problem?

Information Security guy at panix.com
Fri Feb 20 14:16:47 PST 1998



   >   From sunder at brainlink.com Thu Feb 19 15:43:54 1998
   >   
   >   Information Security wrote:
   >   
   >   >    >   From sunder at brainlink.com Wed Feb 18 15:58:46 1998
   >   >    >
   >   >    >   Anonymous wrote:
   >   >    >   >
   >   >    >   > I see discussion of spam here and everywhere on
   >   >    >   > the net. But who finds it a *real* problem, and
   >   >    >   > why?
   >   > 
   >   > Why are you asking the cypherpunks list?
   >   
   >   I didn't. Anonymous did.  

Seth Breidbart (Mr. BI>20 == SPAM) insists it is a valid style
of attribution to give it once at the top.

My question was obviously directed at "Anonymous".

So you don't get confused again, I'll keep repeating the attributions:


   >   From sunder at brainlink.com Thu Feb 19 15:43:54 1998
   >
   >   Information Security wrote:
   >
   >   >    >   From sunder at brainlink.com Wed Feb 18 15:58:46 1998
   >   >    >
   >   >    >   There are nice technical solutions to this.  If sendmail
   >   >    >   didn't transport things unauthenticated it could be done,
   >   >    >   but at a cost in CPU cycles on mail servers:
   >   >    >
   >   >    >   Have every sendmail server use a PK scheme to talk to
   >   >    >   every other server and authenticate the connection.
   >   >    >   Have every sendmail server accept mail only from those
   >   >    >   whose key is verified.
   >   > 
   >   > Nonsense.
   >   > 
   >   > We (NANA) already know where spam comes from,
   >   > and when we complain about it, they are terminated.
   >   
   >   Until someone else gets a throw away $10 account and uses it to 
   >   spam, right?  By the time you track'em down, they already gave up
   >   that account.  All ISP's do is to delete the spamming account, which
   >   the spammer doesn't care about anyway.  So you achive nothing.

Talk about achieving nothing: what does server-to-server authentication
have to do with overcoming spam from throw-away accounts?

Hey, at least ISPs are making money from terminating accounts. ;-)



   >   From sunder at brainlink.com Thu Feb 19 15:43:54 1998
   >
   >   Further one can generate fake headers and you would not know exactly
   >   where it comes from, though you could have some idea since it would
   >   be one of many sites it was relayed from.  One could send messages
   >   from an ISP that doesn't mind spammers who won't help you track down
   >   the bitch that just slimed your machine, etc.

Jeez, take a breath between thoughts, will ya?

It is standard practice to trust only the last "Received" line.

What of it?

Again: what does server-to-server authentication have to do with
known unhelpful ISPs?



   >   From sunder at brainlink.com Thu Feb 19 15:43:54 1998
   >
   >   Information Security wrote:
   >    
   >   > PK authentication would change nothing.
   >   > 
   >   > Show a single spam with a forged IP address.
   >   
   >   IP addresses won't be forged, but one could send
   >   a mail with extra Recieved-By: headers, etc.

And how would throw-away accounts be affected by your proposed
massive change in SMTP protocol?





   >   From sunder at brainlink.com Thu Feb 19 15:43:54 1998
   >
   >   Information Security wrote:
   >    
   >   > PK authentication would only lead us down the
   >   > road of everyone being tattooed with barcodes
   >   > of our own making - and incredibly dumb idea.
   >   > 
   >   > It would be like requiring a smart card for Internet access.
   >   
   >   Bullshit.  PK auth with a central repository would be Big Brotherish.
   >   Having each user gen their own PK pair is what I suggested.

But these keys must be registered somewhere: whether it's at a centralized
site or distributed, *requiring* everyone to have a digital signature for
Internet access is twisting this elegant crypto-related technology: to
number each and every one of us, and is exactly what will make CDA legal,
because as soon as it's in place attributes such as "age" will be attached.

Required identity repositories are a bad idea.



   >   Relaying is a big problem.

What, you want _me_ to solve the UCE problem?

Okay.

I think if Brad (EFF Director) Templeton's whitelist system were
made available at the firewall/enterprise level, then widely
deployed, spam would be dead.

It's a handy little bot-reply mechanism that asks unknown authors
to verify they aren't sending UCE, else face a monetary penalty.

Replying correctly automatically causes the original email to go through.

Thus achieving the legal right to sue the spammer without
the legislation CAUCE is pushing.

The most important part of this design is that it requires
no control-freak changes to the Internet.

Don't suggest solutions that *require* digital signatures of everyone.

Sheesh.


This might work too:

Throttle email going through the ISP's mailserver.

Maybe 5/minute limit, flagging attempts to go faster to the admins.

As for direct PPP connectivity, upgrade router software to throttle.
(Port SMTP traffic)

Certain people, at the ISP's choice, would have a higher limit,
for mailing lists and such.
---guy

   Think.







More information about the cypherpunks-legacy mailing list