[Asrg] Re: [Politech] Congress finally poised to vote on anti-spam bill [sp]

Bill Stewart bill.stewart at pobox.com
Tue Nov 25 11:12:06 PST 2003


At 06:02 AM 11/25/2003 -0800, Hallam-Baker, Phillip wrote:
> > Especially for domains, it's important to do some validation,
> > though in the absence of widely-deployed DNSSEC, it's hard to
> > do automatically.
>
>DNSSEC is not happening,  [...]
>We do not need DNSSEC, we just need a notice in the DNS.
>It would be a relatively easy task to walk the .com zone
>and dump out a list of all the zones which contain a
>'do not spam' TXT property record.

I suppose you could do that, though it's probably harder
to coordinate that for subdomains, whose owners are less likely
to be directly managing their DNS records.


> > There's a scalability problem that has to be solved,
> > which is how to prevent a DOS-by-signing-up-too-many-addresses attack.
>
>I do not expect that to be a problem, that would be a
>problem for the contractor. Limit the number of direct
>registrations from a particular IP address within a given
>time interval.

You'd probably want to do special cases for large domains
like AOL, etc., where the users have limited gateways to the internet.
You're still vulnerable to DDOS-type attacks by armies of zombies,
though of course they've got lots of other bad things they can do.

>It is likely to result in the cost of the system being
>considerably more than the cost of a couple of mid range
>servers and some software. This is not a new phenomenon.

Too true.  It's too bad, because you'd only need a couple
hundred million records for the US, and signing up is the
only part that's got real-time performance constraints.
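
A sketch of the per-IP registration limit discussed in this message, with a raised quota for shared gateways, added here as an illustration and not part of the original email. The quota values, the window length and the gateway range are constructed assumptions; the thread gives no numbers.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed policy values (assumptions, not from the thread).
DEFAULT_LIMIT = 5        # registrations per source IP per window
WINDOW_SECONDS = 3600
# Hypothetical shared-gateway range (RFC 5737 documentation addresses),
# standing in for a large provider's proxy pool.
GATEWAY_LIMITS = {ipaddress.ip_network("198.51.100.0/24"): 500}


class RegistrationLimiter:
    """Sliding-window limit on sign-ups per source IP address."""

    def __init__(self, default_limit=DEFAULT_LIMIT, window=WINDOW_SECONDS,
                 gateway_limits=GATEWAY_LIMITS):
        self.default_limit = default_limit
        self.window = window
        self.gateway_limits = dict(gateway_limits)
        self.events = defaultdict(deque)  # IP -> timestamps of accepted sign-ups

    def limit_for(self, ip):
        """Return the quota for an address: raised for known gateways."""
        addr = ipaddress.ip_address(ip)
        for net, limit in self.gateway_limits.items():
            if addr in net:
                return limit
        return self.default_limit

    def allow(self, ip, now):
        """Accept and record a registration, or reject it if over quota."""
        q = self.events[str(ipaddress.ip_address(ip))]
        while q and q[0] <= now - self.window:  # expire old entries
            q.popleft()
        if len(q) >= self.limit_for(ip):
            return False
        q.append(now)
        return True


def simulate(limiter, ips, start=0.0, step=1.0):
    """Feed one registration per listed IP in order; return how many pass."""
    return sum(limiter.allow(ip, start + i * step) for i, ip in enumerate(ips))
```

Sign-ups spread across many distinct addresses each stay under their own quota, which is the limitation the reply raises about per-IP limits.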





More information about the cypherpunks-legacy mailing list