Spam Spotlight on Reputation
Bill Stewart
bill.stewart at pobox.com
Wed Sep 8 00:40:31 PDT 2004
At 03:15 PM 9/6/2004, Hadmut Danisch wrote:
>On Mon, Sep 06, 2004 at 11:52:03AM -0600, R. A. Hettinga wrote:
> >
> > E-mail security company MX Logic Inc. will report this week that 10 percent
> > of all spam includes such SPF records,
>
>I have mentioned this problem more than a year ago in context of
>my RMX draft (SPF, CallerID and SenderID are based on RMX).
>Interestingly, nobody really cared about this major security problem.
>All RMX-derivatives block forged messages (more or less). But what
>happens if the attacker doesn't forge? That's a hard problem. And a
>problem known from the very beginning of the sender verification discussion.
It's not a hard problem, just a different problem.
Whitelisting your friends and aggressively filtering strangers
is an obvious technique for reducing false positives
without increasing false negatives,
but it fails if spammers can forge identities of your friends.
RMX-derivatives help this problem, and they help the joe-job problem.
If a spammer wants to claim that they're the genuine spammers-are-us.biz,
well, let them.
I find it more annoying that there are spammers putting PGP headers
in their messages, knowing that most people who use PGP assume PGP-signed mail
is from somebody genuine and whitelist it.
----
Bill Stewart bill.stewart at pobox.com
More information about the cypherpunks-legacy
mailing list