1998-02-24 - Re: PK & Re: Is spam really a problem?

Header Data

From: sunder <sunder@brainlink.com>
To: Information Security <guy@panix.com>
Message Hash: 3296d195be9964ea5a0a5e0132d2a7510857f1b1fb4a323162a184f291c518f7
Message ID: <34F21824.8FFA08B3@brainlink.com>
Reply To: <199802200602.BAA18990@panix2.panix.com>
UTC Datetime: 1998-02-24 00:49:12 UTC
Raw Date: Mon, 23 Feb 1998 16:49:12 -0800 (PST)

Raw message

From: sunder <sunder@brainlink.com>
Date: Mon, 23 Feb 1998 16:49:12 -0800 (PST)
To: Information Security <guy@panix.com>
Subject: Re: PK & Re: Is spam really a problem?
In-Reply-To: <199802200602.BAA18990@panix2.panix.com>
Message-ID: <34F21824.8FFA08B3@brainlink.com>
MIME-Version: 1.0
Content-Type: text/plain


Information Security wrote:

>    >
>    >   Until someone else gets a throw away $10 account and uses it to
>    >   spam, right?  By the time you track'em down, they already gave up
>    >   that account.  All ISP's do is to delete the spamming account, which
>    >   the spammer doesn't care about anyway.  So you achive nothing.
> 
> Talk about achieving nothing: what does server-to-server authentication
> have to do with overcoming spam from throw-away accounts?

Gives you a way of tracing the spammer and avoiding forged headers.
 
> Hey, at least ISPs are making money from terminating accounts. ;-)

Hey, ISP's do suffer damage from spammers.   If they let too many spammers on,
they'll get black listed and none of their users will be able to send mail to
some sites that chose to drop all mail from spam supporting ISP's.  This way
it's an incentive for them to drop spammers.

> And how would throw-away accounts be affected by your proposed
> massive change in SMTP protocol?

There being a contract between the ISP and the throw away account requiring
the payment of damages caused, it would provide teeth to prevent spamming.  If
spamming occurs, the spammer gets to pay for their advertising.  Right now,
spamming is relatively free for the advertiser.
 
> But these keys must be registered somewhere: whether it's at a centralized
> site or distributed, *requiring* everyone to have a digital signature for
> Internet access is twisting this elegant crypto-related technology: to
> number each and every one of us, and is exactly what will make CDA legal,
> because as soon as it's in place attributes such as "age" will be attached.

No, there is no need for a central server.  It's more than enough to require
the user to gen keys of a certain minimal length.  This takes CPU time to do
and enough so to prevent spamming.  If they use the same keys, the servers
will recognize and count the total, thus limiting them to a fixed number of
posts.
 
> Required identity repositories are a bad idea.

None are needed.  Just valid public keys linked to the IP of the incoming
messages.
i.e. a public key along with the ip the shit comes from signed with the private
key
is enough.  If the ip doesn't match the connection IP, the connection gets
dropped.
The fact that there's a public key means that the receiver server can track ip
to 
keys.  Maybe throwing a secured form of identd might help as well.
 
> What, you want _me_ to solve the UCE problem?
> 
> Okay.

Erm, if you chose to, have fun doing it.  These are suggestions for a 
cryptographic solution as opposed to a congressional fuck you up the ass
and kill your rights solution.

> I think if Brad (EFF Director) Templeton's whitelist system were
> made available at the firewall/enterprise level, then widely
> deployed, spam would be dead.

Sounds good to me, except that it's a huge pain for the senders to send
any messaage to anyone.
 
> It's a handy little bot-reply mechanism that asks unknown authors
> to verify they aren't sending UCE, else face a monetary penalty.
 
> The most important part of this design is that it requires
> no control-freak changes to the Internet.

As does my scheme.

> Don't suggest solutions that *require* digital signatures of everyone.

Pushing crypto over legislation is worthwhile in any case, and pushes
towards anonymous reputation capital systems.

> This might work too:
> 
> Throttle email going through the ISP's mailserver.
> 
> Maybe 5/minute limit, flagging attempts to go faster to the admins.

With a count of users.  If Dick Spammer is spamming someone he doesn't
much give a shit about 5 minute delays.  It only prevents massive massive
spams.  As long as the sysadmins don't notice you can send a fuckload of
mail even with 5min delays.
 
> As for direct PPP connectivity, upgrade router software to throttle.
> (Port SMTP traffic)

Yep.

> Certain people, at the ISP's choice, would have a higher limit,
> for mailing lists and such.
> ---guy

Yep.
 
>    Think.

Erm, Think Different.  (I always did prefer Apple over IBM.)

-- 

=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|sunder@sundernet.com|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================





Thread