Re: How do you stop outgoing spam?

[Valdis.Kletnieks () vt edu]

On Tue, 10 Sep 2002 19:18:59 +0200, Iljitsch van Beijnum said:

> Or we throw out SMTP and adopt a mail protocol that requires the sender to
> provide some credentials that can't be faked. Then known spammers are easy
> to blacklist.

It's nice to say "we make it easy to blacklist spammers".  The problem is
that those systems that *HAVE* made it easy to blacklist spammers are *ALWAYS*
taking heat for making it easy - remember how ORBS was held in little high
regard?  And even the MAPS people have had their share of legal hassles.

We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and
so on.  The problem is that we don't know how to do a PKI that will
scale (note that the current SSL certificate scheme isn't sufficient, as
it usually does a really poor job of handling CRLs - and the *lack* of
ability to distribute a CRL (which is essentially a blacklist) is the crux
of the problem.  There's also the problem of distributing valid credentials
to half a billion people - while still preventing spammers from getting
any.  The DMV hasn't learned how to keep *teenagers* from getting fake ID's,
why should we expect to do any better in keeping a motivated criminal from
getting a fake credential?

It's not as easy as it looks. As Bruce Schneier talked about in "Secrets and
Lies", where he does a hypothetical threat analysis regarding getting dinner
in a restaurant without paying, most of the attacks actually have nothing to
do with the part of the transaction where money changes hands...

-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Attachment: _bin
Description: