[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] How to defeat spam that uses encryption?

To: Jason Hihn <jhihn@paytimepayroll.com>
Subject: Re: [Asrg] How to defeat spam that uses encryption?
From: J C Lawrence <claw@kanga.nu>
Date: Tue, 01 Apr 2003 14:22:58 -0800
Cc: asrg@ietf.org
In-reply-to: Message from Jason Hihn <jhihn@paytimepayroll.com> of "Tue, 01 Apr 2003 16:47:06 EST." <NGBBLHANMLKMHPDGJGAPOEDKCGAA.jhihn@paytimepayroll.com>
List-archive: <https://www1.ietf.org/pipermail/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <NGBBLHANMLKMHPDGJGAPOEDKCGAA.jhihn@paytimepayroll.com>
Sender: asrg-admin@ietf.org

On Tue, 01 Apr 2003 16:47:06 -0500 
Jason Hihn <jhihn@paytimepayroll.com> wrote:

>> Boffo's MUA auto-replies with a token (which is really a dated source
>> address).

> Thus verifying the existence of the receiver...

...

> Boffo can sell the address to spammers, who will get a first
> provisional token, have it revoked and then change their identity and
> get a new one.  Boffo can do that too.

Yes-ish, tho I suspect that verification of the validity/existence of an
address is not worth much any more.  The requirement for operating the
domain and MX for the duration of the process may be difficult.

More interestingly (for me) what it doesn't address are slow rolling or
distributed campaigns.  Consider:

  Spammer registers and operates a few thousand domains (which is really
  not that expensive).

  Sub domains of those engage in a slow rolling process of generating a
  consent request and sending individual spams at a rate of a hundred
  per day per machine (messages are individualised to for hash
  stomping).

  As a pack they can deliver many millions of spam a day, but avoid any
  appearance of concentration at recipients by hash distribution across
  the cluster.

>> List servers and legit marketing groups the like can auto-establish
>> the token arrangement at subscribe time, and auto-renew as tokens
>> expire.

> Looks like you've just reimplemented DHCP but for mail? (Leases
> essentially)

Yup, that too.

> I see one possible future is analogous to TCP between consenting
> parties, and UDP between non-consensual ones. Consenting parties tent
> not to mind to know each other (usually) and with non-consensual ones
> the receiver should not have to be known to exist. Your scheme
> requires that.

Ahh, use pseudo-UDP for initial contact and pseudo-TCP for exchanges
among friends, with promotion or degradation across barrier being
controlled by that end of the pipe...  Cute.  That rather requires
building in double-blind anonymous operation at the core...

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw@kanga.nu               He lived as a devil, eh?		  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- RE: [Asrg] How to defeat spam that uses encryption?
  - From: Jason Hihn

References:
- RE: [Asrg] How to defeat spam that uses encryption?
  - From: Jason Hihn

Prev by Date: Re: [Asrg] spamstones
Next by Date: Re: [Asrg] spamstones
Previous by thread: RE: [Asrg] How to defeat spam that uses encryption?
Next by thread: RE: [Asrg] How to defeat spam that uses encryption?
Index(es):
- Date
- Thread