Re: [Asrg] About that e-postage draft [POSTAGE]
> A receiving MTA asking its "bank" to redeem a token is a
> transaction whether or not the token is forged, and the "bank" needs
> to recover that transaction cost. I suspect sending MTAs that
> deliver bad tokens will get blacklisted quickly; but I can imagine
> ways to reduce the need for a "transaction" with the bank to verify
> that a token is plausible.
My standard spam model is that the bad guy buys one stamp and uses
that one genuine stamp on a thousand messages (transactions, whatever)
at the same time. It's really easy to verify that a stamp is real
using digital signatures, but there's no way to tell if it's already
been used other than asking the issuer.
It is possible to defend against this threat, but not cheaply, since
the defense requires a robust transaction system that can serialize
the thousand requests, approve one, and reject the other 999, while
still providing service to the rest of their customers. Through the
magic of botnets, the thousand messages come from a thousand different
MTAs, of course.
> (Need I remind our readers that receiving email _already_ provides
> no revenue?)
Indeed, but banks don't work for free. (Well, not deliberately.) You
want someone to provide stamps, you've got to make it worth his while.
> I can imagine many models. ...
Indeed. Now beef some of them up with some realistic estimates of
transaction costs, and the costs of dealing with screwed up and
fraudulent transactions.
R's,
John
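
The gap described in the message above, as an added example that is not part of the original post: every copy of one genuine stamp passes the receiver's offline signature check, and only an issuer that serializes redemptions can approve one and reject the rest. The `Issuer` class, the serial format, and the toy textbook-RSA key (two Mersenne primes, standing in for a real signature scheme and not secure) are assumptions made for illustration.

```python
import hashlib
import threading
from concurrent.futures import ThreadPoolExecutor

# Toy textbook-RSA key (assumption, NOT secure): stands in for the issuer's
# real signing key so the example runs with the standard library only.
P, Q, E = 2**89 - 1, 2**127 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def _digest(serial: str) -> int:
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N


def issue_stamp(serial: str):
    """Issuer side: sign a fresh serial number."""
    return serial, pow(_digest(serial), D, N)


def verify_offline(stamp) -> bool:
    """Receiving MTA: public-key check only, no contact with the issuer."""
    serial, sig = stamp
    return pow(sig, E, N) == _digest(serial)


class Issuer:
    """Hypothetical redemption service that records spent serials."""

    def __init__(self):
        self._spent = set()
        self._lock = threading.Lock()

    def redeem(self, stamp) -> bool:
        if not verify_offline(stamp):
            return False
        with self._lock:  # check-and-mark must be one atomic step
            if stamp[0] in self._spent:
                return False
            self._spent.add(stamp[0])
            return True


def simulate(copies: int = 1000):
    """One genuine stamp presented `copies` times by concurrent receivers."""
    stamp = issue_stamp("stamp-0001")  # constructed sample serial
    offline_ok = sum(verify_offline(stamp) for _ in range(copies))
    issuer = Issuer()
    with ThreadPoolExecutor(max_workers=32) as pool:
        results = list(pool.map(issuer.redeem, [stamp] * copies))
    return offline_ok, results.count(True), results.count(False)


if __name__ == "__main__":
    print(simulate())
```

The lock is the in-process analogue of the serialization cost the message points to: the signature check scales out to every receiver, while the spent-set lookup is a single shared point that all thousand requests must pass through.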