[ILUG] spam: requiring signed email

Justin Mason jm at jmason.org
Mon Feb 9 19:16:50 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Paul Jakma writes:
>Just curious... could spam be killed by requiring an encrypted
>attachment to every email? Basically:
>
>- introduce a mime section/content-thingy to allow for the
>(sender,recipient) tuple to be attached to an email, encrypted. Ie to
>allow for a mime section to allow a client to verify the sender has
>put some effort into sending this email to the client's user.

Computational proof-of-work scheme.  See hashcash.   It does *exactly*
this but a little bit more nicely, I'm afraid. ;)   It's supported in
SpamAssassin 2.70 dev version.

Problems:

- - recipient has to tell their spamfilter what addresses they expect to
  receive mail on.
  
  For me, that's "anything at jmason.org, anything at taint.org, jmason at
  cpan.org, jm at apache.org".  If you include mailing lists, then that
  includes "these mailing lists: camram-spam, SpamAssassin-users,
  SpamAssassin-dev, SpamAssassin-cvs, ilug, social at linux.ie, etc. etc.
  etc. etc." repeat for several hundred addrs I think ;)  
  
  We're thinking of ways around this, probably by using data from
  sa-learn.

  Otherwise spammers can "mint" one token for the sender/recipient pair,
  where recipient is "everyone at world.com", and unless the recipient
  checks that they do expect to receive mail at world.com, it'll get 
  through.

  You could avoid this by using a globally shared double-spend db.  But
  that means network traffic to a single point of failure, and a race
  condition for when a mail is sent to a mailing list and cc'd to a
  recipient directly.  It's not workable.

- - Second: there's a good chance spammers now control enough CPU power
  around the world in r00ted win32 boxes -- probably more than most of the
  supercomputers in the field --  to generate sufficient hashstamps to do
  exactly what they're doing anyway.  This is a *big* issue ;)

Also, Gareth Eason says:

> And 99% (totally guessed statistic) of spam like that would be equally
> easily removed by only allowing incoming mail from people in your
> addressbook - a setting many MUAs already have.

The reason this doesn't work is because there's no authentication in
email.  It's trivial for a spammer to guess that "jm at jmason.org" is in
"jm at jmason.org"'s address book, for example, and forge mail from that
address when sending to that addr.

We had this rule in SpamAssassin's autowhitelist but added IP-based
authentication for this reason, because spammers figured this out and
started using "from-and-to-identical" spamming.

This is also why sender-verification-over-SMTP is a bad idea; it also
encourages that.   In fact any system that verifies sender address,
instead of verifying some fact about the email itself, does this.

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAJ9yiQTcbUG5Y7woRAl0AAJ0WoJOfveHKQSKLLn4+LUFrL8cX0QCgtU3f
Uvxi5S55dOkhI5nYhGz5RtE=
=LvWb
-----END PGP SIGNATURE-----