[ILUG] spam: requiring signed email
jm at jmason.org
Mon Feb 9 19:16:50 GMT 2004
Paul Jakma writes:
>Just curious... could spam be killed by requiring an encrypted
>attachment to every email? Basically:
>- introduce a mime section/content-thingy to allow for the
>(sender,recipient) tuple to be attached to an email, encrypted. Ie to
>allow for a mime section to allow a client to verify the sender has
>put some effort into sending this email to the client's user.
Computational proof-of-work scheme. See hashcash. It does *exactly*
this but a little bit more nicely, I'm afraid. ;) It's supported in
SpamAssassin 2.70 dev version.
- recipient has to tell their spamfilter what addresses they expect to
receive mail on.
For me, that's "anything at jmason.org, anything at taint.org, jmason at
cpan.org, jm at apache.org". If you include mailing lists, then that
includes "these mailing lists: camram-spam, SpamAssassin-users,
SpamAssassin-dev, SpamAssassin-cvs, ilug, social at linux.ie, etc. etc.
etc. etc." repeat for several hundred addrs I think ;)
We're thinking of ways around this, probably by using data from
Otherwise spammers can "mint" one token for the sender/recipient pair,
where recipient is "everyone at world.com", and unless the recipient
checks that they do expect to receive mail at world.com, it'll get
You could avoid this by using a globally shared double-spend db. But
that means network traffic to a single point of failure, and a race
condition for when a mail is sent to a mailing list and cc'd to a
recipient directly. It's not workable.
- Second: there's a good chance spammers now control enough CPU power
around the world in r00ted win32 boxes -- probably more than most of the
supercomputers in the field -- to generate sufficient hashstamps to do
exactly what they're doing anyway. This is a *big* issue ;)
Also, Gareth Eason says:
> And 99% (totally guessed statistic) of spam like that would be equally
> easily removed by only allowing incoming mail from people in your
> addressbook - a setting many MUAs already have.
The reason this doesn't work is because there's no authentication in
email. It's trivial for a spammer to guess that "jm at jmason.org" is in
"jm at jmason.org"'s address book, for example, and forge mail from that
address when sending to that addr.
We had this rule in SpamAssassin's autowhitelist but added IP-based
authentication for this reason, because spammers figured this out and
started using "from-and-to-identical" spamming.
This is also why sender-verification-over-SMTP is a bad idea; it also
encourages that. In fact any system that verifies sender address,
instead of verifying some fact about the email itself, does this.
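A recipient-side stamp check covering the two points the message raises (the expected-recipient list and a local double-spend set), as an added example that is not part of the original post and is not SpamAssassin's code. It assumes the hashcash version 1 stamp layout `1:bits:date:resource:ext:rand:counter` hashed with SHA-1; the addresses and the `StampChecker`, `mint` and `zero_bits` names are constructed for illustration.

```python
import hashlib
from itertools import count

def zero_bits(stamp: str) -> int:
    """Number of leading zero bits in SHA-1(stamp)."""
    digest = hashlib.sha1(stamp.encode()).digest()
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource: str, bits: int, date: str = "040209") -> str:
    """Construct a sample stamp to feed the checker (keep bits small)."""
    for counter in count():
        stamp = f"1:{bits}:{date}:{resource}::constructed:{counter:x}"
        if zero_bits(stamp) >= bits:
            return stamp

class StampChecker:
    """Hypothetical checker; stamp date expiry is not checked here."""

    def __init__(self, expected_addrs, min_bits=20):
        self.expected = {a.lower() for a in expected_addrs}
        self.min_bits = min_bits
        self.spent = set()  # local double-spend db, not a shared global one

    def check(self, stamp: str) -> str:
        fields = stamp.split(":")
        bits_ok = len(fields) == 7 and fields[1].isascii() and fields[1].isdigit()
        if not bits_ok or fields[0] != "1":
            return "malformed"
        claimed, resource = int(fields[1]), fields[3].lower()
        # A stamp minted for an address we never receive mail on proves nothing.
        if resource not in self.expected:
            return "unexpected-recipient"
        if claimed < self.min_bits:
            return "too-cheap"
        if zero_bits(stamp) < claimed:
            return "invalid-work"
        if stamp in self.spent:
            return "double-spend"
        self.spent.add(stamp)
        return "ok"

if __name__ == "__main__":
    # Constructed addresses; 12 bits keeps the sample minting fast.
    checker = StampChecker(["jm@example.org", "ilug@lists.example.org"], 12)
    for s in (mint("jm@example.org", 12), mint("everyone@world.example", 12)):
        print(checker.check(s), s)
```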