in reply to Re: Re: Re: Re: (OT) Fighting spam
in thread (OT) Fighting spam

How about putting an extra header in the mail headers. Let's call it "X-check". It would contain some sort of cryptographic hash, and the 50000 people whom Jane mass mails will check to see if it matches Jane's id in their database. If it doesn't, Jane gets emailed for a confirmation. If she forged the return address, she will never generate a confirmation, and the 50000 recipients will dump her mails to /dev/null; and Joe will never receive a thing.

Look, I don't want to argue the fine points of this. Maillists seem to be able to function with this sort of checking without spammers getting in. So I would say that the mail headers are the key to this. If the "return-path" doesn't match the "sender", or if something is amiss in the "X-check" header, then drop the message.

The whole thing could probably be done with the current pgp keyservers. Just put, in the X-check header, something that Joe can check with public keys.

You will never be able to stop mail bombs, or DoS attacks.

My original point was this type of software is starting to pop up. Some are as crude as to put an encrypted string in the subject line, which both the sender and receiver can decode. Joe can just drop anything without the encrypted string in the subject line; and he can also decrypt the line, and see if he gets the email address of the "alleged sender". He can drop anything he wants.

If you don't like the idea, that's fine. But I would rather be in control of it as a user, rather than have some ISP's filter deciding things.

As far as LARTing Joe for 50,000 responses, what do you do about "innocent Joe" receiving a 50000-count mail bomb of the claimed sender?

Re: Re: Re: Re: Re: Re: (OT) Fighting spam
by Paul Smith (Initiate) on Nov 17, 2003 at 21:50 UTC
    Look, I don't want to argue the fine points of this. Maillists seem to be able to function with this sort of checking without spammers getting in. So I would say that the mail headers are the key to this.

    Actually, mailing lists only do crude checking, and are open to abuse. Normally they work surprisingly well, but it's really more by luck than management. Normal spammers don't go to the effort of faking a sender's address, but they could do if they wanted to. However, a malicious user could fake an email address and send a message that pretends to be from one person, when it's really from another. I've been on several lists where this has happened.

    In fact, someone who knows a lot about email can usually get a good idea whether the sender is legitimate, but it can be a bit time consuming (doing WHOIS lookups on IP registries etc.) to protect the reputation of the wronged list user, and it's not something that mailing list software generally does automatically (it's quite hard to do reliably).

Re^6: (OT) Fighting spam
by MidLifeXis (Monsignor) on Nov 17, 2003 at 22:12 UTC
    The whole thing could probably be done with the current pgp keyservers. Just put, in the X-check header, something that Joe can check with public keys.

    If everyone used PGP, I would be able to drop the message after DATA if the PGP signature did not match, and we would not be having this exchange.

    As far as LARTing Joe for 50,000 responses, what do you do about "innocent Joe" receiving a 50000-count mail bomb of the claimed sender?

    I didn't say Joe receiving 50K messages, but rather generating the 50K CR messages. What the user receives is not necessarily within his control; what the user generates is.

    By generating CR messages with some false positives, you are still doing cost shifting (someone else is paying your costs) to process your mail, which is exactly why spamming is looked upon the way it is.

    Anyway, I have made my point, and this is the last I plan on responding to this. There are other forums where this has been discussed, and discussed, and discussed (see SPAM-L, for example). PM is probably, no, definitely not the place.
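The following is an added example, not code from anyone in this thread, showing the recipient-side check the original post proposes (Return-Path must agree with the sender, and an "X-Check" header must verify against something only the real sender could have produced) together with the point MidLifeXis makes about dropping before accepting the message versus generating a challenge. It assumes an HMAC over a shared per-sender secret in place of a PGP signature looked up on a keyserver, constructed secrets and example.org/example.com addresses, and hypothetical function names (x_check_value, build_mail, classify).

```python
import hashlib
import hmac
from email import message_from_string
from email import policy
from email.utils import parseaddr

# Constructed per-sender secrets standing in for the keyserver lookup the post
# proposes. With real PGP the recipient would fetch Jane's public key and verify
# a signature instead of recomputing an HMAC; the decision logic is the same.
SENDER_SECRETS = {
    "jane@example.org": b"constructed-secret-known-only-to-jane-and-her-list",
}


def x_check_value(sender_addr, message_id, secret):
    """X-Check = HMAC-SHA256 over sender address and Message-ID.

    Binding the Message-ID means a captured X-Check header cannot simply be
    pasted onto a different message sent in Jane's name.
    """
    data = f"{sender_addr.lower()}\n{message_id}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def build_mail(sender_addr, message_id, body, secret=None, forged_return_path=None):
    """Constructed sample message: Jane's own mail, or something forged in her name."""
    return_path = forged_return_path or sender_addr
    lines = [
        f"Return-Path: <{return_path}>",
        f"From: {sender_addr}",
        f"Message-ID: <{message_id}>",
        "Subject: list post",
    ]
    if secret is not None:
        lines.append(f"X-Check: {x_check_value(sender_addr, message_id, secret)}")
    return "\n".join(lines) + "\n\n" + body + "\n"


def classify(raw):
    """Return 'accept', 'drop' or 'challenge' for one inbound message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("Sender") or msg.get("From") or ""))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path") or ""))[1].lower()
    message_id = str(msg.get("Message-ID") or "").strip().strip("<>")

    # Rule from the post: if Return-Path does not match the sender, drop it.
    if not sender or sender != return_path:
        return "drop"

    secret = SENDER_SECRETS.get(sender)
    # Unknown sender: this is the confirmation (CR) path. Every "challenge" here
    # is a message the recipient generates, which is the cost-shifting the
    # replies object to, so it should be the rare branch, not the common one.
    if secret is None:
        return "challenge"

    presented = msg.get("X-Check")
    if presented is None:
        return "drop"
    expected = x_check_value(sender, message_id, secret)
    # Constant-time comparison so the check does not leak the expected digest.
    return "accept" if hmac.compare_digest(str(presented).strip(), expected) else "drop"


if __name__ == "__main__":
    jane = SENDER_SECRETS["jane@example.org"]
    print(classify(build_mail("jane@example.org", "1@example.org", "hello", secret=jane)))
    print(classify(build_mail("jane@example.org", "2@example.org", "spam",
                              forged_return_path="bulk@example.net")))
    print(classify(build_mail("joe@example.com", "3@example.com", "hi")))
```

The drop branches cost the recipient nothing beyond the check itself, which is what allows rejecting at DATA time; only the unknown-sender branch sends anything back, so a forged Jane with a mismatched Return-Path or a missing X-Check never triggers a confirmation mail to the real Jane.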