At 17:38 30/12/2003, Perry wrote:

In my opinion, the various hashcash-to-stop-spam style schemes are not
very useful, because spammers now routinely use automation to break
into vast numbers of home computers and use them to send their
spam. They're not paying for CPU time or other resources, so they

True. But, as Ben noted, the user of the machine could and should care about the resource. Now one may claim that many users don't pay attention to viruses stealing huge amounts of their CPU time. So I agree that the `waste CPU time to pay for sending mail` may have limited effect to stop spam. I also rather dislike the notion of wasting resources to send every e-mail. But where I quite disagree with you is when you say...
1. "We need public key authentication of all mail". Well, I'll point
out that large integers are cheap and plentiful. "Authenticated"
spam is pretty much as bad as non-"Authenticated" spam. If we use

IMHO, your conclusion is wrong: cryptographic authentication could be a critical tool to stop spam; someone in our community should do this (write the software) already... How? E-mail (at least from new correspondents) must be signed by an `anti-spam mail certification authority (ASMCA)` - often the ISP of the sender. Recipient's mail client (or server) will reject mail (from new correspondents) not certified by a trustworthy ASMCA. If the mail was not rejected but later identified (by end user) as spam, the recipient client/ISP will not only know not to trust the sender's ASMCA, they will also have `proof` that this ASMCA approved (signed) this spam, so they can inform other ASMCA's and mail client/servers.

- ASMCA's have strong incentive not to approve spam. They'll use appropriate measures, mainly: filtering tools and punishing spammers (blocking accounts, charging fines, etc.)
- End users whose machines were broken into will be notified by their ASMCA (usually ISP), when it detects the spamming by filtering tools or by complaints, and will (1) know there's a problem and take measures to get rid of the spamming trojan horse and (2) maybe be a bit more careful about the machine in the future.

Desired side effects:
- users will also enjoy e-mail authentication (and confidentiality could be added trivially) - which in particular will make it a bit more difficult for e-mail viruses to propagate.

What's the bug in this simple solution? If anybody wants to implement I'm willing to assist in developing/validating the protocols.

Best regards,

Amir Herzberg
Computer Science Department, Bar Ilan University
Homepage (and lectures in applied cryptography, secure communication and commerce):

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to