> In my opinion, the various hashcash-to-stop-spam style schemes are not very useful, because spammers now routinely use automation to break into vast numbers of home computers and use them to send their spam. They're not paying for CPU time or other resources, so they
True. But, as Ben noted, the user of the machine could and should care about the resource. Now one may claim that many users don't pay attention to viruses stealing huge amounts of their CPU time. So I agree that the `waste CPU time to pay for sending mail` may have limited effect to stop spam. I also rather dislike the notion of wasting resources to send every e-mail. But where I quite disagree with you is when you say...
> 1. "We need public key authentication of all mail". Well, I'll point out that large integers are cheap and plentiful. "Authenticated" spam is pretty much as bad as non-"Authenticated" spam. If we use
IMHO, your conclusion is wrong: cryptographic authentication could be a critical tool to stop spam; someone in our community should do this (write the software) already... How? E-mail (at least from new correspondents) must be signed by an `anti-spam mail certification authority (ASMCA)` - often the ISP of the sender. The recipient's mail client (or server) will reject mail (from new correspondents) not certified by a trustworthy ASMCA. If the mail was not rejected but later identified (by the end user) as spam, the recipient client/ISP will not only know not to trust the sender's ASMCA, they will also have `proof` that this ASMCA approved (signed) this spam, so they can inform other ASMCAs and mail clients/servers.
- ASMCAs have a strong incentive not to approve spam. They'll use appropriate measures, mainly: filtering tools and punishing spammers (blocking accounts, charging fines, etc.)
- End users whose machines were broken into will be notified by their ASMCA (usually ISP), when it detects the spamming by filtering tools or by complaints, and will (1) know there's a problem and take measures to get rid of the spamming trojan horse and (2) maybe be a bit more careful about the machine in the future.
Desired side effects:
- users will also enjoy e-mail authentication (and confidentiality could be added trivially) - which in particular will make it a bit more difficult for e-mail viruses to propagate.
What's the bug in this simple solution? If anybody wants to implement it, I'm willing to assist in developing/validating the protocols.
Computer Science Department, Bar Ilan University
Homepage (and lectures in applied cryptography, secure communication and commerce): http://www.cs.biu.ac.il/~herzbea
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
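
The ASMCA flow described in the message above, as an added sketch that is not part of the original post: a recipient rejects uncertified mail from new correspondents, and a spam report yields a signed message that any third party can check. The ASMCA name `isp.example`, the mail dictionary layout and the toy unpadded RSA key (standing in for a real signature scheme) are assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA key for one hypothetical ASMCA. The Mersenne primes and the
# unpadded signature are for illustration only and give no real security.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the ASMCA
ASMCA_PUB = (N, E)

def digest(sender, body):
    data = sender.encode() + b"\0" + body.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def asmca_certify(sender, body):
    """ASMCA side: sign (sender, body) once its own filtering has passed."""
    return {"from": sender, "body": body, "asmca": "isp.example",
            "sig": pow(digest(sender, body), D, N)}

def verify(pub, mail):
    n, e = pub
    return pow(mail.get("sig", 0), e, n) == digest(mail["from"], mail["body"])

class Recipient:
    def __init__(self, trusted):
        self.trusted = dict(trusted)   # ASMCA name -> public key
        self.known = set()             # existing correspondents skip the check

    def accept(self, mail):
        if mail["from"] in self.known:
            return True
        pub = self.trusted.get(mail.get("asmca"))
        return pub is not None and verify(pub, mail)

    def report_spam(self, mail):
        """Stop trusting the certifying ASMCA; the signed mail is the proof."""
        self.trusted.pop(mail["asmca"], None)
        return dict(mail)

def third_party_confirms(evidence, pub=ASMCA_PUB):
    """Another ASMCA or mail server checks the proof with its own key copy."""
    return verify(pub, evidence)

if __name__ == "__main__":
    bob = Recipient({"isp.example": ASMCA_PUB})
    spam = asmca_certify("mallory@isp.example", "constructed sample spam")
    print(bob.accept(spam), third_party_confirms(bob.report_spam(spam)), bob.accept(spam))
```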