"Anton Stiglic" <[EMAIL PROTECTED]> writes: >I think cryptography techniques can provide a partial solution to spam.
No they won't. All the ones I've seen are some variant on the "build a big wall around the Internet and only let the good guys in", which will never work because the Internet doesn't contain any definable inside and outside, only 800 million Manchurian candidates waiting to activate. For example MessageLabs recently reported that *two thirds* of all the spam it blocks is from infected PCs, with much of it coming from ADSL/cable modem IP pools. Given that these "spammers" are legitimate users, no amount of crypto will solve the problem. I did a talk on this recently where I claimed that various protocols designed to enforce this (Designated Mailers Protocol, Reverse Mail Exchanger, Sender Permitted From, etc etc) will buy at most 6-12 months, and the only dissent was from an anti-virus researcher who said it'd buy weeks and not months. The alternative proof-of-resource-consumption is little better, since it's not the spammers' resources that are being consumed.

There is one technological solution which would help things a bit, which is Microsoft implementing virus throttling in the Windows TCP stack. Like a firebreak, you can never prevent fires, but you can at least limit the damage when they do occur. Unfortunately I don't see this happening too soon, both because MS aren't exactly at the forefront of implementing security features (it took them how many years to add the most basic popup-blocking?), and because of liability issues - adding virus throttling would be an admission that Windows is a petri dish.

The problem we're facing is social, not technological, so no, there's no technological fix. The problem is that neither users nor vendors have any natural incentive to fix things. In the long run, only legislation will help: penalise vendors for selling spam-enabling software (MS Outlook, via viruses/worms), and penalise users for running software in a spam-enabling manner (open relays). This is equivalent to standard corporate-governance legislation that sets auditing/environmental/due diligence/etc requirements. Unfortunately this is unlikely to pass in the US (where it matters most) due to software industry lobbying; it'd require an Enron-style debacle to pass over there, perhaps a virus-induced reactor meltdown or something similar.

(Much of the above was lifted from "Why isn't the Internet secure yet, dammit?", http://www.cs.auckland.ac.nz/~pgut001/pubs/dammit.pdf, with the section on spam starting at page 5. Apologies for the PDF link, but there are some diagrams in there that don't translate well to text).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]