On Thu, Jun 30, 2005, Uri Even-Chen wrote about "Re: A new venture - preventing spam":
> Thanks for the compliments. I have been studying the subject of spam
> during the past few years, and I'm aware of other solutions. Spam
> filtering is a common solution, and we all use them, but it's not
> perfect. It has problems of false positives and false negatives. I
> also checked other solutions and they are not perfect either. No
> solution is perfect.

Indeed. Like I said, even a less-than-perfect solution is enough to turn
the spam "major problem" into the spam "minor annoyance". Of course, the
more perfect the solution, the better :-)

> SPF, as well as DomainKeys, are concerned on signing domain names. They
> have many flaws, but the main one (I think) is that they do nothing to
> prevent spam. A spammer, using his own (newly registered) domain name,
> can send millions of legitimate messages through them. My idea is to

Indeed. SPF is less about reducing spam per se, and more about reducing
"From:" address spoofing.

The most serious kind of false-negative in ordinary spam filters is
phishing-type scams. If just one of those goes through to your inbox, and
you think that your bank indeed wants you to "click here" and enter your
password, then you're screwed. Also, the most serious kind of false
positive in spam filters is usually people with whom you work and such -
so people often add entire domains to their white list, only causing a
barrage of spoofed mail (like viruses) to come to your mailbox.

SPF aims to take care of these kinds of problems, while other techniques
take care of the other problems (hijacked machines, mass mailed crap, porn
messages, etc.). So SPF is not a solution against spam - it is just part
of an entire solution that you can build.

> sign the whole E-mail address, and limit the number of legitimate
> messages a user can send per day. This will mean creating a new
> protocol which will either replace SMTP or work on top of it. It will
> be similar to SPF and DomainKeys, with the difference of signing the
> whole E-mail address and limiting the number of messages per day. The
> main challenge is to convince users and sys admins to use this new protocol.

Maybe we shouldn't really discuss all the details on this list (after all,
it's supposed to be a Linux list), but I (and Eran) already mentioned why
a cryptographic confirmation of who sent the mail isn't always desired.

SPF strikes a delicate balance: you can be quite sure that the mail indeed
comes from the domain it says it does, but you have to trust this domain
owner not to falsify the user's name. Also, you know that the mail comes
from a certain domain, but you can't *prove* it to anyone else (because
the "proof" - the email itself - could be something you simply made up).
This means that as a user, you have "plausible deniability" (your email
can't be taken against you in court). This is a desirable property, for
most people.

> Mailing lists will not be able to use this new protocol, but a different
> new protocol will be created for them. The new protocol will enable
> mailing lists to send mail only to users who confirmed their
> subscription. A mailing list admin will not be able to transfer his
> subscribers to another mailing list. Users will be able to unsubscribe
> using the protocol, without having to ask for "permission" from the
> mailing list admin.

I'm interested to hear some day how you plan to do this :-) In particular,
I wonder if you are relying on a central "Trent" (trusted company that
runs this entire email business) to do all the book-keeping, limitations,
and so on, or keeping the decentralized structure of email?

Also, I wonder how your scheme prevents a spammer from opening 1,000
email accounts and sending (signed addressed) emails from all of them. I
think you may end up having the same problem you report on SPF: that you
can be sure of the domain, but if you don't know the domain is trustworthy
you really can't be sure about the identity or non-spamminess of an
individual user on that domain.

> I'm looking for people who will help me form a profitable business from
> this idea. Profitability is one goal, solving spam is another goal. Of

Good luck.

May the source be with you :-)

--
Nadav Har'El                        | Thursday, Jun 30 2005, 24 Sivan 5765
[EMAIL PROTECTED]                   |-----------------------------------------
Phone +972-523-790466, ICQ 13349191 |Software is like sex, it is better when
http://nadav.harel.org.il           |it's free -- Linus Torvalds
