On 04/09/14 16:18, Mike Hearn wrote:
>>
>> That is more plausible than it might be as I think that a lot of spam
>> filtering is done based on the reputation of the sender.
>
>
> Sending *domain* not user. No spam filter I'm aware of tries to calculate
> inbound reputations on a per user basis.

True. This is probably due to a number of factors (including not enough per user data) but perhaps it would become possible if the sending user could be authenticated to the recipient spam filter? DKIM and SPF only really authenticate the sending domain as some domains allow users to send email as if from other users at the same domain (they shouldn't but it used to be possible here).

>> Senders using an authenticated encryption system could have their
>> reputation more
>> tightly determined than is possible at present.
>
>
> Senders already authenticate their mail streams using DKIM and are expected
> to police it. In other words, if a spammer signs up for 100,000 spammy
> Gmail accounts and uses them to send a lot of spam, that hurts Gmail's
> reputation and can result in their IPs being blocked.

Yes. However I heard (2nd hand last week) that someone at Microsoft was complaining that this was unfair. I disagree, but techniques which make it easier to deal with spammers at badly run but 'too big to fail' ESPs might be useful?

> For this reason large ESPs all do outbound spam filtering as well, and
> require a fairly high degree of insight into what their users are doing.
> E.g. if a major provider generated and published public keys for all their
> users then allowed encrypted mail to be sent, this would be bad for their
> users (more chance of receiving spam) but perversely also bad for everyone
> else, because then they'd find it harder to stop spam being sent *from* their
> networks and thus it would hurt their reputation.
>
> The problem of spam filtering and end-to-end encryption is tightly linked,
> IMO. I cannot see major webmail providers deploying working E2E crypto at
> scale given the way the email network handles abuse, today.

Indeed.

Maybe there is something which can be done with a web of trust style reputation system 'existing contacts of mine who don't send me spam say that this new person has sent them legitimate email'

No idea how to implement that, particularly how to do so in a privacy preserving and user friendly way.

Without content, cleverer filtering using metadata might help.

Daniel
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
