On Sunday, Sep 22, 2002, at 15:18 US/Pacific, Phil Tanny wrote:

> White listing software would maintain a list of everybody we
> would like to receive mail from. It would log in to an
> email server and download any emails that were from someone
> on our "white list". It might then delete all the other
> messages. Or better yet, it could send an autoreply to
> senders of all the rejected messages offering an apology and
> an alternative means of contact.
>
> The rejected senders could be directed to a web page form.
> This form could be coded so the destination address is not
> harvestable, and so that human interaction would be required
> to operate the form.
Ah - like TMDA (http://tmda.net/)? If such a program becomes widespread enough to seriously hurt spammers I'd be surprised if it took a year for spamware vendors to figure ways to automatically respond to the current systems' autoreplies or web pages.

The other problem with this is that the From address is forgeable - if I set my From address to something like [EMAIL PROTECTED] or a popular mailing list's signup address it's probably going to get through to most people. A little more thought suggests that trying (support|admin|root|MAILER-DAEMON) in the user's domain or reusing addresses scraped from the same domain will probably be even more successful (that autoreply offers a nice way of confirming receipt, so you can guess relatively quickly).

Cryptographic signing can solve the forging issue but it really needs the web-of-trust or aggressive use of X.509 user certificates *and* revocation lists to be effective. The web of trust approach would require much wider deployment and better user interfaces than anything we have now; it also fails to handle widely separated users well. Besides, what fraction of mail would make it through if you simply restricted your mail to messages having a valid PGP signature of any sort? The client support just doesn't seem to be here at the level we'd need to make this usable on a wide scale.

There's one delaying tactic I'd expect to work (requiring the user to manually rekey a nonce shown as part of an image with a noisy background to validate a public key). Outside of the obvious challenges for people with colorblindness or bad eyesight, I think even that would fail surprisingly quickly - if you can generate it, they'll probably figure out a way to fake it. Still, it might buy us a few years to clean up rogue networks before Moore's law makes it easily reversible. I'm not sure operators of mailing lists or large sites would consider that a worthwhile trade for the hassle it'll create for them.
Chris

_______________________________________________
spamcon-general mailing list
[EMAIL PROTECTED]
http://mail.spamcon.org/mailman/listinfo/spamcon-general#subscribers
Subscribe, unsubscribe, etc: Use the URL above or send "help" in body of message to [EMAIL PROTECTED]
Contact administrator: [EMAIL PROTECTED]
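The two filters contrasted in the reply above (a whitelist keyed purely on the From header, versus one that only admits mail whose body verifies under a key held on file for the claimed sender) as an added, runnable illustration that is not part of the original thread or of TMDA. Everything in it is constructed: the addresses, the sample messages, and the `X-Body-Signature` header name. A shared HMAC key stands in for the PGP or X.509 public key a real deployment would store, so the script needs only the Python standard library; the verification logic (look up the key by claimed sender, verify the body, reject on any mismatch) is the same shape either way.

```python
import email
import email.utils
import hashlib
import hmac
from typing import Optional

# Constructed whitelist: sender address -> verification key.
# A real deployment would hold PGP or X.509 public keys here; a shared HMAC key
# is a stand-in so the example runs with the standard library only.
WHITELIST_KEYS = {
    "alice@example.com": b"constructed-key-for-alice",
}


def build_message(sender: str, body: str, signature: Optional[str] = None) -> str:
    """Assemble a minimal raw message (constructed sample data, not real mail)."""
    headers = [f"From: {sender}", "To: chris@example.net", "Subject: test"]
    if signature is not None:
        # Hypothetical header name carrying the body signature.
        headers.append(f"X-Body-Signature: {signature}")
    return "\n".join(headers) + "\n\n" + body


def sign_body(sender: str, body: str) -> str:
    """What a whitelisted sender attaches; only someone holding the key can do this."""
    return hmac.new(WHITELIST_KEYS[sender], body.encode(), hashlib.sha256).hexdigest()


def sender_of(msg) -> str:
    """Bare address from the From header, lower-cased for lookup."""
    return email.utils.parseaddr(msg["From"] or "")[1].lower()


def naive_whitelist_accepts(raw: str) -> bool:
    """The quoted proposal: trust the From header as written."""
    msg = email.message_from_string(raw)
    return sender_of(msg) in WHITELIST_KEYS


def signed_whitelist_accepts(raw: str) -> bool:
    """Admit mail only if the body verifies under the key on file for the claimed sender."""
    msg = email.message_from_string(raw)
    key = WHITELIST_KEYS.get(sender_of(msg))
    claimed = msg["X-Body-Signature"]
    if key is None or not claimed or msg.is_multipart():
        return False
    expected = hmac.new(key, msg.get_payload().encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how much of the signature matched.
    return hmac.compare_digest(expected, claimed)


# Constructed samples: a genuine signed message, a message that merely copies the
# whitelisted From header (no key, so no valid signature), and an unknown sender.
GENUINE = build_message(
    "alice@example.com", "Lunch tomorrow?", sign_body("alice@example.com", "Lunch tomorrow?")
)
FORGED = build_message("Alice <alice@example.com>", "Buy now!")
UNKNOWN = build_message("nobody@example.org", "Hello")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("forged", FORGED), ("unknown", UNKNOWN)]:
        print(f"{name:8} naive={naive_whitelist_accepts(raw)} signed={signed_whitelist_accepts(raw)}")
```

The naive filter admits both the genuine and the header-copied message, which is the forgeability problem the reply raises; the signed filter admits only the genuine one and also rejects a signed message whose body was altered in transit, since the digest no longer matches. What it does not solve is the deployment problem the reply goes on to describe: every legitimate correspondent must already have a key on file and a client that signs, which is why the reply treats signing as the right fix but not a practical one at scale.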
