Mailing List Archive



Re: [tlug] Using autoresponse



Sigurd Urdahl writes:

 > I think we need to accept both that spam is part of our reality now, and 
 > that the best thing we can do is to actually try and make the best of 
 > the situation, reducing the negative effects (e.g. effective filtering). 

 > Fighting spam has to happen at the root of the problem, where the money 
 > is. This can be done through customer awareness, by making spam less 
 > effective due to filtering and tarpitting, and of course through 
 > criminal prosecution where that is possible.

Customer awareness: c'mon.  You're posting to a list in the land of
the ore-ore sagi and Yubari City, where Monkasho's pet "science and
engineering university" is filled with Professors of Computer Science
(gag, barf) whose Windows boxes are regularly infected with viruses
(including viruses whose *first* instance was caught by my filter
which was written months before the virus was, mind you).  The
customers are *wilfully* ignorant.  And I don't think the U.S. or even
Finland is likely to be much better.

Tarpitting?  Doesn't affect the effectiveness of spam until you cut
into the effectively infinite supply of CPU cycles and bandwidth
available to spammers (ie, the installed base of Windows).  That
leaves filtering and prosecution, which are likely to be less
effective than U.S. immigration controls.

Actually, without general sender cooperation the only effective way to
make spam uneconomic is to charge by the packet for delivery.  We
don't want to go there.

 > >> The premier, and most effective, frontier against spam is in the
 > >> receiving end.
 > >
 > > It has become necessary because people on the sending end aren't
 > > prepared to do squat their side.
 > >   
 > You are kidding? How do you propose we implement a system that makes 
 > sure it's impossible to send spam, in a way that the spammers won't work 
 > around in less time than people worked around for instance the DRM in 
 > HD-DVD and Blu-ray?

Impossible is a straw man.  The question is raising the price, and
that is going to require cooperation by *all* senders to achieve
genuine verifiability (ie, the auth protocol just don't cut it).

A lot of it is quite simple.  For example, domain keys, cf
www.dkim.org.  Now, a lot of people think that domain keys or SPF will
make it possible to filter out spam, but as you point out that is not
going to work.  For example, I've seen reports that spammers in the
U.S. who (at least as far as can be detected) comply with regulations
on UCE are already adding valid DKIM signatures to their mailings.

However, once DKIM is prevalent, (1) my.com to my.com spoofing will be
impossible for phishers and (2) "friends & family & financial
institutions" will become mostly identifiable, cutting down on the
most painful false positives and false negatives.  It will be possible
to keep whitelists of trustworthy domains the way we currently keep
blacklists of known spam sources.  "Transitive trust" is not good
enough for financial transactions, of course, but for spam filtering I
suspect it will do.

Of course DKIM currently has a known bug: the DNS is not yet secure,
but it's not obvious that suborning the DNS can be as cheap as
pwnzring a Windows box as a zombie.

Beyond that, there's actual sender signatures (PGP, S/MIME).
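
An added example, not part of the original post: a minimal receiving-side policy showing the two uses of DKIM the message describes (rejecting my.com-to-my.com spoofs and whitelisting verified trusted domains) while treating a valid signature from an unknown domain as no evidence either way. It assumes the local MTA has already verified DKIM and recorded the result in an Authentication-Results header (RFC 8601), and that it strips any such header it did not add itself; the whitelist, sample messages and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "my.com"                    # the receiving domain, as in the post
TRUSTED = {OWN_DOMAIN, "bank.example"}   # constructed whitelist of signing domains

# One DKIM result inside an Authentication-Results header value.
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)

def passing_domains(msg):
    """Domains whose DKIM signature the local verifier reported as 'pass'."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        for result, domain in DKIM_RE.findall(value):
            if result.lower() == "pass":
                found.add(domain.lower())
    return found

def classify(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signed = passing_domains(msg)
    if from_domain == OWN_DOMAIN and OWN_DOMAIN not in signed:
        return "reject"          # (1) claims to be us, but we did not sign it
    if from_domain in TRUSTED and from_domain in signed:
        return "whitelist"       # (2) trusted domain, signature matches From
    return "content-filter"      # valid signature alone says nothing about spam

def sample(from_addr, auth):
    # Constructed message with the header a local verifier would add.
    return (f"From: {from_addr}\n"
            f"Authentication-Results: mx.my.com; {auth}\n"
            "Subject: test\n\nbody\n")

SAMPLES = {
    "spoof": sample("ceo@my.com", "dkim=none"),
    "own": sample("ceo@my.com", "dkim=pass header.d=my.com"),
    "bank": sample("alerts@bank.example", "dkim=pass header.d=bank.example"),
    "fake_bank": sample("alerts@bank.example", "dkim=pass header.d=bulk.example"),
    "signed_spam": sample("deals@bulk.example", "dkim=pass header.d=bulk.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} -> {classify(raw)}")
```

The "fake_bank" case is the one to watch: the signature verifies, but for a different domain than the From address, so the whitelist must not apply.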


