Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • ... because there are perfectly legitimate reasons to want to send mail anonymously or from a throw-away account. For example, I might want to send mail to a corporation criticising their customer service, but not want them to have my real address anywhere on file. Or I might want to ask a question about my embarrassing disease on a mailing list. Or a question about an area I'm meant to be an expert in, and I'm afraid my employer might fire me if they find my post in the list archives.

    No, the way to stop spam seems to me to be to make it too expensive to send. I don't mean too expensive in terms of money, but in terms of computer resources and time. Which, of course, boils down to money really. Using a scheme like hash-cash, senders' machines can be made to solve a puzzle involving some Hard Sums before they are permitted to send mail. If the puzzle takes 30 seconds to solve, that's sufficient. I don't care if my individual messages are delayed that long. A spammer will care though, because if it takes 30 seconds to solve the puzzle required for each recipient, they're limited to sending just 2800 messages a day, rather than the tens of thousands they send an hour now.

    This won't break mailing lists either, because all legitimate mailing lists are opt-in. So the user knows to expect bulk email (SOLICITED bulk email) from that source, and can exempt it from having to do the Hard Sums. Because all legitimate mailing lists are *confirmed* opt-in, the confirmation message could say something like "you need to add FOO to your whitelist. When you've done that, do BAR to confirm your subscription". People who don't exempt the list from the challenge/response system should get a single message telling them that they've screwed up, and then have their list membership suspended.

    This does of course require support in software - on the server and in clients - for it to gain mass acceptance, but while that's a big problem, it's not insurmountable.

    There's still the issue of spammers using hordes of zombie machines to send their spam, rather than bulk-mailing it themselves. Spammers won't care about the victims of their worms and viruses having to expend cycles. I favour making it illegal to use a computer in an irresponsible manner, just like it's illegal to use a car or a gun irresponsibly. Once a few hundred ignorant users have been locked up to become Bubba's Prison Fucktoy pour encourager les autres expect to see the number of virus and worm infestations plummet.

    • Calculating the signature wouldn't be a difficult problem that takes 30 seconds to calculate. But it would slow sending email down a little. An important feature of the system would have to be that something is calculated for every single recipient address. Also, there would have to be a mechanism that prevents calculating the signatures in advance. Perhaps the receiving servers sends a nonce that must be included in the signature.
      • The hashcash FAQ is here [hashcash.org].
        • I was thinking about using something similar for the authentication of sending to recipients. One lack of that scheme is that it doesn't include the sender in the calculation. It still allows forging the sender address. I was also thinking about having the receiving server send a nonce that need to be included in the calculation. This makes it difficult to precomputer

          One reason to put the authentication in the SMTP protcol is that the sender and recipient addresses are well defined there. Email clie

    • This won't break mailing lists either, because all legitimate mailing lists are opt-in. So the user knows to expect bulk email (SOLICITED bulk email) from that source, and can exempt it from having to do the Hard Sums.

      And if I fake being the mailing list sender?

      I don't know what the answer is (I'm not sure if there is "an answer" or even a set of services which together might be "the answer") to fixing email, but for a Hard Sum to work, those machines/addresses which are exempted need to be authentica

      • Not sure how you'd authenticate listservs - by ensuring that the sender is one of a known set of IPs, perhaps.

        I don't have a problem with authentication if there is an anonymous alternative which is at least as widely available. However, getting Hard Sums widely implemented strikes me as being easier than getting a world-wide trust relationship and authentication scheme working. For one reason why that's such a difficult problem, look at who is one of the supposedly trustworthy CAs for SSL certificates.