why "penny black" etc. are not very useful (could crypto stop spam??)

Amir Herzberg amir at herzberg.name
Thu Jan 1 02:46:17 EST 2004 

At 17:38 30/12/2003, Perry wrote:

>In my opinion, the various hashcash-to-stop-spam style schemes are not
>very useful, because spammers now routinely use automation to break
>into vast numbers of home computers and use them to send their
>spam. They're not paying for CPU time or other resources, so they

True. But, as Ben noted, the user of the machine could and should care 
about the resource. Now one may claim that many users don't pay attention 
to viruses stealing huge amounts of their CPU time. So I agree that the 
`waste CPU time to pay for sending mail` may have limited effect to stop 
spam. I also rather dislike the notion of wasting resources to send every 
e-mail. But where I quite disagree with you is when you say...
<snip>...
>1. "We need public key authentication of all mail". Well, I'll point
>out that large integers are cheap and plentiful. "Authenticated"
>spam is pretty much as bad as non-"Authenticated" spam. If we use

IMHO, your conclusion is wrong: cryptographic authentication could be a 
critical tool to stop spam; someone in our community should do this (write 
the software) already... How? E-mail (at least from new correspondents) 
must be signed by an `anti-spam mail certification authority (ASMCA)` - 
often the ISP of the sender. Recipient's mail client (or server) will 
reject mail (from new correspondents) not certified by a trustworthy ASMCA. 
If the mail was not rejected but later identified (by end user) as spam, 
the recipient client/ISP will not only know not to trust the sender's 
ASMCA, they will also have `proof` that this ASMCA approved (signed) this 
spam, so they can inform other ASMCA's and mail client/servers.

Results:
- ASMCA's have strong incentive not to approve spam. They'll use 
appropriate measures, mainly: filtering tools and punishing spammers 
(blocking accounts, charging fines, etc.)
- End users whose machines were broken into will be notified by their ASMCA 
(usually ISP), when it detects the spamming by filtering tools or by 
complaints, and will (1) know there's a problem and take measures to get 
rid of the spamming trojan horse and  (2) maybe be a bit more careful about 
the machine in the future.

Desired side effects:
- users will also enjoy e-mail authentication (and confidentiality could be 
added trivially) - which in particular will make it a bit more difficult 
for e-mail viruses to propagate.

What's the bug in this simple solution? If anybody wants to implement I'm 
willing to assist in developing/validating the protocols.


Best regards,

Amir Herzberg
Computer Science Department, Bar Ilan University
Homepage (and lectures in applied cryptography, secure communication and 
commerce): http://www.cs.biu.ac.il/~herzbea

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list