UCE - a simpler approach using just digital signing?

John Levine johnl at iecc.com
Sat Jan 31 14:55:50 EST 2009


>That's basically what I'm using, just without the digital signature 
>part: each person/organisation/website/whatever gets a different email 
>address for communicating with me (qmail makes this easy to implement)

I do that too -- I bet half the people on this list do, and there's
lots of free and commercial services like Yahoo and Spamex who will
let you do it.  But it's not much of a solution to spam because it
requires significant manual work to maintain the addresses, and only
deals with places where you individually give them the address to send
mail to.

>Another scheme (that could be combined with the above one to solve only 
>the CC party problem) would be accepting only PGP mail and use a 
>manually updated white list

This has the same fundamental problem as Zoemail and any other white
list system.  It's really easy to implement a white list.  Unless your
name is Paypal, the amount of mail forging your address is vanishingly
small, and the utterly insecure From: line address works just fine for
practical purposes.  I use that to manage my 12 year old daughter's
mail.

But whitelists replace the spam problem with the equally intractable
introduction problem, deciding whether to accept the first message
from someone you don't know.  People have been thinking about that for
a long time (indeed, for millennia in contexts other than e-mail) and
the snarky comments I made yesterday about wonderful anti-spam ideas
apply here, too.

The ASRG is still eager to hear from people who want to do just about
anything related to spam other than hash over known-ineffective old
ideas. See http://wiki.asrg.sp.am.

R's,
John


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


