On Tue, 10 Sep 2002 19:18:59 +0200, Iljitsch van Beijnum said:
> Or we throw out SMTP and adopt a mail protocol that requires the sender to provide some credentials that can't be faked. Then known spammers are easy to blacklist.

It's nice to say "we make it easy to blacklist spammers". The problem is that those systems that *HAVE* made it easy to blacklist spammers are *ALWAYS* taking heat for making it easy - remember how ORBS was held in little high regard? And even the MAPS people have had their share of legal hassles.

We don't even have to throw out SMTP - there's STARTTLS, AUTH, PGP, and so on. The problem is that we don't know how to do a PKI that will scale (note that the current SSL certificate scheme isn't sufficient, as it usually does a really poor job of handling CRLs - and the *lack* of ability to distribute a CRL (which is essentially a blacklist) is the crux of the problem).

There's also the problem of distributing valid credentials to half a billion people - while still preventing spammers from getting any. The DMV hasn't learned how to keep *teenagers* from getting fake IDs, why should we expect to do any better in keeping a motivated criminal from getting a fake credential?

It's not as easy as it looks. As Bruce Schneier talked about in "Secrets and Lies", where he does a hypothetical threat analysis regarding getting dinner in a restaurant without paying, most of the attacks actually have nothing to do with the part of the transaction where money changes hands...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech