
The MIT 2004 Spam Conference

Posted Jan 22, 2004 15:02 UTC (Thu) by farnz (subscriber, #17727)
Parent article: The MIT 2004 Spam Conference

I noticed very few people discussing the possible gains from using OpenPGP as a way to limit e-mail spam. Simply put, signing messages with a valid signature is non-trivial; forging a signature is even harder. At this point, any unsigned mail is suspicious; any mail that's signed by someone I trust (because I trust the signer) or encrypted to me (which is an operation per recipient) is definitely not spam. Any mail signed by one of the listed keys is definitely spam. Any mail whose signature is from an unrecognised key is suspicious.

It doesn't take much to distribute a list of keys known to have been used by spammers, since keys are small (typically a few kilobits), and can fit into a DNS-based RBL. The only way round it is to somehow obtain a trusted key (which is likely to be hard, since a key is only trusted if I have said I trust it, or enough people whose keys I trust highly have said it's trusted), or to encrypt messages to the recipient, which is an operation per recipient, and drives up the cost of spam considerably.

Of course, this system has a major problem (probably insurmountable, as with most of these technical/social problems): how do we get all users to use OpenPGP?



The MIT 2004 Spam Conference

Posted Jan 22, 2004 15:42 UTC (Thu) by trutkin (guest, #3919) [Link]

That sounds pretty similar to the "stamp" idea that was mentioned in the conference where the time needed to generate a stamp is prohibitive to mass mailings.

The MIT 2004 Spam Conference

Posted Jan 22, 2004 19:16 UTC (Thu) by farnz (subscriber, #17727) [Link]

You're right, it is similar. The difference is that most of the infrastructure needed is already available. Mozilla Mail has the EnigMail extension. KMail handles OpenPGP messages. Evolution handles OpenPGP. There are plugins available for Outlook and Outlook Express. "All" (but it's a big all) that's needed is for users to switch to signing all their mail, and encrypting where possible, and changing MTAs to look at PGP signatures is worthwhile.

Granted, this is very much a Final Ultimate Solution to the Spam Problem, but it brings other side benefits as well as solving spam (it solves the problem of proving someone sent an e-mail, and it solves any issues with e-mail security).

The MIT 2004 Spam Conference

Posted Jan 29, 2004 12:34 UTC (Thu) by AdamInPoland (guest, #19036) [Link]

The other difference is that the stamp system can be set up fairly transparently by sysadmins, thus overcoming the social barriers to implementing OpenPGP. It doesn't have to be obligatory, but stamped mail could start out by being another factor that a filtering system looks at. That way, it can very quickly become a standard.

Obviously getting everyone to use PGP is a better solution, but while we're waiting for a solution to that one, stamping to me seems like a big part of the answer.

The MIT 2004 Spam Conference

Posted Jan 29, 2004 12:40 UTC (Thu) by esjatharvee (guest, #19038) [Link]

One of the things I hope to accomplish within the framework of the camram project is an opportunistic signature system. Two parties introduce themselves using proof-of-work stamps, then continue using signatures on e-mail as proof of identity. Opportunistic signatures increase the barriers against spammers' ability to forge but do not create a centralized identity system which can be used for censorship or control.

For more information, take a look at www.camram.org.

---eric
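The filtering rules farnz lays out (trusted or encrypted-to-me is ham, a key on a DNS-published blacklist is spam, unsigned or unrecognised is merely suspicious) and the camram-style introduction above (a proof-of-work stamp on first contact, signatures afterwards) can be put together in one filter. The code below is an added illustration, not code from LWN, camram or SpamAssassin; the RBL zone name, the DNS resolver, the fingerprints and the 12-bit stamp difficulty are all constructed, and signature verification is assumed to have been done upstream by gpg.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

HAM, SPAM, SUSPICIOUS = "ham", "spam", "suspicious"
RBL_ZONE = "pgpkeys.rbl.example"   # hypothetical DNS zone publishing spammer key fingerprints
STAMP_BITS = 12                     # proof-of-work difficulty; kept low so the demo mints quickly

@dataclass
class Message:
    signer_fpr: Optional[str]       # fingerprint of the signing key, None if unsigned
    sig_valid: bool = False         # signature already verified by gpg (assumed done upstream)
    encrypted_to_me: bool = False
    stamp: Optional[str] = None     # optional proof-of-work stamp header

def fake_resolve(name):
    """Constructed stand-in for a DNS lookup: only one listed fingerprint answers."""
    return "127.0.0.2" if name == f"c0ffee.{RBL_ZONE}" else None

def rbl_listed(fpr, resolve):
    """Query the fingerprint as a label under the key RBL zone, DNSBL style."""
    return resolve(f"{fpr.lower()}.{RBL_ZONE}") is not None

def stamp_valid(stamp, recipient, bits=STAMP_BITS):
    """Hashcash-style check: sha1(stamp) must start with `bits` zero bits and name the recipient."""
    if stamp is None or recipient not in stamp.split(":"):
        return False
    digest = int.from_bytes(hashlib.sha1(stamp.encode()).digest(), "big")
    return digest >> (160 - bits) == 0

def mint_stamp(recipient, bits=STAMP_BITS):
    """Sender side: brute-force a counter; expected cost doubles with every extra bit."""
    counter = 0
    while not stamp_valid(f"1:{bits}:{recipient}:{counter}", recipient, bits):
        counter += 1
    return f"1:{bits}:{recipient}:{counter}"

def classify(msg, recipient, trusted, blacklisted, known, resolve=fake_resolve):
    """Apply the thread's rules; `known` collects keys introduced via a valid stamp."""
    signed = msg.sig_valid and msg.signer_fpr is not None
    if msg.encrypted_to_me or (signed and msg.signer_fpr in trusted):
        return HAM
    if signed and (msg.signer_fpr in blacklisted or rbl_listed(msg.signer_fpr, resolve)):
        return SPAM
    if signed and msg.signer_fpr in known:
        return HAM                  # previously introduced, the signature alone suffices now
    if stamp_valid(msg.stamp, recipient):
        if signed:
            known.add(msg.signer_fpr)   # camram-style introduction: stamp once, sign afterwards
        return HAM
    return SUSPICIOUS               # unsigned, bad signature, or a key nobody vouches for
```

Note that an unrecognised key is deliberately only "suspicious", not spam: as jmason's reply points out, without key distribution the filter cannot tell a new correspondent from a spammer, which is exactly the gap the stamp is meant to bridge.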

The MIT 2004 Spam Conference

Posted Jan 30, 2004 20:40 UTC (Fri) by jmason (guest, #13586) [Link]

farnz -- it has occurred to people before, as have other public-key-based auth methods.

The problem is key distribution. Without solving that, it'll help a small number of techies correspond with their existing groups of friends -- and that problem is already solved, for example with SA's autowhitelist. It's the mail from someone *new*, or from some automated mail-generating app, that's the problem.

(BTW we have a bug open in SpamAssassin's bugzilla to implement opportunistic PGP keychecking using the user's keyring anyway, if you fancy helping out ;)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds