LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

A tempest in a toybox

LWN.net Weekly Edition for January 26, 2012

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

82% of email is spam

82% of email is spam

Posted May 7, 2004 3:13 UTC (Fri) by neilbrown (subscriber, #359)
Parent article: 82% of email is spam

Maybe the best way to beat this statistic is to simply generate more genuine mail. If everybody subscribed to a few high-volume mailing lists..... :-) (I must admit that linux-kernel is one reason that my spam ratio is quite low. "host -t MX cse.unsw.edu.au" might give you a hint at another).

But on a more serious side, I'm coming to the conclusion that the only long-term solution to SPAM must involve white-listing. i.e. I *only* accept mail from addresses (SPF-verifiable addresses) that I trust. This would require MUA support so that anyone I send mail to automatically gets white-listed, and things like that.

It would also mean that when people (e.g. companies) ask for your Email address, their would need to give your their email address in return (We will only send you mail from info@clever-company.com.) which you would have to white-list.

If people who you don't know want to send you mail, that has to be possible, but it also should be expensive (roughly the cost of a postage stamp or a 'phone call). This might involve finding a common correspondant to introduce you, or it might involve some "proof-of-cpu-power-spent" similar to HashCash, or it could even involve an exchange of money (e.g. I will read your mail if you can prove that you have bought a $1 e-postage stamp from World Vision). It could use any other challenge-response that a recipient is happy to impose on potential senders.

The big problem today with challenge-response is that you risk sending challenges to innocent third-parties whose address has been used inappropriately. This is where I think SPF really gives value. With SPF, I can tell if I can trust a return-address, and so I can know if it is safe to send a challenge.

If the MTA add an appropriate header with SPF status, this can all be done in the MUA.

This doesn't address the bandwidth/server-load problem. It isn't clear to me that there can be a better total solution to that than pushing the whitelist+challenge-response into the MTA (there are lots of partial solutions which can heurisically drop a lot of bad mail, but they will eventually cause the spammers to get smarter).

(Log in to post comments)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds