Thrusted mail ? [LWN.net]

Thrusted mail ?

Posted May 7, 2004 11:22 UTC (Fri) by bockman (guest, #3650)
In reply to: Thrusted mail ? by dd9jn
Parent article: 82% of email is spam

Uhm, maybe my usage of e-mail is anomalous, but 99% of the mail I receive, at work and at home, belongs to one of these categories:
- people I know (and then I can get their publick key)
- mailing list or newsletted which I subscribed to (and also here, a public key could be distributed by the mailing list )
- Spam/viruses (ok, viruses could also come from known people, but spam usually doesn't)

Once per month, or even less, I may receive a mail from an unknown person, that wants to get in touch with me.

Therefore, for me would be very easy to define a list of 'good signatures' that could be used to filter my mail (possibly at server level). If I don't want to loose the mail from unauthenticated sources, I could isolate it in a separate mail folder, to check when/if I want. This mail folder could collect spam, but at least it is nicely isolated (and if I get too much annoyed, I could simply bounce unauthenticated mail).

Now, I understand that people, and especially business, can use e-mail to get in touch daily with unknown people. But I believe that a lot of people have an e-mail behaviour very similar to mine.
Consider also that you don't need the same 'level of thrust' used for secure transactions (you are just talking by e-mail, not doing finantial transactions). Therefore you could also exchange public key by mail, when you start corresponding with someone else.

(Log in to post comments)

Thrusted mail ?

Posted May 7, 2004 12:37 UTC (Fri) by dd9jn (subscriber, #4459) [Link]

It is not only businesses receiving a lot of mail from yet unknown people but also people from the Free Software community, especially authors and maintainers. There is as well the problem of resending and forwarding messages.

Mailing lists are another problem. Of course the mailing list software could sign all message to be send out but that won't help. For a closed mailing list this will currently help but I have already encountered faked From addresses (which are the current way of authenticating subscribers) which led spam slip through. Open mailing lists (everyone is allowed to post) are already nice spam exploders and it won't help to have a signature applied by the ML software. Over short or long we have to change the authentication of mailing lists anyway to a stronger one (i.e. only accept signed posts), but this will require manual approval of subscription requests to sort out spammers. For some mailing lists this will not be possible at all - think of a help list for the signing or MUA software ;-).

Thrusted mail ?

Posted May 8, 2004 16:56 UTC (Sat) by giraffedata (subscriber, #1954) [Link]

Your system doesn't even require signatures. It's exactly what I do today, based on the from: header. The from: header is successfully forged (i.e. has one of the 2,000 addresses in my white list) in less than 1% of my spam.

But I still have a big problem. I route the stranger mail to a special folder, which I check daily, but there are 250 spams a day. I've had to start automatically deleting some of it (e.g. any all-html email), but that's risky.

I think people who believe the only interesting email they will get is from acquaintances lack imagination. You can't just delete mail from strangers; you have to spend some time looking at it to see if it's spam.

I occasionally have my outgoing emails bounced by overzealous spam filters, and in every case the recipient would have been glad to get my email.