From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <002701c3719f$de0145f0$3129ff87@bl.belllabs.com>
From: "david presotto"
To: <9fans@cse.psu.edu>
References: <200309021608.h82G8Wj21273@augusta.math.psu.edu>
Subject: Re: [9fans] re: spam filtering fs
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Date: Tue, 2 Sep 2003 18:16:31 -0400
Topicbox-Message-UUID: 2a5e31f8-eacc-11e9-9e20-41e7f4b1d025

What smime (and pgp) can achieve is digital signing so that spammers
can't masquerade with From:'s of people in your white list.

----- Original Message -----
From: "Dan Cross"
To: <9fans@cse.psu.edu>
Sent: Tuesday, September 02, 2003 12:08 PM
Subject: Re: [9fans] re: spam filtering fs

> > Another way of achieving authentication for email is to implement and
> > use S/MIME or PGP. I'm not sure either that or "import ... /mail" solves
> > the computational cost of spam if the bad guys create invalid signatures,
> > but it does make a white-list filter more effective.
>
> I see the two as complementary. Just because you're securing the contents
> of the wagon by wrapping them in a patrol of the King's men-at-arms doesn't
> mean you shouldn't also endeavor to clear out the highway robbers.
>
> > Any volunteers to implement S/MIME for Plan 9? A couple of us here at
> > Bell Labs have worked on it off and on, but there aren't enough free
> > hands here to get it done promptly. Step one is to implement CMS (also
> > known as PKCS#7 or rfc2315) starting from the ASN.1 goo in
> > /sys/src/libsec/port/x509.c or, if you prefer, by porting an ASN.1
> > compiler.
>
> Help! I'm melting!
>
> > By the way, I've happily used PGP for many years but decided that S/MIME
> > was more likely to catch on because it is already moderately well
> > supported by default in Outlook and Netscape/Mozilla.
>
> I thought there was an effort to merge OpenPGP and S/MIME in some way?
> S/MIME requires a lot of scaffolding to use effectively; PGP has a much
> lower startup cost. That said, I'm not a big fan of either. Most
> people don't need that level of privacy (despite what they may think,
> no one's out to get them and the FBI could care less about their D&D
> campaign plans). For cutting down on spam, this seems like cutting
> butter with a chainsaw. A much simpler method would be to just put an
> X- header with some sort of agreed upon token into one's email. Is it
> secure? Not really, no, but it'll defeat 99% of the wannabes, and
> that's a lot of bang for the buck. Of course, either would be nice to
> have for other reasons (everyone knows the government *really is* out
> to get Boyd, for instance...).
>
> A way to exchange tokens: instead of doing it via email, generate an
> image for an unknown user, put it on a public web server somewhere, and
> send them a URL. Once they get there, have them send back a
> description of the image and then send them a token. This defeats
> auto-harvesters that are smart enough to send you back a reply to our
> ``send this string back if you're not a spammer'' token. This will
> work for a while until the spammers start to implement image
> recognition software.
>
> - Dan C.
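
Added example, not part of either message above: a Python sketch of the white-list filter the thread discusses, comparing a From:-only check with one that also requires the agreed-upon X- header token. The header name X-Whitelist-Token, the addresses and the token values are all constructed for illustration.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed white list: correspondent address -> token agreed out of band.
WHITELIST = {
    "alice@example.org": "tok-7f3a9c",
    "bob@example.net": "tok-d41e02",
}
TOKEN_HEADER = "X-Whitelist-Token"  # hypothetical header name


def sender(msg):
    """Return the lower-cased address from the From: header."""
    return parseaddr(msg.get("From", ""))[1].lower()


def from_only(msg):
    """Naive white list: trusts whatever From: claims."""
    return sender(msg) in WHITELIST


def from_and_token(msg):
    """Accept only if From: is white-listed and its token header matches."""
    expected = WHITELIST.get(sender(msg))
    supplied = msg.get_all(TOKEN_HEADER) or []
    # Require exactly one token header; duplicates are rejected outright.
    if expected is None or len(supplied) != 1:
        return False
    # Constant-time comparison of the supplied and expected tokens.
    return hmac.compare_digest(supplied[0].strip().encode(), expected.encode())


def classify(raw):
    """Parse a raw message and report the verdict of both filters."""
    msg = message_from_string(raw)
    return {"from_only": from_only(msg), "from_and_token": from_and_token(msg)}


# Constructed sample messages.
GENUINE = "From: Alice <alice@example.org>\nX-Whitelist-Token: tok-7f3a9c\nSubject: lunch\n\nhi\n"
FORGED = "From: Alice <alice@example.org>\nSubject: cheap pills\n\nbuy\n"
WRONG_TOKEN = "From: Bob <bob@example.net>\nX-Whitelist-Token: tok-7f3a9c\nSubject: hi\n\nhello\n"

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("forged", FORGED), ("wrong token", WRONG_TOKEN)]:
        print(name, classify(raw))
```

The token travels in clear text in every message, so anyone who sees one mail from a correspondent can replay it; a per-message digital signature does not have that property.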