From mboxrd@z Thu Jan 1 00:00:00 1970
Message-Id: <200309021608.h82G8Wj21273@augusta.math.psu.edu>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] re: spam filtering fs
In-Reply-To: Your message of "Tue, 02 Sep 2003 09:56:05 EDT." <3c71aba4e63ff62b9994dfa980885f02@plan9.bell-labs.com>
From: Dan Cross
Date: Tue, 2 Sep 2003 12:08:32 -0400
Topicbox-Message-UUID: 293fa50e-eacc-11e9-9e20-41e7f4b1d025

> Another way of achieving authentication for email is to implement and
> use S/MIME or PGP. I'm not sure either that or "import ... /mail" solves
> the computational cost of spam if the bad guys create invalid signatures,
> but it does make a white-list filter more effective.

I see the two as complementary. Just because you're securing the contents
of the wagon by wrapping them in a patrol of the King's men-at-arms doesn't
mean you shouldn't also endeavor to clear out the highway robbers.

> Any volunteers to implement S/MIME for Plan 9? A couple of us here at
> Bell Labs have worked on it off and on, but there aren't enough free
> hands here to get it done promptly. Step one is to implement CMS (also
> known as PKCS#7 or rfc2315) starting from the ASN.1 goo in
> /sys/src/libsec/port/x509.c or, if you prefer, by porting an ASN.1
> compiler.

Help! I'm melting!

> By the way, I've happily used PGP for many years but decided that S/MIME
> was more likely to catch on because it is already moderately well
> supported by default in Outlook and Netscape/Mozilla.

I thought there was an effort to merge OpenPGP and S/MIME in some way?
S/MIME requires a lot of scaffolding to use effectively; PGP has a much
lower startup cost. That said, I'm not a big fan of either. Most people
don't need that level of privacy (despite what they may think, no one's out
to get them and the FBI could care less about their D&D campaign plans).
For cutting down on spam, this seems like cutting butter with a chainsaw.

A much simpler method would be to just put an X- header with some sort of
agreed-upon token into one's email. Is it secure? Not really, no, but it'll
defeat 99% of the wannabes, and that's a lot of bang for the buck. Of
course, either would be nice to have for other reasons (everyone knows the
government *really is* out to get Boyd, for instance...).

A way to exchange tokens: instead of doing it via email, generate an image
for an unknown user, put it on a public web server somewhere, and send them
a URL. Once they get there, have them send back a description of the image
and then send them a token. This defeats auto-harvesters that are smart
enough to send you back a reply to our ``send this string back if you're
not a spammer'' token. This will work for a while until the spammers start
to implement image recognition software.

	- Dan C.
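The header-token whitelist and the image-challenge token exchange sketched in the message above, worked through as an added example (this is not code from the post, from 9fans, or from Plan 9's upas). The post only says "an X- header with some sort of agreed upon token", so the header name X-Mail-Token is made up, and the sample messages are constructed. Two design choices are this example's own rather than the post's: the token is derived per correspondent as an HMAC of the sender address under a local secret, so a token harvested from one correspondent is useless under a different From:, and each image challenge is single-use.

```python
"""Header-token whitelist plus out-of-band image challenge (added example)."""
import hashlib
import hmac
import secrets
from email import message_from_string
from email.utils import parseaddr

# Hypothetical header name; the post says only "an X- header".
TOKEN_HEADER = "X-Mail-Token"


class TokenFilter:
    def __init__(self, secret: bytes):
        self.secret = secret
        # challenge id -> (sender address, expected image description)
        self.pending = {}

    def token_for(self, sender: str) -> str:
        """Per-sender token: HMAC-SHA256(secret, lowercased address), truncated.
        Assumption of this example: binding the token to the From: address so a
        token leaked by one correspondent cannot be replayed from another."""
        mac = hmac.new(self.secret, sender.lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def classify(self, raw_message: str) -> str:
        """Return 'accept', 'reject' or 'challenge' for one RFC 2822 message."""
        msg = message_from_string(raw_message)
        sender = parseaddr(msg.get("From", ""))[1]
        token = msg.get(TOKEN_HEADER)
        if not sender:
            return "reject"
        if token is None:
            return "challenge"      # unknown correspondent: mail them the image URL
        # The token is a shared secret; compare it in constant time.
        if hmac.compare_digest(token.strip(), self.token_for(sender)):
            return "accept"
        return "reject"             # wrong token, or one stolen from another sender

    def issue_challenge(self, sender: str, image_description: str) -> str:
        """Record a pending challenge; the returned id goes into the URL."""
        cid = secrets.token_urlsafe(12)
        self.pending[cid] = (sender, image_description.strip().lower())
        return cid

    def answer_challenge(self, cid: str, answer: str):
        """Hand out the sender's token only if the description matches.
        The challenge is consumed whether or not the answer is right."""
        entry = self.pending.pop(cid, None)
        if entry is None:
            return None
        sender, expected = entry
        if answer.strip().lower() != expected:
            return None
        return self.token_for(sender)


# Constructed secret and sample messages, not real mail.
SECRET = b"local-secret-known-only-to-this-mailbox"


def demo() -> dict:
    f = TokenFilter(SECRET)
    alice = "alice@example.com"
    results = {}

    first = "From: Alice <alice@example.com>\nSubject: hi\n\nfirst contact\n"
    results["first_contact"] = f.classify(first)

    cid = f.issue_challenge(alice, "a red bicycle")
    results["wrong_answer"] = f.answer_challenge(cid, "a cat")
    results["reused_challenge"] = f.answer_challenge(cid, "a red bicycle")

    cid = f.issue_challenge(alice, "a red bicycle")
    tok = f.answer_challenge(cid, "A Red Bicycle")
    results["right_answer"] = tok == f.token_for(alice)

    with_token = f"From: alice@example.com\n{TOKEN_HEADER}: {tok}\nSubject: hi\n\nok\n"
    results["with_token"] = f.classify(with_token)

    # A harvester that captured Alice's token but sends from its own address.
    replay = f"From: spammer@example.net\n{TOKEN_HEADER}: {tok}\nSubject: buy\n\nspam\n"
    results["replayed_token"] = f.classify(replay)
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the token to the From: address raises the bar exactly as far as the post claims and no further: From: is trivially forged, so a spammer who harvests both the address and the token from a list archive still gets through, which is why the post is right that "secure? not really" is the honest answer for any header-token scheme.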