From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <66da6c9b445553becc9e3195ef487bb0@proxima.alt.za>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] re: spam filtering fs
From: lucio@proxima.alt.za
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Date: Wed, 3 Sep 2003 11:13:59 +0200
Topicbox-Message-UUID: 2b0f41dc-eacc-11e9-9e20-41e7f4b1d025

On Wed, Sep 03, 2003 at 10:24:54AM +0200, Fco.J.Ballesteros wrote:
>
> > not frightened off getting a certificate.  And some form of recourse
> > in the event of someone stealing the e-mail address, and that's the
> > hard part, sadly.
>
> Not just the sad, but also the common part. Most of the spam I get
> seems to use addresses from someone else.
>
> I'm afraid that certifying the from address would not work.
> I hope bayes is right.

This is the scenario I think would work:

My mail exchanger accepts mail that is "certified" and for which it
has the certificate public key.

Certified mail contains either a signature in the body as with PGP or
a header of some description, encrypted with the sender's private key
so it can be decrypted and validated.  A preferable form of encryption
would be at the SMTP protocol level, but this is a different model.

The message may convey the public key in the headers as suggested by
the Privacy Enhanced Mail (PEM) RFCs, but then there has to be a CA in
the certificate hierarchy that validates the trust.

If trust cannot be validated, I suggest that a group of public
certificate servers, probably including the existing PGP public key
servers, should be queried for the certificate/public key.

If the certification cannot be established in this fashion, then the
difficult procedure comes into action.  Here we expect the exchanger
to submit a request to a preferred public certificate server that
causes the sender to be polled.  If the sender replies with a valid
certificate (or public key), it is stored in the public server and
forwarded to the exchanger, if not, then within some time limit the
exchanger is notified.

I hope I didn't abbreviate the above beyond usefulness, I'll be happy
to expand if I haven't been clear in any way.  And I will of course be
interested in flaws as well as improvements.

++L

PS: At the SMTP level, I would suggest an exchange between servers
that has contractual value.  In other words, the sending exchanger
ought to accept legal liability for mail it insists on forwarding.
Legislation to this effect would have to be enacted, naturally.
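
The key-resolution order proposed in the message above, as an added example that is not part of the original post: the exchanger tries a key it already holds, then a header key vouched for by a CA, then the public key servers, then a poll of the sender. All names are hypothetical; the signature is textbook RSA over a SHA-256 digest with constructed toy keys (illustration only, not secure), the CA is modelled as a set of (address, key) pairs, key servers as dictionaries, and the poll as a callable that returns None once the time limit passes.

```python
import hashlib

E = 65537

def toy_keypair(p, q):
    """Textbook RSA from two primes. Illustration only: no padding, not secure."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)

def digest(body, n):
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(body, priv):
    d, n = priv
    return pow(digest(body, n), d, n)          # digest "encrypted with the private key"

def verify(body, sig, pub):
    e, n = pub
    return pow(sig, e, n) == digest(body, n)   # "decrypted and validated"

class Exchanger:
    """Hypothetical mail exchanger; every key source is an in-memory stand-in."""
    def __init__(self, known, ca_validated, keyservers, poll_sender):
        self.known = known                # address -> key the exchanger already holds
        self.ca_validated = ca_validated  # (address, key) pairs a trusted CA vouches for
        self.keyservers = keyservers      # list of dicts; [0] is the preferred server
        self.poll_sender = poll_sender    # address -> key, or None after the time limit

    def resolve_key(self, sender, header_key=None):
        if sender in self.known:
            return self.known[sender], "known"
        if header_key is not None and (sender, header_key) in self.ca_validated:
            return header_key, "header"
        for server in self.keyservers:
            if sender in server:
                return server[sender], "keyserver"
        key = self.poll_sender(sender)    # preferred server polls the claimed sender
        if key is not None:
            self.keyservers[0][sender] = key   # stored in the public server
            return key, "polled"
        return None, "unverified"

    def accept(self, sender, body, sig, header_key=None):
        key, source = self.resolve_key(sender, header_key)
        return (key is not None and verify(body, sig, key)), source

# Constructed sample keys (Mersenne primes keep the toy short).
ALICE_PUB, ALICE_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
SPAMMER_PUB, SPAMMER_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
```

Because the key is looked up by the claimed address and the CA entry binds address to key, mail that borrows someone else's address is rejected unless the sender also holds that address's private key.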