
Re: automated spam detection


Lars Marowsky-Brie writes:

> That might actually work, just accept signed email. Of course, you
> have to always know who sends you mail beforehand so you can add
> their key, and since they can't send you mail yet, you will have to
> exchange keys via some other media.

I think that you need more than authenticated sources of messages.
What you need is for the message to carry with it some kind of
guarantee that it is wanted (and as such should be disregarded in any
attempt to detect bulk mail).

I think you can do this by some kind of arrangement whereby the user
signs the list public key when they subscribe - then each sent message
is signed by the list private key and includes the signature
originally generated by the recipient.

The user's ISP checks the user signature (they need to know the user
public key) and the message signature; the fact that the user has
signed the list key is interpreted as authorization for the list to
send mail to the user as part of a bulk mailing.

The downside is that each list message is inflated by the size of two
signatures (more if you want to do connection re-use with multiple
SMTP RCPT commands per message).

You'd have to ask a real cryptographer how to do this properly
though...

ttfn/rjk
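
The arrangement described in the message above, as an added example that is not part of the original post: the subscriber signs the list's public key, the list signs each message and attaches that subscription signature, and the ISP accepts the mail only if both signatures verify. Assumptions: Ed25519 (via Node's built-in crypto module) as the signature algorithm, the list's public key travelling with each message, and the hypothetical names subscribe, listSend and ispAccepts.

```javascript
// Added illustration of the scheme; all function names are hypothetical.
const crypto = require("crypto");

const newKeyPair = () => crypto.generateKeyPairSync("ed25519");
// Canonical bytes of a public key: this is what the subscriber signs.
const keyBytes = (publicKey) => publicKey.export({ type: "spki", format: "der" });

// Subscribe: the user signs the list's public key with the user's private key.
function subscribe(userPrivateKey, listPublicKey) {
  return crypto.sign(null, keyBytes(listPublicKey), userPrivateKey);
}

// Send: the list signs the body and attaches the recipient's subscription signature.
// Assumption: the list's public key is carried in the message itself.
function listSend(listKeys, body, subscriptionSig) {
  return {
    body,
    listKey: keyBytes(listKeys.publicKey),
    listSig: crypto.sign(null, Buffer.from(body), listKeys.privateKey),
    subscriptionSig,
  };
}

// ISP check: the user must have signed this list key (authorization), and
// the same list key must have signed this body (message signature).
function ispAccepts(userPublicKey, msg) {
  try {
    const listPublicKey = crypto.createPublicKey({ key: msg.listKey, format: "der", type: "spki" });
    const authorized = crypto.verify(null, msg.listKey, userPublicKey, msg.subscriptionSig);
    const authentic = crypto.verify(null, Buffer.from(msg.body), listPublicKey, msg.listSig);
    return authorized && authentic;
  } catch {
    return false; // malformed key or signature is treated as unauthorized
  }
}

// Constructed sample data: one subscriber, one list, one unrelated bulk sender.
const user = newKeyPair(), list = newKeyPair(), spammer = newKeyPair();
const subSig = subscribe(user.privateKey, list.publicKey);
const genuine = listSend(list, "Weekly digest", subSig);
const replayed = listSend(spammer, "Buy now", subSig); // copies the user's signature
const tampered = { ...genuine, body: "Buy now" };      // body changed in transit

const results = {
  genuine: ispAccepts(user.publicKey, genuine),
  replayed: ispAccepts(user.publicKey, replayed),
  tampered: ispAccepts(user.publicKey, tampered),
};
console.log(results);
```

The copied subscription signature fails because it covers the real list's key, not the other sender's key, so a signature lifted from one list's traffic does not authorize anyone else.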
