More on spamming..

On Wed, 1 Oct 1997, Stephan Hermann wrote:

> One (technical) idea can be, to install two smtp server:
> One, who can only receive mails for known domains and IPs.
> This SMTP Server use second relay smtp server for delivering the mails to
> the customers.

This would require a way to distribute which domains belong to which IP
number and this alone is a huge technical and administrative problem which
would make it hard to be solved. Considering that each person wants their
own domain these days to get a "cool" e-mail/webserver address you will
have to have a list of more than 10 million domains and some domains use
more than one outgoing mailserver so you will probably have to store
at least 8 bytes of address info (in IPv4) per domain. If you also want
fast lookups in this database you'll have to add space for some huge
indexes (50% extra?).

But while we are talking about fundamental technical changes to the SMTP
standard, why not simply add an digital signature to each mail your SMTP
server guarentees to be spamfree, your public key could be sent out via
the DNS and it should be signed by a trusted third party (like RIPE). Each
SMTP server that don't want to recieve spam, simply filters away all mail
without a signature, with an incorrect signature or those that have a
signature from an untrusted SMTP server. To get your public key signed by
the trusted parties, you have to sign a contract there you guarentee not
to send spam through this SMTP server. Those that use your SMTP server as
a relay would obviously have to sign such a contract with you.

Old SMTP clients (without spam protection) can still recieve all their
mail (they'll not list the signature command in their EHLO response) but
they will have to relay their mail via some new SMTP server.

Most ISPs use sendmail today and if the support was added to sendmail most
internet connected sites could relay their mail through their provider if
the provider can authenticate their client.

I am far from a legal expert but I don't think there are many countries
there it is illegal to digitaly sign a message as long as the plaintext is
provided with the encrypted data or it is known how to produce the
plaintext and verify that the plaintext and the data is the same.

Some facist countries prevent their citizens to export implementations of
well known cryptoalgorithms (and to use some algorithms because of
different patents) so the sendmail patch would probably have to be
implemented in a free country where people are not prevented from
exporting the patch or the patch could be based on one of the well known
crypto programs like PGP or SSLeay, which in turn would have to be gotten
from different places depending on the laws of the target language.

> For the first smtp server anyone can use qmail (http://www.qmail.org/),
> which has an anti-spam filter (checking some to:/from:/sender:-addresses,
> so the first smtp server can be used as a filter for customer spamming and
> don't function as relay for spammers.

Even though I myself prefer qmail I must say that it can be added to
sendmail quite easily (once you've banged your head against the batbook
enough...). There are links to these rules from www.sendmail.org. 

/Sebastian

See http://www.hogia.net/keys/sa-pgp.asc for public pgp key.