-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Let me chime in with the view from MIT, a rather high profile institution that values freedom of expression. We are also the home of the W3C (which will factor in later) and PGP Distribution.

I personally get a lot of spam. But I also get a lot of complaints from people who believe they received spam sent from or relayed via MIT. I get more of the latter than the former...

The complaints fall into the following categories:

o Complaints because an mit.edu e-mail address appears in the from field, but it is forged.

o A net 18 host appears in some Received-by line, but it doesn't exist and that header line is a forgery.

o Some anti-spam tools scan HTML and report to the end-user the owner of each URL as a beneficiary of the spam. Well, some spammers include the URL for our PGP download site, so I hear about that.

o My favorite, however, are the people who complain about the www.w3.org URL found in things like:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">

  (tee hee).

My point: The spammers are not stupid and will design countermeasures to deflect challenges to other, usually innocent, parties. Be those challenges legal or technical.

Karl's "slow tcp" stack solution will only work if a lot of people do it. If a lot of people do it, the spammers will just add a timeout, and your work is neutralized. Spammers may be stupid, but the people writing their tools are not!

Folks, this is a *hard* problem. And perhaps the hardest part is getting enough consensus to move forward *and* getting the necessary new software deployed.

                        -Jeff

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.7 <http://mailcrypt.sourceforge.net/>

iD8DBQE9WXlf8CBzV/QUlSsRAhm0AKD1bo5bxkUW8Ecnf14UavlbdzDc+gCcDl8k
fm0LAszJXoCSrofZWFudOXk=
=KNKl
-----END PGP SIGNATURE-----
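
The DOCTYPE and xmlns complaints described in the message above come from tools that treat every URL-shaped string in an HTML body as a link. As an added example (not part of the original message), this Python code collects hosts only from attributes a mail client would fetch or follow; the function and class names, the attribute set and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed set of attributes that make a client fetch or navigate to a URL.
LINK_ATTRS = {"href", "src", "action", "background"}


class LinkHosts(HTMLParser):
    """Collect hosts from fetchable/navigable attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hosts = []    # hosts a reader could actually be sent to
        self.ignored = []  # identifiers skipped on purpose, kept for audit

    def handle_decl(self, decl):
        # A DOCTYPE system identifier names a DTD; it is not a link.
        self.ignored.append(("doctype", decl))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name == "xmlns" or name.startswith("xmlns:"):
                # Namespace names are opaque identifiers, never fetched.
                self.ignored.append((name, value))
            elif name in LINK_ATTRS:
                host = urlsplit(value.strip()).hostname
                if host and host not in self.hosts:
                    self.hosts.append(host)


def reportable_hosts(html_body):
    """Return (hosts worth reporting, identifiers deliberately ignored)."""
    parser = LinkHosts()
    parser.feed(html_body)
    parser.close()
    return parser.hosts, parser.ignored


# Constructed sample: the header quoted in the message plus two made-up links.
SAMPLE = '''<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<body><a href="http://offers.example.net/buy">Buy now</a>
<img src="http://img.example.net/p.gif" /></body></html>'''

if __name__ == "__main__":
    print(reportable_hosts(SAMPLE)[0])
```

A real link to an unrelated site, such as the download URL mentioned in the message, would still be listed; filtering markup identifiers removes only the DTD and namespace false reports.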