> From: Fred Baker <fred@cisco.com>

> ... I think that boils down to "provide a global PKI" in this solution,
> and presumes that spammers are incapable of using one. That might be a
> great research topic. Too bad nobody has ever thought of it before; we
> could really use the outcome of that research. (OK, so it's a lame attempt
> at humor...)

It's been years since it was possible to be amused by the number of people who assume that spammers are more ignorant and less competent than they are, and so propose spam "solutions" predicated on spammers being unable to register as many names, keys, identities, or whatever as needed or as many as everybody else can.

> ...
> host in each mail domain (mailid.example.com) be able to assert that its
> domain had or had not sent an email within a given recent time period
> whose MD5 hash, when divided by <vector of prime numbers> resulted in
> <vector of remainders>. I could write that up in an internet draft if folks
> think it makes sense. That would be a more global procedure that didn't
> require a PKI and only addressed spoofed addresses.

That's not a powerful solution, because it assumes the existence of a central mail authenticator for every domain that might send mail. As long as most SMTP clients don't have such authenticators, the spammers would simply avoid the few that do, just as they already avoid providers that break the financial kneecaps of spammers.

As far as I can tell, the familiar claim that most spam carrying surprising header or envelope From addresses is forged is mostly wrong. The claim seems to be based in large part on the knowingly misleading descriptions of the situation by free mail providers. The free providers claim that almost all spam implicating them is "forged." If you read the fine print in their announcements of terminated accounts, responses to spam reports, and related messages, you'll discover that free provider spam is "forged" in the same sense your picture postcards would be if you were evicted from your home while travelling.

That suggests that such authenticator servers would help reduce spam using free provider drop-boxes. However, a better solution that does not involve the rest of the network subsidizing the advertising agencies that are the free providers is to reject all mail apparently from free providers. Doing extra processing that is made necessary only because the free providers cannot be bothered to enforce sufficiently painful terms and conditions on their users is a subsidy. The free providers could stop spammers from using their services if they would launch lawyers, require bonds (e.g. credit card numbers), or any of many other things, but anything would cost them money.

Vernon Schryver    vjs@rhyolite.com
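
The lookup described in the quoted proposal, sketched as an added example that is not part of the original message or of any draft by either participant. The class name, the prime vector, the time window and the choice to hash the whole message are assumptions; the message specifies none of them.

```python
import hashlib

# Assumed prime vector; the quoted proposal names no particular primes.
PRIMES = (65521, 65537, 65539)


def md5_int(message: bytes) -> int:
    """MD5 digest of the message bytes as an integer (MD5 is the page's choice)."""
    return int.from_bytes(hashlib.md5(message).digest(), "big")


def remainders(message: bytes, primes=PRIMES):
    """Receiver side: reduce the digest modulo each prime in the vector."""
    digest = md5_int(message)
    return tuple(digest % p for p in primes)


class MailIdServer:
    """Hypothetical per-domain host (the mailid.example.com of the proposal)."""

    def __init__(self, window_seconds: float):
        self.window = window_seconds
        self.sent = []  # (timestamp, digest) for each outbound message

    def record(self, message: bytes, now: float) -> None:
        self.sent.append((now, md5_int(message)))

    def asserts_sent(self, primes, rems, now: float) -> bool:
        """True if a message sent inside the window matches every remainder."""
        if not primes or len(primes) != len(rems):
            raise ValueError("prime and remainder vectors must match in length")
        # Forget anything older than the "given recent time period".
        self.sent = [(t, d) for t, d in self.sent if now - t <= self.window]
        return any(all(d % p == r for p, r in zip(primes, rems))
                   for _, d in self.sent)


def demo():
    server = MailIdServer(window_seconds=3600)
    # Constructed sample messages; assumes the receiver hashes the same bytes.
    genuine = b"From: alice@example.com\r\nSubject: hi\r\n\r\nlunch?\r\n"
    spoofed = b"From: alice@example.com\r\nSubject: offer\r\n\r\nbuy now\r\n"
    server.record(genuine, now=0)
    return (server.asserts_sent(PRIMES, remainders(genuine), now=600),   # sent
            server.asserts_sent(PRIMES, remainders(spoofed), now=600),   # never sent
            server.asserts_sent(PRIMES, remainders(genuine), now=7200))  # expired


if __name__ == "__main__":
    print(demo())
```

A receiver can only run this check against a domain that operates such a server, which is the deployment gap the reply above points at.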