> From: Valdis.Kletnieks@vt.edu
> ...
> Possibly what is needed is a hybrid approach:
>
> 1) If you're a "big" mail server, you can probably prevail on your DNS
> admins to list you in whatever DNS-based verification system (in our entire
> 2 /16s of address space, there are less than 10 boxes that would have a major
> resource issue, but would benefit from a DNS-based solution.
>
> 2) If you're not listed in the DNS, you have to do a compute-intensive proof.
>
> What would people think of that idea?

Is the goal to block spam? If so, what do you do about the third case, senders that don't participate in either #1 or #2?

For the first years, most of the 10,000,000s of legitimate SMTP clients (sending mail servers) will do neither #1 nor #2, because their operators will not have heard about it. You will have to configure your receiving mail servers to require #1 or #2 only in exceptional cases. When the operators of the other 10,000,000s of servers finally hear about the new regime, they'll generally not get around to installing either sort of proof of virtue, because their mail is working without it and they have real problems to worry about, from installing the latest security patches to thinking about considering IPv6. Even people who turn on requirements for #1 or #2 for incoming mail to reduce spam will often delay supporting it on outgoing mail, because no one competent likes to break things that are working.

In other words, such tactics might work for the exceptional cases of the biggest, otherwise hopeless sources of (not really) forged spam such as Hotmail, as a sort of half-blacklisting, but I can't see it working in general.

Moore's law causes a bunch of problems for the computing idea. There is at least a factor of 100 in CPU speeds of current hosts. How do you ensure that the fastest commodity CPU that a spammer might use is forced to slow down more than the limit already imposed by network bottlenecks without making old systems useless?
Vernon Schryver vjs@rhyolite.com
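Added illustration, not part of the thread and not code from either poster: a hashcash-style "compute-intensive proof" as option #2 would need, minted by the sending SMTP client and checked with a single hash by the receiver, plus the arithmetic behind the factor-of-100 objection. The stamp layout, the 2**bits work model and the hash rates used are assumptions made for this example.

```python
import hashlib
import os
from typing import Optional, Tuple

# Added example of a hashcash-style proof-of-work stamp. The stamp layout
# "1:<bits>:<resource>:<salt>:<counter>" is an assumption made for this
# example (loosely modelled on hashcash), not something the thread defines.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint(resource: str, bits: int, salt: Optional[str] = None) -> str:
    """Sender side: search for a stamp whose SHA-256 starts with `bits` zero
    bits. On average this costs about 2**bits hash evaluations."""
    if salt is None:
        salt = os.urandom(8).hex()
    counter = 0
    while True:
        stamp = f"1:{bits}:{resource}:{salt}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, resource: str, min_bits: int) -> bool:
    """Receiver side: one hash, however long the stamp took to mint.
    Rejects malformed stamps, stamps bound to another resource (e.g. another
    recipient address) and stamps claiming fewer bits than the receiver demands."""
    parts = stamp.split(":")
    if len(parts) != 5 or parts[0] != "1":
        return False
    try:
        bits = int(parts[1])
    except ValueError:
        return False
    if parts[2] != resource or bits < min_bits:
        return False
    return leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits


def minting_seconds(bits: int, hashes_per_second: float) -> float:
    """Expected wall-clock cost of minting one stamp on a host of the given speed."""
    return (2 ** bits) / hashes_per_second


def bits_for_target(target_seconds: float, fastest_hps: float) -> int:
    """Smallest difficulty that costs the *fastest* sender at least
    `target_seconds` per message; the difficulty has to be chosen against the
    spammer's hardware, not the average host."""
    bits = 0
    while minting_seconds(bits, fastest_hps) < target_seconds:
        bits += 1
    return bits


def speed_gap(target_seconds: float, fastest_hps: float, ratio: float) -> Tuple[int, float]:
    """Difficulty needed to hold the fastest host to `target_seconds`, and what
    that same difficulty costs a host `ratio` times slower (the old-system problem)."""
    bits = bits_for_target(target_seconds, fastest_hps)
    return bits, minting_seconds(bits, fastest_hps / ratio)


if __name__ == "__main__":
    stamp = mint("alice@example.net", 16)  # roughly 65k hashes on the sender
    print(stamp, verify(stamp, "alice@example.net", 16))
    # 2**20 hashes/s is an assumed figure for illustration, not a measurement.
    bits, slow = speed_gap(1.0, fastest_hps=2 ** 20, ratio=100)
    print(f"{bits} bits: fastest host 1 s/message, 100x slower host {slow:.0f} s/message")
```

The receiver's cost is one SHA-256 per message regardless of difficulty, which is the attraction of the scheme; the problem is in bits_for_target: any setting that costs the fastest commodity CPU one second per message costs a host 100 times slower 100 seconds per message, and lowering the difficulty to spare the slow host leaves the fast one barely slowed.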