On Mon, 9 Feb 2004, Ed Gerck wrote:

>
> Dean Anderson wrote:
>
> > On 10 Feb 2004, Franck Martin wrote:
> > ...
> > When you realign your anti-spam efforts from control of business to
> > control of techno-terrorists, the problem is quite a bit different, and
> > you can see also that things like signing and other things aren't going to
> > work.
>
> Signing doesn't work because it cannot provide a load per recipient,
> just per sender. Encryption with the recipient's public-key (as I am
> proposing) works because the spammer must encrypt each message
> for each recipient. This applies to lawful spammers as well, finally
> adding friction to email by creating a mandatory "fee" (burdenwise) to
> send messages.

Then using the IETF list as an example, you would need the entire list of
recipients and their public keys, and you would need to send a message
either directly to each of them, one by one, or send a single message with
a session key for each recipient (thousands). This isn't going to work.

Second, even if the above weren't a problem, one still has the problem
that a virus infected user will still be sending messages, just like
everyone else. You can't make it more expensive without shooting yourself
in the foot.

In information theory-speak, you can't prevent a covert channel** unless
you have no channel at all. Covert-channel detection is a whack-a-mole
game. The whack-a-mole characteristic can't be avoided, except by having
no channel at all. Then your problem is to be sure that there really isn't
a channel. But there often is a channel anyway, and it is just unknown.
Intelligence agencies go to a great deal of expense to make sure there is
no channel through which information can be leaked. Our problem is much,
much more difficult because we have a channel, but want to make sure it is
only used for certain purposes.

Putting it in different terms, how can the government make sure those
"government use only" stamped envelopes are only used for government
business? 'Government business' includes interacting with the general
public through mail or email, so eliminating the channel over which
non-government business might be conducted is not an option. Is it
possible to make a stamp so that the envelope cannot be used for a
non-government purpose?

Now take it one step closer: How can they make sure that government
computers are only used for government business? Can a computer be built
that can only be used for government business?

There is no scheme in which the rules can't be broken by someone intent on
breaking them. The only path is to detect them, and prosecute them. In the
case of spam, detection is easy, but not automatic. Prosecution is now
possible. It's still a whack-a-mole game. It won't end unless you can get
past the virus infection to the virus operator, and hopefully, there
aren't really too many virus operators.

Of course, we aren't stopping spam either in a very real sense, but rather
abusers who are annoying and mailbombing people. But by my count of my
inbox, if you stop those people, I can certainly handle the rest which
amounts to maybe 1% of my current junk mail.

> BTW, my previous posting provided a rationale for proposing the following
> requirement for any current or future mail system:
>
> - Users do not want requirements to pay for sending email or to be
> otherwise burdened in any way in order to stop spam. Stopping spam
> should not be a user's problem.

The "for pay" idea is just another scam from the people who would love to
get a percentage of the pay. While I'm sure Microsoft and others would
just love to get a cut of this (I know I would), it doesn't do anything to
stop spam, and if implemented, would simply (and wrongly) charge users
whose computers were virus infected. I doubt that it would be widely
implemented, anyway.
It would also be the end of free services like hotmail and yahoo, though
I'm certain MS would give up hotmail in a hot second for a cut of probably
billions or trillions per year in email fees. Though, perhaps one could
bring a fraud or racketeering case against Microsoft for profiting from
its insecure computers, but I'm doubtful of that.

--Dean

** covert channel, sneaky channel, whatever your term--'covert channel' is
a term favored by OS scientists in analysis of Operating Systems--the
information theory part of it is generally applicable, and the concept has
been researched in different fields and applications using slightly
different names.