Re: How Not To Filter Spam

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: Ed Gerck <egerck@xxxxxxx>

> > If a complete stranger is the sender of an incoming message, then
> > crypto keys are irrelevant to determining the message is unsolicited
> > bulk.  
>
> No. In PGP, for example, I accept a key based on who signed it and
> when. If I can trust the signer(s), I may use a key from a stranger.

That sounds like the old "authentication solves spam" hope.  It was
wrong before SMTP-AUTH and it is still wrong.  If the sender is a
stranger, then by the definition of "stranger" you can know nothing
more than that the key works.  You cannot know whether the stranger
is one of Alan Ralsky's myriad of aliases delivering spam.


> > The PGP mantra that a good key does not imply that the sender or the
> > message is good applies here.
>
> Define "good key" and you'll define what the key is good for.

The ancient PGP mantra refers to keys that "work," as in the results
of decoding using the indicated public keys yield a valid messages.
The key can be good, but a good key tells you nothing more than that
the sender of the message knows the corresponding private key. 

Would you trust every PGP key from the IETF key signings to guarantee
that a message is not spam?  Some IETF participants have been unashamed
senders of unsolicited bulk commercial advertisements.  The person I'm
thinking of objected to his entry in my blacklist by insisting that
although he had sent the triggering message, it was not spam because
he had not sent more than one copy per mailbox.  He might have since
changed his definition and stopped sending unsolicited bulk mail, but
it would be silly to think everyone who gets a PGP key signed at an
IETF key signing party is someone from whom you want to receive mail.

Given who will pay certifiers, the IETF key signings are far less
bad guarantors of non-spam than commercial certifiers.  Consider
privacy policy certifiers and see one of the several versions of
http://enterprise-security-today.newsfactor.com/story.xhtml?story_title=Online_Privacy_Policies_Misleading

] An analysis of Web sites carrying those seals found that the
] companies running them ask for more personal information -- and
] protect it less -- than sites that have no seals.


Vernon Schryver    vjs@xxxxxxxxxxxx


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]