On 25 Feb 2004 at 12:16, Neil Carpenter wrote: > > the value in having the list processor sign all posts > > is simple. guaranteed identification of the list > > traffic for any recipient who decides to verify > > signatures. > > This seems to solve a non-problem. Unless there are spam messages that > where the sender has, for instance, forged the existing "Sender: > owner-ietf@xxxxxxxx" header, signing these messages will add nothing of > value. It seems much more likely that a spammer would simply send > e-mail to the ietf@xxxxxxxx list & allow the list itself to propagate it > than that they would specifically forge that header. again, i'm not imagining that having the list processor sign all mail will stop spam from entering the list. the problem i need to solve is how to stop spam from being sent *directly* to me. accepting only email with whitelisted signatures will solve my problem. btw, i thought you needed to be subscribed to the ietf list prior to being able to post to the ietf list? On 25 Feb 2004 at 11:26, Stephen Sprunk wrote: > You have yet to demonstrate the problem you are trying to solve even > exists. > > I've gotten over 2700 spams this month, and zero of them have "ietf" > anywhere in them, either header or body. Thus, I see no compelling > reason for the ietf's list software to sign anything when a simple MUA > filter on the Sender: line already achieves 100% accuracy. see above response. also, from my perspective digital signature verification is simpler than maintaining a filter list. i'm tired of the spam/anti-spam arms race. i'm going to deploy a solution that is unspoofable. On 25 Feb 2004 at 12:06, Vernon Schryver wrote: > > From: gnulinux@xxxxxxxxxxx > > > > > Having the latest tools means nothing, unless > > > they are used right. Are > > > > i'm using them correctly > > I, for one, am unconvinced. I have had no trouble > filtering unwanted mail from this list, thanks to > procmail. My various filters have no trouble > dealing with more than 99.9% of the unsolicited bulk > mail including viruses and worms directed at my > mailbox. For my mail, my filters have a total false > positive rate (legitimate rejected divided by total > legitimate) of less than 0.1%. Whether your filters > are doing as well as you want them to does not seem > like a concern of the IETF. i have ~98% accuracy thanks to bayesian filtering. i haven't calculated my false positive rate, but i get false positives. even *one* false positive is unacceptable. even if my filter accuracy was 99.99% i would still need to trawl my spam folder to check for false positives. and as the spam volume continues to grow trawling the spam folder takes more and more time. i need to stop false positives and digital signatures are one possible solution. > > ... > > the value in having the list processor sign all > > posts is simple. guaranteed identification of the > > list traffic for any recipient who decides to > > verify signatures. > > I think it would be simpler for all concerned and in > this case just as effective if the IETF list > processor would offer to do SMTP-TLS and for an > appropriate cert to be published on http://ietf.org/ > > However, I would not suggesting that for any > practical or operational reason. It would merely > set a good example. i'm not familiar with SMTP-TLS but i will go read about it. FWIW, i think that digitally signing all list messages would also set a good example, and it too is a simple implementation. david