[linux-elitists] On spam, stamps, and hygiene
Karsten M. Self
Fri Feb 6 20:35:41 PST 2004
on Fri, Feb 06, 2004 at 11:37:59PM +0100, Eugen Leitl (firstname.lastname@example.org) wrote:
> On Fri, Feb 06, 2004 at 01:36:06PM -0800, Mister Bad wrote:
> > So, I find it wondersome that so few of these media discussions
> > bring up the issue of digital signatures. Signed mail is not forged
> > mail. Signed mail
> Which: inline'd, or maimed? Latter will be stripped, cause much
> anguish among >60% of MUA base, or outright bounced or rejected.
...which is why there is a (draft) RFC standard detailing how GPG/PGP
MIME attachments should be handled.
The 60% crowd _does_ have PGP support options available to them, as well
as the less useful and transparent SMIME standard.
> > does not break SMTP, MIME, or other standards. Signed mail does not
> > require a central authority to authenticate mail. Signed mail is
> > better.
> Chugging out certs by the metric shitload is cheap; so is setting up
> faux trust networks. Trust is just an integer. It's only good if it's
> close to node that are you. But that's highly nontrivial to deploy
> blanketly, in a world that even can't handle plain signatures right.
For many users, most mail is from known correspondents. Signed mail
with known trusted signatures is useful. A signature of and by itself
_isn't_ particularly useful -- it's just a large integer, and these are
cheap, as Eugene states.
Trust relationships can be useful though. I found the trust web between
myself and a correspondent in Australia is only three nodes deep, with
multiple paths between us (in both directions). In a world in which PKI
is more widely used, either ad hoc or intentional certificate
authorities can help this issue. E.g.: your employer might serve as a
certifying authority, which, for suitably large values of employer (and
trusted...) would make for a relatively useful signature.
This gets to one side of the problem with spam: spoofing senders, and
trusting content. It doesn't really do much to address the sheer
_volume_ of the crap. Not to say that PKI isn't useful, it's just not a
Keeping tabs on who's running blatantly abusive networks is a big part
of this. If I haven't posted these already, the two links below show
the amount of spam I'm receiving by ASN (autonomous system number), and
cumulative spam. Data are Jan 15 - Jan 31, 2004. The top 100 of ~480
ASNs are shown.
Spam volume by ASN, top 100 contributing ASNs
Cumulative spam volume by ASN, top 100 contributing ASNs
What's significant: a small number of badly managed networks contribute
overwhelmingly to spam volumes.
IP => ASN mapping: http://www.routeviews.org/
host -t txt <reversed IP>.asn.routeviews.org
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20040206/36262079/attachment.pgp
More information about the linux-elitists