Time to check the rate limits on your mail servers

Edward B. Dreger eddy+public+spam at noc.everquick.net
Sat Feb 5 20:38:42 UTC 2005


JH> Date: Sat, 5 Feb 2005 19:18:53 -0000
JH> From: Jørgen Hovland

JH> A cryptographic signature would be a perfect guarantee as it can be
JH> used for direct identification and authorisation if you were

No, it's not direct.  You trust whoever signed the key.

Note that I agree PGP key signing is less prone to attack than unsigned
SPF.  The severity of the difference is a matter for discussion...


JH> guaranteed that the only user of the signature was in fact you and
JH> not the spyware on your machine. The implementation is everything.

A cryptosig can ensure that the ISP didn't alter the message.  AFAIK,
most MUAs pull cryptosigs from the registry/configs.  Could malware do
the same?  You bet.


JH> To prevent spyware using your signature you can for example use some
JH> sort of local signature engine and a fingerprint reader. It isn't

Specifics, please.  You'd need to ensure that the fingerprint reader
would operate at a protection level that the spyware couldn't access.
That's currently an unrealistic assumption.  A worthy goal, but a bit of
a stretch these days.


JH> possible to steal the private key because only the engine can decode
JH> it. Emails can only be signed with that signature by the engine, and
JH> the engine needs your fingerprint first. But who really wants to
JH> stick your thumb in the reader for every email you send?

*shrug*  Put a print reader on a keyboard... hold down finger/thumb a
few seconds to authenticate... flush the queue for messages created
prior to auth...


[ snip ]


JH> Now that you are identified and authorised - I can still send you
JH> spam! How can I stop you from doing it? I can remove your

Exactly.  You can still send spam, but the sender is accurate.  IMNSHO
there is benefit in quickly determining *who* is responsible.

I don't claim to have the FUSSP.  The lack of such does not mean that
partially-effective measures are worthless.  (Hint:  Nothing in the
history of mankind has stopped murder.  Should we discount all laws,
punishments, et cetera?)


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc at brics.com -*- jfconmaapaq at intc.net -*- sam at everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.



