Spam.

Bill Nash plug-discuss@lists.plug.phoenix.az.us
Tue, 1 Oct 2002 18:50:34 +0000 (UTC)


So of late, more and more has been hitting my inbox. Being the creative
and sometimes not nice person I am, I started thinking about ways to
legitimately cut down on spam, while making spammers scream in pain. Doing
some role reversal, I started thinking about some of what keeps spammers
in business:

	- Difficult to block for various reasons
	- Anonymity
	- Open relays

A few beers into the whole mess, I started thinking about the good ol US
Postal Service, mostly because some jackass forwarded me that FUD about
the USPS taking over email services for the whole Internet. Add in the
recent rash of discussions about key signing, and a potentially worthy
idea was born.

This is a loose and sketchy concept. Some areas involved here I am not an
authority on. It's intended to spark discussion, so please, pick apart and
let me know where I'm off base, misguided, out of crack, et cetera.

First off, why aren't mail servers talking to each other over encrypted
streams? Everyone is talking about encrypting mail to each other, and
exchanging keys, so why not do it with the mail servers themselves as an
additional step of security?

This leads to another step. Why not tie mail server 'identities' into a
Certificate Authority/PKI? Better yet, why not have that CA/PKI
administered by a Federal institution that very few dare muck with, who can
also make use of the revenue? That's right, our friends, the USPS. You too
can be a USPS sysadmin, and make use of your guns!

All kidding aside, and please, suppress the knee jerk 'Government
regulation is bad!' If you're going to argue, come prepared with a valid
point and some sanity. I'm not talking about regulation. I'm talking about
accountability. The internet runs on a couple of factors: packets and
trust. The trust has been abused to the point of lunacy. All this
considered, what sucks most about the whole concept, and what could be
done better?

Here's an example of how I see the process working. Sample ISP A, called
AOL, decides to save money by reducing the amount of traffic on their
networks. They find that cutting spam will do this, by 90%. They toggle a
bit on their mail server and say, 'OK, authenticated mail servers only, as
identified by the USPS PKI.' Poof. All mail ceases to flow. While not what
they wanted, they've met their goal.

However, legitimate ISPs will see this and think, "Not a bad idea. Where
do we sign up?" They use a large stick to pry a sysadmin out of his cube,
and say, "You will venture forth into the sunlight, to the post office,
where things are sent on paper, and you will register our mail servers."
Said sysadmin drives his Datsun to the post office, walks in, fills out
appropriate paperwork, shows an ID so they have someone to pin the keys
on, and set him up an account with which he can register keys from his
mail servers. Just like key signing should be done, in person and
verified.

Suddenly, mail servers are no longer anonymous. They belong to a specific
person who had to show federally recognized identification, who can be
prosecuted for violation of, say, California spam laws, or simply beaten if
caught in a dark alley.

Ok, so I can guess right off, privacy advocates just took me off their
Christmas lists. That, or I'm getting a metric ton of fruitcake this year.
Even if USPS PKI/CA administration isn't viable (though for government
agencies, it might be), why can't something like this exist independently?
A collaboration between major ISPs would be enough to kick it off, and
then it's open season on spammers. The RBL becomes infinitely more
effective, and mail servers can stop talking to strangers.

Some interesting ripple effects of this, however. What happens to free
email suppliers like Yahoo and Hotmail? Conventional ISPs have a billing
record to tie user accounts to. Hotmail has an IP address, which we all
know isn't the most reliable thing. Yes, this kinda removes the anonymity
aspect of email, but (oh god, here comes a can of worms) what's the point
of anonymous email? I see the Caller ID/Call Blocking argument applying
here.

Alright, this is getting long, so. Hm. Where's my beer?

- billn