email hashes in PGP keys as protection against spam
Robert J. Hansen
rjh at sixdemonbag.org
Mon Oct 5 19:47:35 CEST 2009
I have removed the IETF list from the follow-up. I don't think this
proposal is ripe for consideration by the specification community.
>> The description is on my web site:
Proposals like this come up a lot. I have yet to see one which I think
really understands the problem.
Spam depends on:
1. High volume. If the spammer can't spam millions
upon millions of emails, the spammer loses.
2. Permissive SMTP. The SMTP protocol has nothing
in it to constrain spammers.
3. Financial instruments. Spammers have to get paid
4. Email lists. The spammer has to have some way to
5. Permissive law enforcement. Spammers thrive on
the lax enforcement of anti-fraud and anti-spam
6. User interaction. The user has to see the spam.
What we can handle via technical means are #s 1, 2 and 6 (graylisting,
SMTP security, and Bayesian spam filtering). Those three work pretty
well. Graylisting alone reduced my spam by 99%; between that and a good
Bayesian filter, I can go for a week or more without seeing one.
Targeting #s 3 and 5 requires significant government intervention. We
can't do that by ourselves; we have to get law enforcement to
participate, too. In today's climate, that's just not happening.
Targeting #4 is a lost cause. Taking away one resource is pointless,
given how many resources the spammers have. Even if you remove all of
them, the spammers can still use statistical models of email addresses
to get messages out without impairment.
More information about the Gnupg-devel