email hashes in PGP keys as protection against spam

Robert J. Hansen rjh at
Mon Oct 5 19:47:35 CEST 2009

I have removed the IETF list from the follow-up.  I don't think this
proposal is ripe for consideration by the specification community.

>> The description is on my web site:

Proposals like this come up a lot.  I have yet to see one which I think
really understands the problem.

Spam depends on:

	1. High volume.  If the spammer can't spam millions
	   upon millions of emails, the spammer loses.
	2. Permissive SMTP.  The SMTP protocol has nothing
	   in it to constrain spammers.
	3. Financial instruments.  Spammers have to get paid
	4. Email lists.  The spammer has to have some way to
	   target people.
	5. Permissive law enforcement.  Spammers thrive on
	   the lax enforcement of anti-fraud and anti-spam
	6. User interaction.  The user has to see the spam.

What we can handle via technical means are #s 1, 2 and 6 (graylisting,
SMTP security, and Bayesian spam filtering).  Those three work pretty
well.  Graylisting alone reduced my spam by 99%; between that and a good
Bayesian filter, I can go for a week or more without seeing one.

Targeting #s 3 and 5 requires significant government intervention.  We
can't do that by ourselves; we have to get law enforcement to
participate, too.  In today's climate, that's just not happening.

Targeting #4 is a lost cause.  Taking away one resource is pointless,
given how many resources the spammers have.  Even if you remove all of
them, the spammers can still use statistical models of email addresses
to get messages out without impairment.

More information about the Gnupg-devel mailing list