spam and crypto (was: Re: what is killing PKI?)

Hauke Laging mailinglisten at
Fri Oct 5 03:55:24 CEST 2012

On Fri 05.10.2012, 02:00:36, MFPA wrote:

> Anyway, I would anticipate spam volumes to be lower if all messages
> were encrypted. Would the spammers invest the cpu cycles to encrypt
> their messages to each and every recipient?

They don't have to. They don't even have others to spend this CPU time. The 
point is that a spammer would not encrypt to protect the contained information 
but because he is required to adhere to the format rules of encrypted messages 
in order to get his mails read.

So the CPU efficient spammer

1) encrypts all messages with the same session key. This forces him to send 
identical messages but that is hardly a problem. This frees the spammer from 
doing the symmetric encryption of the message but still causes that CPU load 
of asymmetrically encrypting the session key to each of the recipient keys.

2) stores the "encrypted session key" packet for each recipient so he can send 
other spam messages without per-recipient CPU consumption

3) if we try to detect spam by detecting reused session keys (by e.g. storing 
the hashes of all session keys) then the spammer can still save a lot of CPU 
power by not using the same but just similar session keys, differing just in 
the last byte. If I understand asymmetric encryption correctly then most of 
the encryption effort could be shared then between the keys. The spammer would 
have to transmit the encrypted session key block along with the recipient 
email address. That is a multiple of the data amount of just the addresses but 
still not much.

And if we go even further and check not just for equal but for similar session 
keys then the spammer still has the possibility to better use his resources by 
preparing session keys and encrypted session key packets for the future.

IMHO the solution of spam is not encryption but signatures. The better 
solutions are not even crypto related. If the US and EU governments started 
treating foreign spammers the same way as "terrorists" we would soon see no 
more spam. A less violent option is the creation of a second email 
infrastructure. Make (by law) certain addresses (subdomains) accessible only 
by ISPs who fight spam (e.g. have to pay for spam from them). Then anyone can 
decide whether and how many email accounts he wants to have in the "Do what 
you like, get what you don't like" and the clean mail nets. Done (with small  

PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
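The reuse check sketched in point 3 above (store hashes of session keys rather than the keys), as an added example in Python that is not part of the original message or of GnuPG; it also covers the "similar session keys" variant by hashing the key with its last byte dropped. It assumes the check runs at the recipient, after the private key has unwrapped the session key; the message ids and keys are constructed.

```python
import hashlib
from collections import defaultdict

SESSION_KEY_LEN = 32  # AES-256 session key length, as OpenPGP would use


def key_digest(session_key: bytes, drop_tail: int = 0) -> str:
    """SHA-256 of the session key minus its last drop_tail bytes.
    Only digests are stored, never raw keys. With drop_tail > 0 the digest
    is the same for keys differing only in their last drop_tail bytes."""
    return hashlib.sha256(session_key[:SESSION_KEY_LEN - drop_tail]).hexdigest()


class SessionKeyReuseDetector:
    """Receiver-side check, run once the recipient's private key has
    unwrapped the PKESK packet and the session key is known."""

    def __init__(self, drop_tail: int = 1):
        self.drop_tail = drop_tail
        self.exact_seen = defaultdict(set)    # digest -> message ids
        self.similar_seen = defaultdict(set)  # prefix digest -> message ids

    def check(self, message_id: str, session_key: bytes) -> dict:
        if len(session_key) != SESSION_KEY_LEN:
            raise ValueError("unexpected session key length")
        exact = key_digest(session_key)
        similar = key_digest(session_key, self.drop_tail)
        verdict = {
            "message_id": message_id,
            "exact_reuse": bool(self.exact_seen[exact] - {message_id}),
            "similar_reuse": bool(self.similar_seen[similar] - {message_id}),
        }
        self.exact_seen[exact].add(message_id)
        self.similar_seen[similar].add(message_id)
        return verdict


def demo() -> list:
    """Constructed inbox: a fresh key, the same key reused, the same key
    with only its last byte changed, and a second fresh key."""
    k1 = hashlib.sha256(b"constructed key 1").digest()
    k2 = k1[:-1] + bytes([k1[-1] ^ 0xFF])  # differs only in the last byte
    k3 = hashlib.sha256(b"constructed key 2").digest()
    detector = SessionKeyReuseDetector(drop_tail=1)
    inbox = [("msg-1", k1), ("msg-2", k1), ("msg-3", k2), ("msg-4", k3)]
    return [detector.check(mid, key) for mid, key in inbox]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because unrelated random keys share a 31-byte prefix with negligible probability, a prefix hit is a strong reuse signal; dropping more than a byte or two makes the store proportionally coarser.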
