Spam Philosophy (was: Re: [lug] Getting mail out of the Qwest/MSN mire)

Nate Duehr nate at natetech.com
Mon Jul 10 09:49:42 MDT 2006


Sean Reifschneider wrote:

> Are you saying that one person cannot ever get more than one key?
> What if that key gets stolen?  Hey, I know, let's use your social security
> number to authenticate you!  If they can get more than one key, what
> is to prevent spammers from obtaining many keys, which make them look
> like many people?

Standard authentication rules.  Something you have (key), something you 
know (password), something you are (biometrics)... each one being a 
higher level of authentication.  Key-only auth would be more suspect 
than auth with the other two.

> Sure, I can blacklist the entire Interweb, and then whitelist only the
> people I want to hear from.  That will make my e-mail virtually spam-proof.
> It will also make it nearly impossible for you to communicate with anyone
> new.

Not really, unless you're carefully reviewing headers.  I can spoof any 
address I like from here.  The headers will show it came from my server, 
and the reply address will go to your real white-listed friend, but I 
still got my spam into your inbox.

> Authentication to the sending "entity" doesn't really help, we already have
> authentication to the sending entity of Yahoo and QWest DSL users, and
> that's how this whole discussion got started.

I don't think we really have authentication to a person on Yahoo or 
Qwest DSL users.  We have authentication to a username.  Big difference.

> In most cases for the spam I get, that's easily available.  The hop that
> sent the message to me is either the end user or the transport, I don't
> really care about the other hops it may have taken along the way.  Usually
> there aren't many hops anyway.

Why don't you care what other hops it took?  Wouldn't it be nice to know 
who's harboring the spammers upstream?

Nate
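
The header review discussed in this message, as an added example that is not part of the original post: a Python check that flags mail whose From address is whitelisted but whose delivering hop is not a relay expected for that sender. The whitelist, hostnames, addresses and the Postfix-style Received format are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed whitelist: address -> relay domains expected to deliver its mail.
WHITELIST = {"friend@example.org": ("example.org",)}

# Assumed Postfix-style trace field: "from <helo> (<rdns-name> [<ip>])".
HOP_RE = re.compile(r"from\s+\S+\s+\(([^\s\[\]()]+)\s*\[([0-9A-Fa-f.:]+)\]\)")

def make_msg(relay, ip, sender):
    """Build a constructed test message as our own MX would have stored it."""
    return (f"Received: from {relay} ({relay} [{ip}])\n"
            "\tby mx.home.example with ESMTP; Mon, 10 Jul 2006 09:00:00 -0600\n"
            f"From: Friend <{sender}>\nReply-To: {sender}\n"
            "To: me@home.example\nSubject: hello\n\nbody\n")

def delivering_hop(msg):
    """(rdns_name, ip) from the topmost Received header. That one is written
    by our own server; every header below it is supplied by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = HOP_RE.search(" ".join(received[0].split()))  # unfold the header
    return (m.group(1).lower().rstrip("."), m.group(2)) if m else None

def classify(raw, whitelist=WHITELIST):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in whitelist:
        return "not-whitelisted"
    hop = delivering_hop(msg)
    if hop is None:
        return "suspect: no parseable delivering hop"
    host, ip = hop
    # Match on a label boundary so "evilexample.org" is not taken for "example.org".
    if any(host == d or host.endswith("." + d) for d in whitelist[sender]):
        return "accept"
    return f"suspect: {sender} delivered by {host} [{ip}]"

if __name__ == "__main__":
    for relay, ip in [("smtp.example.org", "192.0.2.10"),
                      ("mail.bulk.example.net", "203.0.113.7")]:
        print(classify(make_msg(relay, ip, "friend@example.org")))
```

The reverse-DNS name in the trace field is set by whoever controls the connecting IP's PTR record, so this is a triage signal for whitelist bypass, not proof of origin.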


