- From: Al Gilman <asgilman@iamdigex.net>
- Date: Thu, 03 May 2001 11:44:41 -0400
- To: steveg@pa.dec.com (Steve Glassman), Cem.Karan@usa.alcatel.com (Cem Karan)
- Cc: Aaron Swartz <aswartz@swartzfam.com>, www-talk@w3.org
[This is a little wooly, but I think it's time to share it and stop trying to write a shorter letter. - Al]

At 03:38 PM 2001-05-01 -0700, Steve Glassman wrote:
>
>If the server doesn't automatically bounce the non-hash cash messages,
>then the recipient eventually has to screen the non hash cash messages
>and they are spammed.
>
>So you are spammed if you do and spammed if you don't.
>
>Steve
>
>p.s. There are other alternatives worth discussing, but I didn't want to
>step on my tag line :-)
>

I think that there are better things to do with the advertiser's "earnest CPU" expenditures than just busywork, breaking a hash.

The extra-effort part in one alternative that I was wondering about was simply to sign the letter addressed to you individually, in a way that involves your address in the computation of the signature along with the contents of the message so as to make it impractical to generate one signature for multiple recipients.

Security upgrades on this can be considered, including that they have to use not your address but a one-time token that you issued them, that they have to provide a certificate authenticating that they are who they say they are, etc. Yes, this nixes anonymous mail.

Checking that the signature is kosher is a price you are willing to pay to know that the sender is bona fide interested in talking to you, and not just flooding the IP waves for a return rate in the low parts per million. This creates a "certified mail" mode that you will read ahead of the random walk-ons.

Nothing I can think of eliminates, for me, the need to make the final determination to read something or not to read it myself. Mail from technologically-lagging strangers is included in what I want to read. But spams from bogus opt-out lists that are just looking for me to reply to show I am a real mailbox -- I can do without even opening those messages.
So I would really appreciate being able to distinguish low-budget gigamailers from conservative businesses who are eager to demonstrate that they are a real, going concern and are willing to winnow down their recipients list until they don't mind cranking on individual signatures for the messages.

I believe a scheme something like this would appeal to the ethical business community, and drawing the line between scammers and real businesses is likely to resonate better with Joe Public as well.

The mailing list problem is handled in two parts. To post to the list you have to credential yourself as a known article. This can be done by the certified mail route or various variations on that. Basically this means that you are well enough identified so that a) repeated abuse of lists can be tracked and b) adverse publicity can be applied if you habitually abuse lists. Once accepted for list distribution, a post is signed by the list. Inbox filtering distinguishes between mail from known lists where the signature may be generic across recipients and mail from unknown parties where the signature must be specific to the message you got including the addressing.

So the key is authentic information as to origination, plus individual attention of some moderate computational cost paid to the message addressed to _you_.

That's the pipe dream of the hour in this department.

Al
Received on Thursday, 3 May 2001 11:39:14 UTC
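The two signing modes Al sketches above (a per-recipient signature that binds the addressee into the signed data, and a generic list signature accepted only from known lists), as an added example that is not from the original post or from anyone on the thread. HMAC with a shared key stands in for a public-key signature so the example runs on Python's standard library alone (an assumption of this example; a real deployment would use an asymmetric signature so recipients never hold the sender's secret), and the keys, addresses and message are constructed.

```python
import hashlib
import hmac

# Constructed keys for illustration only. HMAC stands in for a public-key
# signature here (assumption of this example, not part of the original post).
SENDER_KEY = b"example-sender-key"
LIST_KEY = b"example-list-key"
KNOWN_LISTS = {"www-talk@w3.org"}  # lists whose generic signature we accept


def canonical(address: str) -> bytes:
    """Normalise the recipient address so case/whitespace can't be used to
    make one signature look valid for two spellings of the same mailbox."""
    return address.strip().lower().encode()


def sign_individual(key: bytes, recipient: str, body: str) -> str:
    """Per-recipient signature: the addressee is part of the signed data, so
    a signature computed for one mailbox does not verify for another."""
    data = b"individual\0" + canonical(recipient) + b"\0" + body.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_list(key: bytes, body: str) -> str:
    """List signature: generic across recipients, covers only the body."""
    return hmac.new(key, b"list\0" + body.encode(), hashlib.sha256).hexdigest()


def classify(my_address: str, msg: dict) -> str:
    """Inbox filter: 'list' if a known list signed it, 'certified' if an
    individual signature verifies for *my* address, otherwise 'walk-on'."""
    body, sig = msg["body"], msg.get("sig", "")
    if msg.get("list") in KNOWN_LISTS:
        if hmac.compare_digest(sign_list(LIST_KEY, body), sig):
            return "list"
    if hmac.compare_digest(sign_individual(SENDER_KEY, my_address, body), sig):
        return "certified"
    return "walk-on"


# Constructed sample messages.
SAMPLE_BODY = "Hello, interested in your work on accessible forms."
TO_ALICE = {"body": SAMPLE_BODY,
            "sig": sign_individual(SENDER_KEY, "alice@example.org", SAMPLE_BODY)}
FROM_LIST = {"body": SAMPLE_BODY, "list": "www-talk@w3.org",
             "sig": sign_list(LIST_KEY, SAMPLE_BODY)}
```

Reusing the signature made for Alice on Bob's copy of the same body fails, which is the "impractical to generate one signature for multiple recipients" property the post is after.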