On Wed, 18 Feb 2004, Dave Crocker wrote:
> Tony,
>
> TH> a legitimate message from someone I have corresponded with in the past. The
> TH> only way to detect a fraud at the MUA would be to have a verifiable
> TH> signature from Alain (this was trapped at my MTA due to the exe file).
>
> yes, but no.
>
> first, there is an increasingly heated debate between folks who want to
> sign the message (TEOS, DomainKeys), versus others who want to secure the channel
> between
> sender and receiver (RMX, LMAP, SPF, etc.).
What does it matter what the resolution is? Neither solution eliminates
the spam channel, and solves the problem, as information theory shows.
Its just a silly debate over two schemes to thread a needle that can't be
threaded.
> Once that debate is resolved, there is still the matter of compromised
> system. The message might actually come from the purported author's
> system, but still not be from the author because it has been taken over
> by evil forces. So, even with perfect automated validation, the content
> still might not be valid.
Right. And it might also be valid and still spam.
--Dean
