On Sat, Feb 18, 2012 at 2:07 AM, Adrien de Croy <[email protected]> wrote:
>
> On 18/02/2012 8:44 p.m., Giovanni Panozzo wrote:
>>
>> On 18/02/2012 08:24, Adrien de Croy wrote:
>>>
>>> We can't presume everyone has a full time internet connection.
>>
>> 100% agree. Store and forward is still required in some parts of the
>> world. I developed XATRN (http://xatrn.panozzo.it), and there are
>> still some (few, very few) users that use it with intermittent
>> Internet connection. Yes, I think that the future will be for
>> always-on connections, but there is no full world coverage of such
>> kind of Internet access.
>>
>>>> They authenticate over SASL using some fancy
>>>> federated authentication protocol (project moonshot) before being
>>>> allowed to post to my inbox.
>>>
>>> Personally I'd be tempted to mandate use of X.509 (SSL) client certs and
>>> TLS.
>>
>> Maybe X509 can be one of the weapons against spam. But today spam
>> comes from a "stolen" webserver (injected PHP script) or from "stolen"
>> PC (zombie PC, zombie network).
>> Spam NEVER comes from the sender itself. SPAM comes from a stolen
>> account :(
>
> plenty of spam comes from the sender not stolen accounts. That's why the
> spammers do things like register their own domains and SPF records.
>
>> Yes, better knowing the stolen account can help in fixing the problem,
>> like telling the user to run antivirus/reinstall OS, or the webmaster
>> to check its .PHP files. But I don't think that identifying the user
>> with X509 cert or some other federated authentication will help.
>
> the server will have a cert. It can be seen as spamming, and its cert can
> be revoked. That will cut it off.
>
> Having to get another cert will provide an incentive for the admin to care
> about it.

You seem to believe that all servers can always be entirely free from sending spam. That's pretty funny.

Given that spam is in the eye of the beholder, there are plenty of messages which are spam to some and not to others. Do you consider the latest commercial offer from Target or Amazon as spam? Plenty of people mark it as such, even if they opted-in to receiving it.

How about spam sent from a hijacked account? How many hijacked accounts a day do you think there are on a service with 1B email users? Or how much money do you think a spammer is willing to spend to buy an account, even on a free service? Or do you think it's actually possible to force everyone who wants an email account to pay for it at this point? And if so, how much money? $5/year is cheap in parts of the world, and really expensive in others, should poor parts of the world be relegated to the email ghetto because their accounts are so cheap that spammers abuse them constantly, while they have the least resources to keep them out?

And do you think that every person who runs a mail server wants to spend $100/year on a certificate? We already do it, but it's not a big deal to us. How many people run servers on their personal box?

Which is all pretty irrelevant, for most users today spam is already a solved problem. They don't see how much effort we put into it, and they know nothing about it until their account gets hijacked or one of their friends does and they get a "mugged in London" message. Or when some filter gets too aggressive and they don't get a message. Or when some company still thinks the spam world is black & white and uses a blacklist against their server.

Any effort they would have to make to whitelist senders before they can send them mail is something they aren't likely to understand the need for.

As for getting the Facebooks of the world to open up their social connection information to solve the spam problem for you, well, good luck with that. If you're Yahoo or Microsoft you can pay enough money to get access to that, and maybe it's in the ToS to use it that way.

Brandon

_______________________________________________
imap5 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/imap5
