[Spambayes] Email Certificates of Approval

Robert Woodhead trebor at animeigo.com
Thu Mar 13 20:02:36 EST 2003

Forgot to post this to the list

At 2:48 PM -0500 3/13/03, Eric S. Johansson wrote:
>Robert Woodhead wrote:
>>Been toying with a new, complementary idea for spam reduction. 
>>Wanted to pass it by you before unleashing it on the unsuspecting 
>>Comments much appreciated, of course.
>several major problems with this proposal.  It fails if:
>a registrar fails to list a spammer as a spammer

Well, SSL fails if a registrar doesn't do his job and issues bogus 
certs.  At some point, you have to trust someone.

>CRL reporting latency is too great

Not really that much of an issue.  Remember, this is just another 
data point.  If someone starts broadly spamming using a cert, enough 
users will note it to get the word out before most of the recipients 
grab it from their mailserver.

>virus lifts certificates from various machines
>the implementation follows all of the usual security human factors 
>failures (i.e. passphrases etc.)

Yes, but you're going to have these problems with any system.  Heck, 
a virus could grab your mailserver password and the evil spammers 
could reconfigure you as a relay.

At a certain point, you have to just say "this is good enough", and 
you can get there.

>it also fails because it doesn't allow truly anonymous speech and 
>opens the door for elected and non elected governance controlling 
>your ability to e-mail.

First of all, one could create anonymous certificates.  But the flip 
side is, users may decide to give less weight to an email from an 
anonymous source.  That's their choice.

99.999999999% of all email is not anonymous.  And note that anonymous 
remailers could get certs and certify that the source of the email 
(one of their users) is not a spammer.  Finally, all such a scheme is 
really saying is "if you are willing to certify who you are, your 
recipients will be more willing to trust that what you are sending is 
not spam".

Bluntly, the anonymity of email -- or more precisely, the ease of 
obscuring the origin of email -- is one of the major flaws in the 
current email system design that makes spam so easy to inflict on us.

>simple proof of work stamps get around all of these problems and 
>still put a big burden on the spammer.

Proof of work is an interesting idea.  But if it is worth enough, 
custom silicon can easily give 100x or even 1000x the throughput of a 
general-purpose processor.  And also keep in mind that there are 
legitimate emailers who need to send out a lot of email.

At 12:05 PM -0800 3/13/03, T. Alexander Popiel wrote:
>1. A single fee of $50 per registration would not be sufficient to
>    support the registrar; there are ongoing costs which only an
>    up-front fee cannot address, unless certificates expire... which
>    is horrible for the reputation aspects of the system.  The
>    registrar would have to be a subscription service, much like the
>    DNS registrars... but likely with higher costs because they
>    wouldn't be able to securely delegate authority (or perhaps
>    they could securely delegate... but people wouldn't believe it
>    was secure, so wouldn't trust it).  I doubt people will want to
>    pay $50 every couple months just to have a reputation.

It's unclear at present what the costs might be, but this is a valid 
concern.  I'm not thinking of something that has to be frequently 
renewed (unless it gets revoked).  Also, most cert owners would be 
mailserver operators anyway.

>2. The registrar could be infiltrated, bribed, or otherwise compromised.
>    Not helpful.  There would be no provable protections against such,
>    so the registrar would have to be a trusted party (in the negative
>    connotation of "you trust them because there's no way to verify
>    their veracity").  I think that keeping my own database would be
>    preferable.

So can DNS registrars.  So can SSL registrars.  But note that such a 
compromise will be immediately obvious, so there is a great incentive 
for the registrar to play fair.

>3. Many people pay good money to be jerks.  That's pretty much the
>    definition of email marketing... the spamhouses charge a pretty
>    penny for running one of the blast-o-grams.  An additional $50
>    per blast-o-gram for a new reputation token is minor compared
>    to the $1k-$10k+ per mailing...

Point well taken.  But note that I was talking about people buying 
certs to use to trash the reps of others.  As for the blastogram 
operators, after a while they'll find they can't buy certs from the 
registrar anymore.

>4. Adding a message signature to the Received headers (which is
>    effectively what you're doing) would be a wonderful thing... but
>    there's no need to centralize the signature keys.  Even if each
>    mail handler had their own privately kept & guarded keys, it'd
>    help tracking immensely.


>5. If people are foolish enough to not scan their tagged-as-spam
>    mailboxes for important things like their boss's name as sender,
>    then they deserve to have the company go belly-up. ;-)  More
>    generally, completely ignoring the tagged-as-spam stuff is
>    dangerous and dumb, because _NO_ system is going to be perfect.
>    Sorting the messages by sender makes it fairly easy and quick to
>    dispose of them.

I agree, but even the vigilant screw up occasionally.  I scan the 
sender/title of all of my spam (it gets filtered to the bottom of the 
inbox), but even with whitelisting, an occasional email from a legit 
sender (who has never emailed before, and is clueless enough to not 
put a nice descriptive subject line) gets by.

>6. I also think you're overstating the reaction speed of such a system;
>    if a spammer has a new certificate for each mailing (or each day),
>    then most people will not have read the message (and registered it
>    as spam) at the time when other people's mailers or procmail scripts
>    need to classify it... classification always happens before reading,
>    and classification is usually immediately after receipt, while
>    reading is delayed some arbitrary amount.

With enough users, this problem goes away.

>7. If you put in something saying that certificates under a certain age
>    (or with only a few votes) are suspect, then you unfairly penalize
>    new (or casual) email users, while merely inconveniencing the
>    spammers (who then have to pre-buy and age their certificates, and/or
>    ballot-stuff them).

Hadn't thought to do that.

>8. Ballot-stuffing would be a major problem, and if done at a reasonable
>    rate it'd be nearly impossible to detect.  (How do you distinguish
>    between you and forty clone machines ballot-stuffing at about 20
>    votes per day vs. someone who regularly communicates via email to
>    everyone in his workplace or on a local mailing list?)

Ballot stuffing is an issue, but consider that to stuff more than one 
ballot on a particular email, you'd have to have multiple 
certificates.  Unless someone puts together a gang of like-minded 
dipwads, all stuffing, the "popiel is a lousy scumbag" votes are 
going to get overwhelmed by the "popiel is a nice guy" votes. 
There's probably some cute things that can be done to detect stuffing.

Appreciate the comments, keep them coming.



Robert Woodhead, CEO, AnimEigo     http://www.animeigo.com/
http://selfpromotion.com/   The Net's only URL registration
SHARESERVICE.  A power tool for power webmasters.
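The proof-of-work stamps Eric brought up (and Robert's point about the sender/recipient cost asymmetry) are easiest to see in code. The following is an added example, not Spambayes code and not anything from the thread participants; it implements a hashcash-style stamp with an assumed layout of "ver:bits:timestamp:resource:counter", where the sender searches for a counter whose SHA-256 has the required number of leading zero bits and the recipient spends a single hash, plus a freshness and double-spend check, to verify it.

```python
import hashlib

# Hashcash-style proof-of-work stamp (added example). Assumed layout:
#   "1:<bits>:<unix timestamp>:<recipient address>:<counter>"
# The recipient address is the "resource", so a stamp minted for one
# mailbox cannot be reused against another.


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a hash digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint_stamp(resource: str, bits: int, timestamp: int):
    """Sender side: try counters until the stamp's SHA-256 has `bits`
    leading zero bits. Returns (stamp, hashes_tried); the second value is
    the sender's cost, roughly 2**bits hashes on average."""
    counter = 0
    while True:
        stamp = f"1:{bits}:{timestamp}:{resource}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1
        counter += 1


class StampVerifier:
    """Recipient side: one hash per stamp, a policy on the minimum bits,
    a freshness window and a seen-set so a stamp cannot be replayed."""

    def __init__(self, required_bits: int, max_age_s: int = 48 * 3600):
        self.required_bits = required_bits
        self.max_age_s = max_age_s
        # In-memory for the example; a real deployment would persist this
        # and expire entries older than max_age_s.
        self.seen = set()

    def verify(self, stamp: str, recipient: str, now: int):
        parts = stamp.split(":")
        if len(parts) != 5 or parts[0] != "1":
            return False, "malformed"
        try:
            bits = int(parts[1])
            ts = int(parts[2])
        except ValueError:
            return False, "malformed"
        if parts[3] != recipient:
            return False, "wrong resource"  # minted for some other mailbox
        if bits < self.required_bits:
            return False, "claimed bits below policy"
        if not (0 <= now - ts <= self.max_age_s):
            return False, "stale or future-dated"
        # The only expensive-looking step: exactly one hash for the recipient.
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
            return False, "work not done"
        if stamp in self.seen:
            return False, "double spend"
        self.seen.add(stamp)
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: mint a 12-bit stamp for a made-up mailbox.
    stamp, tried = mint_stamp("alice at example.invalid", 12, 1047589356)
    v = StampVerifier(required_bits=12)
    print(tried, "hashes to mint;", v.verify(stamp, "alice at example.invalid", 1047589356 + 60))
    print(v.verify(stamp, "alice at example.invalid", 1047589356 + 60))  # replay
```

The `hashes_tried` value is what the "custom silicon" objection is about: each extra bit of difficulty doubles the sender's expected work while the recipient's check stays at one hash, so a policy that wants to cancel a 100x hardware advantage has to raise `required_bits` by about seven, which lands just as hard on legitimate high-volume senders.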

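Robert's reply on ballot stuffing rests on two ideas: a voter needs a distinct certificate for every extra ballot on the same message, and stuffing leaves a detectable pattern. The following added example (not Spambayes code, not anything the list members wrote) sketches a reputation ledger under those assumptions: each message carries the sender's cert id, each vote is tied to the voter's cert id and is +1 (not spam) or -1 (spam), and the stuffing heuristic at the end is a hypothetical one of my own choosing, flagging voter certs that only ever vote against a single sender.

```python
from collections import defaultdict

# Added example: reputation ledger for a cert-based email scheme.
# Assumptions: sender_cert and voter_cert are opaque certificate ids that
# have already been validated by the mail client; votes are +1 or -1.


class ReputationLedger:
    def __init__(self):
        # (sender_cert, message_id) -> {voter_cert: vote}
        self.ballots = defaultdict(dict)

    def cast(self, voter_cert, sender_cert, message_id, vote):
        """Record a vote. A repeat vote by the same cert on the same message
        overwrites the earlier one, so each extra ballot costs one more cert."""
        if vote not in (1, -1):
            raise ValueError("vote must be +1 (not spam) or -1 (spam)")
        self.ballots[(sender_cert, message_id)][voter_cert] = vote

    def score(self, sender_cert):
        """Net reputation of a sender cert over every message voted on."""
        return sum(
            sum(votes.values())
            for (sender, _), votes in self.ballots.items()
            if sender == sender_cert
        )

    def suspicious_voters(self, min_votes=5):
        """Hypothetical stuffing heuristic (my assumption, not the thread's):
        voter certs with at least min_votes ballots, all negative, all aimed
        at one sender cert. Someone who reads a lot of mail will vote on
        several senders and cast some positive votes."""
        history = defaultdict(list)
        for (sender_cert, _), votes in self.ballots.items():
            for voter, vote in votes.items():
                history[voter].append((sender_cert, vote))
        flagged = set()
        for voter, entries in history.items():
            targets = {s for s, _ in entries}
            if (len(entries) >= min_votes and len(targets) == 1
                    and all(v == -1 for _, v in entries)):
                flagged.add(voter)
        return flagged


def build_sample_ledger():
    """Constructed sample: five messages from 'popiel', eight ordinary voters,
    three clone certs stuffing negative votes, one honest critic."""
    ledger = ReputationLedger()
    messages = [f"m{i}" for i in range(1, 6)]
    for m in messages:
        for u in range(1, 9):
            ledger.cast(f"u{u}", "popiel", m, +1)
        for c in range(1, 4):
            ledger.cast(f"c{c}", "popiel", m, -1)
        ledger.cast("v1", "popiel", m, -1)
    ledger.cast("c1", "popiel", "m1", -1)        # repeat vote: no extra effect
    ledger.cast("v1", "trebor", "t1", +1)        # v1 votes on someone else too
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("popiel:", ledger.score("popiel"), "trebor:", ledger.score("trebor"))
    print("flagged:", sorted(ledger.suspicious_voters()))
```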