North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Time to check the rate limits on your mail servers

  • From: Edward B. Dreger
  • Date: Sat Feb 05 15:39:51 2005

JH> Date: Sat, 5 Feb 2005 19:18:53 -0000
JH> From: Jørgen Hovland

JH> A cryptographic signature would be a perfect guarantee as it can be
JH> used for direct identification and authorisation if you were

No, it's not direct.  You trust whoever signed the key.

Note that I agree PGP key signing is less prone to attack than unsigned
SPF.  The severity of the difference is a matter for discussion...

JH> guaranteed that the only user of the signature was infact you and
JH> not the spyware on your machine. The implementation is everything.

A cryptosig can ensure that the ISP didn't alter the message.  AFAIK,
most MUAs pull cryptosigs from the registry/configs.  Could malware do
the same?  You bet.

JH> To prevent spyware using your signature you can for example use some
JH> sort of local signature engine and a fingerprint reader. It isn't

Specifics, please.  You'd need to ensure that the fingerprint reader
would operate at a protection level that the spyware couldn't access.
That's currently an unrealistic assumption.  A worthy goal, but a bit of
a stretch these days.

JH> possible to steal the private key because only the engine can decode
JH> it. Emails can only be signed with that signature by the engine, and
JH> the engine needs your fingerprint first. But who really wants to
JH> stick your thumb in the reader for every email you send?

*shrug*  Put a print reader on a keyboard... hold down finger/thumb a
few seconds to authenticate... flush the queue for messages created
prior to auth...

[ snip ]

JH> Now that you are identified and authorised - I can still send you
JH> spam! How can I stop you from doing it? I can remove your

Exactly.  You can still send spam, but the sender is accurate.  IMNSHO
there is benefit in quickly determining *who* is responsible.

I don't claim to have the FUSSP.  The lack of such does not mean that
partially-effective measures are worthless.  (Hint:  Nothing in the
history of mankind has stopped murder.  Should we discount all laws,
punishments, et cetera?)

Everquick Internet -
A division of Brotsman & Dreger, Inc. -
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses:
[email protected] -*- [email protected].net -*- [email protected]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.