[messaging] Hashing entries in a transparency log

Daniel Thomas drt24+messaging at cam.ac.uk
Thu Sep 4 08:57:09 PDT 2014


On 04/09/14 16:18, Mike Hearn wrote:
>>
>> That is more plausible than it might be as I think that a lot of spam
>> filtering is done based on the reputation of the sender.
> 
> 
> Sending *domain* not user. No spam filter I'm aware of tries to calculate
> inbound reputations on a per user basis.

True. This is probably due to a number of factors (including not enough
per-user data), but perhaps it would become possible if the sending user
could be authenticated to the recipient's spam filter? DKIM and SPF only
really authenticate the sending domain, as some domains allow users to
send email as if from other users at the same domain (they shouldn't, but
it used to be possible here).

>> Senders using an authenticated encryption system could have their
>> reputation more tightly determined than is possible at present.
> 
> 
> Senders already authenticate their mail streams using DKIM and are expected
> to police it. In other words, if a spammer signs up for 100,000 spammy
> Gmail accounts and uses them to send a lot of spam, that hurts Gmail's
> reputation and can result in their IPs being blocked.

Yes. However, I heard (second-hand, last week) that someone at Microsoft was
complaining that this was unfair. I disagree, but techniques which make
it easier to deal with spammers at badly run but 'too big to fail' ESPs
might be useful?

> For this reason large ESPs all do outbound spam filtering as well, and
> require a fairly high degree of insight into what their users are doing.
> E.g. if a major provider generated and published public keys for all their
> users then allowed encrypted mail to be sent, this would be bad for their
> users (more chance of receiving spam) but perversely also bad for everyone
> else, because then they'd find it harder to stop spam being sent *from* their
> networks and thus it would hurt their reputation.
> 
> The problem of spam filtering and end-to-end encryption is tightly linked,
> IMO. I cannot see major webmail providers deploying working E2E crypto at
> scale given the way the email network handles abuse, today.

Indeed.

Maybe there is something which can be done with a web of trust style
reputation system: 'existing contacts of mine who don't send me spam say
that this new person has sent them legitimate email'. No idea how to
implement that, particularly how to do so in a privacy-preserving and
user-friendly way. Without content, cleverer filtering using metadata
might help.


Daniel
