Re: Article Announcement: Can Microsoft End Spam?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 06:56 AM 7/6/2003, Ed Allen Smith wrote:

>Of course, it would be most helpful if Microsoft were to actually
>work toward what it's claiming it wants, instead of _against_
>stopping spam (UBE). See:
>http://news.zdnet.co.uk/story/0,,t269-s2136652,00.html
>http://dynamic.washtimes.com/print_story.cfm?StoryID=20030629-103835-
>5128r http://www.bayarea.com/mld/cctimes/news/6244003.htm
>http://www.sacbee.com/content/politics/story/6960914p-7910017c.html

Hey Ed, et al-

I can't see how you can even remotely discern "_against_ stopping spam"
from SB 186. Have you read the amended draft? Senator Bowden has *greatly* exaggerated the facts in her reaction. SB 186 is very similar to
now dead SB 12, and it is hardly a proclamation of "Let There Be Spam" as
her press release was titled. Currently, the draft does not include the
"no spam" registry, but it is not finished yet.

The problem with both drafts is that it addresses after-the-fact spamming
with what amounts to a fine- monetary damages. And while they both built
in stipulations for one to recoup attorney fees, you've got to catch the
actual spammer first. Most spams are spoofed, and the bill does not do
anything to help us with that.

As I say in the article, we have to fight spam with technology and law. Spam Database comparison and other analysis methods will help, but to
really impact spam, we need to find a workable solution in the area of
authentication and authorization at the server level. The no-spam registry
will only work for "legal" spammers. Where MS comes in is in the design of
something akin to a certificate verification system. To me, what would
really work would be to have free server certs available as part of the
Exchange Server licensing and to build a trusted sender infrastructure from
there. Systems could be set up to deny all unverifiable email, or whatever.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

And this is the type of system MS is working on. It is not for them to be
able to dictate what spam is or isn't, it is for them to be able to construct a global system of verification. If they can pull that off, it
will pay off in Server and Exchange licences. The law would come in requiring "legal" spam-bag companies to register with the certificate authority- the technology comes in at the server level. Further, this type
of model better supports differences in state law. Receiving server certs
would identify what state they are in- senders could have send rules based
on that- of course, the receiving system could globally block all spammer-owed certs, as well as all mail that was not validated.

Besides, we have a very, very long way to go with this- after all, in this
case, we're just talking about 2 bill drafts for a single state!

T

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPwmUeIhsmyD15h5gEQLL7ACgyv4pzIq31xic5yo4RcUoCGoevX0AoLN7 txQ/lU1KXAQUk8iWgIMsPuVq
=2EDw
-----END PGP SIGNATURE-----