Spam, even with the tools to filter it out, is a gigantic PITA. It eats up tons of bandwidth, and because filtering systems are imperfect we are still left having to quickly parse questionable emails. The following is an email verification system that could eliminate most (sorry, not all) spam. Not mark it, but eliminate it.
- The system proposed here does not require any human intervention – it is all automatic.
- The system proposed here does not require any kind of established relationship (as PKI does) between mail servers.
- The system proposed does not require any software or action on mail clients – just a program added to the mail server.
- The system proposed here does one thing – it ensures that an e-mail message truly comes from the mail's From address. This would stop about 99% of existing spam.
- Stops mail that pretends to come from eBay, your bank, etc.
So how does this work? All identification and authentication (I&A) in the computer industry is presently handled by one of three methods (or a combination thereof): username and password, physical token (such as a smart card), or PKI. This process adds a fourth method. The basic method is:
- When a system receives a message
  - and the system does not trust the communication channel,
    - where the message could have been generated from a source other than the source specified,
    - or it could be from the source specified but was edited in transit,
  - and there is a way to independently contact the specified source.
- Then the originating system generates a hash (message digest) of the message and stores that hash with the sender's identification,
  - with this information stored in a cache for a set period of time.
- When the receiving system wishes to verify the message it
  - generates a hash of the message
  - determines the specified sending system from the message
  - contacts the sending system using its own method of looking up the sending system – it does not use information in the message to connect to the sending system – only to get the claimed name of the sending system.
  - queries the sending system, passing it the first half of the message hash and the specified sender
  - the sending system replies listing messages with that first half of the hash – returning all the complete hash codes that match and were sent by this user from this system,
  - or replies that it was not sent by this user from this system, and the age of the cache of saved users/digests.
The keys to this system are the following:
- Each sent message has a record of the hash code and sender of the message stored for a short period of time. This requires both a very small amount of data storage and a small message for each verification.
- The receiving system takes the identification of the sender from the message, but contacts the sending system independently of the message contents. In other words, while the message may lie about where it came from, the message is not used to determine how to contact the sending system to verify the message.
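
The exchange described above, simulated in one process as an added example (not code from the original post). SHA-256, the `directory` dict standing in for the receiver's own lookup (such as DNS), the reading of "age of the cache" as the retention window, and all names and sample messages are assumptions; it also assumes both servers hash exactly the same message bytes.

```python
import hashlib

def digest(message: bytes) -> str:
    # SHA-256 is an assumption; the post only says "hash (message digest)".
    return hashlib.sha256(message).hexdigest()

class SendingServer:
    """Originating server: keeps (sender, digest) of each sent message for ttl seconds."""
    def __init__(self, ttl=3600):
        self.ttl = ttl
        self.cache = {}  # (sender, full digest) -> time the message was sent

    def record_sent(self, sender, message, now):
        self.cache[(sender, digest(message))] = now

    def query(self, sender, half, now):
        # Drop expired records, then list every full digest for this sender
        # that begins with the half digest supplied by the receiver.
        self.cache = {k: t for k, t in self.cache.items() if now - t <= self.ttl}
        matches = [d for (s, d) in self.cache if s == sender and d.startswith(half)]
        # Assumed reading of "age of the cache": how far back records are kept.
        return {"matches": matches, "cache_age": self.ttl}

def verify(message, claimed_sender, directory, now):
    """Receiving server: returns 'verified', 'rejected' or 'unverifiable'."""
    # Only the claimed name comes from the message; the route to the sending
    # system comes from the receiver's own directory (stand-in for e.g. DNS).
    domain = claimed_sender.rpartition("@")[2].lower()
    server = directory.get(domain)
    if server is None:
        return "unverifiable"
    full = digest(message)
    reply = server.query(claimed_sender, full[: len(full) // 2], now)
    # The receiver makes the final comparison against its own full digest.
    return "verified" if full in reply["matches"] else "rejected"

def demo():
    # Constructed sample data: one domain, one genuine message, one forgery.
    origin = SendingServer(ttl=3600)
    directory = {"example.com": origin}
    genuine = b"From: alice@example.com\r\n\r\nLunch at noon?"
    forged = b"From: alice@example.com\r\n\r\nPlease confirm your password"
    origin.record_sent("alice@example.com", genuine, now=0)
    return {
        "genuine": verify(genuine, "alice@example.com", directory, now=60),
        "forged": verify(forged, "alice@example.com", directory, now=60),
        "expired": verify(genuine, "alice@example.com", directory, now=7200),
        "unknown_domain": verify(genuine, "bob@example.net", directory, now=60),
    }
```

A genuine message checked after the cache period has lapsed is indistinguishable from a forgery, which is why the reply carries the cache age.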
The beauty of the above is that it provides the means to verify the source of an e-mail. This is a very valuable feature against spam (as most spam is sent from a bogus address). And it does so with a lightweight method, without the overhead of PKI or any kind of established relationship. And the entire implementation is done in the server software, so it would be a small effort to add this.
Anyone see a reason why this wouldn't significantly reduce spam?

