2 Sep 2003 berend   » (Journeyer)

It seems a lot of spammers and viruses are using my email address as the reply address... Got swamped by messages saying I have a virus. I therefore decided it was time to start signing my mail seriously. Upgraded to the latest GNU Privacy Guard (GPG), and the latest mailcrypt. Uncommented the lines in my .emacs and my mail is signed from now on. Put a URL in my signature to my public key. There does not seem to be a field in a message header for it.

Software that replies when it thinks I sent a virus will probably be disabled pretty soon. As well as the replies that an email address does not exist, or that the mailbox is over its size limit. Sigh. The end of email is near I'm afraid.

We really should have a server were people can send their email address and public key too. When a mail server receives a message claiming to have a reply address from someone, it should check with that server to see if that email address exists. Next it should validate the public key for the message. That would make it impossible to forge email addresses, if that server is reliable. To make sure the email addresses on that public server are reliable, we need to employ some trust. I.e. you can only store an email address and public key if another person, or two, can vouch for you. Perhaps use the existing public key servers and trust rings??

Lately, I have become pessimistic about antispam techniques. I no longer believe Paul Graham's approach to fight spam is going to work. Bayesian filtering is pretty easy to defeat if people start to use it seriously. If I was a spammer I just would hire a few hackers to distribute a few viruses that allow me to sent email all over the world. Next I would use the infected machines for some serious spamming: just send serious messages to everyone in the world. Take messages from mailing lists at SourceForge or Yahoo Groups. If people start to move those messages to their spam archives, they will slowly but surely decrease the effectiveness of their Bayesian utilities. And just by the sheer volume they can guarantee that messages get through, as long as they're varied enough. My spamfilter might block things about gardens or popmusic, but sure doesn't block messages about Eiffel yet.

Bayesian tools might have worked, if not for Microsoft and basically for the entire computer profession. It's all sloppy coding and use of sloppy languages that can't even guarantee you don't have a buffer overflow. Writing secure code is already hard enough even if you don't have to worry about mistakes with some pointer or a statically allocated array. We have so many infected computers now, that Bayesian filters simply can be spammed to death. Berend's law: what can happen, will happen.

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!