Mark,
The reality is that it is not difficult to get a spoofed certificate. Even a trusted one.

I have demonstrated this using a number of high end certificates.

Here is the flaw. Verified certificates. I get email from all over the earth. Most companies do. The practicality is the flaw. Add to that, Microsoft have had false signing certs and many others as well have.

The Google and other certs have been well compromised and the damage was already extensive in some areas, it was far from quick and highly ineffective.

Next, not all SMTP is company based. MANY organization have their own including many home users.

You have not even noted DNSSec as this is a necessary feature for such a scheme to function correctly.

Finally, there remain more holes in this than a sieve. Mark, I would suggest some time spend with a good pen tester. This is simple to bypass.

Next Mark,
Much of the SPAM is through compromised clients. How does this stop or address this?

So the SPAM we see with valid domain extensions sent through Google, Yahoo, etc.

Please explain how sending this via SSL and stopping network systems from seeing traffic and removing it will aid in stopping SPAM?

Hi Craig,

You appear to be suggesting nothing can be done - if this is the case then why was DNSSec implemented - why bother using SSL at all - why not just give access to criminals to internet banks and be done with it.

The role of engineers and computer scientists is to propose solutions. The solution that I have proposed will work over time, and yes as you point out with the recent SSL problem mentioned in the article there will be set backs along the way.

I can remember a time when we had tens of thousands of road deaths and injuries each year. Then action was taken over time, seat belts with associated fines for not wearing them and so on. Now with many millions more cars the death and injury rate is a fraction of what it was in the early 70s.

The problem of SPAM can be reduced to a fraction of what it is now. I have never claimed the problem would be 100% fixed.

DNSSec is an important part of the solution required to secure the Internet. I was writing about SMTP and do not discount the use of DNSSec to provide an important building block for secure SMTP. There are other building blocks required as well.

If you read the article closely you will see that I have mentioned several times that providers of SMTP servers that are alerted to SPAM originating from their SMTP server would then be able to identify the customer that sent the SPAM, and take appropriate action, such as educating the customer on how to secure their systems. An appropriate fee for this service may also be levied, as would a levy be put onto the SMTP service provider - even if it is Google or Yahoo.

The use of SSL certificates for transmission of email between SMTP servers will permit the email to be traced back to the originating SMTP server. This is key to resolving this issue. If a SMTP server does not have a SSL certificate then it would not be able to send email to any other SMTP server.

A combination of secure SMTP between SMTP servers, education and fines will address the problem of SPAM at the source, as this should be the focus rather than leaving the problem to the end user.

If home users have SMTP servers then they need to take appropriate action to ensure their SMTP server is not a source of SPAM. Responsibility is something that we all need to be reminded of occasionally.

If you wish please contact me directly to discuss this.

Mark,
I did at not point suggest that nothing can be done.

I stated that your solution will not work and is simply to bypass and much more complex than you seem to think for the protocol.

"SMTP server would then be able to identify the customer that sent the SPAM"

They can now. Economics.1. End users do not care 2.

I will look up your details later and send, but I can tell you many reasons why this is flawed.

Craig,

again you have stated something that is wrong. Companies and end-users do care. They care because people in society do want to do the right thing and they do not want to be party to criminals fleecing billions of dollars of unsuspecting citizens.

When somone in your family or someone you know falls foul of criminals operating over the network, your tune will change, you will feel outrage, and dare I say it, you will demand that something be done.

regards,
Mark Gregory

Do people really care?

Well, being that over 95% of SPAM comes from compromised systems, I would say that people care, but not enough to do anything. Most of these systems still do not patch and do not have anti-virus software.

Mark, your "solution" is flawed as you have no idea how SPAM works. It uses compromised servers. These are servers that are owned, that are on blacklists and that are managed now by all those people you say will do something that already are not.

Until you actually attempt to understand the problem, you will have no hope in helping make solutions to it.

Craig,

thank you for expressing your views. It is a pity you don't appear to want to take the opportunity to write an article and to put an alternate approach.

Making disparaging remarks publically is not appropriate. Please if you persist in responding stick to technical comments.

regards,
Mark Gregory

Mark,
At no point have I stated I would not write an article or paper.

Mark, what I have stated is based on fact alone. They are appropriate.

Mark, you do not have an approach. This simplistic model you are pushing here has no hope for what you are saying it will solve.

I have asked a few pertinent questions, you have ignored them. You hide in the notion that "people want something done". So are we to do any wasteful and inappropriate "solution" no matter how flawed simply as "people want action"?

As Bruce initially responded:
"Spam is a cultural, economic and political challenge rather than one that's readily addressed through a quick technical fix"

Mark, your solution is as Bruce stated "naive".