2010-06-01

E-mail spam defense techniques

The following ideas are full of bugs and probably already discussed somewhere else. I don't claim they are original. I only claim I never googled them :)

1st method
E-mail is only accepted from:
Private/personal e-mail: accepted only from senders that complete a CAPTCHA. The CAPTCHA is generated by the receiving server; an extension to the existing protocols (SMTP) would carry it back to the sender, where the e-mail client displays it and the sender solves it at send time.
Enterprise/mailing lists: accepted only from authenticated sender domains that present properly trusted certificates.

Problems: would partially break the current e-mail system, since senders whose clients do not implement the extension could no longer reach private addresses.

2nd method
Private domain case (ex: johndoe.me):
Each time John wants to give his e-mail address to someone or somewhere, he uses his e-mail server, or even an off-line device running a cryptographic algorithm, to generate a unique address for that situation, e.g. 98ads7@johndoe.me.
Later, when John wants to give away his e-mail address again, he creates a new address, e.g. fdsr432@johndoe.me, also unique to that transaction.

With this method there are two defenses against spam:
1 - Only a few addresses at johndoe.me are valid, so a random or dictionary attack on the domain mostly hits non-existent recipients.
2 - If John has to give his e-mail address to an untrusted site that he suspects may end up on a spam list, he can rest assured that if that address is compromised he can simply block it at his e-mail server, without affecting any other address. Because each address went to exactly one party, the address also tells him who leaked it.

Shared domain case (ex: gmail.com):
The extension of the private domain case to a shared domain is to put the unique tag in a subdomain instead of the local part, so the same two addresses for John could be:
johndoe@98ads7.gmail.com
johndoe@fdsr432.gmail.com


Problems: adds complexity for the user, who must generate a new address for every transaction and keep track of which one went where; in the shared domain case the provider must also accept mail for arbitrary subdomains (e.g. via a wildcard MX record).
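To make the second method concrete, here is an added example (not code from the original post) covering both the private domain and the shared domain case. The tag is built from two halves: a prefix derived by HMAC from a label John chooses for the recipient (so an off-line device holding the key can recompute it), and a keyed checksum over that prefix (so the server holding the same key can tell a minted tag from a guessed one without keeping a list of everything ever issued). Blocking a leaked address is a revocation set on the server. The key, the labels, the "untrusted-shop.example" site and the SMTP-style reply strings are all constructed for the example; the HMAC-based tag format is my choice, not something the post specifies.

```python
"""Per-recipient e-mail addresses: offline minting plus server-side verification.
Added example; not the original post's code."""
import hashlib
import hmac

TAG_BYTES = 4   # prefix derived from the label (who the address was given to)
MAC_BYTES = 4   # keyed checksum over the prefix; a guessed tag passes it with probability 2**-32


def _mac(key: bytes, data: bytes, n: int) -> bytes:
    """First n bytes of HMAC-SHA256(key, data)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:n]


def mint_tag(key: bytes, label: str) -> str:
    """Tag to hand out for `label` (e.g. the name of the site asking for an address).

    prefix = HMAC(key, label)   -> John can recompute it offline from the label alone
    check  = HMAC(key, prefix)  -> the server can verify it without a list of issued tags
    """
    prefix = _mac(key, b"prefix:" + label.encode("utf-8"), TAG_BYTES)
    check = _mac(key, b"check:" + prefix, MAC_BYTES)
    return (prefix + check).hex()


def tag_is_valid(key: bytes, tag: str) -> bool:
    """True only if the checksum half of the tag matches its prefix half."""
    if len(tag) != 2 * (TAG_BYTES + MAC_BYTES):
        return False
    try:
        raw = bytes.fromhex(tag)
    except ValueError:
        return False
    prefix, check = raw[:TAG_BYTES], raw[TAG_BYTES:]
    return hmac.compare_digest(check, _mac(key, b"check:" + prefix, MAC_BYTES))


def private_address(key: bytes, label: str, domain: str) -> str:
    """98ads7@johndoe.me style: the tag is the local part."""
    return f"{mint_tag(key, label)}@{domain}"


def shared_address(key: bytes, label: str, user: str, domain: str) -> str:
    """johndoe@98ads7.gmail.com style: the tag is a subdomain label."""
    return f"{user}@{mint_tag(key, label)}.{domain}"


def extract_tag(rcpt, domain, user=None):
    """Pull the tag out of an incoming RCPT TO address, or return None.

    Private domain (user is None): the tag is the local part.
    Shared domain: the tag is the single subdomain label under `domain`, and
    the local part must be the user's own name.
    """
    local, sep, host = rcpt.rpartition("@")
    if not sep:
        return None
    local, host = local.lower(), host.lower()
    if user is None:
        return local if host == domain else None
    if local != user.lower() or not host.endswith("." + domain):
        return None
    sub = host[: -len(domain) - 1]
    return sub if sub and "." not in sub else None


class InboundPolicy:
    """Server-side decision for one recipient address at RCPT TO time."""

    def __init__(self, key, domain, user=None):
        self.key, self.domain, self.user = key, domain, user
        self.blocked = set()   # tags John has revoked after they leaked

    def block(self, tag):
        self.blocked.add(tag)

    def decide(self, rcpt):
        tag = extract_tag(rcpt, self.domain, self.user)
        if tag is None or not tag_is_valid(self.key, tag):
            return "550 unknown recipient"    # defense 1: random guesses die here
        if tag in self.blocked:
            return "550 recipient disabled"   # defense 2: one leaked address, blocked alone
        return "250 OK"


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
    addr = private_address(key, "untrusted-shop.example", "johndoe.me")
    policy = InboundPolicy(key, "johndoe.me")
    print(addr, policy.decide(addr))
    print("bob@johndoe.me", policy.decide("bob@johndoe.me"))
    policy.block(mint_tag(key, "untrusted-shop.example"))
    print(addr, policy.decide(addr))
```

The checksum half is what keeps "few addresses are valid" true even though the server stores nothing per address: a spammer harvesting johndoe.me by brute force must hit a 32-bit checksum per guess, while John's server rejects everything else at RCPT TO before any message body is transferred. The key must therefore be present both on the minting device and on the server; if the two are to be kept apart, the server can instead keep a plain list of issued tags and skip the checksum.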
