Vernon Schryver
vjs@calcite.rhyolite.com
Tue, 11 Sep 2001 14:24:42 -0600 (MDT)
> From: "Brian J. Murrell" <dcc-list@interlinx.bc.ca>
> ...

> > It is possible in theory to use only certified spam traps and detect
> > spam with the DCC, but I've doubts about keeping the traps sufficiently
> > secret to make that work in practice.
>
> Really? I have spamtraps that have been fed for years now. How do
> you think the spammers would "find them out"?

Spam traps that cause more than the sending of a few complaints to ISPs have been quite rare. Some have been used for body filtering, but they've been even more rare, and their filtering has not been important in the larger scheme of things. They were not important enough to cause significant false positives, including those of mine at that corporate gateway that rejected up to 15,000 messages/day, to tempt anyone to use the potential for false positives for mischief.

How spammers (or more importantly, others) would discover spam traps feeding major DCC networks is less important than the motive that an effective body filtering system like the DCC provides for discovering them. Secrets are very hard to keep, except when they are like spam traps have been, of little value.

That's why I keep talking about examples like bad guys forwarding CERT advisories to DCC spam traps. If you think about it for a while, you'll note more plausible, less public, and more serious threats. It's good engineering, not paranoia or cynicism, to assume that Murphy was an optimist and that "they" will do whatever you make possible.

> > DCC clients only send checksums. If you have even the slightest
> > doubt about that, and even if you have no doubts, you should
> > check the source to see that it is true.
>
> That is true. But I trust you Vernon. :-) And I don't see it as a
> big deal anyway even though I am a privacy zealot.

I'm a privacy nut, and I think you should trust no one with your privacy, including me. I'm not joking but absolutely serious about that.

> ...

> > The words in a message are not the only private things that one
> > might want to shield. The fact that something was said can matter.
>
> Yeah, well, if I was in espionage, maybe I would care. :-)

Do you dabble in the stock market, perhaps through an IRA or 401K account? If so, you should care enough to worry about such things. Knowing only that the CEOs of HP and Compaq are exchanging email could be valuable. Such knowledge can affect your fortunes even if you don't have it.

> ...
> I don't think so (worth worrying about) but that is my opinion and my
> case.

I think the DCC is sufficiently private to not worry, but everyone must pay attention to such things. Liberty and more have often been lost through inattention and expediency.

Vernon Schryver    vjs@rhyolite.com