[GrahamL]

I'm at Defcon and was able to catch this talk. Someone asked this exact question after the talk—how can you deal with spam if you you can't scan encrypted messages for trigger words on the server. I'll try to explain what I remember: Ladar mentioned that DIME heavily encourages the use of DNSSEC, so you can verify the sender is definitely coming from the domain they're representing which should reduce spam. He also said everything we're currently doing on the server-side like keyword scanning can be done on the client side. Pretty sure he also acknowledged that it's a nontrivial problem and that the team is still investigating.

[melvinmt]

"everything we're currently doing on the server-side like keyword scanning can be done on the client side"

See the problem there?

[nostrademons]

I think they mean scanning on the receiver's client, not the sender's. There's no security problem there - a spammer with a rogue client will just send spam that's blocked by each client, and if you don't want to get spam, upgrade your client.

I am still doubtful that this will work - spam filtering a la GMail requires a good deal of aggregated data, being able to piece together related e-mails from many people's inboxes. It's effectively the reverse problem as NSA surveillance: instead of piecing together patterns in messages to highlight them, you piece together the patterns to block them. And so anything that blocks the NSA will make the spam filters we've come to depend upon non-functional. But that's because of lack of data, not because of client insecurity.

[GrahamL]

As nostrademons said, I meant on the receiving client, not the sender. Other than it being a potentially difficult nut to crack I don't really see any technical reason it'd be infeasible. Is that what you meant?