It isn't hard to create a key, upload it to the keyservers, and sign your backdoored glibc.

So unless you can trust the entity who signed the package, it's all moot.

Obviously, the debian project could sign the package using the Debian Package Signing Key, but you've just changed the problem from "how can an end user know that this key is worth trusting" to "how can debian know that this key is worth trusting". This is (probably) solvable, but still quite hard.

Note that the technology is easy, but the processess to back it up aren't.

Exim's security architecture has changed significantly since then, so many of the problems you mentioned have gone.

I delete spam regularly, but when Ive seen a few identical or near identical from one sender, I collect them. After I've got a handful, they get sent to their ISP. I follow up with a phonecall a few days later.

I've found that both the spammers' accounts, and the websites they advertise, have been pulled a few days later.

Ok, I dont kid myself that *I* did this. Maybe loads of other people complained too. I hope so. But if everyone did this once in a while... less spam? Certainly, it makes me feel better!

Now we also need to educate our friends and relatives to check hoax virus warnings before they propogate them...