Do we really need email anymore? If we don't solve the spam problem soon, maybe killing email is the best solution. Most of the people I email, I can talk to on IRC/iChat/web discussions/RSS feeds/whatever.
About 5% of the email I get is NOT junk. Why bother anymore? I used to think of different ways to fix SMTP and the infrastructure, but maybe it's time to just stop using it. Remember when you thought you couldn't live without Usenet?
I'd talked about this earlier in a post to use perl: Pandora Awakens.
Another thought I have had run through what passes for my brain, is that we've certainly spent a whole lot of time tracking down the spammers themselves.. but they are NOT THE HEART OF THE PROBLEM! The heart of the problem is the people and companies paying the spammers
But I also agree that the present e-mail system has got to go and preferably be replaced by something far more secure.
Re:I've brought up similar thoughts myself..
chromatic on 2003-09-04T02:42:54
I also agree that the present e-mail system has got to go and preferably be replaced by something far more secure.What, specifically, are you going to throw out?
Much of my job requires being able to receive e-mail from people I don't know yet. A fair chunk of my job means sending e-mail to quite a few people. I want both to be possible with a minimum of fuss!
Just about every system I've seen proposed seriously has had flaws that would make it much more difficult for people like me to do our jobs.
Re:I've brought up similar thoughts myself..
pudge on 2003-09-04T02:51:05
If we do keep email (sigh, I can dream!), my thoughts run along the lines of being strict in how SMTP servers are authorized to speak to other servers, sorta like an SSL certificate. If you want to send email to me, you need to send it through an SMTP server that you are authorized to send through, that is certified to talk to another server, etc.
If your SMTP server is used for spam, its certification will be revoked. You can seek certification elsewhere of course.
This system is similar to what we have now, but more formalized, with a central authority, like with SSL and DNS.
It would not solve the problem outright, but might go a long way toward controlling it.
In addition, I want significant criminal and civil penalties for spammers.
Re:I've brought up similar thoughts myself..
Dom2 on 2003-09-04T07:07:45
You would be thinking of the recent AMTP proposal? It's flawed, because it doesn't discuss the PKI aspect of using certificates.-Dom
Re:I've brought up similar thoughts myself..
pudge on 2003-09-04T14:53:26
I was thinking of no specific proposal, but yes, something along those lines.Re:I've brought up similar thoughts myself..
Matts on 2003-09-04T07:47:20
Spammers currently use stolen credit cards to buy services. They hijack the computers of innocent victims to send their stuff. They sell illegal goods.
What makes you think they won't extend that to bulk buying certificates? Or hijacking someone else's certificate (as is already happening with some of the smarter open proxy spammers)?
A certificate based email system only hurts the innocent. People like me who run their own SMTP server but can't afford a cert.Re:I've brought up similar thoughts myself..
pudge on 2003-09-04T14:55:05
What makes you think they won't extend that to bulk buying certificates?
I see no reason any certificates would need to be "bought" in the first place.
Or hijacking someone else's certificate (as is already happening with some of the smarter open proxy spammers)?
Then those certificates get revoked, and you come up with better methods to prevent such hijacking.
Re:I've brought up similar thoughts myself..
Dom2 on 2003-09-04T18:45:05
Anybody who thinks that certificate revocation is possible using the current infrastructure should spend a long time reading Peter Gutman's homepage.-Dom
Re:I've brought up similar thoughts myself..
ziggy on 2003-09-04T15:34:38
Does that include SPF and AMTP? What's wrong with them?Just about every system I've seen proposed seriously has had flaws that would make it much more difficult for people like me to do our jobs.Re:I've brought up similar thoughts myself..
chromatic on 2003-09-04T17:52:28
My comment was ambiguous. I distrust every proposal I've seen for replacing SMTP. SPF goes a long way to solving the real problem: spoofing.
(By identifying spoofed senders easily, server-side filtering can drop messages. If spammers can't spoof anymore, they can be traced. That's when fraud charges come in.)
Re:Spam is not email
pudge on 2003-09-04T14:55:53
The only way to cut it down is to make it expensive (in time, space, CPU or money) to send bulk messages.
If you are talking about pay-to-send email, then that will effectively kill email as a killer app. Kill email to save it? I think not.Re:Spam is not email
rafael on 2003-09-04T15:22:41
"Expensive" has many meanings. I a spammer has to deploy huge resources in CPU or connectivity to send thousands of messages, spamming won't be an effective business anymore. It works with the current model of email because all the difficult work is done by the mail relays -- they work out which messages are deliverable or not, they route them, they bounce them, etc. etc. but the spammer may as well stick random characters in his To: and From: fields. Impose some constraint on those fields and spamming will be more difficult.I'm not claiming that this is the only solution, or even that it's a solution at all. That's just an observation. It's too easy -- cheap -- to spam.
Re:Spam is not email
pudge on 2003-09-04T15:39:27
Yes, I am all in favor of making it harder/more expensive. I am just unwilling to extend that to an actual bill for sending email for normal users, even if it is only a "small amount," which is, in my experience, normally what people mean when they talk about making email "expensive" for spammers.
Also -- not that I feel bad for these people -- but who is going to pay the bill for virus spams, if we have pay-to-send email? People who are unwittingly sending out thousands of emails a day are not going to want to pay, Microsoft is not going to want to pay, and the ISPs are not going to want to pay...
Anyway, yeah, putting significant constraints on what can be in the From: (and like) fields, doing authentication of servers, all these things will, once set up on the ISP end, be transparent to the users, but will be significant blocks to spammers. Will it solve the problem entirely? Of course not. But I am getting over 1000 spams PER DAY on some days (including yesterday, where I received 1200 total emails, and about 100 of them were not spam), and averaging right now maybe 800 spams a day.
I do not want a complete solution, I do not want a solution that can't be worked around, because -- apart from the apparent truth that it is not possible -- I would be quite pleased with simply significant relief, rather than complete relief.Re:Spam is not email
rafael on 2003-09-04T22:16:52
OTOH if spamming via mail becomes less effective, will this open the door to comment spam ?Re:Spam is not email
pudge on 2003-09-04T22:28:14
Yes. But that is easier to control, on a given site. For Slash, we could add a Spam moderation reason, and use Bayesian analysis -- once those moderations are meta-moderated to be Fair -- to recognize future Spam comments.Re:Spam is not email
drhyde on 2003-09-05T08:36:12
Have you read about Hashcash?Re:Spam is not email
jdavidb on 2003-09-04T16:58:09
Actually, I find slash-style moderation to be the most effective method of separating wheat from chaff. I love slash message boards far more than email for communication, for this reason. There's all kinds of spam and trolls on slashdot, but I never see them because I browse at +4.
Re:Spam is not email
rafael on 2003-09-04T20:13:32
For informal discussion, slash has proven to be more effective than, say, Usenet. But I mainly use email for getting work done; that involves archiving, attachments (patches), search, classification, off-line availability, etc.On the other hand I read lots of perl.org mailing lists via NNTP -- the ones that I don't need to archive or search carefully. NNTP newsgroups, requiring some authentication to post, would be an effective replacement to SMTP mailing lists, if the From: header is carefully replaced by some identifier not related to an actual email address. (of course this prevents from contacting directly and privately the posters, but I imagine that subscribers can make their email contact info available to trusted parties that have set up an account via some authenticated mechanism.)
Re:Spam is not email
drhyde on 2003-09-05T08:32:26
Slash more effective than Usenet? Maybe for you, not for me. I still use Usenet every day, and I see little in the way of spam or other abuses. I find Usenet far easier to use than Slash-based websites. No doubt it depends to a large extent on the groups you read.
Re:"Freedom of Speech" must die...
jhi on 2003-09-05T11:50:47
Uhhh. Sorry, Louisiana... I meant Boca Raton. It really is Friday, earlier today I called what is commonly known as "blue" as "red"...
Re:"Freedom of Speech" must die...
pudge on 2003-09-05T13:59:24
Yeah, but the number of politicians who accept this lobby's money^Wline of reasoning is rapidly shrinking, as literally everyone who is online is being deluged by this menace. There's widespread support for SOME legislation to curb the tide... though we've still yet to see any significant action.
