Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Certified Email Not Here to Reduce Spam

Posted by ScuttleMonkey on Tue Apr 11, 2006 07:14 PM
from the you've-got-spam dept.
Spam IT
An anonymous reader writes "Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam. Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company."
+ -
story

Related Stories

[+] Pay-per-email and the "Market Myth" 295 comments
Bennett Haselton has written a thoughtful piece on the latest developments in the pay-for-email schemes making the rounds from some of the big players in the world of AOL. This one is really worth your time, so please click on and read what he has to say.
[+] Your Rights Online: Opposition to AOL's 'Email Tax' Growing 164 comments
An anonymous reader writes "The Register is reporting that opposition to AOL's proposed 'Email Tax' that would create a two tier email filtering system is growing. DearAOL.com, representing such organisations as the EFF and Craigslist, has written an open letter to AOL asking them to reconsider. "
[+] Your Rights Online: AOL Won't Budge on Email Tax 277 comments
deman1985 writes "InformationWeek reports that AOL has no intentions to budge on its use of certified email. The company today released a statement apparently in response to the vast amounts of criticism over the past week from consumers and various organizations. From the article: 'We believe more choices, and more alternatives, for safety and e-mail authentication is a good thing for the Internet, not bad,' said an AOL spokesman. 'Everything that AOL has in place today free for e-mail senders remains -- and will only improve.' The programs critics aren't so optimistic, but that doesn't seem to be hampering the company's plans. In a quote that could only be labeled short and sweet, AOL announced, 'Implementation of this timely and necessary safety and security measure for our members takes place in the next 30 days. Mark it on your calendars.'"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Certified Email Not Here to Reduce Spam 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Also (Score:5, Interesting)

    by MankyD (567984) on Tuesday April 11 2006, @07:17PM (#15109756) Homepage
    Perhaps also to work as an effective, if limited, white list. Not only will it tell you what emails are "important" but it would certainly be an easy to way to keep a small-sized good-guy mailing list.

      • Re:Also (Score:5, Interesting)

        by tsm_sf (545316) on Tuesday April 11 2006, @08:26PM (#15110117) Journal
        Maybe we need an anti-phishing motto along the lines of publishing's "money flows towards the writer" (aka Yog's Law [sff.net]). Something like "you travel to the bank, the bank doesn't travel to you" to discourage unsuspecting email link clickers.

  • Thats my motto. (Score:5, Insightful)

    by Bill, Shooter of Bul (629286) on Tuesday April 11 2006, @07:17PM (#15109757) Journal
    Its much easier to succeed, if you never try anything difficult.

  • CAKE! (Score:4, Informative)

    by Omnifarious (11933) * on Tuesday April 11 2006, @07:20PM (#15109773) Homepage Journal

    CAKE [cakem.net]

    But, I've not had much time to work on it since I've been employed. :-( And it's a much nicer, decentralized solution to this problem that has potentially much less weight and wider applicability than PGP.

  • Won't help a bit (Score:5, Insightful)

    by Opportunist (166417) on Tuesday April 11 2006, @07:20PM (#15109777)
    Remember the paper from Harward [harvard.edu] dealing with phishing and why it works?

    People don't even notice security features. They don't notice HTTPS, they don't notice certificates, they don't even notice bogus URLs. Why should they notice a "verified" mail (or lack of this verification)?

    And those who do already know how to deal with phishing mails, they are already capable of discriminating between fraudulent and legit mails.
    • This is a big waste of time and will easily be circumvented by spammers/fishers by 'faking' to be an authorized message. They'll just make it look very similar and the average senior citizen will happily give their personal data away.
      May I point out that by combating spam one would 'implicitly' combat messages from data fishers? ;-)

  • Money (Score:4, Insightful)

    by Dorion caun Morgul (851570) on Tuesday April 11 2006, @07:22PM (#15109793)
    It's all about money. I just can't wait until I get to pay 33 cents to send my Parents an email.

  • In other words, we'll still get spam (Score:5, Insightful)

    by GrumblyStuff (870046) on Tuesday April 11 2006, @07:23PM (#15109794)
    So this is just a paid for whitelist?

    Hello, McFly?! If I'm expecting emails from my bank, I'll be putting them on my safelist anyway! Them and everyone in contacts, emails for forum notifications, newsletters that I want.

    This doesn't seem to be doing anything other than making money for someone else.
  • Why not joining bluesecurity.com and report SPAM automatically? At 370K members, it's guaranteed to slow down the spammer's website (spam victims' slashdotting!) until they opt-out the complainers out of their lists.

    They got even a Firefox extension for reporting spam with Yahoo, Hotmail and GMail.
  • In other words, CertifiedMail is here to certify the delivery of spam by the "important" spammers who have the resources to pay for it.

  • There Will Be Spam (Score:3, Insightful)

    by Gamzarme (799219) on Tuesday April 11 2006, @07:32PM (#15109849) Homepage
    Oh yes, there will be spam..it seems to be here to stay.
    Just like every other problem the 'bad guys' face when exploiting the rest of the population, they will find away around this too.

    The news will be that if this practice does go into wide usage, spammers will turn toward draining large, anonymous bank accounts to fund their e-mail influxes.
    This 'tax' will only create more problems than necessary.

    My advice: leave what isn't broken alone and if you do have problems, then I suggest you install a good e-mail filter to pick out the spam that does get through.

  • My bank ?.... (Score:3, Interesting)

    by i.r.id10t (595143) on Tuesday April 11 2006, @07:35PM (#15109863)
    My bank or CC company, or just *any* bank/cc company ?

  • Anyone detect hypocrisy? (Score:5, Interesting)

    by suv4x4 (956391) on Tuesday April 11 2006, @07:43PM (#15109912)
    Goodmail's service is built around one single idea: easy to pitch to CEO's of large mail providers.

    The providers get paid, and they get a good excuse for charging those fees. End of story.

    If Goodmail's intentions were genuine, they wouldn't charge the "businesses" for every separate mail provider, but create globally valid certificates and then discuss with mail providers of accepting them.

    However who would care to accept the certificates if he doesn't get the dough (the fees)? So there, we arrive at what Goodmail did.

    Can you imagine paying up completely independently to every single ISP in the world so it can accept your SSL certificate? Yea, it's THAT bad...

  • Yeah, this is what we've been saying all along (Score:4, Interesting)

    by wile_e_wonka (934864) on Tuesday April 11 2006, @07:53PM (#15109977)
    This really isn't news. This is just an acknowledgment of the deceit behind their earlier statements. They did a real crappy job of deceit though, as everyone saw this as something that wouldn't block spam. Instead I'll have spam with little blue ribbons that was paid for. And then I'll have spam that I can't tell apart from my normal mail because it wasn't paid for, but it made it through the spam filter (except really we all cann t311 1t apart fr0m 0ur normal mail for the 0b>i0us reasons).
  • The only real solution to stop from being misled by online con artists is to examine each link in a chain of Internet communication to ensure it is from a trustworthy, reliable source.

    Email address, Web URL, refering party -- each should be bulletproof BEFORE you extend your trust. Otherwise, you might get scammed.

    Take this article. We know it's reliable and trustworthy. How?

    Well it was submitted by "anonymous reader," who has posted many a fine gem on this here site.

    Then it was filtered by an "editor" named "ScuttleMonkey." How can you not trust a monkey? Monkeys rock!

    Then, when you click on the link, you see you have been taken to "Spam Daily News," a bastion of journalistic integrity that makes the New York Times look like the New York Times before Judy Miller got fired.

    Finally, the whole thing originated from a little place we like to call "Slashdot." I think the quality of this brand needs no elaboration.

    So as you can see, it is not hard to recognize a secure, reliable, not-at-all-misleading-or-shady chain of Internet links. Happy surfing!

  • They presented to my organization (Score:5, Interesting)

    by StanSmith (100966) on Tuesday April 11 2006, @08:14PM (#15110069) Homepage
    I spent an hour beating them up on a number of issues, much to the embarrassment of my 'far too ready to sign anything' CTO.

    Their VP kept harping on how "it will tell users they can trust your mail". My point that the real challenge was getting users NOT to trust things was not well received, to say the least. I also mercilessly attacked their constant assertion that their widget is "unspoofable", on the simple grounds that a similar widget in a similar location would be sufficient to fool many users.

    My CTO has been asking me when we're going to implement Goodmail ever since. Khaaan!

  • Not to curb spam? Then this is BS (Score:4, Interesting)

    by moochfish (822730) on Tuesday April 11 2006, @08:25PM (#15110111)
    Wait. I don't get it. If the purpose is to ensure the sender really IS the sender, why do I have to pay up again?? If I'm the BankofSlashdot and I send emails to my customers from the email accountdetails@bankofslashdot.org, why is it they can't just add me to a registered senders list with my server's IP recorded? Why's that suddenly cost money?

    If the purpose isn't to reduce spam, what does this new pay-for-being-recognized service offer that current ISPs don't already? Most ISPs will begin taking actions against your spam if you start spamming without contacting them anyway, and you are looking at legal trouble if you spam with forged headers or people who have opted out. Through whitelists and regulations, the framework is already in place for the legit spammers to spam. AOL already has whitelists. AOL already negotiates and limits email volume with mass email marketers. AOL already uses blacklists. And this whole thing isn't even mandatory!

    So I'm really not sure what this pay system is supposed to do except earn AOL an extra dime at no added cost.
  • The US Postal Service demoed just such a thing many, many years ago. They had an email encryption and delivery service to verify that the message was not altered. I suppose the problem in certifying the sender and receiver and proving delivery (to a person - not a mail spool) were technical issues they couldn't handle.

    The difference of the USPS vs. Goodmail is that the USPS has official legal authority for such thing as mail tampering and proof of delivery.

    I suppose if they were to offer the service now, Goodmail would buy a law to prohibit to USPS from competing against a private business as Sen. Santorum is trying to do with the weather service.
  • GnuPG / PGP signing, with peer-based levels of trust. Or even better: get the public key direct from your bank when you first log in to your account. Added bonus, you have the option of turning on encrypted email.

    This might bring up the question of encrypted spam, but your keyring would act as a whitelist. If some random person sent you an encrypted or signed message, then you would be presented with a message asking if it should be accepted.

    All we need is a simplified way to do this for the general public. Too bad Thunderbird doesn't come with Enigmail preinstalled. We'd probably need something else for webmail. (FF extension?)

  • Why can't personal certificates do this? (Score:4, Informative)

    by AusChucky (967709) on Tuesday April 11 2006, @10:01PM (#15110513)
    Can I ask what happened to using Personal certificates?? Why, when we use SSL certificates to verify that a website we are visting is actually the true company, can't we use personal certificates to verify that the email we are reciving is actually from the company?? Surely they could configure their mail servers to filter out email on this basis without requiring a 3rd part solution that makes you pay for it. Hate to state the obvious but this is just the big companies way to getting their hands in on a great free thing that the internet provides

    • Re:Secondary Effects (Score:5, Insightful)

      by dgatwood (11270) on Tuesday April 11 2006, @07:23PM (#15109797) Journal
      Only if all of the banks and credit card companies use it, only if it is sufficiently standardized, and only if users are smart enough to notice that the message isn't "verified".

      The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php [666.43.123.666] isn't a valid BOA website. If they can't figure that out, why do you think this will be any different?

      *sigh*

      • Re:Secondary Effects (Score:5, Interesting)

        by brass1 (30288) <SlrwKQpLrq1FM@w[ ].net ['hat' in gap]> on Tuesday April 11 2006, @09:12PM (#15110305) Homepage
        Actually none of the ISPs have any interest in reducing spam. They make to much money off of the spam operators and the sites that host the products provided by the spammers. Taking actual measures to reduce spam would cost the ISPs to much money.

        Spammers steal to advertise a "product." They steal resources from anyone they need to advertise their product. You don't suppose these people run the other parts of the their business the same way? Legitimate IPSs don't enjoy hosting spammers in any fashion. This is why nearly all spamming done using cracked botnet zombies (baring a sizable chunk of mainsleaze spam). A quick check of the spam in my Junk folder indicates that most spammers host their websites on non-US systems, or are broken. On a nearly weekly basis I watch a small shared webhosting provider get hosed when his spamming customer lies to him, then screws him out of payment when the webhoster's provider gets involved. The vast majority of the ISPs in the civilized universe want spammers to loose IP connectivity. The largest of sites spend *millions* blocking spam both inbound and outbound.

        Instead, they want to make money from legimate companies that want to get their messages to end users. This is a win win for the ISPs, but does nothing for end users.

        It's a win for the users as well. The AOL mail client will be able to tell the user that the mail they're reading is indeed from Bank of America, and that other piece of mail is not from BoA. If AOL and Yahoo! know that BoA's mail all has goodmail tokens, and BoA mail shows up that doesn't have mail, it must therefore be a phish (seriously, go look at Goodmail's website [goodmailsystems.com] complete with the AOL mail client screen shots [goodmailsystems.com]). AOL's goodmail implementation is ONLY for transctional mail. That was the basis of Gingras' statement.

        The handwaving about AOL charging to deliver mail is, of course, interesting. One would think that AOL is going to make out like bandits on all of the spam they'll be delivering now. That's simply not the case. The goodmail system is designed to support itself, not AOL or Yahoo!. Goodmail will be charging enough to keep themselves in business and keep the accreditation program working. I somehow doubt there's much left in the cost structure to kickback to AOL in any amount they can measure.

        As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective.

        Is the strategy ineffective or is our execution of the strategy ineffective? We have weak anti-spam laws that do more to enable the practice than to actually put a stop to it. We have standards bodies that can't come up with effective reputation and sender authorization systems, leaving ISPs to invent their own solution (see goodmail). We have transit providers who don't have the guts to de-peer a rouge network who won't clean up what they're transiting.

        Second way is to go after the idiots that actually buy stuff from spammers.

        Wow. You don't actually think people *buy* real stuff from spammers? And that the spammers are really selling the stuff they're advertising? Ok, maybe the pharma spammers, but the rest of them? Not so much. These people are theves. They steal for a living.

        Going back a week in my Junk box, I see pharma spam, penis pill spam, p0rn spam, mortgage spam, 419 spam, and pump-n-dump spam. Exactly what products are being sold in the spam I've gotten in the last week? Of the things in my list that even sound like products (drugs, penis pills, p0rn, and mortgages) none of those are products that need to be sold by cost shifted advertising. If you have to resort to these tactics to see these products, there's something wrong with the products. That's assuming

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.