Would you Warranty Your Email? 395
Kurt writes "A team from the University of Michigan is proposing an economic solution to spam. Instead of relying on technical solutions or government regulations, they use a sender warranty system. In some cases, they argue, it can even be superior to a perfect filter with zero cost, and no errors. Their working paper is available at SSRN. With the caveat that some infrastructure is necessary (isn't it always?), they also claim their approach restores control to the recipient, halts spam, and creates a marketplace for valuable information exchange."
Would you Warranty Your Slashdot Posts? (Score:5, Interesting)
I think this could work. But it sounds like a pain to implement.
(fp)
Re:Would you Warranty Your Slashdot Posts? (Score:3, Insightful)
Re:Would you Warranty Your Slashdot Posts? (Score:3, Funny)
Re:Would you Warranty Your Slashdot Posts? (Score:5, Interesting)
Then does starting at +5 and going down really make a difference from starting at +1 and going down, in that respect?
Two problems I can think of: reading at +5-only becomes just as bad as reading at -1 until enough moderators run through the _entire_ thread culling out the stupid. The penalty for "voiding your warranty" (as proposed by the parent-parent) isn't worse than getting modded down regularly.
Possible solutions? Warranty puts you up to +X where X is a preference setting. Maybe the default threshold you read at. People who have liked what you said in the past will see you at +X+1 (friend/foe system). The first mod-down removes the warranty completely and pushes the post to +Y where Y is what the poster would have posted at without warranty.
expose the mod-bombers! (Score:3, Interesting)
Who are these mod-bombers? I mean, what does it take to earn the wrath of people on Slashdot? Who takes Slashdot that personally?
Myself, if I've got mod points, I mod up when I find value to the post, I mod down if I feel it's overrated, and very rarely I'll mod down for other reasons.
How do these mod-bombers get mod points? doesn't the meta moderation
Re:Would you Warranty Your Slashdot Posts? (Score:2, Funny)
Re:Would you Warranty Your Slashdot Posts? (Score:2)
Re:Would you Warranty Your Slashdot Posts? (Score:2)
Yeah, but M2 doesn't work.
Re:Would you Warranty Your Slashdot Posts? (Score:2)
(let's see if I'm going to have to explain this one)
Re:Would you Warranty Your Slashdot Posts? (Score:3, Informative)
Overrated (the favorite tool of the modbomber) isn't subject to M2. (Neither is Underrated, for that matter.)
Don't speak ill of moderators... (Score:5, Interesting)
And yet, there are moderators who will mod down anything that goes against the "geek norm", regardless of content. On some recent thread about movies, I posted what I thought were reasons why LOTR-ROTK was just a good movie and not fantastic. I was modded as a troll faster than you can download a picture of Natalie Portman. See for yourself [slashdot.org] Now granted, I didn't go on in great length about my points, but I still think that if you can let go of the fanboy fanaticism and look at it honestly, what I said holds. I was by no means trolling.
The problem with moderators is that meta-moderating is just a little-too-late. And even if it did work well, it wouldn't be able to stop biased moderating. Or it would plunge it into the void of predictable moderating. Or are we already there? There is a mod of "Troll", but not of "Karma Whore".
Re:Don't speak ill of moderators... (Score:5, Interesting)
Personally I think there should be a special "controversial" tag to a post. It doesn't give points one way or another, but identifies posts where (gasp) you might not like what the person is saying! Those are often the posts I want to see, not the same old opinions rehashed over and over. You could then set up a +3 to posts marked "controversial", or if you're an establishment type and don't want to hear anything that challenges your views, you mark it down -3.
Re:Don't speak ill of moderators... (Score:5, Insightful)
where (gasp) you might not like what the person is saying!
I find this is where MetaModeration enters the picture for me.
Moderating, I get so few points (how are you ever going to do a good moderating job with just 25 points, I mean) that I'll use them up quickly, mostly doing +1 on well-written, well-reasoned posts that I agree with, and maybe 10-15% of the time pushing trolls and flamebaits down into the basement.
But Meta Moderating I've re-inforced +1 ratings that other Moderators have given to well-written comments that oppose my own views.
Is there anything more boring than listening to like-minded people? Are we so insecure that we need constant ego inflation that "we're right. we're good. we're valued."?
Re:Don't speak ill of moderators... (Score:4, Interesting)
Actually, yes -- that, in my observation, is the quintessential geek psychosis, for geek types who don't have a life outside of "traditional" geek pursuits.
It's whence comes that ivory tower perspective we've all seen from [insert-OS-here] bigots. It's what fuels the idea that there are geeks and lusers -- that is, someone to feel superior to (meaning anyone who doesn't share the geek's understanding of the topic, or who might, gods forbid, disagree with the Approved geek opinions.)
Not to pick on geeks, since the same mindset appears in other specialty fields as well, but most other fields don't so actively select for this narrow-minded bigotry by not only publicly roasting nonconformists, but also thinking it's perfectly good social behaviour to do so.
IOW, kids who bully in meatspace can usually be made to feel embarrassed about it afterward. Hereabouts, the response to being called on such behaviour is "But he's a moron, and he deserved it!"
As to "warrantying my posts" or my email or anything else that falls out of my brain -- as slashdot so amply demonstrates, ANY system that relies on anyone's opinion of what's worthwhile or not is going to apply unfair pressure against whatever is currently perceived as dislikeable, unworthy, or defective. Survey-taking outfits recognise that those who are willing to take surveys already have certain biases, and they allow for this bias when parsing survey results. That's a bit harder to do in an uncontrolled environment, where bias is applied by those deciding what's worthy or not.
BTW, I never mod down -- that would be a waste of mod points.
Re:Would you Warranty Your Slashdot Posts? (Score:3, Informative)
Re:Would you Warranty Your Slashdot Posts? (Score:4, Interesting)
This way any mod bombing would be obvious. Since you are taking a direct financial loss due to poor moderation, you need to know 'who' is causing it.
Kinda like you can't sue people anonymously.
Re:Would you Warranty Your Slashdot Posts? (Score:4, Interesting)
-matt
Why not use PKI authentication instead? (Score:5, Insightful)
If I start rejecting all email which is not from a verifiable sender, I'll quickly cut spam, and impose some costs onto those who wish to sent me email. I'm willing to pay those costs when it becomes my turn to send an email. I would start with the recent authorized sender protocols, in addition to Public Key Infrastructure, to begin to authenticate a sender.
Once PKI starts to take hold, there would be an incentive for the spammers to start creating throw-away identities, which we could counter with a reputation system for the sender's domain. We could also create a "web of trust", automatically managed by our mail servers, or ourselves, to nip the counteroffensive.
So, there it is... my alternative... sign and validate all email.
--Mike--
Re:Why not use PKI authentication instead? (Score:5, Insightful)
Email is one of our last few partially anonymous methods of communication. Emailing (and posting) as "Anonymous Coward" is a seriously useful thing and taking it away from people will probably be more disasterous than originally imagined.
Hotmail (Score:5, Insightful)
There was some drama recently around an anonymous e-mail communication this past few weeks at my roommate's place of employ. What did the sender use? Hotmail.
Hotmail, yahoomail, and other free mail services use ciphers to identify people as human beings, and track IP's to resist automated signup scripts, but the medium is still essentially anonymous. Except for the IP address of the sender, which can be masked via a little wardriving or a trip to the library, the system is as anonymous as the sender wishes.
Re:Why not use PKI authentication instead? (Score:4, Insightful)
Re:Why not use PKI authentication instead? (Score:5, Insightful)
You are only required to be identified if the receiver requires it
While you have every right to "free speach"... you have no right to force someone to listen to said speach.
Quite frankly, I don't want any "Anonymous Cowards" in my home.
I go to Slashdot... and other web sites. But, I bring my mail into my house. At least, in the social sense of things.
So, right off the bat... to me there is a huge difference between encountering information I might not want to encounter because I went somewhere, and encountering the same information because it was sent to me.
it's a shame... (Score:5, Insightful)
I agree completely and emphatically. Email is not a free-speech/privacy issue, and i think people are forgetting that.
There is no provision in the constitution that guarantees an audience for free speech, yet this is precisely what anonymous email does. It puts a burden on me, the recipient, to sort through the garbage of others.
If you want more anonymous speech, get a blog, post to a web board, post to usenet.
Your freedoms stop when they infringe on the freedoms of others. Your freedom to be heard is wholly consitutionally blocked with my right to post a no soliciting sign.
I see no reason why I can't effectively put a similar sign on my email box. (let alone my meatspace mailbox)
the only reason bulk mail persists, is because it's effectively privately subsidizing the outdated and inefficient USPS. Spam, on the contrary, is wholly an economic drain on the delivery system. there is no benefit to anyone to retain spam, except those corporations who wish to have no responsibility to maintain an honest opt-out policy.
sure, spam finds willing recipients, so someone must want this garbage - but so do door to door salesmen. And I'm perfectly within my rights to forbid them from coming onto my property. a right which does not in any way infringe on their right to be heard, or their ability to simply bug my neighbor.
Re:Why not use PKI authentication instead? (Score:5, Insightful)
One might also argue that shielding yourself from that which you find offensive is bad for the mind. If you shy away from extremes, inevitably your comfort zone shrinks, and you become close-minded. It's only by trying to see the viewpoints of those who disgust you that you can come to truly new realizations about how the world works. Treading the trodden moral paths doesn't take you into uncharted lands, though it does guarantee you a pretty average and "normal" life.
Secondly, the problem is that if a pki system were to take hold to identify senders, eventually it would become required to be identified just for someone to SEE the mail you're sending to them. Although it is possible to devise a system where the net identity of someone is thrustworthy while at the same time not revealing their real life identity, it is ridiculously unlikely that such a system would be promoted by the big isp's. They've already got the riaa and friends breathing down their neck wanting identification of customers, they're not going to back a system that helps people stay anonymous while comitting crime.
Too bad the founding fathers didn't recognize privacy as a right that could be threatened. Until a few decades ago, it wasn't feasible to tie together the knowledge the world has amassed on someone into one large fount of dirty details. Today it is. Most people can have their lives ruined just by the not-so-secrets that are spread around the globe about them (don't believe me? think about everything you've ever purchased with a credit card, now think about everyone in your life knowing about those purchases... unnerving, isn't it?).
There are two ways out of this, force privacy by law, or admit there is no privacy and stop holding people's pasts above their heads. Both are unlikely, and any other system leads to major abuses.
Re:Why not use PKI authentication instead? (Score:3, Insightful)
There are one very important dif
Re:Why not use PKI authentication instead? (Score:3)
I agree, Anonymous Coward is a very important feature that doesn't need to be scraped lightly. For intance ever now and then someone will says something so assine that I'll just have to log in as "Anonymous Coward" and call them a dumbass or even point out there are medications for thier problems.
This serves two purposes, first dumbass finds out how stupid that he is and should really seek professional help. All the time while allowing me to save my valuble and hard earned karma for trolling like it sho
Re:Why not use PKI authentication instead? (Score:3, Interesting)
Your argument is flawed. PKI and "web of trust" are in essense incompatible. PKI is hiarchic in its design : depending on a root CA to sign certificates. "Web of trust" (like in PGP) does not ha
Re:Why not use PKI authentication instead? (Score:3, Informative)
Technically, anyone can make themselves a root CA, just like anyone can set up their own DNS root. [twiki.org] It's a simple matter of consensus, the roots are as valid as the users believe the are.
--Mike--
Re:Why not use PKI authentication instead? (Score:3, Informative)
"Trust gets personal with Thawte's Web of Trust (WOT)"
This is not a discussion of the Web of Trust concept as a whole, but of Thawte's use of the terminology in their little setup. As they are trying to make money off the deal, you can expect them to be slightly skewed.
Note also that their system starts by awarding Trust Points for showing up in person. The Web of Trust PKI concept doesn't care WHO you are, so much as that you are the same person every time, and if you are
Re:Why not use PKI authentication instead? (Score:2, Interesting)
Once a reliable sender verification system exists, then is the proposed system of any extra value (except to the people running the escrow network)?
I saw this presentation at MIT, and it reeked of a VC presentation. I bet the term "the VISA of the email network" comes up a few times in their actual biz presentation.
Re:Why not use PKI authentication instead? (Score:3, Informative)
-russ
Re:Why not use PKI authentication instead? (Score:5, Funny)
Hash: SHA1
There's a slight problem
email, you'll have to be willing to handle unsigned email as well as
signed. That leaves the signing people worse off than the non-signing
people (more pain, no gain).
Difficult deployment problem.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1
iQA/AwUBQCOn5jjI/tvlmNBeEQLIdwCfTzU3AFyy3vAyqJ1
Yl8AGPs6HHxEEGJfkmV857m1
=XHyf
Re:Why not use PKI authentication instead? (Score:3, Interesting)
The government could simply make a word ("warrentemail" for example) and a law that includes the exact legal definition of the word as it relates to email.
The legal definition would state that all people that put this word in the subject line of their email warrant that either a)the email is for personal, non-business purposes only or b) if it is for business purposes then the sender has a preexisting relationship with the rec
Bah (Score:5, Funny)
Laugh, it's a joke!
Re:Bah (Score:5, Funny)
Re:Bah (Score:2)
how about a physical solution? (Score:5, Funny)
if you stop sending me spam now, I won't kill you
Sounds good, but... (Score:5, Funny)
Bad idea (Score:5, Insightful)
Forcing someone out into the open by the use of such 'warranties' imposes a chilling effect on free speech through email.
I hate spam, but I hate the idea that important speech could be stifled by the use of badly considered spam 'solutions'.
Re:Bad idea (Score:5, Insightful)
Re:Bad idea (Score:2)
There is a difference: the first is sent individually, the latter in quantity. You don't have to have a prohibition based on content. It should focus on mass mailings alone. I don't have a solution beyond th
Re:Bad idea (Score:2)
I've said it before, and I'll say it again. The only solution is to be able to take action against the people who advertise their products in this manner.
Make reasonable anti-spam laws (for instance, standardized subject tags for advertisements, valid and truthful headers, etc.) and allow us to go after the companies whose e-mail marketers don't follow the law.
Re:Bad idea (Score:2, Insightful)
The difference between email and postal mail is that email is FREE! Oh, and postal mail is easier to send anonymously because there aren't computers recording header information. (It's up to the sender to put their return address.) Now imagine how much junk mail you'd receive i
Re:Bad idea (Score:3, Insightful)
I think that anonymity is _very_ important, just as you do. But I don't think it applies in my inbox any more than it applies in my house. If you are going to make a direct 1-to-1 communication to me (an intimate event) I have the right to know who you are.
If you want anonymity, then use a public forum, like Slashdot. Or put it on the web.
I think the usefulness of having verifiable senders outweighs the benefits of anonymity in this case. In fact, email, a certainly useful medium,
Re:Bad idea (Score:2)
--Mike--
Or maybe I've just got PGP on the brain today?
"Children should be seen and not heard." (Score:5, Interesting)
Which would lead to --
"Children should be seen and not heard." (Because they cannot be held accountable for what they say.)
"The nail that sticks up, gets hammered down." (Because you can't voice dissent without drawing attention to yourself and your family.)
Effective free speech requires anonymity -- There's usually needed a period of underground "pot-stirring" in order to add momentum to a movement.
For example: Let's say your boss regularly beats the shit out of you when you walk in the door in the morning. But it's your first job, so you don't know if it's normal or not. But your family depends on your income. You could post anonymously on some forum asking "Hey everyone! Do your bosses kick your asses in the morning like mine?" / or sign your name and likely get a bigger ass whopping along with being fired.
Summary (Score:4, Informative)
This is just lame. The amount of "infrastructure" required is totally ridiculous.
They ignore the fact that email is a general communications media / People who do not like eachother do email because it's practical / but under this nutty system, people would only email people they trust not to "steal" their money in escrow. Mailing lists, anyone?
Once again, someone thinks that you can "solve" spam for the recipient at a huge penalty to a legitimate sender.
Arrg! I hope they didn't get paid to write this tripe.
Gotta agree. (Score:3, Insightful)
And because you ARE talking about money, it would have to be secure.
Secure? (Score:2)
Not only is this the perfect solution to the Spam problem, this is the perfect solution to my jobless problem.
Now if you'll excuse me, I've got some mail from the University of Michigan to mark as spam.
Re:Summary (Score:2, Insightful)
It seems like everyone is coming out with their own pay email scheme these days. and they always boil down to 2 things
i wish these people would stop writing these elaborate papers when the solutions are so clear
Re: (Score:3, Insightful)
Re:Summary (Score:2)
Its a good job they didn't warrant their paper or I'd be a little richer by now 8)
Re:Summary (Score:4, Insightful)
I agree that the infrastructure would be considerable - but I for one, remembering how useful email was a decade ago, would be willing to pay whatever it takes to establish a system in which any individual can contact me easily but where a few dozen arrogant cretins don't bother me every few hours with their typically criminal mass mailed proposals. I like the idea of warranties far more than I like the idea of micro-payments which (in my opinion) are likely to prove a far more significant burden for honest email users.
vacuous (Score:4, Funny)
Would you mind writing a little more and saying a little less. I found this description too short and full of specific information.
-Colin [colingregorypalmer.net]
Nice thought; won't work (Score:5, Insightful)
The primary problem I see with this is getting enough people to start using this system. The majority of people probably aren't going to bother with it unless they have to, which means that most emails will be accepted whether or not it costs the sender money, good or spam, because most of a given recipient's contacts will not have the escrow set up. Unless creating the escrow account is mandated, which makes it no different than most of the 'tax' systems, I don't see this model working any better than what we have today.
What looks good in an academic paper doesn't always translate into the real world. Would their idea work? Yes, with sufficient participation. Will there ever be sufficient participation? No. Look at pgp keys/signatures. There are means of validating the sender's identity now that would stop spam, but they are not used because it requires people to opt-in and most people don't care enough (no matter how much they complain about spam).Re:Nice thought; won't work (Score:2)
1. Setup email-escrow acount.
2. Sign up for as many news letters, free offers, etc that you can find.
3. Claim that none of the resulting email was requested.
4. Buy a house with the money you just got.
Re:Nice thought; won't work (Score:4, Funny)
marketplace (Score:2, Insightful)
There we go. It creates a marketplace!
If it didn't, wouldn't it be one worthless invention?
Could somebody please sum this up??? (Score:4, Interesting)
Re:Could somebody please sum this up??? (Score:2)
-russ
Simplified. (Score:5, Informative)
You receive my email, but you've set a monetary level to be checked before it is delivered to you. If I didn't put enough money in my account to meet your level, it doesn't get delivered.
Now, you read my email and don't like it. You get to collect the money I have in my account at the level you set.
If you do like my email, I go on a whitelist.
Example #1: I put $1 in my account, you set your level at $5. None of my email will ever be seen by you.
Example #2: I put $5 in my account, you set your level at $1, you get my email. You don't like my email, you collect $1 from me.
Example #3: I put $5 in my account, you set your level at $1, you get my email. You like my email, so I go on your whitelist.
Simple, really. In theory.
In practice, almost impossible to work.
Stupid idea. (Score:3, Insightful)
The sender deposits money with a third party to send an email. Once enough money is in, the email is delivered to the recipient.
The recipient can choose to take the money for whatever reason (needs a beer etc). If the recipient doesn't do anything, after a while the money returns to the sender.
The recipient can put the sender on a white list which means the sender doesn't need to put up money.
The authors/proposers say that the alternative of making everyone digitally sign their email
Re:Could somebody please sum this up??? (Score:2)
Step 2: Convince Windows users put money in an escrow account to warranty their good behavior
Step 3: Have Gator send spam through the Windows user's machine to the University of Michigan
Step 4: Profit
this is so not the way to go (Score:3, Insightful)
I for one think that there are some things that can not be solved simply by attaching a price tag to it.
do you want to polute? how much money do you have to buy pollution credits?
do you want to send email? how much money do you have to buy a warenty?
do you want to get laws passed how much money do you have to "lobby" with.
sigh...:(
Re:this is so not the way to go (Score:2, Funny)
Isn't that why spam exists in the first place?
Re:this is so not the way to go (Score:3, Insightful)
You want to get off the planet, you're going to have to expend some energy. Same is true for bio-systems. You want to find some food, are you going to expend just a little energy and eat the grass right next to you, or are you going to expend a lot of energy and go hunt a buffalo? You want to attract a mate, how much energy are you willing to spend to do it?
We use money because i
Re:this is so not the way to go (Score:3, Funny)
> creating a free and open market?
Yeah, why don't we just pass a law against spam?
Oh, wait...
Re:this is so not the way to go (Score:3, Insightful)
The price on the tag isn't always in terms of cash money, but it's always there.
Your first question is valid, though. Here's one answer:
When beneficial actions need to be encouraged, or malicious acts discouraged, one can either attach a price tag to those acts or enable independent identification and enforcement processes. The former ("price tags") are enabled through the use of a marketplace involving those acts, while the latter ("processes
Maybe I'm out of the loop (Score:2)
because I *have* been busy lately, but isn't this the same idea Bill Gates proffered a couple of days ago? Yeah, I know. It wasn't his idea originally, either, since I remember talking about this on
First, secure every machine. (Score:5, Insightful)
-russ
Viruses and mailing lists (Score:2, Interesting)
Mailing lists would be a bit difficult too, not to mention usenet gateways. If I mail a gateway and it posts to usenet, does that count as one email? What about the other way around: I post to usenet, does the gateway owner have to cover the cost of the message going to all subscribers... I shouldn't, I didn't even send an email.
A Simple Solution to the spam epidemic? (Score:5, Interesting)
Then people who get this nonsense in their inboxes can get together and take the companies who use spammers (and the spammers themselves) to market their junk to court. Once the companies who use this service start getting served with class action court orders to stop or else, they should soon get the message.
Of course, there's nothing to stop the spammers moving/subcontracting to e.g. India or some other place where sending unsolicited emails isn't illegal, but it's a start. Ultimately we can hopefully have a worldwide ban against the sending of unsolicited commercial emails.
Get The Geeks Out Of It (Score:5, Interesting)
Spammers have gotten to the point where they're breaking into people's machines to get them to illicitly send spam. Look at that carefully -- you can't even trust your friends not to spam you anymore. If you don't think Spyware is going to adapt to a spam transport, you're not paying attention. Ultimately, we need criminal prosecution for fraud that follows the money (because money transfers are really well traced). The money link needs to be broken.
Nothing else has even a hope of working.
--Dan
Re:Get The Geeks Out Of It (Score:5, Informative)
I am having to spend $8000 this month to build a new mail server.
Why?
Because 80% of the mail traffic to my system is unsolicited spam and now I need more resources to handle the mail services for my legitimate users because 80% of my resources are dealing with crap.
Because the authorities don't prosecute the spammers, people like me have to pay for the resources they consume even though I didn't invite them to exploit my resources in this manner.
Something needs to be done, and it has to do with enforcement, not figuring out yet another boneheaded way to inject profit motive into the SMTP stream.
false positive/negative definition? (Score:2, Informative)
I think of this in terms of being tested for HIV. If someone has a false positive, that means they have incorrectly been identified as having the virus being checked for. Doesn
Thanks, but no thanks (Score:5, Insightful)
After having introduced the concept of "whitelists" for known senders the article continues:
In the case of strangers, the warranty mechanism is more suitable. Analogous to a standard bond mechanism, delivering email to an inbox requires an unknown sender to place a small pledge into escrow with a third party. In the case of screening, recipients determine the size of this bond, which they can dynamically adjust to their opportunity costs. The email is delivered only after the recipient receives suitable confirmation that the bond has been posted. When the recipient opens the email, she may act solely at her discretion to seize the pledge. Taking no action releases the escrow after a period of time.
IMHO this means the end of mailing lists - what would prevent me from signing up (automatically, of course) to thousands of mailing lists and collecting all the bonds placed for messages posted through these lists ?
"Of course mailing list operators would first get your approval that you let through all their messages".
This is where it starts getting complicated. And complexity is exactly what I don't want with email - it is simple, and shall remain simple.
Therefore I am perfectly willing to put up with the current spam levels - hey, I can deal with those five to ten messages a day which pass through my Bayesian filter. On certain days I get more than that in my smail box.
Shorter List (Score:3, Interesting)
Let us not forget what William Henry Gates III said [1], "I don't care what the information superhighway looks like as long as I've got a tollbooth on it." Everyone is making suggestions to charge for email not because the ideas are technically superior but because they want to be the tollbooth collecting a microcent for every piece of email running across the 'net. Unless|until there are certain issues taken care of online, micropostage will not solve the spam problem although it may still drop money in someone's open pocket (and they will likely not care about spam once that happens).
[1]ca. 1995-96 just after he returned from his annual sojourn and realized Microsoft almost missed the Internet boat.
Better links (Score:5, Informative)
---
Proud UofM Alumnus
My suggested spam solution. (Score:2)
(okay - I don't really do that, but I would like to if only more folks cared enough)
More info, in a less technical format (Score:5, Informative)
Thede Loder
University of Michigan.
Re:More info, in a less technical format (Score:5, Insightful)
And I would say at least these apply:
(Quoted from the site above)
# You have discovered the Final Ultimate Solution to the Spam Problem (FUSSP).
# You are the first to think of the FUSSP.
# You started looking for the FUSSP after observing that it is impossible to filter more than 99% of spam with fewer than 0.1% false positives by currently available mechanisms.
# You don't plan to make a fortune from the FUSSP, but you do expect fame as its generous and public spirited netizen inventor.
# You are deeply hurt and angry because you are not respected as "spam fighter."
# People don't see the value of the FUSSP because they have axes to grind, are jealous, or are too stupid to understand it.
# You learned how to stop spam during the more than six whole weeks you've been fighting it.
# The FUUSP assumes that your attention is so important that strangers, other than advertisers, from will pay money to send you mail.
# You cannot name several potentially fatal flaws in the FUSSP.
# All you need to do to get the FUSSP implemented and deployed is to publish an RFC or get a law passed.
# You don't recognize any significant difference between deploying and implementing the FUSSP.
# You plan to publish an RFC mandating the FUSSP but have never heard of RFC 2223 or RFC 2026.
# Inventing the FUSSP did not require that you know the difference between RFC 821 and RFC 822 or that they have been replaced by RFC 2821 and RFC 2822.
# You don't know the relevance of "consensus" or "IESG approval" to publishing RFCs.
# Spammers won't ignore, subvert, or exploit the FUSSP if you publish it as an RFC.
# The FUSSP depends on spammers or mail recipients changing their behavior without any immediate gain.
# The FUSSP won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem.
# Your job is done after having explained the FUSSP to the IETF or The Industry..
# Programmers will drop everything to implement the FUSSP.
# You know that SMTP has no authentication and have never heard of SMTP-AUTH, SMTP-TLS, S/MIME, or PGP.
# You know that the failure of SMTP servers to authenticate the SMTP clients of strangers is a major bug in SMTP instead of an expression of a primary design goal.
# The FUSSP requires a small number of central servers to handle certificates, act as "pull servers" for bulk mail, account for mail charges, or whatever, but that is not a problem.
** Well, in this case worse -- It requires a whole banking system!
# The FUSSP requires that anyone wanting to send mail obtain a certificate that will be checked by all SMTP servers.
# You have found that most Internet users would be happy to pay $5/month to avoid spam and do not know the prices of anti-virus software or data.
# You have never heard of RFC 2554 or RFC 2487 and the FUSSP includes fixing the lack of authentication in SMTP.
# The FUSSP involves replacing SMTP.
# Your definition of spam differs significantly from "unsolicited bulk email."
# You frequently use math, statistics, and information theory, and almost as frequently notice people hiding grins or stifling laughs.
Verifiable Senders (Score:2)
Just secure the medium. Anony
This so clever-clever scheme has one problem... (Score:3, Insightful)
Right.
If they aren't this just opens fresh avenues for abuse.
For example, you receive an email saying "Your PayPal account will be suspended if you don't reply." You find that in order to reply you will have to post a bond of $0.0001, which is the going rate for such things, so you do so without thinking about it. Later, you discover that due to some cunningly-engineered HTML, the part of your screen that you THOUGHT was telling you that the bond was $0.0001 was somehow faked, and that really you posted a bond of $1000 which the sender has collected.
Or whatever.
Uh no. (Score:5, Insightful)
Basically this idea annoys everyone and solves nothing. There would be a lot of rich people who simply spend all day signing up on lists and then collecting the "fine" when they get e-mails.
The way to stop spam that doesn't require messing with STMP is to use web-forms. The web-form on my mail server is written in PHP and is basically a custom e-mail client. It connects to the mail server and sends to exactly one address that's hard coded in the script. Giving it random letters and numbers would prevent spammers from guessing it and users wouldn't care because they don't have to remember it. My particular PHP script only sends text only e-mails as well.
If you use a non-generic web-form with a unique filename and unique variables, it makes it quite impossible for spammers to make bots to whore their spam automatically.
What would be really clever if you want to prevent bots entirely you just have an array of images. And an array of questions, one for each picture. And the user has to answer the question like "what color is the apple?"
No amount of image scanning by a bot is going to figure that out.
Then instead of telling people an e-mail address you just give them your domain. It's still SMTP so you can contact people out side the script if you want.
The other method I use on the server side is filtering domains that spammers use to host their product pages or images. I've gotten hundreds of e-mail attempts according to RinetD's logs and only a couple spams with domains I hadn't added to the filter yet have gotten through. Since the PHP script goes through the mail server and doesn't actually send the e-mails itself, all the spam prevention is also applied to the web-form. And since no legitimate e-mails use those domains, I've had 0% collateral damage.
I get virtually no spam and have yet to break SMTP or charge anyone anything just to send me an e-mail. It's really not that hard.
Ben
Shorter and Easier to read Description (Score:4, Informative)
That site has a shorter and easier to read description of the ideas presented in the paper. The paper is really a technical economics paper, not a mass-market thing. The one-pager is much easier to read, and its the same people.
Quick way to tell if any new system will work (Score:2, Insightful)
If so, it won't work.
Looks, spam, spam mail, telemarketers all exist today due to profits. People profit from them, so people will continue to do it.
"But take away the profit then!" far easier said than done. And even if you could, I would argue that you shouldn't. At least not legislatively. Let's see someone be half as creative in the private market as the spammers are. If they are creative, and their system works, then they get to be rich beyond belief. What
zero cost, well 'cept for the infrastructure (Score:2)
Sounds to me like Christmas presents ...SOME assembly required. Ya! sure! ...
And on an almost related note........ (Score:2, Interesting)
Hotmail.com has added some interesting new filtering to their 'spam blocking' tools. Essentially, they're blocking mail based on the content of the message (what you send), but they won't tell you why it was blocked. There's a magical formula there somewhere. It is not blocked by IP address, as some messages go through and some do not.
This is occuring from *all* senders, in *all datacenters*.........It's a hotmail specific problem. Here's a microsoft.com employees response to the
Escrow Management (Score:2, Insightful)
Trojans, Viruses, etc. (Score:4, Interesting)
It seems that this warranty, escrow account system would not work well with hacked computers, viruses, et cetera. Here's a simple example; please tell me that I'm wrong. My grandma makes a reasonable attempt to secure her system but leaves some holes. Some hacker, working for a spammer, gets in her system and installs a nice little backdoor program. The spammer starts emailing people from her computer until the money in grandma's escrow account can no longer cover the warranties. The recipients are obviously angered by receiving this spam and collect the money on the warranty. How is she going to get her money back?
I don't need to belabor this point, but does this plan assume that all email sent from a user's account was purposefully sent by that user? If so, I can't support that. Virus writers and hackers aren't going away. Computers may become more secure; users may become more experienced. But our increasingly interconnected world is simply too complex to eradicate every security hole.
Another one bites the dust (Score:3, Informative)
Seriously, though: Spammers have been breaking into computers for years now. The current international spam mafias run bot-networks of several hundred-thousand machines each.
So sending mail will cost money (stamp, warrenty, tax - no matter the mechanics). Why exactly should the spammers care? It's not like they're sending from their machines or spending their money.
The serious, working solution to spam is two words: Jail time.
current solution better (Score:3, Interesting)
How often do you get an email from a complete stranger that you really want to read. For most personal accounts you have a limited set of email buddies, a lot like an instant messenging service.
Building this list is the big issue.
Say you buy something from amazon.com, or another site. The web application needs to be able to add itself to your friendly list. Of course this does not happen automatically, but with something you click. A simple standard would not be that hard to devise so any mail client could recieve the message. Upon receiving the message the user is asked if the email is a friendly. At this point the program could check for a valid MX record, and a slew of other tests to see if the record is valid and issue a warning, or give the green light.
Now if the email is webmaster, or your the kind of person that does get lots of emails from people on the Web, like a CmdTaco you need some
more tools. But current spam checkers matched with MX lookup could seriously limit the number of records. You could also do some kind of verification routine where your email program sends an auto-response with one of those pictures. This has gotten worked around with letting porn surfers answer the question for you, but I'm sure it won't be long before people write bots to answer the porn guys wrong.
MX lookup I think will be the first step. If you can reverse an address, then ask that server if the email is authentic, and even give a CRC/timestamp to see if the email came from it. This would make it harder to run your own email server, but if you doing this you probably know what the hell MX records are.
Great Idea, Spammers would love this! (Score:3, Funny)
<spammer> Crap, this warrenty plan for email has destroyed my spamming. .ru. Spammer then invokes warrenty, quickly withdraws money, and continues the cycle with a new virus.**
<spammer> **thinks**
<spammer> **Writes email virus that causes the infected computer to send email to a dummy account in
Your idea is borked, methinks.
Would you Warranty Your Email? (Score:3, Interesting)
No, I wouldn't. It's an interesting approach, but I'd never participate in it. It will COMPLETELY break the way things work, and make communications much more complicated. For example, friends/family/colleagues send me a ton of crap. Let's suppose for a minute that I set my cost as $50 per message. I have multiple addresses, so when people forward some ridiculous chain mail on some topic that I vehemently disagree with them on, I get multiple copies. So let's say I get three copies of this chain mail from someone. With the click of a button, I can set a friend out of $150. Obviously, they wouldn't remain a friend for long, and maybe there's something to be said for making people think twice about forwarding me crap.
But now consider a corporate setting. Let's say I'm really sick of spam at work, and set the price to $500 a message. My boss sends me mail informing me of budget cuts; I'm angered by it, and thus flag it as spam, charging my boss $500.
And I won't even get into the potential for abuse, where I try to impersonate someone else sending me spam, charging random people insane amounts of money.
And this just won't work. Spammers have a 'spam and dump' mentality -- they're sign up for a server, or find a new open relay, dump a ton of spam, and move on. I would fully expect spammers to completely disregard this, running up hundreds of thousands of dollars of debt on a credit card they used to purchase the server. They never pay the bill, and move on. In some strange way, it's kind of like the "If you outlaw guns, only outlaws will have guns" -- spammers will find ways around this, and we'll only inconvience people trying to send legitimate e-mail. And the basic premise sounds to have a ton of potential issues.
If the technology existed, problem would be solved (Score:3, Interesting)
The domain hosts then become responsible for the activities of the spammers, because the discovery of the spammer and their account address becomes trivial. Deal with the problem, or be black holed. Or, alternatively, the spammer can be locked out at the db level.
No where does charging the spammer become necessary. The spammer is simply locked out. E-mail stays free. Nobody gets charged when hacked.
Personally, I would support a domain-sender-message verification system, whereby a message is Md5'd (or some quicker form of hashing) on its way out and stored in a database for each 12 hour period. Upon receiving the mail, the recipient's mail server queries the reported sender's mail server with the message's listed Md5 key. The mail server goes through the databases for the last 3 12 hour periods (in reverse order) and searches for the listed key. If the key matches, it gives a positive response. If not, the message is destroyed.
Bingo, verification that the message originated in the particular domain, and that domain is responsible for the activities of its constituents. If that domain owner refuses to take action, their domain and their IP addresses would be blacklisted.
Re:Lawyer's take on warranties (Score:2)
Re:They're still missing the best solution. (Score:3, Funny)
Shouldn't that be Federal-pound-you-in-the-ass prison?
Re:stuff (Score:3, Informative)
nope (Score:2)
Any solution to stop spam must be designed to ALLOW emails that are closest to spam, i.e., solicited bulk email.
It's not hard to block everything from your inbox except message from your friends. But that's not the real problem now, is it?
Re:how to fix email (Score:2, Informative)