Beat Spam By Not Using Email 314
judgecorp writes "We had a press release - by post of course - about a scheme that eradicates spam and viruses. It's not email, oh no. It's digital mail or dmail, a private system that no one else can send messages to. Assuming it's genuine (and the PR person is called Mike Hardware) it uses XML and SQL to build a 1980s bulletin board, to sell to niche markets (such as very close-knit families). Our story is here, and if you don't hear from us again, it's because we are busy emailing ourselves with our two free dmail addresses. Peter Judge, Techworld"
New concept same stuff... (Score:4, Insightful)
D-Mail, G-Mail, PurplePokaDotMail are just more examples of someone trying to create, patent, exploit, etcetera when there are far more ethical and lucrative methods of making money. Of course this relies on people getting thier heads out of thier proverbial asses, but what can you do?
eMail replacement. (Score:3, Insightful)
Drop email. Drop SMTP. Change the ports it uses. Change the entire system, and scrap what's gone before and start again. Make it PURPOSELY incompatible.
Unless of course you want to keep getting spam. If so, keep using email as it is.
Um, isn't this just a webpage? (Score:5, Insightful)
Well, duh (Score:3, Insightful)
Re:Same as Usenet (Score:2, Insightful)
Re:eMail replacement. (Score:5, Insightful)
IMHO completely dropping email as we have it now is the only way against spam. No matter what's been done so far has kept existing email infrastructure as legacy. A new extension on top of email might get some play, but it's all irrelevant while the same system is still able to be used for spam.
This comes up every time someone mentions spam. You simply cannot have a decentralised, free, messaging system without a small minority of people abusing it.
Think of it as the price you pay for having a decentralised, free line of communication. This is a social rather than technological problem and I'd rather have spam than a tightly controlled mail solution that could be taken away from me or cost me more money.
Re:Same as Usenet (Score:2, Insightful)
But they're also much more annoying to use - first you have to find a decent forum. Then you (often) have to register. Then you find that actually you get flamed for posting a newbie question - but the search is so useless that you can't find the answer that was posted last week (and it's all .asp and not indexed by google).
Then you go back to usenet.
Re:Another idea (Score:3, Insightful)
I guess it has something to do with me keeping my email addresses to myself and my contacts, whereas my street address can be found in public directories. Oh, and I don't think I could install a decent spam filter on my smailbox, either.
Re:New concept same stuff... (Score:4, Insightful)
Re:eMail replacement. (Score:3, Insightful)
I rarely receive e-mails from more than a small group of people (hey, the web design world in North Dakota isn't exactly buzzing with potential clients), so it's no problem for me to first get the e-mail address of a client before I allow their incoming messages.
Which replacement? (Score:4, Insightful)
* Sending message should be free or extremely cheap
* It should not be required to receive an invitation to talk to somebody
You can quibble with those requirements if you want to design a new system, but if you follow them any system you propose risks being spam-ridden. The spammers will not say, "Oh, gee, they've all moved to a different port and protocol, let's forget it then." They'll adopt any new protocol, faster than users will.
So what about present email are you willing to give up? Converting from "free" to "extremely cheap" sounds promising, but it's still prone to the army of zombies, and exchanging trivial amounts of cash is still difficult and expensive.
There are various ways to introduce blocks in the "anybody can talk to anybody" system. Some systems email you back when you send me a message for the first time, which at least proves the existence of a back path and to a small degree a real human (not a zombie) on the other end. Bayesian filters provide extra points to people who have emailed you before without excluding people you've never heard of.
Or maybe we weaken the second requirement by distinguishing between promiscuous and non-promiscuous addresses. My friends email me at one account, and if I could I'd give each of them a separate address. People I trust less get different accounts. People who break the trust find that the address disappears, and because those addresses aren't promiscuous, relatively few other people are inconvenienced by that. I've effectively whitelisted those addresses.
But I also monitor info@foo.com email addresses, which really do want to take email from anybody in the world. I can't drop those when they get spammed, because many people are expecting to get to me through them. But if we made promiscuous addresses rare, we could use more whitelists and perhaps change the balance.
Perhaps if your average spam-buying-jackass@comcast.net were able to receive mail only from people he'd whitelisted, he'd get less spam and the spammers would give up. But that would be wildly inconvenient for him.
The point is, most of these could be built on top of SMTP, and any SMTP alternative you propose is going to have either promiscuity or conveninence problems. Just dropping SMTP just moves the problem to a new protocol but with massive infrastructure pain.
Re:eMail replacement. (Score:4, Insightful)
The problems is that any system with the features we demand of email has the faults of email.
The crux of it is - do you want someone you haven't heard of before to be able to email you?
If the answer is "yes", then you get spam.
If the answer is "no", you get something fundamentally different from email. You can also already implement this, by using a whitelist for both email addresses and originating mail servers (to filter forged friends' addresses).
Authenticating users and rubber-stamping their mail at mailservers doesn't help, because there are always untrustworthy mailservers run by ISPs who don't know enough or don't care enough to fix them. This is half of the source of the _current_ spamming problem. So, any decentralized email-like system is vulnerable to having spamming users and compromised mail servers exist. Compromised mail servers bring back forging, and you're pretty much back to square one. It gets a little harder to convincingly forge a sender address from a different mail server, but you can _already_ filter for that by using a server whitelist or using a DNS lookup (forward or reverse) for server lines in inbound mail.
Having a centralized mail server makes it harder to insert bogus traffic, but creates a huge bandwidth bottleneck, and concentrates power over mail in a way that's unlikely to be acceptable.
In just about any scheme, you can also get compromised user machines spewing mail from their own accounts with legitimate sign-in to any type of mail system at all.
In summary, the spam problem isn't going away under any system that serves the same purpose as email. You can also modify a standard email system to get most of the benefits of the different types of system that _would_ be more spam-resistant. So, there doesn't seem to be much point in proposing a system-wide overhaul.
If you want private conversation... (Score:3, Insightful)
Besides, all a company has to do is close off their email gateway and they can accomplish the same thing this new 'innovation' provides.
Re:eMail replacement. (Score:5, Insightful)
that wouldn't be free & decentralised anymore.
if you want to have the ability to receive messages from total strangers, you have the ability to receive totally useless messages(spam) from them as well.
New Section (Score:3, Insightful)
Lame Product Announcements
Re:New concept same stuff... (Score:3, Insightful)
This scheme is "disgusting" because it capitalizes on the fact that their customers don't know enough about their existing mail software to configure it do to the exact same thing. The only difference between "dmail" and minor Exchange Server deployment change is that the "dmail" scheme is proprietary and comes with vendor lock-in.
Frankly, I think any IT manager that doesn't know enough to have an SMTP system configured to be "private" doesn't know enough to evaluate commercial mail solutions. But I could certainly be wrong, and maybe someone should write the 1-page HOWTO on this.
So.. it's MS Exchange with no SMTP connectors.. (Score:3, Insightful)
No typing @domain.com. No viruses. No spam. Gee, those things sure are easy to provide when you have 200 users and no internet e-mail connection.
Re:New concept same stuff... (Score:1, Insightful)
Right. Because nobody can send and receive attachments through web-based email systems like yahoo and hotmail... oh wait. The only way to fight spam is turn off the internet completely. And as long as you have diskette drives and USB ports, you can't prevent employees from mailing sensitive documents, or bringing in viruses. Remember, viruses existed way before the net became popular.
Re:eMail replacement. (Score:5, Insightful)
-
You have to trust that the certificate providers that you're going to "trust" are properly dealing with spamming customers. Because otherwise, it would be relatively easy to send spam, it's just that you guarantee that you can know the email address of the person who's spamming you. Or, rather, you can guarantee that the email address which was on the outbound message matches the one that the provider issued. This means that you can still get spam, it's just that you know an email address was successfully provided at oen point for that spam.
-
What about phishing scams where they take your password? You think they won't find a way to get the private key for your certificate store, and then use your certificate to run joe jobs against you? Think again. As long as you have clueless users out on the internet, they'll be able to do crappy things with anything which relies on user-level security.
-
What do you do with webmail systems? There's no way outside of something like ActiveX for me to client-side sign my outbound email, and even if there was, there wouldn't be a way to deal with the whole kiosk problem (I want to walk up to an internet browser and be able to check my email). I could offload the signing onto the webmail system, but then that's not terribly secure, because the people I send email to can't necessarily trust that it was me (and not Yahoo Mail) who actually drafted the email. Also, if I have a simple password, again, that could be cracked, and anybody could send email as me.
While this one might seem a unique problem with things like Hotmail and the like (which you might not want to allow mail from anyway), think of the number of corporate users who rely on things like Outlook Web Access (which will soon support client-side signing, but only if you're running MSIE on Windows and are at a machine where you can control the hardware to get your private key pair installed correctly).
So while S/MIME and equivalent systems are useful in the fight against spam, they aren't panaceas because the rest of the infrastructure (particularly webmail systems) can't deal with them.Re:eMail replacement. (Score:2, Insightful)
Re:eMail replacement. (Score:3, Insightful)
There are several problems with this scheme. It solves the problem of spam (more or less), but creates new ones.
The first is that it gives power (which will be converted into money) to the certificate signing authority. This is currently a problem with https, as even though anyone can set up a web server using SSL, for it to be usable buy the public, you must pay an often very high tax to one of a very few signing authorities. This problem would be much, much worse with email.
The second is that once you have given this power to the signing authorities, you must trust them completely. It only takes one established authority going bad (e.g., by being bought out by someone unscrupulous) to ruin this scheme in any of a number of ways. You can 'untrust' that authority, then, but most people probably won't know how to, or won't be inclined to.
Finally, this scheme attempts to eliminate spam by eliminating anonymous email. However, there are legitimate uses for anonymous email (whistle-blowers, political dissidents), and it seems to me that trying to eliminate obnoxious commercial speech is not enough of a justification to eliminate these kinds of speech as well. It might be possible to get around this by means of remailers, but then the remailers must be either trusted as well, or be vulnerable to use as spam relays.
In an odd way, this is exactly what is happening.. (Score:3, Insightful)
In essence, IM services are "walled E-Mail gardens". I know people who aren't totally tech savvy who use services like AIM and don't use E-mail. Granted, these tend to be "gramma" types who use messaging services to chat with the kids and grandkids, but the principle remains.
And for those who say it dosen't work: AIM + whitelisting works wonders.
It may sound a bit odd to a few of us "geeks", but some people only want to hear from people they know (i.e. have been formally introduced to). Spam is only encouraging a behaviour that people already practice on the phone (with Caller ID and/or answering machines) and their front door (with the little peep-hole).. if I don't know you, I ain't gonna talk to you.
Thanks, marketing departments of the world, for helping to create a more insular society.
There was money in it once upon a time (Score:2, Insightful)
quite a market for private email ("InfoPlex" anyone ?
Prize to the first person who tells me what FILGE stood for
Of course, the market existed because people wanted email,
not because they wanted to avoid spam....but I have had
thoughts lately of setting up a closed email system
or at the very least a whitelist syste to allow my kids
to have "safe" email. The idea is not all that weird.
---eludom
Re:cr (Score:3, Insightful)