
Beat Spam By Not Using Email

judgecorp writes "We had a press release - by post of course - about a scheme that eradicates spam and viruses. It's not email, oh no. It's digital mail or dmail, a private system that no one else can send messages to. Assuming it's genuine (and the PR person is called Mike Hardware) it uses XML and SQL to build a 1980s bulletin board, to sell to niche markets (such as very close-knit families). Our story is here, and if you don't hear from us again, it's because we are busy emailing ourselves with our two free dmail addresses. Peter Judge, Techworld"
  • Slashdotted (Score:5, Interesting)

    by Nos. ( 179609 ) <andrewNO@SPAMthekerrs.ca> on Friday September 10, 2004 @10:26AM (#10212336) Homepage
    So I can't read the articles, but I don't see anything here that setting up a whitelist only mail server doesn't do
  • What a stupid idea (Score:5, Interesting)

    by hoggoth ( 414195 ) on Friday September 10, 2004 @10:27AM (#10212348) Journal
    This is functionally equivalent to using a whitelist-only filter on your email, only worse in every way.

  • by l4m3z0r ( 799504 ) <kevinNO@SPAMuberstyle.net> on Friday September 10, 2004 @10:30AM (#10212381)
    A private mail exchange system is an awesome idea, I'm sure tons of companies have home grown solutions already using email systems configured to not receive/send mail to people outside the company. This looks very intriguing to companies whose individual employees need to send lots of mail to each other but not outside the company. Not only does it fight spam/viruses, but it helps keep documents confidential by not allowing employees to mail sensitive data around the net, it helps curb use of company resources for personal interests, and it decreases the amount of intervention IT staff will have in the daily operations of its employees. Fewer viruses mean fewer visits from IT staff which means more productivity across the board. What can you be disgusted about when there is already a demand for the product? They aren't trying to force something unwanted on anyone, they are recognizing legitimate need and demand and catering to it. Bravo.
  • by SkyWalk423 ( 661752 ) on Friday September 10, 2004 @10:30AM (#10212390) Homepage Journal
    There is nothing unethical about parting morons from their money. And I might also add, it's a quite lucrative endeavor!
  • by LostCluster ( 625375 ) * on Friday September 10, 2004 @10:31AM (#10212398)
    The strength of the SMTP/POP3 e-mail system is that you can get e-mail from people that you've never heard of... the weakness of the SMTP/POP3 e-mail system is that your inbox is wide open for anybody who wants in, and that means spammers who you never heard of and would rather never hear from.

    Of course, a closed invitation-only community will stay mostly spam-free because anybody who does spam will get booted rather quickly, and the community will move on without them.

    We've already seen blog spam when no registration is required to post a comment... but blogs that require commenters register are mostly spam-free because no spam bot is good enough to remember to register at a zillion sites.

    In short, there are times where "closed" systems are better than "open" ones. And isn't it interesting that they tend to come to /. in the form of a story in this puke-brown section that totally clashes with the normal geek-green. :)
  • by artemis67 ( 93453 ) on Friday September 10, 2004 @10:33AM (#10212424)
    This is nothing more than a fancy white-list, from what I can tell (the TechWorld article is slashdotted.)

    Yes, a closed system that has user authentication built-in from the start has been proposed many, many times. The problem is getting the rest of the world to adopt such a system.

    Just like the idea of charging a fractional penny to send an email and collecting a fractional penny when you receive one, so that email costs and revenues are balanced for the average person, but costs are astronomical for the spammer. Interesting idea, now how do you convert the planet over?

    The solution to spam seems easy enough; it's the implementation that's the problem.
  • by Anonymous Coward on Friday September 10, 2004 @10:37AM (#10212467)
    This is why I like Jabber [jabber.org]. Open like email, works like email, but with the added bonus of presence information and required authorization to add somebody to your list. (People can send you messages if they're not added, but you can easily block them.)

    Hooray for Jabber!
  • PGP (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Friday September 10, 2004 @10:41AM (#10212519) Homepage Journal
    With a close-knit group, why not use PGP encryption for authentication of the sender? The close-knit group can scale to include hundreds of thousands, millions of people. And it doesn't need any other software, while reaching all the people on unenhanced email, as well as all the email integrated applications.
  • cr (Score:2, Interesting)

    by smallguy78 ( 775828 ) on Friday September 10, 2004 @10:41AM (#10212525) Homepage
    Challenge response seems to do the same thing - block all email except the ones you want through. Works well for me (I use http://www.spamarrest.com/ [spamarrest.com] which is pretty good for $30 a year, saves me downloading the emails first)
  • by Anita Coney ( 648748 ) on Friday September 10, 2004 @10:43AM (#10212539) Homepage
    Here's how:

    I opened an account with usa.net. I ONLY use it for friends and family I trust.

    Via my ISP I create other accounts, e.g., one for Newegg, one for Amazon, etc. If I ever buy from someone and that account starts getting spam, I can cancel it immediately. It has only happened once.

    I also give out a secondary email account to friends and family to test them. If they don't sign me up for crap and don't forward me crappy jokes, I then give them my real account.

    Like my subject says, I've never received any spam in my usa.net account. The only spam I've got in the last three years was in an account I opened to use the pcmag.com forums. Needless to say that one was immediately cancelled and I use a fake address there now.

  • by Anonymous Coward on Friday September 10, 2004 @10:46AM (#10212576)
    This is great because email was really trying to meet two differing and conflicting sets of requirements for two different problems.
    1. The 'old-style' email where anyone could send a message to everyone, that all the traditional MTAs (mail transfer agents) supported. Anonymous messaging is desirable in this system.
    2. The 'new-style' email where everyone wants to silently drop messages from spammers they don't like; and corporations want to silently drop messages they don't want employees to get, etc. Anonymous messaging is scary in this system (corporations don't like it); and in contrast, control is a key feature.
    The first requirement's needs were very well met by sendmail, etc; and really don't need to be forced in a corporate environment.

    Nothing really met the second (intentionally lossy (some would say broken)) requirements for corporations who wanted to make sure that many mails did not get delivered.

    I welcome the day that all the guys with different requirements from sendmail simply move on to some other messaging system rather than try to screw with something that's worked well for decades (SPF, etc).

  • by photon317 ( 208409 ) on Friday September 10, 2004 @10:51AM (#10212618)

    Actually, you can have a decentralised free messaging system that's immune to the types of abuses we see today (spam). We already have the smtp email foundation to build it on top of, and it's pretty damn simple to do. If *everyone* would just get valid, signed certificates to authenticate themselves as a given entity with a given email address, then *everyone* could turn on a switch in their mail client that says "reject all mail that isn't signed with a cert which matches the sender's address and that's signed by an authority I trust". If you make spam completely accountable to a real-world entity via cryptography, it largely solves the problem, because the problem is so easy to solve at that point.

    There are already some competing standards for this stuff, and Enigmail (in moz and thunderbird) supports at least two of them. I'm pretty sure you can get an email cert from one of a few authorities pretty cheaply.

    So, it really comes down to convincing the users, which is largely the job of email client vendors. When you first set up your account in Outlook, Thunderbird, or whatever, there should be a dialog box to the effect of:

    Please click "Use Existing" to use an existing email certificate for this account, or click "Create" to create a new certificate....

    With pointers to signing authorities and an explanation that the user would be doing their part to prevent spam if they would just take this simple measure.

    Eventually everyone notices that all their legit email is signed, and starts turning on that "kill all unsigned mail" option in their mail client, and poof goes the spam problem.
  • by danharan ( 714822 ) on Friday September 10, 2004 @10:55AM (#10212661) Journal
    For intra-company document exchanges, re-inventing email is IMO a poor fit. Having a searchable centralized archive of all documents in an intranet can save a lot of time- that's what intranets are for.
  • by JohnnyGTO ( 102952 ) on Friday September 10, 2004 @11:18AM (#10212913) Homepage
    Any Sys Admin that can't set up a Jabber server and for extra security force users to tunnel in using something like OpenSSH ought to have his pay grade re-evaluated.
    For those out there using Windows, simply tunnel into the server using PuTTY.

  • by 1u3hr ( 530656 ) on Friday September 10, 2004 @11:23AM (#10212986)
    From dmail's "background information" page:

    "secure messaging system which was instantaneous and able to transfer large files rapidly...a safe and secure platform which can not be penetrated by unwanted visitors or observers...exceptionally fast medium for accessing and exchanging large files such as music, images and film, with huge capacity. For starters, each dmail address will have one gigabyte of space... targeted at several niche sectors where its properties are particularly relevant. These include education, friends/family, teenage and corporate markets"

    The *IAAs are going to love this if it takes off. But it has the same vulnerability as any "closed" system, it's brilliant at the beginning but if it grows beyond a certain number you get trolls and spammers.
  • by xedx ( 776707 ) on Friday September 10, 2004 @11:28AM (#10213036) Homepage
    Using Jabber is very appropriate for a corporate/company setup and imho better than a private mail system. We can send messages, chat, send files and even have alerts like news etc. Gotta love jabber.
  • by ziegast ( 168305 ) on Friday September 10, 2004 @11:35AM (#10213118) Homepage
    This may sound blatantly naive, but given that SlashDot is a relatively open forum, why is it that we see hardly any spam at all in the SlashDot forums? Compared to virus-writing, it seems to be a trivial task to write a spambot that posts "Anonymous Coward" messages or even signs up real accounts before posting to forums.

    Granted, we have trolls, offtopics, and flamebaits, but I have never seen anything close to what typical spam looks like when moderating and reading "flat" at level 0.

    D15cr337 V14gr4 4 U! [cowboyneal.org]

    Dmail isn't doing anything new. If SlashDot were a Usenet group, it'd be spammed just like the rest of the groups. If everyone had a different method of contacting them, it'd be too hard a problem for spammers to reach everyone.

  • by JAgostoni ( 685117 ) on Friday September 10, 2004 @11:41AM (#10213185) Homepage Journal
    Even more so than that, most email systems have a configuration option (sometimes even per-user) that can disable public/internet email exchange. Even Microsoft Exchange has that! At my company, internet email is actually turned off by default until the user takes a "training" course on how to use the Internet properly. Interestingly enough, the word "spam" appears nowhere in that training.
  • a better solution (Score:2, Interesting)

    by SnowDog74 ( 745848 ) on Friday September 10, 2004 @11:44AM (#10213209)
    I've been experimenting with several methods simultaneously on my POP-mail accounts to see which works better... and my obvious conclusion is that several methods operating concomitantly are the best solution. But I'm still experimenting to determine what sets of methods, and the most effective order...

    It's important to use the email filter rules much in the same way you'd use a firewall rulebase... as a sequential set of rules that increase or decrease in specificity depending on how you want to prioritize mail.

    Some addresses need to receive from everybody. i.e. If you have an info@blah.org, you are expecting mail from unexpected sources. Then some addresses are personal. But here's where it gets interesting.

    Years ago in high school, I had a civics teacher who looked like Mr. Burns from The Simpsons. Every year he begins the first day of class with these words:

    MAN IS GREGARIOUS BY NATURE.

    Indeed... We are social creatures. We also like feeling important. That is part of the reason I'm wasting my time on message boards pontificating on subjects that the people who already understand don't need to know, and the people who don't probably won't care for my opinion! But it makes me feel important that I have something to say.

    So too is the nature of this thing called e-mail. Most people do not want to implement the easiest form of security (implicit deny-all w/a whitelist) because, hey, who knows... you might receive an important message from someone you don't know.

    For example:

    YOU MAY ALREADY HAVE WON TEN MILLION DOLLARS!

    So there you are. The problem is, people aren't easily convinced that there are no truly important messages except those from people they already do know, who have business or personal interests with them that they already are aware of. Why? Well, probably because that would require admitting to ourselves that we're less famous or less important in the grander scheme of society than we fancy ourselves to be.

    WHAT? WHAT? WHAT? OKAY!

    Spammers and most mail servers are like audio equipment salesmen, they don't know when to shut up. That being said, I found that a challenge-response rule works well, but doesn't solve the bigger problem.

    Sure, a challenge-response rule, if properly implemented, will drop inbound mail that doesn't pass the test... but there's just one problem.... two actually...

    1. When a spammer gets an autoack challenge from a mail server they are attempting to send to (because C-R is not readily implemented at the application layer), now they know there's a box there. Their bulk mailer scripts don't care that there may not be a real person there... they'll waste your bandwidth all the same.

    2. When an autoack challenge goes out to, say, a generic address that sends you maybe a confirmation of a credit card payment, that system sends an autoack back to you. Unless you are actively policing your rules every day, you're multiplying the amount of bandwidth being wasted by causing an autoack loop that doesn't stop until someone kills their autoacks or changes their ruleset. Waste of time, and resources.

    So, until password authentication, or even DNS authentication (verifying that the rDNS for the sender's IP matches the sender's e-mail address to confirm it wasn't spoofed) becomes an integral part of the application, challenge-response won't work very smoothly for most end users who lack the scripting skills to build their own mail server running a C-R script far smarter than any deliberately vulnerable Microsoft application will ever be designed to offer--for obvious commercial reasons.

    As this site [worldofends.com] can attest, making such specific functionalities part of the internet protocol itself is not a good idea. Challenge-response should exist at the application layer.

    HEY, I THINK I GOT IT! A good security policy is to implement several layers of security. 1. The first layer of ru
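
The ordered, first-match rulebase and the autoack-loop problem described in the comment above, sketched as an added example that is not part of the original post. All addresses, rule names and the quarantine action are assumptions; the loop check relies on the RFC 3834 `Auto-Submitted` header, the conventional `Precedence` header and the null return path.

```python
from email import message_from_string

# Constructed sample data; every address and rule name here is an assumption.
WHITELIST = {"alice@example.org"}        # known correspondents
PUBLIC_RCPTS = {"info@example.net"}      # role address open to everyone
PENDING = set()                          # senders already challenged once


def is_automated(msg, sender):
    """True if a challenge to this message could start an auto-reply loop."""
    if sender == "":                                   # null return path: bounce/DSN
        return True
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":                                   # RFC 3834 auto-generated/replied
        return True
    if msg.get("Precedence", "").strip().lower() in ("bulk", "junk", "list"):
        return True
    return msg.get("List-Id") is not None              # mailing-list traffic


def classify(raw, envelope_from, rcpt):
    """Return (action, rule_name); the first matching rule wins."""
    msg = message_from_string(raw)
    sender = envelope_from.strip().strip("<>").lower()
    rules = [
        ("public-address", lambda: rcpt.lower() in PUBLIC_RCPTS, "deliver"),
        ("whitelist", lambda: sender in WHITELIST, "deliver"),
        # Never answer a machine: hold the mail for review instead.
        ("no-challenge-to-robots", lambda: is_automated(msg, sender), "quarantine"),
        # One challenge per sender, so repeats cost no extra outbound mail.
        ("already-challenged", lambda: sender in PENDING, "quarantine"),
        ("challenge-once", lambda: "@" in sender, "challenge"),
    ]
    for name, matches, action in rules:
        if matches():
            if action == "challenge":
                PENDING.add(sender)
            return action, name
    return "drop", "implicit-deny"       # nothing matched: deny by default


# Constructed messages for the demonstration.
RECEIPT = ("From: noreply@bank.example\nAuto-Submitted: auto-generated\n"
           "Subject: Payment received\n\nThank you.\n")
STRANGER = "From: bob@unknown.example\nSubject: hello\n\nHi there.\n"

if __name__ == "__main__":
    for raw, env in [(STRANGER, "bob@unknown.example"),
                     (STRANGER, "bob@unknown.example"),
                     (RECEIPT, "noreply@bank.example"),
                     (STRANGER, "<>")]:
        print(env, classify(raw, env, "me@example.net"))
```

The whitelist here keys on the unauthenticated envelope sender, so it inherits the spoofing weakness the comment raises about sender verification.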

  • Orkut + Gmail = ... (Score:2, Interesting)

    by MastaBaba ( 530286 ) on Friday September 10, 2004 @01:01PM (#10213955)
    Private email network. If you only allow mail from people registered with Orkut, you can always trace who's spamming you, if they are, and throw them off Orkut.
  • by Mignon ( 34109 ) <satan@programmer.net> on Friday September 10, 2004 @01:13PM (#10214077)
    A while back I switched email addresses.

    The only spam I have received has been of the Outlook virus variety, where someone with my address in their address book sends spam pretending to be someone else in their address book. I didn't open the attachments, and don't use Windows anyway, so it wouldn't have mattered. I've received maybe half a dozen such emails in a couple of years. That's it.

    Here are the reasons I think I've managed to avoid spam:

    • My new address is on a domain that I own, and the domain name is not a dictionary word, proper name, etc. So I think it's kept my domain "under the radar" of spammers.
    • My old address is the administrative contact for my domain.
    • My new address doesn't appear on my web site.
    • My new address doesn't appear on Usenet.
    • My new address doesn't go to any commercial interests.
    I'm aware of several weaknesses of this approach - it's "security" through obscurity, people can't click a mailto: link on my site, and I have to maintain an account that receives spam, but the tradeoff is worth it to me. It's a little like wearing galoshes (rubbers, to those UK-ers) over nice shoes - a little more trouble, but it keeps my nice shoes clean, so I'm happy with the trade-off.

    For example, when I place an order on a web site and it sends a confirmation, I know I can quickly find it among the spam and chuck the rest. I use a web-based email to scan those, so I never open the junk.

    If anyone has any suggested improvements, I'm all ears.

  • Re:A simple solution (Score:2, Interesting)

    by RoundTop-VJAS ( 580788 ) on Friday September 10, 2004 @01:38PM (#10214321)
    Up here in Canada Rogers did something like that on their cable system... and it pissed me and almost every other user off to no end.

    The problem is...what if you check your work e-mail from home and try to send out from it. It gets rejected. So suddenly you have to have another SMTP server to go through.

    By the way, the reason Rogers put that in place was the fact that their SMTP server was being used for spamming. The problem was it wasn't the internal users spamming. Their mail server was sitting ass-open on the internet. Everyone was sending through it. After enough people complained they finally opened it up internally again. (they had a bunch of monkeys running their network).
