Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Spam

Attention Bonds Gain Momentum 213

Thede writes "Hi all - the ABM, a proposed solution to spam first posted to /. back in February, is gaining some momentum and refinement. It has been presented it at the Federal Trade Commission, the ACM, the National Bureau of Economic Research (NBER), and at the ITU in Geneva earlier this month. The original post referenced an academic article that not so accessible. We now have a short FAQ and a very detailed Q and A that covers a lot of the issues raised over the last five months. Next step (barring gaping holes) is to get a standards effort going - and most of the needed standards already exist."
This discussion has been archived. No new comments can be posted.

Attention Bonds Gain Momentum

Comments Filter:
  • by Jason1729 ( 561790 ) on Sunday July 25, 2004 @05:17AM (#9793557)
    to get the bond, then why can't they use the same technique to simply stop all unauthenticated email. If the sender is forced to use their real name, spam will stop pretty fast.
    • Counterfit Escrows? (Score:2, Interesting)

      by pentalive ( 449155 )
      Would it be possible for me to own my own escrow service and make counterfit escrows?
      • Sure, but my bond company not unlikely to accept your signatures. If they do it would only be aftyer approving you and signing a contract.

        So either I'm bouncing your unknown signature or my bond company is reasonably confident that they can sue your bogus bond company. It's generally invisbly handled as far as the end user goes.

        -

    • simply put they want to make a profit

      FAIL - you have to get consumers to sign up to a service that their friends do not use
      (transition will just be a nightmare )

      sorry but why not provide companies with something they want...

      like emails that are encrypted
      (and maybe for bonus points self destruct)

      companies dont like their comunications flying around for all to see

      companies dont like the idea that those msg's could go to court

      in the end it comes down to what you can sell !

      regards

      John Jones
      • "like emails that are encrypted"

        http://www.hushmail.com/ already provides this.
      • simply put they want to make a profit
        FAIL - you have to get consumers to sign up to a service that their friends do not use


        They only make a profit by taking a cut when I seize a bond. You know what? I don't mind them skimming a percentage when THEY ARE GIVING ME MONEY.

        Now I admit when I sign up with an ISP I'm going to have to deposit a little money in order to be able to send email to strangers. But you know what? A dollar or two deposit is plenty to cover normal usage, probably eaten by my ISP itself a
    • Could open up a new can of worms. I rather like being Bios Hakr. I'd really have a hard time posting to groups like this if I had to go by my real name.

      There are also about 10,000 other privacy concerns. With your idea, you might as well use your social security number as your global user name...and your mom's maiden name as your password. That way, when you piss off someone, it's easy for them to find you.
      • No, you can still be anonymous. You just need to deposit a dollar or two with one of these services. You can keep reusing that anonymous bond so long as no one deems your mail spam and seizes it ten cents at a time. And if they do seize it, well all they know is who you deposited the bond with, not who you are.

        -
    • I think ABM and SPF would complement each other:
      • SPF doesn't stop someone from creating a new hotmail account and then sending out hundreds of spams. ABM does.
      • You get an e-mail from paypal.com asking you to run an attachment to update your account information. ABM doesn't help you to find out that it's not really from paypal. SPF does.
    • Agreed. This is yet another FUSSP [rhyolite.com]:
      • The FUSSP assumes that your attention is so important that strangers will pay money to send you mail.
      • Spammers won't ignore, subvert, or exploit the FUSSP if you publish it as an RFC
      • The FUSSP won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem
      • You think that a violation of an RFC by an SMTP client or server is good and sufficient reason to reject all mail from the system's domain
      • The FUSSP requires a small number of c
      • And I haven't even STARTED on the horrors of trying to run a free mailing list (with or without a confirmation email at signup).

        How about this: a legitimate email list would have its own bond, which is a bit larger than normal email bonds. To sign up, you have to send an email to the list subscription address, and when you do, your bond is collected (which you are warned of in advance), even though you are whitelisted.

        When the mailing list then sends you messages, if you ever confiscate the mailing list'
        • send an email to the list subscription address, and when you do, your bond is collected

          Again, this pre-assumes strong authentication of senders. If we had that, we wouldn't need bond money. The only reason for all the complicated maillist signup procedures now is to verify that the sender address really did send the request. Eliminate forgery and the problem goes away.

      • The FUSSP assumes that your attention is so important that strangers will pay money to send you mail.

        If you want mail from strangers then set the bond to zero or near zero.

        Also realize that if the sender is a stranger then by definition THEY are sending mail TO a stranger. I dunno about you, but I generally don't type up and send random mail to strangers unless prompted by some non-trivial motivation. If I have enough motivation to type up a mail to a stranger I'm also motivated enough to risk a 5 or 10
  • Hi all - the ABM, a proposed solution to spam first posted to /.

    A spam solution that attempts first posts on Slashdot? I think it failed it.
  • Won't work, again (Score:4, Insightful)

    by Julian Morrison ( 5575 ) on Sunday July 25, 2004 @05:27AM (#9793584)
    Short summary: it's an intermediated version of "pay me to read, and I'll pay you back if it's not spam"

    Bug summary:
    - too many people will keep the money regardless
    - the services of escrow agents are not freebies
    - nobody will bother to use it when regular email is cheaper, already deployed, and infinitely less fuss
    • Once you get a rep for keeping the cash regardless nobody will email you.

      And if you factor in the bond when deciding whether an email is spam then you're more likely to read it.

      I'm not convinced, largely because I want to see what the email situation is like once SPF comes into force. But I don't think it's easily dismissable.
    • Yeah, this is full of holes. And the worst thing is that it can mess with my wallet. No thank you.

      A probably better solution IMHO would be:
      ISPs block their users SMTP port (so you can't run your own mail server) unless you pay a small extra monthly subscription fee for an extra service. Most people do not want to run their own e-mail server anyway. Then ISPs add virus and spam blocking on their own source SMTP server.

      This is sort of like the snail mail company x-raying mail for bombs and irradiating it

    • Here's a better design. Incoming email. Whitelisted? Y/N Y - deliver. N - check monetary amount attached. Greater than monetary amount for anon email? Y/N. Y - deliver, keep money. N - bounce mail, money.

      No need to pay anyone back. If you want to send me email, and you're not on my list, send me 15 cents with your email. For normal people, that's too cheap and too easy. For a spammer, that suddenly makes their 2 million email address spam run cost 300,000$ if they actually want people to see it.
    • Good short summary.

      Here's my thoughts on your bug summary.

      1. Too many people will keep the money regardless. The only time a bond is posted when you get an e-mail from someone you don't know or don't like. If an old, forgotten friend e-mails you, you'll refund their money; if a marketer e-mails you, you'll keep it. What's the problem here again?

      2. The services of escrow agents are not freebies. Preventing spam isn't free either, and major ISPs and businesses already spend millions of dollars a year on it
  • by Anonymous Coward
    There has to be a working micropayment system and if there isn't one yet, can I be the one who skims 10% of every bond?
  • Next step (barring gaping holes) is to get a standards effort going

    Just watch. There will be just one "gaping hole", and a snake will crawl out of it, and sue everyone for patent infringement.

  • by panurge ( 573432 ) on Sunday July 25, 2004 @05:36AM (#9793606)
    First, look at the opportunities for fraud. Say I set up a porn site with an email address. You email me and the system asks you to post a huge bond to get the message through, say $1000. Somewhere out there will be id10ts who haven't configured their systems properly. The bond gets posted, I mark your message spam. Result: legal profit. Or if I get lots of replies, I can just set the bond to say 49c and then collect lots of small sums from people.

    Second, who else will profit from this? The escrow companies. Do we really want bankers in charge of the email system? They will simply see this as an opportunity to print money. Before long, you won't be able to contact your mobile phone provider, electricity company etc. without posting a bond - and they will own the escrow companies, and you will be paying them an annual subscription to use their escrow account. It's as good a scam as having special rate phone lines, which means when you call them they get part of the cost of the call.

    Third, increased email traffic around the system due to the challenge/response cycle will partly compensate for any reduction in spam.

    The only way to fix spam is to make it unprofitable for the people who pay the spammers. Given that Joe Sixpack is the idiot who buys from spam and so makes the system possible, and that he will no more be able to set up an escrow account than he is able to understand to install Firefox to remove annoying popups,and Thunderbird for the junk mail filter, the system won't work - the majority of users will be unaffected, the ones who are affected are probably corporate users with spam blocking tools in place already.

    • 1: Your escrow account will only have a nominal amount (say 50 cents), and thus prevents this type of scamm.

      2: Who e-mails porn sites? Most web-sites that charge for service ike Transgaming, have you fill out a web form, which you then supply your e-mail address. People will wise up very soon (like one messg and 1 cent) and not e-mail dubious sites.

      3: It's not designed to be a profit system, but your ISP could hold your money, say as a small deposit with your account.

      4: From the concerns you raise, I'm

      • Er. yes, I did read the original proposal. And the latest explanation.

        You don't seem to understand that the criminals and fraudsters will put a great deal of effort into finding ways to profit from the system. The development of premium rate numbers is a good example. Who would have expected in the first place that $45/min lines would emerge, or that fraudsters would find ways to get PCs to dial them automatically? Or seen the conflict of interest of the telecoms companies (zero interest in stopping the fr

      • People will wise up very soon

        I have some counterevidence against this claim accumulated during the several past centuries.

    • by wobblie ( 191824 )
      Correct, however, it would cut down on Spam traffic which is a tremendous drain on the internet backbone. Spam blocking tools do nothing to alleviate that.

      That said, I don't like this ABM thing at all. Spammers will always find a way around restrictions.

    • I can see sense in making it unprofitable to sell via spam but the minimal cost makes it worth their while. For example, the cost of acquiring a list of two million addresses is not that much more than acquiring fifty thousand.

      If you cut the Joe Sixpack's from buying via spam from 5% to 1%, it's not difficult for a spammer to spam five times the number of people to maintain their sales level.

      That said, a public education campaign wouldn't be a stupid idea and I don't think it would hurt. I get a lot of sp
  • What's with these technical solutions and poor names (ABM)? Another example of smart people with no marketing department!

    I can see the marketing tag line now... "To get rid of spam, take 'a B.M.' "

    • Acronym overload strikes again... I thought of ABM as in anti-ballistic missile - someone fires a missile at you, and you launch another missile that intercepts it and blows it up before it can hit its target. A nice metaphor, but it's not how this system is supposed to work at all. Spam isn't like one big missile. It's millions of little ones. What would you do if someone was doing that to you in real life? Try to swat the missiles out of the sky? No, you'd find the launch sites and nuke them.

  • by azaris ( 699901 ) on Sunday July 25, 2004 @05:40AM (#9793614) Journal

    From the FAQ:

    Q: What prevents the recipient from claiming the bond, regardless of the message value?
    A:. Nothing, other than perhaps etiquette and good judgment, prevents claiming a bond.

    <sarcasm>Yeah, etiquette and good judgment worked so well with the old e-mail system.</sarcasm>

    They propose an automatic bond posting system where for example if the bond is less than $0.50 (by the way what happens if I don't use dollars, who determines the the rate of exchange?) the bond is automatically posted. So:

    1. Set bond to $ 0.01 to ensure automatic bond posting.
    2. Subscribe to 10,000 different mailing lists.
    3. Profit!

    • They propose an automatic bond posting system where for example if the bond is less than $0.50 (by the way what happens if I don't use dollars, who determines the the rate of exchange?) the bond is automatically posted. So:

      1. Set bond to $ 0.01 to ensure automatic bond posting.
      2. Subscribe to 10,000 different mailing lists.
      3. Profit!

      I'm not an expert, but this could be prevented by having the mailing list program refuse to post a bond. The effect of this would be that only someone who has the mailer in

      • I'm not an expert, but this could be prevented by having the mailing list program refuse to post a bond.

        Of course, but the end result will be that almost no one is willing to post a bond of any kind. Since sending e-mail to someone is not a service that most people are willing to spend a dime or even the effort of acknowledging a challenge-response to post a bond, either the bond system will fall out of use or people will resort to only accepting mail from whitelisted senders.

        I doubt the latter will ev

        • Of course, but the end result will be that almost no one is willing to post a bond of any kind.

          Why not? I would post a bond of £0.05 to email a friend, any time. The chances are, she will email me back and we'll be all square. Afterwards, I get added to her whitelist and we're fine. What's the problem?

          The question is, would a commerical company spend £0.05 to send me an unsolicited email? I don't know about you, but I rather like that question.

  • Frankly I think it would be simpler to just use "pay per email". Something could probably be rigged up with paypal in short order, and if your time/attention is important enough that all this fuss is worth people's bother, they'd find it simpler to just pay you up front and no messing.

    For example, I can easily imagine major CEOs having publicly accessible emails with a $1000 reading charge. Those who ought to contact them, or who really care to be heard, could afford to pay.
  • by sdeath ( 199845 ) on Sunday July 25, 2004 @06:02AM (#9793649)
    (As a side note, what happens if you receive mail without an associated bond? 12.2Q in the Q&A says "Well, you could still read it", which OBVIATES THE ENTIRE FUCKING POINT!!! Yet another idiotic spam "solution", in other words. Oh well. Here's where it scores on the Spam Solution Checklist:)

    Your post advocates a

    ( ) technical ( ) legislative (x) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (x) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (x) Users of email will not put up with it
    (x) Microsoft will not put up with it
    ( ) The police will not put up with it
    (x) Requires too much cooperation from spammers
    (x) Requires immediate total cooperation from everybody at once
    (x) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (x) Asshats
    ( ) Jurisdictional problems
    (x) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (x) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    (x) Extreme profitability of spam
    (x) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    (x) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    (x) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (x) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    (x) Blacklists suck
    (x) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    (x) Countermeasures must work if phased in gradually
    (x) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.
    (x) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!
  • by Andy_R ( 114137 ) on Sunday July 25, 2004 @06:14AM (#9793671) Homepage Journal
    Heres 10 off the top of my head...

    1) who pays for bounce messages ?
    2) who pays for badnwidth needed for billions of bond requests?
    3) adds a number of new points of faliure to already flaky e-mail system
    4) relies on everyone knowing the 'reputation' of every possibility in the whole of the possible address-space
    5) bombarding everyone outside the scheme with bond request messages will make this the most hated thing since spam itself
    6) spammers will ddos the hell out of the infrastructure, giving it a reputation for flakyiness
    7) 'exposure is limited to the amount in your escrow account' ie it cuts you off from mail every now & then unless you top it up - people are going to LOVE having to do that
    8) Faked from fields
    9) Introduces ability to 'escrow-ddos' a company by signing up random valid names to lists who then collect on unwanted mail.
    10) 'reputation' system will quickly devolve into ebay feedback style AAAAAAAAAAA++++++++++++ garbage.

    I could go on for another page or two. Their 'Extended FAQ' says 'yes but we don't care' to half the above btw.
    • 1 No one pays for bounce mesgs - there's never a fee, just like today

      2: Spam is by far the largest user of band width in e-mail. I've seen estimates of up to 80% e-mail is spam, and 15% of TOTAL interent traffic is spam. It's basically a check that can be performed with very little data sent, on the probably the ISPs machine.

      3 This should make e-mail more trusted and less flakey.

      4: You already trust the people from work and your family/friends. Who else do you need to "trust" - if it's a real e-mail mesg

      • 1 No one pays for bounce mesgs - there's never a fee, just like today

        How do you decide what's a bounce and what's not? AFAIK, the only thing that identifies a bounce is a null sender (MAIL FROM: <>). Spammers would just need to use that to bypass the system...

        Good luck with that system, because it seems very complex, and ironing out all the details is going to take a very long time.

      • point by point on your replies....

        1. If bounces never incur a fee, then spammers will use that as a loophole, faking their target as the 'from', and mailing to a known bad address.

        2. The beneift of spam recuction only happens when the system is in place. The problem is durnig the (long) time it would take the whole world to adopt the new system.

        3. The new system fails if either the sender or recipient's escrow server is down or unreachable, or if any of the challenges and responses are lost. How can addi

      • 2: Spam is by far the largest user of band width in e-mail. I've seen estimates of up to 80% e-mail is spam, and 15% of TOTAL interent traffic is spam. It's basically a check that can be performed with very little data sent, on the probably the ISPs machine.


        There may be estimates that spam is as much as 15% of all traffic, but they aren't very good estimates.

        Spam is less than 1% of the total traffic on the internet.

        -- less is better.
      1. Who pays for bounces? - Who pays now? That's right, the receiving ISP. This changes nothing.
      2. Bandwidth? Right now, the recipient pays for bandwidth when they receive spam. As this system merely bounces a requests for warranties back and forth between servers, it uses less bandwidth than merely accepted all SPAM carte blanche and filtering on the recipient's server. This would reduce, not increase, the bandwidth used by spam - the recipient's server would simply not accept the spammer's email. Nor wou
  • ...but wouldn't similar results apply if both parties used digital signatures in their mail?

    How is this any different? Or am I missing something?
    • It is slightly different. With digital signatures, your public key has to be signed by a trusted third party. What a digitally signed message guarantees is that you know who a message is sent by. This prevents forged emails, but it doesn't prevent spam. After all, all spam has some form of contact information. It isn't very useful for someone to email you without a URL, phone number, etc. to try and buy whatever crap they are trying to sell.

      This system instead wants to prevent forging and spam by putting a
  • Does this mean we all need a credit card to sign up for gmail and other similar "free" email accounts?
  • This is an interesting theoretical design. I don't see why to put it into practice, though. "Hash Cash" accomplishes the same thing without using real money, and real money is dangerous because it's a lot more desirable than CPU time (what about iloveyou.vbs sending out high-bond e-mails to a special collection account? This is not a feature we can trust the average user to have enabled.) It also requires much more sophisticated machinery in place, like certificate authorities. (Of course, if we wanted to,
    • You could use a BOINC-based approach. For every completed work unit, you get permission to send N mails. Every recipient organization could designate a number of eligible BOINC projects (SETI or whatever).

      This would be better than real money, which would segretate against poor countries without freely exchangeable valuta.


    • "Hash Cash" accomplishes the same thing without using real money...

      They are not the same.

      This is a "sender risks" system.

      Hash Cash is a "sender pays" system.

      The difference?
      With traditional hash cash the sender applies the hash-stamp to every email.
      I.e. they always "pay" for every email sent.
      (CAMRAM includes a "friends fly free" idea, but you still pay for every email sent to a stranger)

      With a "sender risks" system, you only pay if the receiver says you should pay.
      This can be done after they read t

  • It's another special case of the same general scheme which I call "tokens". Examples of token-based schemes include whitelists, challenge-response with automatic whitelists, digital signatures, micropayments: the common factor is that the recipient chooses a token that all mail they recieve needs to contain. The token can start out simple (just requiring a special word in the subject line works wonderfully right now) and can be made more complex and expensive as the spammers adapt to it.

    The mistake these people make is the same one most "perfect token based schemes" make: they assume that they have to start with the most complex and difficult token that they "know" spammers will never adapt to right from the first day. You don't. You can start out with a simple easily forgable token and worry about switching to one of the cryptographically secure or money-based tokens later... in my case my family has been using simple tokens for a couple of years now and a grand total of two spammers... 419-ers, as it turns out... have bothered to jump through even that simple a hoop.
  • by 6Yankee ( 597075 ) on Sunday July 25, 2004 @06:43AM (#9793719)

    If companies have to put up a bond for every outgoing email, and lose that bond when recipients don't want to read it, it might even cut down on the number of clueless twits who forward the same tired old jokes, etc., from their work account.

    When someone from IT appears at their desk with a log printout and a total cost, and demands repayment on the spot, the idiot user might get the message. First offence, maybe the money gets donated to the corporate charity; second offence, the user in question gets suspended by their underwear from a 40th-floor window and left to rot.

    On the other hand, if IT weren't smart enough to figure out who was doing it (or if the user were smart enough to foil them), what would stop some disgruntled employee sending thousands of stupid jokes just to cost the company money?

  • by davids-world.com ( 551216 ) on Sunday July 25, 2004 @06:44AM (#9793720) Homepage
    Several problems with this:

    - Banks will possibly want to make money with every transaction, not just with bonds that get collected, especially if you take into account that bonds will rarely be collected. That means that banks will make a sh*tload of money just in order to prevent criminal or annoying behavior of a few spammers.

    - It's not clear how the "challenge" step involving the whitelist is supposed to be implemented. Right now, we have mail servers receive mail and store it until the final recipient (client) polls it, e.g. via IMAP/POP3/Exchange. Would this mail server have to store the whitelist and bond info? Probably yes. Privacy issues?

    - How does it integrate with the current e-mail world? Not very well. Sure, you can still accept e-mails without a bond and rank them low (i.e. mark them as potential junk). But for quite a while, people will not be able to discard these e-mails automatically. Therefore, there will be no incentive for senders to move to the bond mechanism.

    - There are many parties involved: Right now, we're talking about sender-SMTPrelay-mailserver-client. In addition to these four parties we need two escrow agencies: one for the sender, one for the recipient. these will need to be organized, so they can talk to each other - which means there is some kind of additional club involved. (We can get rid of the SMTP relay entitiy mentioned above - this can be done by the client directly.)
    The problem is that with the new entities, things can go wrong. They can simply be down (keeping me from sending or receiving e-mail!). Or their security can be compromised.
    The bottomline is: this is too complicated.

    I wonder what is better about the bond scheme, compared to the challenge-response idea that circulated a while ago, where sending e-mail is simply computionally expensive enough (unless you're on the recipient's whitelist).

    • The problem is that with the new entities, things can go wrong. They can simply be down (keeping me from sending or receiving e-mail!). Or their security can be compromised. The bottomline is: this is too complicated.

      Or the escrow can become the new VeriSign, charging a truckload of money for a service that costs nothing to provide.

      /greger

  • devil's advocate (Score:3, Insightful)

    by selderrr ( 523988 ) on Sunday July 25, 2004 @07:03AM (#9793762) Journal
    I'm gonna say something very ugly here : i find spam not to be a really serious problem. I get approx 50 spams per day, and 45 of these go straight to my MacOSX Junk folder. I hardly notice them at all. At the end of the day I quickly glance trough the folder. Never found a false positive in 1,5 years. The 5 spams that do wind up in my inbox are no problem either, since all known correspondents in my addressbook have their own sub-box. So only new peeps end up in my inbox, which is quick to scan.

    I sure as hell ain't gonna pay for something that I don't need.
    • Not ugly, just misinformed.

      First of all, some of use get thousands of spams a day. Our domains get millions of them, sometimes tens of millions of them a week.

      Your OSX filter seems to fix the problem for you, but it does not fix the problem that we are paying for the traffic of these millions of mails.

      Slowing this down has the effect of making it possible for the Internet to become cheaper and faster. (No guarantee it will, of course.)

      In addition, we're paying the upstream costs for everyone to deal w
      • okay, sorry for my singlesided point of view. I forgot that the backboners get hit harder by spam than end users.

        But my point stays : many users don't percieve spam as a big issue, and therefore will not move to this system. Additionally, youth has never lived without spam, and consider it a normality
    • I get approx 50 spams per day

      I block entire countries, I use multiple DNS-based blacklists, I have an adaptive filter that temporarily blocks mail servers that attempt to send mail to non-existent accounts, and I have several hundred lines of partially-programatically generated filter rules after that.

      I'm also using the Mail.app bayes-style filter.

      I still get more than 50 spams a day through all of that.
  • by nusratt ( 751548 ) on Sunday July 25, 2004 @07:18AM (#9793796) Journal
    even if one assumes that all the prior "there's a hole" posts are wrong . . .

    Reason #3: SPF. I didn't even need to read beyond the ABM FAQ's TOC. Just look at the length of the TOC itself. Although there's a TOC item "Will the ABM be complicated to use?", the answer is obvious without reading it. Now contrast this with SPF: how long does it take you to understand SPF, or to explain its BASIC CONCEPTS to someone else?

    Reason #2: ABM doesn't itself kill anonymity, but it makes it easier for government to do so. As one poster has already said:
    "There isn't a central database from which funds are collected that has everyone's name and bank information. The only requirement is that you have funds available to back up your email, and like it says, this can be accomplished by paying in person with cash for an anonymous e-mail account."

    It's a bitter lesson of the past three years -- or it should be, if you haven't already realized it -- that there are few limits to the extent to which government will regulate (read "criminalize") financial transactions in order to control individuals, in the guise of "fighting terrorism".
    If you don't believe this, then go to the service desk in any large grocery chain where they sell money orders, and look on the wall for the sign which describes the maximum anonymous cash transaction which can be performed without triggering a report to the government. (I'll provide additional detail and examples if anyone chooses to dispute this.)

    Implement ABM, and just how long do you think it will take for some publicity-hungry politicians to propose that all ABM payments require identification?

    Reason #1: The ITU supports it. I have no problem with organizations like IETF. But in view of recent trends of trans-national political authorities (like the EU) taking action contrary to human rights, I'm immediately suspicious of a proposal supported by an organ of the UN ("tin-foil-hat" insults notwithstanding).
    • On your reason #1: there is no claim that the ITU supports the scheme.

      The submitter (also the author of the protocol, as he makes clear) notes only that it was 'presented' at the ITU. That's got nothing to do with being supported by it (save that they generally request presentations on things they support. They also get a lot of presentations on research they don't support).

      In fact, the inclusion of then names FTC, ACM, NBER and ITU in the summary is, in point of fact, nearly meaningless. All it claim
    • how long does it take you to understand SPF, or to explain its BASIC CONCEPTS to someone else?

      "If this is spam, you get $0.50."

      I don't think ABM is hard to explain at all.

      I do think it's harder to articulate the anti-spam benefits of SPF, since SPF doesn't stop spam, it just enables better blacklisting, and blacklists are a much more unwieldly and blunt tool than whitelists. (If someone hacks your server and spams with it, for example, it can be notoriously difficult to get yourself off a blacklist even
  • by cpghost ( 719344 ) on Sunday July 25, 2004 @07:30AM (#9793832) Homepage

    Not everyone in the world does have access to universal currency. In some countries, you need special permission by the government to buy exchangeable currencies (like, say, USD or EUR). They even put a stamp in your passport if you did, so you don't buy too much! Oh, and btw., most spam doesn't come from there, but from countries with free valuta.

    Would you really want to erect yet another economic wall between "us" and "them"?

  • Too complicated, will never work. Besides - it's being considered by governments which means it's obviously never going to work as lets face it, with regard to IT, governments don't have a clue as they are fed constant lies from people who stand to make a lot of taxpayer money.
  • Privacy concern (Score:3, Insightful)

    by RhettLivingston ( 544140 ) on Sunday July 25, 2004 @07:47AM (#9793880) Journal
    I have no intention of giving my white list over to an ISP. Yes, I know they could determine who I receive email from by monitoring logs, but it just bothers me to go the extra step of doing the work for them. Step 2 is the government requiring all ISPs to have an interface that allows them to read all white lists. Mining of such a complete social map could crack through a lot of privacy.
  • Systems like this will never catch on with common consumers, they're simply too complicated.

    The simplest and most effective solution would be to have a mail server authority, much like the DNS authority is run, and then have everyone register their servers. If the server is abused, they're investigated/deleted from the registry. Users configure their mail clients not to receive mail from unregistered servers, and voila, no more spam.

    It won't catch on overnight, but it will be necessary. Such a service mi
  • This is crazy. Where there is EFT involved with fraud, there is going to be:

    • skimming (viruses/malicious ppl)
    • taxing (governments)
    • hacking
    • money laundering
    • Cayman Island bank accounts

    Then, we're going to have to set up rules for EFT regarding which banks are "good" banks in "good" countries... and which banks are "bad" in "bad" countries. And, of course, the "rogue" nations will provide EFT accounts to spammers for the appropriate amount of cash.

    Spammers will thus get into the game of money launderi

  • by richard_willey ( 79077 ) <richard_willey AT hotmail DOT com> on Sunday July 25, 2004 @09:29AM (#9794242)
    >Next step (barring gaping holes) is to get a
    >standards effort going - and most of the needed
    >standards already exist

    You do, of course, realize that IBM has already patented this same idea.
    They define this as an interrupt cost, but the basic principles are pretty much identical...

    Check out http://www.findarticles.com/p/articles/mi_m0ISJ/is _4_41/ai_94668338
  • This is another attempt to sell micropayments.
    It has the same problem as the previous: the cost of deciding if you want to pay.
    Also, if you mail someone and then get a reply that says "You have mailed who has decided he requires you to post a bond of 2 cents for him to pay attention to your mail. Please use one of the bond posting services listed at ." you are likely to decide it is not worth bothering.
  • by Anonymous Coward on Sunday July 25, 2004 @12:09PM (#9795058)

    Sure, there are things wrong with this scheme, but the problems aren't the ones most of you are talking about. Here are some I posted on my Web log [sooke.bc.ca]:

    #1: It creates a great opportunity for traffic analysis by the government, marketers, etc., because the escrow agents can collect data on who's emailing whom. The recipient gets to choose their escrow agent, so an individual participant doesn't have the option of only dealing with reputable or privacy-respecting escrow agents.

    #2: It creates a money trail alongside the email trail, making anonymity almost impossible (especially because the recipient can choose the escrow agent, see above). This issue actually could be turned to an advantage because remailers could use the bond system to collect "postage", clear postage between themselves while obfuscating the money trail, and reduce their own spam problem into the bargain, but it'll be a big headache for them, and the anonymity of the remailers to the escrow agencies is hard to maintain.

    #3: Trolling can become financially profitable. The business plan goes something like this: 1. Post something to Slashdot or Usenet that lots of people will want to respond to by email. 2. Collect a small enough bond from each responder that they'll be willing to pay it. 3. Profit! One could argue that that's an acceptable business (because you're only collecting money from the people who decide they're willing to give it to you) but I'd argue that it's a bad thing to encourage this business, because it also imposes on many people who do not want to respond to you, and damages the infrastructure for everyone. It's like saying "Selling SUVs is morally okay because I'm only selling them to people who are willing to accept the environmental impact" - hello, it's not just your customers who bear the brunt of the environmental impact!

    #4: Participants who are poor, or penniless, just can't have email anymore. That includes children, the homeless, and many people in developing countries. Moreover, even among people with nonzero disposable income, it stratifies email along economic lines: I will demand attention bonds roughly proportional to my income (because otherwise they won't have the intended effect of compensating me for time lost) and then someone with less income than me has to make a disproportionate sacrifice to talk to me, and someone with more income than me can spam me with no hardship. I have received legitimate, important email from a scholarship student in Uganda, and in an official capacity from the legal department of a multi-billion-dollar US corporation; the value of a dollar to those two parties is totally different. Note that it's not good enough to say "Oh, we just won't collect the bond from people who are poor" because they still have to have the money in order to promise it in the first place. Children have no money, not just a small amount - especially if, as would necessarily be the case, enforcement of the bonds is tied to legally binding contracts in jurisdictions where children's right to make commitments is not recognized, so the children wouldn't even be allowed to spend money this way if they got some.

    #5: If only applied to email, it'll encourage spammers to move to other media - Usenet, Web BBSes, and referrer logs, for instance. Attention bonds can't be easily applied to some of these.

    #6: If you offer to sell your time to all comers for $0.50, then you have to actually do that, and at least glance at all the messages sent to you by people who are willing to put up the $0.50. If it were actually the case that there were lots of evil perverts out there sending pornography more or less at random to innocent children out of sheer perversity (I don't believe that, but many people do), then this kind of arrangement would make it harder to block them. Even under a more realistic threat model for pornography in particular (people only sell that stuff to make money, and so will only send it to you if they think

  • Virus? (Score:2, Insightful)

    1. Write a worm-type virus.

    2. Computers infected with the worm spam random addresses.

    3. Sit back and enjoy the chaos.

    Or, even better: If authentication is weak, then have the worm email you and collect the bonds.

    I read the article and they basically say that this is possible. Their defense is that you can only lose at most the (small) amount that you keep in your ABM account. However, when your account is depleted what happens next? You can't send email anymore? How do you get your money back? Some

  • There's a community of people who think markets can solve any problem. It's sort of a libertarian/extropian axis. They keep trying to hang micropayment schemes on everything. Nobody is interested.

    The first generation of these schemes included DigiCash, CyberCash, and CyberCoin. Remember?

  • by gerardrj ( 207690 ) on Sunday July 25, 2004 @02:38PM (#9795822) Journal
    SPAM is a social problem. You can't use market, technical or legislative processes to solve a social problem. Attempts to do so lead to more problems and don't solve the original problem ie: crime, poverty, drugs, all are social problems and none have ben eliminated by any of the above means despite decades of trying.

    You need a social solution to the social problem of email spam, though some may call this a technical solution.

    numerous aliases, one account.

    You have one base email account the address/name of which you never reveal to anyone. No, not even people you trust. Too many worms harvest addresses from messages stored on infected systems.

    You then have a web and/or email interface to the mail server with which you can create email addresses on the fly which all dump their mail in the one mail account. These are not "temporary" or "one-time-use" accounts, they are however mutable at will.

    You make up an alias for your close family to use, one for your friends, one for each major company you receive email from, one for mailing lists, etc. Despite having many email addresses, all of your mail is delivered in to one mailbox and only one account needs to be checked for mail.

    If you should ever start receiving spam on a particular alias, you simply change it alerting the one or few entities that use that address. The remainder of your addresses remain unaffected.

    It's also really fun to tell the phone company that your email address is mci@my-domain.com. The look on the librarian's face was priceless when I told her my email address was library@emiaildomain.com.

    Does this require work on the part of the email user? Yes. One time for initial setup of the account(s), and then again if spam is received on an address.

    The up-side... you only receive spam once on an address, then you change the address. Spam is then stopped before the message is sent from the remote server. Anyone with their own mail server, or an ISP who supports this can start using it right now, it doesn't require any new protocols or changing of any existing ones. It doesn't place any additional burden on the network, and in fact alleviates server loads because sending back a "550 user unknown" after the "rcpt to:" takes up a lot less resources than receiving the entire message and then trying to filter it based on content.

    Is it a a perfect solution? No.
    What are the flaws:
    1. Setting up, remembering and maintaining the list of aliases. This is a problem with laziness of users, not with the idea itself. In the end it will require no more work than installing and training a learning filter.

    2. Setting up your mail client to operate with multiple outgoing addresses and only one incoming address. Some mail clients (OS X Mail.app for one) require incoming mail server info for an account (even if it will never receive mail) and require that there be a unique server/username combo for each "account". But there are workarounds.

    3. Still susceptible to brute force guessing of the main account or the aliases (which requires changing one or both). Most mail servers today have hardening against brute force attacks though. Even if your mail email address (the one you never give out) is guessed, you can have it changed and all of the aliases re-directed to the new address without having to tell anyone about it. All the aliases stay intact.

If you steal from one author it's plagiarism; if you steal from many it's research. -- Wilson Mizner

Working...