Attention Bonds Gain Momentum
Thede writes "Hi all - the ABM, a proposed solution to spam first posted to /. back in February, is gaining some momentum and refinement. It has been presented at the Federal Trade Commission, the ACM, the National Bureau of Economic Research (NBER), and at the ITU in Geneva earlier this month. The original post referenced an academic article that is not so accessible. We now have a short FAQ and a very detailed Q and A that covers a lot of the issues raised over the last five months. Next step (barring gaping holes) is to get a standards effort going - and most of the needed standards already exist."
If they can authenticate the sender .... (Score:5, Interesting)
Counterfeit Escrows? (Score:2, Interesting)
Re:Counterfeit Escrows? (Score:2)
So either I'm bouncing your unknown signature or my bond company is reasonably confident that they can sue your bogus bond company. It's generally invisibly handled as far as the end user goes.
they think they can make money... (Score:2)
simply put they want to make a profit
FAIL - you have to get consumers to sign up to a service that their friends do not use
(transition will just be a nightmare )
sorry but why not provide companies with something they want...
like emails that are encrypted
(and maybe for bonus points self destruct)
companies don't like their communications flying around for all to see
companies don't like the idea that those msgs could go to court
in the end it comes down to what you can sell !
regards
John Jones
Re:they think they can make money... (Score:2)
http://www.hushmail.com/ already provides this.
Re:they think they can make money... (Score:2)
FAIL - you have to get consumers to sign up to a service that their friends do not use
They only make a profit by taking a cut when I seize a bond. You know what? I don't mind them skimming a percentage when THEY ARE GIVING ME MONEY.
Now I admit when I sign up with an ISP I'm going to have to deposit a little money in order to be able to send email to strangers. But you know what? A dollar or two deposit is plenty to cover normal usage, probably eaten by my ISP itself a
Re:If they can authenticate the sender .... (Score:3, Interesting)
There are also about 10,000 other privacy concerns. With your idea, you might as well use your social security number as your global user name...and your mom's maiden name as your password. That way, when you piss off someone, it's easy for them to find you.
Re:If they can authenticate the sender .... (Score:2)
Re:If they can authenticate the sender .... (Score:2)
Re:If they can authenticate the sender .... (Score:3, Insightful)
Possible solution (Score:2)
How about this: a legitimate email list would have its own bond, which is a bit larger than normal email bonds. To sign up, you have to send an email to the list subscription address, and when you do, your bond is collected (which you are warned of in advance), even though you are whitelisted.
When the mailing list then sends you messages, if you ever confiscate the mailing list'
Re:Possible solution (Score:2)
Again, this pre-assumes strong authentication of senders. If we had that, we wouldn't need bond money. The only reason for all the complicated maillist signup procedures now is to verify that the sender address really did send the request. Eliminate forgery and the problem goes away.
Re:If they can authenticate the sender .... (Score:2)
If you want mail from strangers then set the bond to zero or near zero.
Also realize that if the sender is a stranger then by definition THEY are sending mail TO a stranger. I dunno about you, but I generally don't type up and send random mail to strangers unless prompted by some non-trivial motivation. If I have enough motivation to type up a mail to a stranger I'm also motivated enough to risk a 5 or 10
Re:The solution to the HORRORS of the mailing list (Score:2)
Yeah right. The great majority of email users don't even know what a whitelist is, much less how to use one.
And even if everyone did suddenly learn to whitelist, how many weeks do you think it would take before spammers make maps of the trust networks (starting with the tens of thousands of trojaned PCs they 0WNZ0R) and spoof accordingly?
I wish the ABM guys the best of luck, but personally I don't think their idea will ever be implemented on a wide scale.
Re:What about hijacked Windows boxes? (Score:2)
Joe Sixpack should never have to put more than 10 cents in his account, because presumably he's e-mailing people who don't mind getting his e-mails, and they won't even take the 10 cents. If he loses his 10 cents because his Windows machine gets owned, that's a negligible amount of money, and now he's got the valuable information that his machine is infected. (If I was him, I'd rather find out about the problem
Re:What about hijacked Windows boxes? (Score:2)
If someone breaks into my house and steals nothing but a 10-cent postage stamp, my reaction isn't, "Damn, I wish that would stop happening. Those postage stamps cost money!"
As long as the system is not universal (in a domain range?), [...]
It's designed as an opt-in system. If you don't want to use it, you either don't install the software, or, if the software is run by your ISP, you set your bond amount to zero. It doesn't need to be
First Posted to /.? (Score:2, Funny)
A spam solution that attempts first posts on Slashdot? I think it failed it.
Re:First Posted to /.? (Score:2)
Won't work, again (Score:4, Insightful)
Bug summary:
- too many people will keep the money regardless
- the services of escrow agents are not freebies
- nobody will bother to use it when regular email is cheaper, already deployed, and infinitely less fuss
Re:Won't work, again (Score:2)
And if you factor in the bond when deciding whether an email is spam then you're more likely to read it.
I'm not convinced, largely because I want to see what the email situation is like once SPF comes into force. But I don't think it's easily dismissible.
Re:Won't work, again (Score:2)
A probably better solution IMHO would be:
ISPs block their users' SMTP port (so you can't run your own mail server) unless you pay a small extra monthly subscription fee for an extra service. Most people do not want to run their own e-mail server anyway. Then ISPs add virus and spam blocking on their own source SMTP server.
This is sort of like the snail mail company x-raying mail for bombs and irradiating it
Why design it like that? (Score:2)
No need to pay anyone back. If you want to send me email, and you're not on my list, send me 15 cents with your email. For normal people, that's too cheap and too easy. For a spammer, that suddenly makes their 2 million email address spam run cost 300,000$ if they actually want people to see it.
I'd try it. (Score:2)
Here's my thoughts on your bug summary.
1. Too many people will keep the money regardless. The only time a bond is posted is when you get an e-mail from someone you don't know or don't like. If an old, forgotten friend e-mails you, you'll refund their money; if a marketer e-mails you, you'll keep it. What's the problem here again?
2. The services of escrow agents are not freebies. Preventing spam isn't free either, and major ISPs and businesses already spend millions of dollars a year on it
For this to work... (Score:2, Funny)
Re:For this to work... (Score:2)
Any Gaping Holes? (Score:2)
Just watch. There will be just one "gaping hole", and a snake will crawl out of it, and sue everyone for patent infringement.
Who does this really benefit? (Score:5, Insightful)
Second, who else will profit from this? The escrow companies. Do we really want bankers in charge of the email system? They will simply see this as an opportunity to print money. Before long, you won't be able to contact your mobile phone provider, electricity company etc. without posting a bond - and they will own the escrow companies, and you will be paying them an annual subscription to use their escrow account. It's as good a scam as having special rate phone lines, which means when you call them they get part of the cost of the call.
Third, increased email traffic around the system due to the challenge/response cycle will partly compensate for any reduction in spam.
The only way to fix spam is to make it unprofitable for the people who pay the spammers. Given that Joe Sixpack is the idiot who buys from spam and so makes the system possible, and that he will no more be able to set up an escrow account than he is able to understand to install Firefox to remove annoying popups, and Thunderbird for the junk mail filter, the system won't work - the majority of users will be unaffected, the ones who are affected are probably corporate users with spam blocking tools in place already.
This has already been thought out (Score:3, Informative)
2: Who e-mails porn sites? Most web-sites that charge for service like Transgaming, have you fill out a web form, which you then supply your e-mail address. People will wise up very soon (like one messg and 1 cent) and not e-mail dubious sites.
3: It's not designed to be a profit system, but your ISP could hold your money, say as a small deposit with your account.
4: From the concerns you raise, I'm
Re:This has already been thought out (Score:2)
You don't seem to understand that the criminals and fraudsters will put a great deal of effort into finding ways to profit from the system. The development of premium rate numbers is a good example. Who would have expected in the first place that $45/min lines would emerge, or that fraudsters would find ways to get PCs to dial them automatically? Or seen the conflict of interest of the telecoms companies (zero interest in stopping the fr
Re:This has already been thought out (Score:2)
People will wise up very soon
I have some counterevidence against this claim accumulated during the several past centuries.
FYI (Score:2)
That said, I don't like this ABM thing at all. Spammers will always find a way around restrictions.
Re:Who does this really benefit? (Score:2)
I can see sense in making it unprofitable to sell via spam but the minimal cost makes it worth their while. For example, the cost of acquiring a list of two million addresses is not that much more than acquiring fifty thousand.
If you cut the Joe Sixpacks from buying via spam from 5% to 1%, it's not difficult for a spammer to spam five times the number of people to maintain their sales level.
That said, a public education campaign wouldn't be a stupid idea and I don't think it would hurt. I get a lot of sp
poor name... (Score:2)
I can see the marketing tag line now... "To get rid of spam, take 'a B.M.' "
Re:poor name... (Score:2)
Acronym overload strikes again... I thought of ABM as in anti-ballistic missile - someone fires a missile at you, and you launch another missile that intercepts it and blows it up before it can hit its target. A nice metaphor, but it's not how this system is supposed to work at all. Spam isn't like one big missile. It's millions of little ones. What would you do if someone was doing that to you in real life? Try to swat the missiles out of the sky? No, you'd find the launch sites and nuke them.
Re:poor name... (Score:2)
This actually got off the drawing board? (Score:3)
From the FAQ:
Q: What prevents the recipient from claiming the bond, regardless of the message value?
A: Nothing, other than perhaps etiquette and good judgment, prevents claiming a bond.
<sarcasm>Yeah, etiquette and good judgment worked so well with the old e-mail system.</sarcasm>
They propose an automatic bond posting system where for example if the bond is less than $0.50 (by the way what happens if I don't use dollars, who determines the rate of exchange?) the bond is automatically posted. So:
1. Set bond to $ 0.01 to ensure automatic bond posting.
2. Subscribe to 10,000 different mailing lists.
3. Profit!
Re:This actually got off the drawing board? (Score:3, Insightful)
I'm not an expert, but this could be prevented by having the mailing list program refuse to post a bond. The effect of this would be that only someone who has the mailer in
Re:This actually got off the drawing board? (Score:2)
I'm not an expert, but this could be prevented by having the mailing list program refuse to post a bond.
Of course, but the end result will be that almost no one is willing to post a bond of any kind. Since sending e-mail to someone is not a service that most people are willing to spend a dime or even the effort of acknowledging a challenge-response to post a bond, either the bond system will fall out of use or people will resort to only accepting mail from whitelisted senders.
I doubt the latter will ev
Re:This actually got off the drawing board? (Score:2)
Why not? I would post a bond of £0.05 to email a friend, any time. The chances are, she will email me back and we'll be all square. Afterwards, I get added to her whitelist and we're fine. What's the problem?
The question is, would a commercial company spend £0.05 to send me an unsolicited email? I don't know about you, but I rather like that question.
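The auto-posting scenario argued over in this subthread, as an added Python model (not code from the ABM authors or from any poster): a list that auto-posts small bonds to subscribers who always claim, the same list refusing to post bonds, and the friend case where the bond is released. The class names, addresses, the 20.00 escrow balance and the outcome labels are assumptions made for the illustration; amounts are unitless decimals.

```python
from collections import Counter
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class Sender:
    name: str
    escrow: Decimal              # prepaid balance at the sender's escrow agent
    auto_post_limit: Decimal     # bonds up to this amount are posted without asking
    posts_bonds: bool = True     # False models a list server that never posts a bond


@dataclass
class Recipient:
    name: str
    bond: Decimal                # bond demanded from senders not on the whitelist
    claims: bool                 # whether this recipient keeps the bond
    whitelist: set = field(default_factory=set)


def send(sender: Sender, rcpt: Recipient) -> str:
    """Deliver one message and return what happened to it and to the bond."""
    if sender.name in rcpt.whitelist or rcpt.bond == 0:
        return "delivered"                  # known sender, or bond set to zero
    if not sender.posts_bonds or rcpt.bond > sender.auto_post_limit:
        return "bond-refused"               # challenge unanswered, mail goes unread
    if sender.escrow < rcpt.bond:
        return "escrow-empty"               # exposure is capped by the balance
    sender.escrow -= rcpt.bond              # escrow agent holds the bond
    if rcpt.claims:
        return "seized"                     # recipient keeps it
    sender.escrow += rcpt.bond              # bond released back to the sender
    rcpt.whitelist.add(sender.name)
    return "refunded"


def list_run(posts_bonds: bool, subscribers: int = 10_000):
    """One posting to subscribers who all demand 0.01 and all claim it (constructed)."""
    start = Decimal("20.00")
    lst = Sender("list@example.org", start, Decimal("0.50"), posts_bonds)
    outcomes = Counter(
        send(lst, Recipient(f"sub{i}@example.net", Decimal("0.01"), claims=True))
        for i in range(subscribers)
    )
    return start - lst.escrow, dict(outcomes)   # (money lost, outcome counts)


def friend_run():
    """A stranger posts a 0.05 bond once, gets it back, and is whitelisted after."""
    me = Sender("me@example.org", Decimal("1.00"), Decimal("0.50"))
    friend = Recipient("friend@example.net", Decimal("0.05"), claims=False)
    return [send(me, friend), send(me, friend)], me.escrow


if __name__ == "__main__":
    print("auto-posting list:", list_run(posts_bonds=True))
    print("list refusing bonds:", list_run(posts_bonds=False))
    print("friend:", friend_run())
```

In this model the auto-posting list loses its whole balance and then cannot reach the remaining subscribers, while the list that refuses bonds loses nothing but reaches only recipients who whitelist it or set their bond to zero.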
Just use pay-per-email (Score:2)
For example, I can easily imagine major CEOs having publicly accessible emails with a $1000 reading charge. Those who ought to contact them, or who really care to be heard, could afford to pay.
No (Score:2)
Let's look at the checklist! (Score:5, Insightful)
Your post advocates a
( ) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
More holes than a Swiss cheese (Score:4, Insightful)
1) who pays for bounce messages?
2) who pays for bandwidth needed for billions of bond requests?
3) adds a number of new points of failure to already flaky e-mail system
4) relies on everyone knowing the 'reputation' of every possibility in the whole of the possible address-space
5) bombarding everyone outside the scheme with bond request messages will make this the most hated thing since spam itself
6) spammers will ddos the hell out of the infrastructure, giving it a reputation for flakiness
7) 'exposure is limited to the amount in your escrow account' ie it cuts you off from mail every now & then unless you top it up - people are going to LOVE having to do that
8) Faked from fields
9) Introduces ability to 'escrow-ddos' a company by signing up random valid names to lists who then collect on unwanted mail.
10) 'reputation' system will quickly devolve into ebay feedback style AAAAAAAAAAA++++++++++++ garbage.
I could go on for another page or two. Their 'Extended FAQ' says 'yes but we don't care' to half the above btw.
NOT more holes than Swiss cheese (Score:2)
2: Spam is by far the largest user of band width in e-mail. I've seen estimates of up to 80% e-mail is spam, and 15% of TOTAL Internet traffic is spam. It's basically a check that can be performed with very little data sent, on probably the ISP's machine.
3 This should make e-mail more trusted and less flakey.
4: You already trust the people from work and your family/friends. Who else do you need to "trust" - if it's a real e-mail mesg
Re:NOT more holes than Swiss cheese (Score:2)
1 No one pays for bounce mesgs - there's never a fee, just like today
How do you decide what's a bounce and what's not? AFAIK, the only thing that identifies a bounce is a null sender (MAIL FROM: <>). Spammers would just need to use that to bypass the system...
Good luck with that system, because it seems very complex, and ironing out all the details is going to take a very long time.
YES more holes than Swiss cheese (Score:2)
1. If bounces never incur a fee, then spammers will use that as a loophole, faking their target as the 'from', and mailing to a known bad address.
2. The benefit of spam reduction only happens when the system is in place. The problem is during the (long) time it would take the whole world to adopt the new system.
3. The new system fails if either the sender or recipient's escrow server is down or unreachable, or if any of the challenges and responses are lost. How can addi
Re:NOT more holes than Swiss cheese (Score:2)
There may be estimates that spam is as much as 15% of all traffic, but they aren't very good estimates.
Spam is less than 1% of the total traffic on the internet.
-- less is better.
Point by Point: (Score:2)
Correct me if I'm wrong... (Score:2)
How is this any different? Or am I missing something?
Re:Correct me if I'm wrong... (Score:2)
This system instead wants to prevent forging and spam by putting a
Re:Correct me if I'm wrong... (Score:2)
Re:Correct me if I'm wrong... (Score:2)
no more free email accounts (Score:2, Interesting)
There are easier ways to ''pay'' for e-mail (Score:2)
Re:There are easier ways to ''pay'' for e-mail (Score:2)
You could use a BOINC-based approach. For every completed work unit, you get permission to send N mails. Every recipient organization could designate a number of eligible BOINC projects (SETI or whatever).
This would be better than real money, which would segregate against poor countries without freely exchangeable valuta.
Re:There are easier ways to ''pay'' for e-mail (Score:2)
They are not the same.
This is a "sender risks" system.
Hash Cash is a "sender pays" system.
The difference?
With traditional hash cash the sender applies the hash-stamp to every email.
I.e. they always "pay" for every email sent.
(CAMRAM includes a "friends fly free" idea, but you still pay for every email sent to a stranger)
With a "sender risks" system, you only pay if the receiver says you should pay.
This can be done after they read t
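The "sender pays" half of the comparison above, as an added Python sketch (not the reference hashcash tool and not code from any poster): a simplified hashcash-style stamp is minted per recipient and checked with a single hash, so the work is spent on every message whether or not the recipient minds it. The stamp layout follows the hashcash version 1 field order but uses a hex counter; the date, salt, addresses and status labels are constructed for the illustration.

```python
import hashlib
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(resource: str, bits: int, date: str = "040801", salt: str = "c0ffee"):
    """Search for a counter giving `bits` leading zero bits; return (stamp, attempts)."""
    prefix = f"1:{bits}:{date}:{resource}::{salt}:"   # ver:bits:date:resource:ext:rand:
    for counter in count():
        stamp = f"{prefix}{counter:x}"
        digest = hashlib.sha1(stamp.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1                  # attempts = hashes the sender paid


class StampChecker:
    """Recipient side: one hash per message, plus a replay table."""

    def __init__(self, my_address: str, min_bits: int):
        self.my_address = my_address
        self.min_bits = min_bits
        self.seen = set()

    def check(self, stamp: str) -> str:
        fields = stamp.split(":")
        if len(fields) != 7 or fields[0] != "1" or not fields[1].isdigit():
            return "malformed"
        if fields[3] != self.my_address:
            return "wrong-recipient"       # a stamp cannot be reused for another address
        claimed = int(fields[1])
        digest = hashlib.sha1(stamp.encode()).digest()
        if claimed < self.min_bits or leading_zero_bits(digest) < claimed:
            return "too-cheap"
        if stamp in self.seen:
            return "replayed"              # the same work cannot be spent twice
        self.seen.add(stamp)
        return "ok"


if __name__ == "__main__":
    checker = StampChecker("alice@example.net", min_bits=12)
    stamp, attempts = mint("alice@example.net", 12)
    print(stamp, "cost", attempts, "hashes ->", checker.check(stamp))
    print("second use ->", checker.check(stamp))
```

Under a "sender risks" bond the equivalent cost would be zero for every message the recipient accepts, which is the distinction the comment draws.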
It's just another special case of my scheme (Score:3, Interesting)
The mistake these people make is the same one most "perfect token based schemes" make: they assume that they have to start with the most complex and difficult token that they "know" spammers will never adapt to right from the first day. You don't. You can start out with a simple easily forgable token and worry about switching to one of the cryptographically secure or money-based tokens later... in my case my family has been using simple tokens for a couple of years now and a grand total of two spammers... 419-ers, as it turns out... have bothered to jump through even that simple a hoop.
Could it stop stupid forwards from work? (Score:3, Interesting)
If companies have to put up a bond for every outgoing email, and lose that bond when recipients don't want to read it, it might even cut down on the number of clueless twits who forward the same tired old jokes, etc., from their work account.
When someone from IT appears at their desk with a log printout and a total cost, and demands repayment on the spot, the idiot user might get the message. First offence, maybe the money gets donated to the corporate charity; second offence, the user in question gets suspended by their underwear from a 40th-floor window and left to rot.
On the other hand, if IT weren't smart enough to figure out who was doing it (or if the user were smart enough to foil them), what would stop some disgruntled employee sending thousands of stupid jokes just to cost the company money?
Too complex, too brittle, too expensive. Advantage? (Score:4, Insightful)
- Banks will possibly want to make money with every transaction, not just with bonds that get collected, especially if you take into account that bonds will rarely be collected. That means that banks will make a sh*tload of money just in order to prevent criminal or annoying behavior of a few spammers.
- It's not clear how the "challenge" step involving the whitelist is supposed to be implemented. Right now, we have mail servers receive mail and store it until the final recipient (client) polls it, e.g. via IMAP/POP3/Exchange. Would this mail server have to store the whitelist and bond info? Probably yes. Privacy issues?
- How does it integrate with the current e-mail world? Not very well. Sure, you can still accept e-mails without a bond and rank them low (i.e. mark them as potential junk). But for quite a while, people will not be able to discard these e-mails automatically. Therefore, there will be no incentive for senders to move to the bond mechanism.
- There are many parties involved: Right now, we're talking about sender-SMTPrelay-mailserver-client. In addition to these four parties we need two escrow agencies: one for the sender, one for the recipient. These will need to be organized, so they can talk to each other - which means there is some kind of additional club involved. (We can get rid of the SMTP relay entity mentioned above - this can be done by the client directly.)
The problem is that with the new entities, things can go wrong. They can simply be down (keeping me from sending or receiving e-mail!). Or their security can be compromised.
The bottom line is: this is too complicated.
I wonder what is better about the bond scheme, compared to the challenge-response idea that circulated a while ago, where sending e-mail is simply computationally expensive enough (unless you're on the recipient's whitelist).
Re:Too complex, too brittle, too expensive.Advanta (Score:2)
Or the escrow can become the new VeriSign, charging a truckload of money for a service that costs nothing to provide.
/greger
devil's advocate (Score:3, Insightful)
I sure as hell ain't gonna pay for something that I don't need.
Re:devil's advocate (Score:2)
First of all, some of us get thousands of spams a day. Our domains get millions of them, sometimes tens of millions of them a week.
Your OSX filter seems to fix the problem for you, but it does not fix the problem that we are paying for the traffic of these millions of mails.
Slowing this down has the effect of making it possible for the Internet to become cheaper and faster. (No guarantee it will, of course.)
In addition, we're paying the upstream costs for everyone to deal w
Re:devil's advocate (Score:2)
But my point stays: many users don't perceive spam as a big issue, and therefore will not move to this system. Additionally, youth has never lived without spam, and consider it a normality
Re:devil's advocate (Score:2)
I block entire countries, I use multiple DNS-based blacklists, I have an adaptive filter that temporarily blocks mail servers that attempt to send mail to non-existent accounts, and I have several hundred lines of partially-programmatically generated filter rules after that.
I'm also using the Mail.app bayes-style filter.
I still get more than 50 spams a day through all of that.
The three best reasons to reject this idea, (Score:3, Interesting)
Reason #3: SPF. I didn't even need to read beyond the ABM FAQ's TOC. Just look at the length of the TOC itself. Although there's a TOC item "Will the ABM be complicated to use?", the answer is obvious without reading it. Now contrast this with SPF: how long does it take you to understand SPF, or to explain its BASIC CONCEPTS to someone else?
Reason #2: ABM doesn't itself kill anonymity, but it makes it easier for government to do so. As one poster has already said:
"There isn't a central database from which funds are collected that has everyone's name and bank information. The only requirement is that you have funds available to back up your email, and like it says, this can be accomplished by paying in person with cash for an anonymous e-mail account."
It's a bitter lesson of the past three years -- or it should be, if you haven't already realized it -- that there are few limits to the extent to which government will regulate (read "criminalize") financial transactions in order to control individuals, in the guise of "fighting terrorism".
If you don't believe this, then go to the service desk in any large grocery chain where they sell money orders, and look on the wall for the sign which describes the maximum anonymous cash transaction which can be performed without triggering a report to the government. (I'll provide additional detail and examples if anyone chooses to dispute this.)
Implement ABM, and just how long do you think it will take for some publicity-hungry politicians to propose that all ABM payments require identification?
Reason #1: The ITU supports it. I have no problem with organizations like IETF. But in view of recent trends of trans-national political authorities (like the EU) taking action contrary to human rights, I'm immediately suspicious of a proposal supported by an organ of the UN ("tin-foil-hat" insults notwithstanding).
ITU does not support it, necessarily (Score:2)
The submitter (also the author of the protocol, as he makes clear) notes only that it was 'presented' at the ITU. That's got nothing to do with being supported by it (save that they generally request presentations on things they support. They also get a lot of presentations on research they don't support).
In fact, the inclusion of the names FTC, ACM, NBER and ITU in the summary is, in point of fact, nearly meaningless. All it claim
Re:ITU does not support it, necessarily (Score:2)
that's what i get for speed-reading.
but reason #2 is still a show-stopper.
ABM vs. SPF (Score:2)
"If this is spam, you get $0.50."
I don't think ABM is hard to explain at all.
I do think it's harder to articulate the anti-spam benefits of SPF, since SPF doesn't stop spam, it just enables better blacklisting, and blacklists are a much more unwieldy and blunt tool than whitelists. (If someone hacks your server and spams with it, for example, it can be notoriously difficult to get yourself off a blacklist even
Segregation of poor countries (Score:3, Insightful)
Not everyone in the world does have access to universal currency. In some countries, you need special permission by the government to buy exchangeable currencies (like, say, USD or EUR). They even put a stamp in your passport if you did, so you don't buy too much! Oh, and btw., most spam doesn't come from there, but from countries with free valuta.
Would you really want to erect yet another economic wall between "us" and "them"?
Re:Segregation of poor countries (Score:2)
The problem for those countries is that they don't have enough valuta for their population. Therefore, they strongly regulate what their citizens are allowed to do with their local money. Especially, they don't allow people to export a very scarce resource.
It's not that the people there were all poor (.50 USD is not that much for them either), it's that they don't have access to international money. I know it's a pain in the neck to live there.
Will never work. (Score:2)
Privacy concern (Score:3, Insightful)
Cute, but... (Score:2)
The simplest and most effective solution would be to have a mail server authority, much like the DNS authority is run, and then have everyone register their servers. If the server is abused, they're investigated/deleted from the registry. Users configure their mail clients not to receive mail from unregistered servers, and voila, no more spam.
It won't catch on overnight, but it will be necessary. Such a service mi
Mixing EFT and Fraudulent E-mail? This is insane! (Score:2)
This is crazy. Where there is EFT involved with fraud, there is going to be:
Then, we're going to have to set up rules for EFT regarding which banks are "good" banks in "good" countries... and which banks are "bad" in "bad" countries. And, of course, the "rogue" nations will provide EFT accounts to spammers for the appropriate amount of cash.
Spammers will thus get into the game of money launderi
IBM, Patents, all that rot... (Score:3, Informative)
>standards effort going - and most of the needed
>standards already exist
You do, of course, realize that IBM has already patented this same idea.
They define this as an interrupt cost, but the basic principles are pretty much identical...
Check out http://www.findarticles.com/p/articles/mi_m0ISJ/i
Just another Micropayment Scheme (Score:2, Insightful)
It has the same problem as the previous: the cost of deciding if you want to pay.
Also, if you mail someone and then get a reply that says "You have mailed who has decided he requires you to post a bond of 2 cents for him to pay attention to your mail. Please use one of the bond posting services listed at
Re:Just another Micropayment Scheme (Score:2)
Also, you are unlikely to get a reply stating that you need to pay a bond because the amount would already have been specified (for example in the address of the person you are emailing).
Missing the real problems (Score:3, Insightful)
Sure, there are things wrong with this scheme, but the problems aren't the ones most of you are talking about. Here are some I posted on my Web log [sooke.bc.ca]:
#1: It creates a great opportunity for traffic analysis by the government, marketers, etc., because the escrow agents can collect data on who's emailing whom. The recipient gets to choose their escrow agent, so an individual participant doesn't have the option of only dealing with reputable or privacy-respecting escrow agents.
#2: It creates a money trail alongside the email trail, making anonymity almost impossible (especially because the recipient can choose the escrow agent, see above). This issue actually could be turned to an advantage because remailers could use the bond system to collect "postage", clear postage between themselves while obfuscating the money trail, and reduce their own spam problem into the bargain, but it'll be a big headache for them, and the anonymity of the remailers to the escrow agencies is hard to maintain.
#3: Trolling can become financially profitable. The business plan goes something like this: 1. Post something to Slashdot or Usenet that lots of people will want to respond to by email. 2. Collect a small enough bond from each responder that they'll be willing to pay it. 3. Profit! One could argue that that's an acceptable business (because you're only collecting money from the people who decide they're willing to give it to you) but I'd argue that it's a bad thing to encourage this business, because it also imposes on many people who do not want to respond to you, and damages the infrastructure for everyone. It's like saying "Selling SUVs is morally okay because I'm only selling them to people who are willing to accept the environmental impact" - hello, it's not just your customers who bear the brunt of the environmental impact!
#4: Participants who are poor, or penniless, just can't have email anymore. That includes children, the homeless, and many people in developing countries. Moreover, even among people with nonzero disposable income, it stratifies email along economic lines: I will demand attention bonds roughly proportional to my income (because otherwise they won't have the intended effect of compensating me for time lost) and then someone with less income than me has to make a disproportionate sacrifice to talk to me, and someone with more income than me can spam me with no hardship. I have received legitimate, important email from a scholarship student in Uganda, and in an official capacity from the legal department of a multi-billion-dollar US corporation; the value of a dollar to those two parties is totally different. Note that it's not good enough to say "Oh, we just won't collect the bond from people who are poor" because they still have to have the money in order to promise it in the first place. Children have no money, not just a small amount - especially if, as would necessarily be the case, enforcement of the bonds is tied to legally binding contracts in jurisdictions where children's right to make commitments is not recognized, so the children wouldn't even be allowed to spend money this way if they got some.
#5: If only applied to email, it'll encourage spammers to move to other media - Usenet, Web BBSes, and referrer logs, for instance. Attention bonds can't be easily applied to some of these.
#6: If you offer to sell your time to all comers for $0.50, then you have to actually do that, and at least glance at all the messages sent to you by people who are willing to put up the $0.50. If it were actually the case that there were lots of evil perverts out there sending pornography more or less at random to innocent children out of sheer perversity (I don't believe that, but many people do), then this kind of arrangement would make it harder to block them. Even under a more realistic threat model for pornography in particular (people only sell that stuff to make money, and so will only send it to you if they think
Virus? (Score:2, Insightful)
2. Computers infected with the worm spam random addresses.
3. Sit back and enjoy the chaos.
Or, even better: If authentication is weak, then have the worm email you and collect the bonds.
I read the article and they basically say that this is possible. Their defense is that you can only lose at most the (small) amount that you keep in your ABM account. However, when your account is depleted what happens next? You can't send email anymore? How do you get your money back? Some
The "markets can do anything" people again (Score:2)
The first generation of these schemes included DigiCash, CyberCash, and CyberCoin. Remember?
Wrong type of solution (Score:3, Interesting)
You need a social solution to the social problem of email spam, though some may call this a technical solution.
numerous aliases, one account.
You have one base email account the address/name of which you never reveal to anyone. No, not even people you trust. Too many worms harvest addresses from messages stored on infected systems.
You then have a web and/or email interface to the mail server with which you can create email addresses on the fly which all dump their mail in the one mail account. These are not "temporary" or "one-time-use" accounts, they are however mutable at will.
You make up an alias for your close family to use, one for your friends, one for each major company you receive email from, one for mailing lists, etc. Despite having many email addresses, all of your mail is delivered into one mailbox and only one account needs to be checked for mail.
If you should ever start receiving spam on a particular alias, you simply change it alerting the one or few entities that use that address. The remainder of your addresses remain unaffected.
It's also really fun to tell the phone company that your email address is mci@my-domain.com. The look on the librarian's face was priceless when I told her my email address was library@emiaildomain.com.
Does this require work on the part of the email user? Yes. One time for initial setup of the account(s), and then again if spam is received on an address.
The up-side... you only receive spam once on an address, then you change the address. Spam is then stopped before the message is sent from the remote server. Anyone with their own mail server, or an ISP who supports this can start using it right now, it doesn't require any new protocols or changing of any existing ones. It doesn't place any additional burden on the network, and in fact alleviates server loads because sending back a "550 user unknown" after the "rcpt to:" takes up a lot less resources than receiving the entire message and then trying to filter it based on content.
Is it a perfect solution? No.
What are the flaws:
1. Setting up, remembering and maintaining the list of aliases. This is a problem with laziness of users, not with the idea itself. In the end it will require no more work than installing and training a learning filter.
2. Setting up your mail client to operate with multiple outgoing addresses and only one incoming address. Some mail clients (OS X Mail.app for one) require incoming mail server info for an account (even if it will never receive mail) and require that there be a unique server/username combo for each "account". But there are workarounds.
3. Still susceptible to brute force guessing of the main account or the aliases (which requires changing one or both). Most mail servers today have hardening against brute force attacks though. Even if your main email address (the one you never give out) is guessed, you can have it changed and all of the aliases re-directed to the new address without having to tell anyone about it. All the aliases stay intact.
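The alias scheme in the comment above, sketched as an added example (not the poster's code): an alias table that answers at `RCPT TO` time, retires an alias that drew spam, and re-points the private mailbox without touching any alias. The class, the method names and the `example.org` values are assumptions made for illustration, and the base mailbox is modelled as an internal delivery target.

```python
import re

class AliasTable:
    """Aliases that all deliver to one private mailbox (constructed model)."""

    def __init__(self, domain, mailbox):
        self.domain = domain.lower()
        self.mailbox = mailbox      # base account, never handed out
        self.active = {}            # alias local part -> party it was given to
        self.retired = set()        # aliases withdrawn after they drew spam

    def create(self, local, given_to):
        local = local.lower()
        if local in self.retired:
            raise ValueError("retired alias must not be reused: " + local)
        self.active[local] = given_to

    def rotate(self, old, new):
        """Alias drew spam: retire it, issue a replacement to the same party."""
        given_to = self.active.pop(old.lower())
        self.retired.add(old.lower())
        self.create(new, given_to)
        return given_to             # the only party that must be told

    def move_mailbox(self, new_mailbox):
        """Base account guessed: re-point delivery; no alias changes."""
        self.mailbox = new_mailbox

    def rcpt_to(self, command):
        """Answer RCPT TO before any message data is accepted."""
        m = re.fullmatch(r"RCPT TO:\s*<([^@<>\s]+)@([^@<>\s]+)>",
                         command.strip(), re.I)
        if not m:
            return 501, "syntax error in parameters"
        local, domain = m.group(1).lower(), m.group(2).lower()
        if domain != self.domain or local not in self.active:
            return 550, "user unknown"
        return 250, "OK, deliver to " + self.mailbox

def demo():
    t = AliasTable("example.org", "inbox-7f3a")     # constructed values
    t.create("family", "close family")
    t.create("mci", "phone company")
    before = t.rcpt_to("RCPT TO:<mci@example.org>")
    notify = t.rotate("mci", "mci2")                # spam arrived on "mci"
    old = t.rcpt_to("RCPT TO:<mci@example.org>")
    new = t.rcpt_to("RCPT TO:<mci2@example.org>")
    other = t.rcpt_to("rcpt to: <Family@Example.org>")
    return before, notify, old, new, other
```

Refusing to reuse a retired alias matters because harvested address lists keep circulating long after the alias is withdrawn.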
Re:The end of mailing lists? (Score:2)
If you don't, the sender will have a policy to refuse all requested bonds so you won't get any mail from him.
Re:The end of mailing lists? (Score:2, Informative)
The sender sends the email, no money attached. If the sender isn't on the recipient's whitelist, the recipient's mail system automatically challenges the sender to attach a bond. The sender either accepts by sending the bond and the mail goes through or the sender refuses and the mail is blocked.
So you only get to keep the money if the sender
1) is not on your whitelist and
2) you request a bond
3) the sender sends the bond
A legitimate mailing list provider would obviously rejec
Re:The end of mailing lists? (Score:2)
Re:The end of mailing lists? (Score:2)
What's the open-source no money solution?
Re:The end of mailing lists? (Score:2)
You could do a challenge-response type system that asks the sender to correctly solve a math problem in order for their e-mail to be delivered.
What would you do if in order to send e-mail to your mother, you had to solve something like:
or
Re:The end of mailing lists? (Score:2)
Re:The end of mailing lists? (Score:2)
There's the rub. How long will that be? 15, maybe 20 seconds?
Re:The end of mailing lists? (Score:2)
However, if you used a whitelist, mail from people you don't know (new e-mail addresses for old friends who forgot the passwords to their accounts, for example) never makes it. With the new system, nobody is going to want to pay money to have their e-mail potentially just marked as spam anyway (And, yes, I do realize that the recipient can negate the charges
Re:The end of mailing lists? (Score:2)
You are missing the point completely. Let's just imagine this system has been implemented and everyone has the new email software.
You visit a website and reckon its interesting enough to want to chat to the webmaster. You hand craft an email and post your usual bo
NO, this has already been thought out! (Score:2)
The system also has built in safety to prevent someone from charging an exorbitant amount of money to your account. Your e-mail set-up rules/account, can be set to not deliver to anyone who charges over a certain amount (again
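The exchange described in the replies above (whitelist check, bond challenge, sender accepts or refuses, sender-side cap on the amount), modelled as an added example that is not ABM's own code. The class names, the escrow object and the insufficient-funds outcome are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Recipient:
    whitelist: set
    bond_cents: int                 # bond demanded from unknown senders (0 = none)

@dataclass
class Sender:
    address: str
    max_bond_cents: int             # 0 = refuse every requested bond
    balance_cents: int = 0

@dataclass
class Escrow:
    held: dict = field(default_factory=dict)    # message id -> (sender, cents)

    def post(self, msg_id, sender, cents):
        if cents > sender.balance_cents:
            return False
        sender.balance_cents -= cents
        self.held[msg_id] = (sender, cents)
        return True

    def settle(self, msg_id, seize):
        """Recipient decides after reading: seize the bond or release it."""
        sender, cents = self.held.pop(msg_id)
        if seize:
            return cents            # amount paid out to the recipient
        sender.balance_cents += cents
        return 0

def submit(msg_id, sender, rcpt, escrow):
    """Return the delivery outcome for one message."""
    if sender.address in rcpt.whitelist or rcpt.bond_cents == 0:
        return "delivered"                      # no challenge issued
    if rcpt.bond_cents > sender.max_bond_cents:
        return "blocked: bond refused"          # sender policy declines challenge
    if not escrow.post(msg_id, sender, rcpt.bond_cents):
        return "blocked: insufficient funds"
    return "delivered with bond"
```

A mailing list is a `Sender` with `max_bond_cents=0`: its mail reaches subscribers who whitelisted it and is blocked everywhere else, without money changing hands.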
Re:Gaaaah! (Score:2, Insightful)
Which spam are you referring to? The spam you receive, or the spam you send?
If you don't ask for any bond for mail sent to your account, all your mail will get through just fine, complete with the spam.
On the other hand, if you send out mail that the recipients regard as spam, even if you think your spam is "not that bad", the person whose email box you're cluttering is the one who gets to decide. If that "breaks your email" then face it, you
Re:Gaaaah! (Score:2)
Re:Gaaaah! (Score:2)
Sigh... For the eleventy-fifth time: You simply don't authorize the payment of any bonds. Then your mail gets through just fine to the people who know you (i.e., who have you on their whitelists), and everyone else gets to decide whether they want to see your messages despite your refusal to post the bond. After all, it's already the case that they can choose to filter or delete without reading them. Essentially, the system would
Re:Gaaaah! (Score:2)
Maybe, eventually, things will get bad enough that this or other micropayment schemes will be necessary, but you don't need to dive right in. ANY token scheme is amazingly effective against spam, even the simplest ones.
What we need is not more heavy-duty token schemes, but
Re:This idea... (Score:2)
Agreed. But how long will insert-your-favorite-anti-spam-solution-here work until it is circumvented?
Re:Is this a hoax SPAM or not ??? (Score:2)
Whether or not there is any truth in the email (I have no idea) doesn't matter. It's still spam with the intent to influence opinions. Everyone has the right to protest, but they don't have the right to FORCE me to listen to it. Sending this (or the religious or viagra variety) is forcing me to read their message. I do
Prior Art: Re:Is this a hoax SPAM or not ??? (Score:2, Informative)
claiming that the HIV virus, the virus that causes AIDS, is a virus that was manufactured in American laboratories between 1962 and 1978.
The US government's claim to invention may be invalidated by prior art. HIV was around before 1959 (though there is some [avert.org] dispute [aegis.com]).
If you look up the patent that supposedly proves that Gallo invented HIV, you will see that it is NOT a patent on HIV, it is a patent on a method of reproducing HIV extracted from humans and it was filed after public research on HI
Re:unfair for almost everyone. just not viable (Score:3, Interesting)
You ask, "how about I am totally careless with my email address, can i then send repeated claims for bond money from all these companies that want to sell me something.[sic]" (note: when you ask a question, you should end the sentence
Whitelists are not enough (Score:2)
Yesterday.
I get several unsolicited emails per month which I actually wish to read. Granted, this is a minority of all unsolicited emails I receive, but I do occasionally get interesting personal emails from total strangers which I'm glad I got.
-kgj