Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Spam Your Rights Online

Analysis of Spam, and a Proposed Solution 370

2bot_or_not_2bot writes "Spam: The Phenomenon is a detailed analysis of spam: products, scams, viruses, obfuscation methods, etc. Failed, and doomed-to-fail, methods of blocking spam are described. A general solution is proposed that does not: invade privacy, perform wide censorship or blacklisting, or involve payment and cooperation with corporations (beyond the transport and storage of data)." Hmmm.
This discussion has been archived. No new comments can be posted.

Analysis of Spam, and a Proposed Solution

Comments Filter:
  • by Tuxedo Jack ( 648130 ) on Tuesday April 06, 2004 @02:49PM (#8782937) Homepage
    We apply Islamic law.

    They steal our time, money, and bandwidth.

    We take their hands.
    • by h00pla ( 532294 )
      I waiting for the ultimate spam solution, which is - when the total number of spam reaches 70-90% of all email sent, email is officially declared useless, people stop using it and spam stops being a problem because there's no sense sending it anymore

    • by markan18 ( 718118 ) <> on Tuesday April 06, 2004 @03:07PM (#8783189)
      Your post advocates a

      ( ) technical (*) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      (*) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      (*) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      ( ) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      (*) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      ( ) Why should we have to trust you and your servers?
      ( ) Incompatiblity with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      (*) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (*) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

      Doing the Right Thing should not be preempted by making a buck.
    • Hands? Why go for the hands? With their obsession with my privates (all the damn viagra spam), I think we ought to cut off theirs.
  • Examples (Score:5, Funny)

    by JohnGrahamCumming ( 684871 ) * <slashdot@jg[ ]rg ['c.o' in gap]> on Tuesday April 06, 2004 @02:51PM (#8782954) Homepage Journal
    I'm glad the author included so many examples of actual spam messages. I was beginning to wonder what spam looked like.

  • by Kushy ( 225928 ) * <kush @ m a r a> on Tuesday April 06, 2004 @02:51PM (#8782961) Homepage
    The best way to stop SPAM is to find the person(s) that are sending and post their personal information on the web. Everything email address, phone numbers, cell phone numbers, home address, business address, dogs name... everything there is... and let vigilante justice take over from there...

    I mean come on, if only .5% of the people (s)he sent out spam to call his cell phone and leave a nice voicemail, everyday, all day, he will start to know what it is like to be harassed and for it to cost him money out of his pocket and the grief that he caused so many...
    • by Anonymous Coward
      A few years ago Spamers would send out their phone number to call for more information. You would always get the answering machine so I would you the MSN phone that limited you to 5 minutes anyway. I would call and let the spammer listen to the music i was listening to until his box filled up. It would take a bunch of calls but I wasn't busy. I wish I could find a Perl module to auto dial these number and leave supper long messages with an electornic voice. Hmm I havent look at spam latley - I wonder i
    • by soh10r ( 148594 ) *
      I mean come on, if only .5% of the people (s)he sent out spam to call his cell phone and leave a nice voicemail, everyday, all day, he will start to know what it is like to be harassed and for it to cost him money out of his pocket and the grief that he caused so many...
      The problem with that, of course, is that spammers will then try to make it look like the spam comes from someone else--like an anti-spam activist, say.
      • Well, spam comes from somewhere and points you to somewhere (not necessarily the same places). If communities ran campaigns against the companies that advertise through spammers, notifying them that their advertisement practices aren't appreciated, then maybe (though undecidedly likely) they would stop using advertising agencies that employ spam techniques.

        "You may say that I'm a dreamer,
        but I'm not the only one."

    • I ignore any proposed solution to spam that does not consist of the simple phrase:

      The spammer will be shot in the head with two bullets.

      Now, if even .5% of spammers had their walls decorated with their own brains, that would cut down on bandwidth wastage.

    • Hmmm... might as well... it is endorsed by the editor.

      Your post advocates a

      ( ) technical ( ) legislative ( ) market-based (x) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
  • There's a reason why the spam-fighters are so pessimistic about the possibilities. You can't match all of the below. (In particular, we want to manage our own mailservers, but won't let others because they are incompetent. We want to receive all non-spam email but also want no spam to get through filters. We don't want legislation and bureaucracy to get in the way. We don't want to pay per email because of our high volume mailing lists like lkml. etc etc.)

    Your post advocates a

    ( ) technical ( ) legis
  • by Anonymous Coward on Tuesday April 06, 2004 @02:53PM (#8782994)
    There's a boycott occurring [] for Microsoft's Caller ID for E-mail. They're asking for anyone developing a mail client, spam filter or mail transport agent to use a more open protocol, rather than a patented one.
    • This is an interesting page...
  • by Catamaran ( 106796 ) on Tuesday April 06, 2004 @02:54PM (#8783001)
    This is not a scholarly article. Here is his summary:


    I did not describe the details of how the proposed system would work, but I hope the proposal aspect of this article leads to more thinking about solutions to spam -- especially about solutions that avoid invasion of privacy by any form of content analysis or packet tracking, or cooperation with specific corporations, or censorship.

    The web page contains lots of images of SPAM that the author has received.

    Here is the text of his proposal:


    This section contains a proposal for SOFTWARE and SOCIAL PRACTICES that have
    the potential of greatly reducing the nuisance of spam from a person's life.


    Things required by this proposal:

    (1) A person who wishes to greatly reduce spam must install software on each computer with an e-mail client application (such as Microsoft Outlook).

    (2) A person who wishes to greatly reduce spam, when sharing his or her e-mail address, must also go through the trouble of sharing a code number.

    (3) Mailing list services must make a slight modification to their databases and mailing scripts to store and use codes in addition to e-mail addresses.

    Things that are NOT required by this proposal:

    (1) Changes to e-mail servers, e-mail protocols, e-mail content standards, or Internet infrastructure, are not required.

    (2) Existing spam countermeasures (content-filtering, IP blacklisting, anti-spam laws, etc) will not be necessary. (Such countermeasures are futile and dangerous anyhow.)

    (3) It is possible that changes to existing e-mail clients will not be required.

    Things that will NOT be directly helped by this proposal:

    (1) Internet bandwidth consumed by the futile efforts of spammers trying to make it through to people. (Once the futility becomes apparent worldwide, the spamming model may naturally be a very unattractive waste of time.)

    (2) E-mail "inbox" clogging while the spammer profession lingers on, before the futility of spamming has a chance to sink in worldwide.

    (3) People with e-mail clients and services provided by giant corporations may not experience the diminished spam until the giant corporations have a chance to update software.

    Other qualities of this proposal:

    (1) Totally open technology; not "security through obscurity".

    (2) Non-commercial, public-domain method, can be implemented by anyone without consideration.

    (3) Totally smooth transition from current e-mail clients, servers, mailing list services, etc.

    (4) Privacy preserved (no content analysis), and possibly even improved (as proposed software becomes more widespread).


    The following paragraphs describe the core concept of the method. Certain
    details will be discussed in the "Use Cases" section:

    Messages received by an e-mail client will be sorted by codes contained in the message subject fields or within the message bodies. Spam messages are extremely unlikely to contain the proper codes, and are thus diverted to an anonymous-sender category. Unlike an e-mail address alone, which is a single, unmoving target for spammers, the additional codes are generated by formulae, and are tiny, constantly-moving targets in a huge expanse of possible target locations. Furthermore, any breach of trust can instantly be traced to specific unscrupulous people, and immediately and conveniently patched. The concept can be likened to "spread-spectrum" communication, or, much more loosely, "port knocking".


    The following paragraphs describe the core implementation of the method.

    Three encrypted files are stored on an e-mail client machine:

    (1) PRIMARY FORMULA TABLE: Encrypted table with entries in the form: ( SHA hash of recipient e-mail address, primary formula )


  • Wrong (Score:5, Informative)

    by JohnGrahamCumming ( 684871 ) * <slashdot@jg[ ]rg ['c.o' in gap]> on Tuesday April 06, 2004 @02:54PM (#8783014) Homepage Journal
    From TFA:
    Salting the message with random words thwarted Bayesian filtering.
    No, it hasn't. That's utter nonsense. This entire article is filled with statements like this with no justification. How about reading my presentation [] at the MIT Spam Conference that showed that random word insertion did not fool POPFile [] (or other Bayesian filters).


    • Re:Wrong (Score:2, Informative)

      by Anonymous Coward
      I don't know what spam data you used, bit i've noticed quite a few spams getting through my bayesian filter lately... they all have more random words in sentances at the bottom than the real message at top. They do it like 'hank urged me and I to send you this flower and important notice' Bad grammer but i'm sure it's ment to look like a 'real' sentance since the computer can't 'read' like a person. It's kinda like an adlib game... they make a list of several hundred sentances with verbs and/or nouns missin
    • Seconded. (Score:5, Funny)

      by Moderation abuser ( 184013 ) on Tuesday April 06, 2004 @03:17PM (#8783299)
      My spam folder is full of mail with all sorts of crap random words.

      The one or two which have gotten through look like they could have been written by a Perl guru.

  • by Vexler ( 127353 ) on Tuesday April 06, 2004 @02:55PM (#8783018) Journal
    Here is another way of looking at it: Spammers exist because there are idiots out there who fall for "vicod1n" or "pen1s enl@rgement" or what have you. We should have users who are purchasing these products pay an additional "spam tax" on it, to compensate for the wasted bandwidth and so on. Sort of like "shipping and handling fee". Actually, it comes close to the Internet tax idea that Congress is punting about, but applied to spams.
    • by chris_mahan ( 256577 ) <> on Tuesday April 06, 2004 @03:34PM (#8783509) Homepage
      I'm going out on a limb here, but I think that actually, spam does not create enough customers of legitimate products.

      What email harvesters do is convince poorly informed people and businesses that by buying their $499.00 mailing list of two million valid email addresses, they will rake in thousands upon thousands of dollars in profits.

      It is those poor sods who send the millions of email, using the email autosender conveniently provided on the cd-rom, who are then blacklisted to hell and lose their $49/mo super gold premium windows 2003 10MB (Front-Page enabled no less) account and wonder with growing bitterness how the jerks at "MakeMegaBuxWithEmail.Com" could have flat out lied, LIED, to them...

      Then they realize they can make $499/CD by just finding another sucker...

      Of course, like all good pyramid scheme, the thing will implode under its own weight, but it has not yet run its course.

      A solution? Of course. A study needs to be made showing the average Joe that paying for a list of email addresses is a snake-oil scheme to lift money from their wallet.

      Then people can charge money for the "Don't Be Fooled By Email Scam Artists. Send $29 And I'Ll Show You How To Protect Yourself Today!!!" and spam will be a thing of the past.

      (yeah, that's it...)
  • i don't know about any IT people around here but the biggest problem that I've been facing is getting back control of Hi-jacked computers. The tools out there to fix the problem just don't cut it 3000 search bars, start page hijacking, related pop-ups, malware, programs that just wont un-install. Its bad enough that they install in the background but there should be a "law" to make programs uninstall-able. Also make them from hiding there presence.
    • by SoTuA ( 683507 ) on Tuesday April 06, 2004 @03:35PM (#8783516)
      Word. I got married a few months ago, and while me n' my wife did some place hunting we lived at her mother's house, and I managed to keep the computer more or less shipshape.

      Two months after we moved out, we went for dinner there, I had to look up something quick in google and *OMFG* the computer is barely crawling, it has half the system tray filled with icons, and it has so much malware that adaware crashes :o

      Self-installing and opt-out add-ons suck. Hard.

    • If you haven't figured out policies (either social or Windows administration related) then it's nobody's fault but your own.

      Either as the head of IT you instruct people not to install anything on their computer without consequences, or you keep Windows from installing it through policies.

      The last thing we need is more government involvement in every little aspect of our lives./p

  • I dont get it (Score:4, Insightful)

    by JeanBaptiste ( 537955 ) on Tuesday April 06, 2004 @02:56PM (#8783036)
    Spammers are not very hard to track down. The companies that use their 'services' are even easier to track down. Many if not most are in the US or EU.

    I've done it myself a couple of times, and have explained the relevant legal code from spamlaws []. I have yet to hear back from either the spammers or the authorities I have explained this to.

    I would think if law enforcement would do what it is SUPPOSED to do, spamming would be vastly reduced.
    • If only the spam I get would actually contain a sales pitch... those are easy to filter out and delete straight out at the mail server level

      With HTML turned off, all I get is gibberish spam, with gibberish sender, gibberish subject and gibberish content. Ad Nauseam.

      I'm about to throw the towel and get a new email address.

      Or a bag of rocks and spammers' addresses.
  • Negative Feedback (Score:3, Interesting)

    by OGmofo ( 189475 ) on Tuesday April 06, 2004 @02:56PM (#8783038)
    Counter Spam Measure: Negative Feedback.

    Imagine if all or some very large contingent of email clients allowed you to
    "retaliate" against spam messages. Highlight message, select "negative feedback"
    option, a daemon is spun that traces back as far as possible the route of the
    message and barrages it some fashion. By pings maybe? By directed replies? Imagine
    it does this in some scheduled fashion so as to minimize the impact on your local
    network. As 1 million disparate sources converge upon the last traceable source of
    the route of the offending spammer, some network somewhere will start to feel the
    load. Like the spokes of a wheel converging on the hub, the retaliation traffic will
    thicken as it closes in on the source. The pain increases. ISPs inundated by
    individuals expressing their right to freedom of speech, will feel suddenly inclined
    to exercise their right to refuse service to someone.

    The "negative feedback" could be dosed in a coordinated fashion if there were some
    P2P means of establishing how many individuals had received a particular spam. If a
    spammer hits only a hundred people, the dose of retaliatory traffic would have to be
    increased to be felt. If the spam hit a million, it would require only a modest
    retaliation to utterly swamp the source.

    Just thinking out loud. Could this be made to work? No one's free speech is
    curtailed, spam is dealt a serious blow.

    fight fire with fire.
    • fight fire with fire.

      No, just slashdot some poor asshole's computer that was zombied by some windows worm or whatever.

      Retaliatory measures will just bag some incompetent computer operator. Sorry. (and don't forget that the guy might be incompetent, but maybe his lawyer isn't and you are trying to DOS him)

    • I've always wanted to fill out one of these and since Slashdot provided a nice link, here we go:

      Your post advocates a

      (*) technical ( ) legislative ( ) market-based (*) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and othe
    • by billstewart ( 78916 ) on Tuesday April 06, 2004 @04:04PM (#8783900) Journal
      It's dangerously bad. If email messages accurately identified where they came from, and if spammers didn't maliciously forge addresses of people they want to harass, and if spammers didn't usually abuse free email systems and free web pages or forge purely bogus sender addresses (usually also at free email systems), then that would be a fine idea. Many spammers also frequently put other people's valid URLs in their mail to fake legitimacy, e.g. URLs from E-Bay's news site or the Better Business Bureau or various anti-virus companies, in addition to having their own URL for the suckers to click.
  • good and good (Score:2, Insightful)

    by maxbang ( 598632 )

    This dude has a decent idea, I guess. I've found a method that has been foolproof for the past three years. I only give out my email address to people I directly know. I've had a Hotmail address that's been spam free since 2001, not even a drop in the bulk bucket. Once or twice a year I'll get a Hotmail Services thing, but that doesn't matter to me. I keep a junk address at Yahoo when filling out online forms, posting, etc. It works for me and it works for my friends. My ISP email address has _never_ receiv

    • Re:good and good (Score:2, Interesting)

      by Gnascher ( 645346 )
      This worked great for me up until a month or so ago.

      My business partner's wife emailed me a 'get free movie tickets, just get five friends to sign up' email. I immediately dumped it into the trash, but apparently the fact that she had submitted my email to this place was all I needed to start the spam floodgates. :(

      It still isn't too bad, but I am now getting 3 - 5 unsolicited SPAMs to that address daily from various companies. No p3n1s enl@rgements yet, but I'm sure that is just a matter of time.
      • I've explained to everyone I gave my email address to that I don't want my email address submitted to ANY website. If they want to forward me something, they should copy the link and paste it into an email.

        I had one of my users submit seven other of my users' email addresses to one of these free movie tickets sites. They ended up being blocked because the site forged the initial sender's email address in the From: line. This was by one of the same people who complain about the amount of spam she gets. I ex

    • I've found a method that has been foolproof for the past three years. I only give out my email address to people I directly know.

      That works if you only communicate with a small number of computer literate friends who don't get infected with viruses or ever send out cc:'ed e-mail.

      I have the same policy and practices as you. Unfortunately, I use my email address to communicate with a larger number of people, some of which have done "stupid things" with my email address. Keeping seperate email addresses

    • I was just thinking the same thing while reading the posts. I keep one junk email, but even that doesn't get more than 2 or 3 a week now. My hotmail rarely gets one, and my isp address hasn't gotton one yet. I remember years ago, clearing out 20-30 a seems like it's improving. I never fill out a form with a real email address unless it's required that I recieve a message. For all other occurances, I use

    • That worked for me until I emailed a customer feedback comment to a somewhat large corporation which makes a product I really like. I also got a satisfactory reply from their customer representative.

      A few months later, that *expletive* customer representative forwards one of those stupid urban myth chain-letters (about some missing kid/fake amber alert), using that company's email address book, which included my email address!

      Then the spam deluge started. :(
    • The problem with your solution, is that I have never given out my email other than a hand select few whom I trust. However, I am now receiving spam by the handful daily (though overthecounter anti-spam software has been next to perfect for filtering it out).

      The problem is, that my email is somewhat generic with my first initial, last name, plus a numeric conditioner. This email was assigned by the provider. Unfortunately, many spammers, once they realize how emails are formatted for an ISP, can easily r
  • by segment ( 695309 ) <sil@ p o l i t r> on Tuesday April 06, 2004 @02:58PM (#8783078) Homepage Journal

    You know, if government really focused on penalizing the bottom end product creator for spam, I'm sure it'd be minimized drastically. For example Viagra, made by Pfizer, if they penalized Pfizer for spam and not controlling the methods of their advertising, I'm sure many companies would think twice about their methods to deliver content.

    Sure it would need some tweaking, but to go after Joe Blow unsuspecting user who's machine is probably loaded with trojans is moronic. Even a good enough trial lawyer for the most blatant spammer could probably convince a jury that the culprits machine was infected if they tried. It's obvious CAN-SPAM and other moronic laws aren't working so why not take it to the next level?

    Pentagon Plane Crash of 2000 []

    • For example Viagra, made by Pfizer, if they penalized Pfizer for spam and not controlling the methods of their advertising, I'm sure many companies would think twice about their methods to deliver content.

      Actually, it should be Pfizer going after them, since any Viagra advertised by spammers (if it even contains the drug at all) will be an unlicenced rip-off.

      Which just goes to show - even spammers who leave themselves open to prosecution under what most of us agree are overly-restrictive IP laws, still do

  • by cipher chort ( 721069 ) on Tuesday April 06, 2004 @02:59PM (#8783090) Homepage
    It should be self-evident that this solution is not workable. Anything that requires this massive type of retooling of the whole method of using e-mail is doomed to failure.

    Any proposed solution cannot cause this type of massive interruption of normal e-mail usage.
  • by Animats ( 122034 ) on Tuesday April 06, 2004 @03:00PM (#8783112) Homepage
    After scrolling through a page about a hundred screens high, containing many extracts from this guy's spam, you finally discover that this bozo has reinvented the whitelist.


    • This article is dumb. It is a whitelist, only more complicated and awkward. Every person has to establish a "secure channel" with their recipient prior to sending them mail. GREAT idea. If I've established a "secure channel" with my message recipient so that I can give him this goofy code/formula/thing, then why don't I just go ahead and give him the whole message while I've got his attention? The author says that the secure channel can even be a face-to-face meeting. Brilliant.

      Hey, buddy, let's get
    • by billstewart ( 78916 ) on Tuesday April 06, 2004 @03:52PM (#8783749) Journal
      Actually what he's reinvented is tagged email, either in the tagged-address format or tagged-subject format or not-written-clearly format. Lots of mail systems let you send mail to username+tag@domain.tld, or tag@username.domain.tld, and let the mail reader client sort or filter messages based on the tag. Most non-web clients aren't especially flexible about letting you generate a different tagged address when you send the mail, but some can do that.

      That way you can use different addresses for mailing lists, orkut, random recipients, each Slashdot posting, etc., and blacklist addresses that get abused and/or only whitelist addresses you've sent people. There are some risks - the subdomain version occasionally gets hit by dictionary attacks, so you might receive 10 million messages on an occasional really bad day (this mainly happens if your subdomain doesn't run its own SMTP server that can milter it.)

  • IM2000 (Score:5, Interesting)

    by re-Verse ( 121709 ) on Tuesday April 06, 2004 @03:01PM (#8783115) Homepage Journal
    Personally I rally liked D. J. Bernstein's (qmail, djbdns, daemontools) idea for a new mail protocol. The big difference between it and mail we have now is that only the notification of mail is sent, not the mail itself. The mail sits on the senders mailserver, waiting to be picked up, and if you want to retrieve it, your mail client does so from his server. Think about it - No more anonymous spam, since you KNOW where messages are coming from if you have to retreive them. Therefore, if spam is illegal, we can punish them... and there is no more faking of where its coming from.

    The other cool concept to that is mailing lists vs bandwidth. In old mailing list styles, a message would go out to the list, bouncing back from all people whos boxes are gone or full- witha lot of traffic. In DJs new way, there is only notification of the message sent, and then only those who really want the message download it.

    The more you think about it, the better of an idea it becomes. In the wold of terrifying ideas like "postage for emails" or "really super-mega-expensive domain names for mail only" Bernsteins has an elegance and practicality I haven't seen elsewhere.
    • Re:IM2000 (Score:5, Insightful)

      by Bronster ( 13157 ) <> on Tuesday April 06, 2004 @03:11PM (#8783230) Homepage
      The big difference between it and mail we have now is that only the notification of mail is sent, not the mail itself.


      a) Notification contains no sender-modifiable content. No way to know if you want it or not. You say yes and wind up with spam from unknown server.
      b) Notification winds up containing the entire spam as subject line, and the supposed server it's coming from doesn't exist.
      c) Spammers break into millions of unsecured Windows boxes and run 'mail servers' on them.

      Nice try, but no cigar.
      • Add to that things like the increased storage costs imposed on ISPs and thus their customers and issues like aging (how long will the ISP hold the message before collection?).
      • Re:IM2000 (Score:5, Insightful)

        by mdfst13 ( 664665 ) on Tuesday April 06, 2004 @04:53PM (#8784608)
        Your a and b options are not a complete list. In actuality, you would send a subset of the headers in the notification (the recipient could potentially pick which ones--possibly in the response to the EHLO replacement). One can certainly limit subjects in the initial notification to (for example) 50 characters, not enough to get a real message across but enough to recognize many legitimate kinds of email (for one thing, how many legitimate emails have subjects longer than 50 characters?). In regards c, it is hard to run a POP server on a desktop PC.

        Another possibility is that the notification could be just that (no content whatsoever), with you downloading the headers separately (i.e. 3 steps: notification; headers; body and full headers). That would force the server to exist, but you don't have to download the rest of the message if you do not want to do so.

        Also consider how this would work with RMX proposals (like SPF: ). If the email is not from a validated IP, then you can reject the initial notification.

        It is also worth noting that a spam method that requires illegal acts (like virus infection) is dangerous for the spammer. It is not really practical when selling everyday items, only scam emails (already illegal) or really high margin items that allow the spammer to change locations often.

        Criticizing anti-spam proposals for not completely solving the problem is missing the point. No one anti-spam method is going to eliminate spam. Each one is designed to make it harder to spam, ideally without impacting normal email. IM2000 does this, since it merely shifts from POPping from the recipient's server to the sender's server. This is harder for senders but easier for receivers in most cases. The exceptions are those where the sender does not maintain a persistent (i.e. always on) mail server (e.g. spammers). This is very rare with legitimate emails (if the sender does not have a persistent mail server, then they can't *receive* email; legitimate senders generally want to be able to receive emails in response).
    • Re:IM2000 (Score:2, Insightful)

      by ps_inkling ( 525251 )

      The big difference between it and mail we have now is that only the notification of mail is sent, not the mail itself. The mail sits on the senders mailserver, waiting to be picked up, and if you want to retrieve it, your mail client does so from his server.

      And how does this notification get to the user, eh? What's the difference between 1,000 spam messages and 1,000 spam subject lines? The user still has to sort out the difference. Especially when the subject is 'Hello' or other similar innoculous valu

    • Re:IM2000 (Score:3, Insightful)

      ...only the notification of mail is sent, not the mail itself.

      Good lateral thinking, but I don't think it would ultimately stop spam. I'd love to see more details.

      It would prevent a spammer from dumping a 100Kb email message into your inbox, but it wouldn't prevent him from dumping 100K of 1b "notification" messages in there, and it would be all the same to him. It would make it much harder to sort between the two.

      And under the current system, the spammer doesn't know anything about the recipient (or

      • Re:IM2000 (Score:3, Informative)

        And under the current system, the spammer doesn't know anything about the recipient (or even that the email address is valid) unless he does something stupid like reply or click on a web link. Under this system, the spammer would know which addresses were valid by watching which messages were picked up.

        Not entirely true. If a user is running a mail client that allows HTML mail, then the spammer can make the client request something unique from the spammer's server - an image, for example. I've seen spam

      • I would set up my system to systematically check that for every notification there is an actual matching message body at the originating server. If there was not, I would just drop the notice.
    • So instead of getting 1000 emails we get 1000 messages to pick up emails. Then they start spoofing message sends and you have the same exact problem.

      The problem is people click on them and it makes them profitable so they continue to do it. 99% of all spam preys on people who want to better themselves in dumb ass ways.

    • Re:IM2000 (Score:3, Insightful)

      So in the glorious IM2000 future my computer will pull down gigabytes of spam from random trojaned PCs whose owners say "what?" when you accuse them of spamming...
    • Re:IM2000 (Score:3, Insightful)

      by dargaud ( 518470 )
      Sounds like usenet to me... I remember reading his proposal some time ago and it does make a lot of sense. No more flooded mailbox while you are on vacation... And it's also a good way for the sender to control whether or not the mail has been read (as opposed to only received). And idiot family members who send the content of their new digital camera to all family members without downsampling the images will get a quite useful "Full outgoing mailbox" error message.
  • I administer a mail server for a small ISP. The problem with filtering on the user's end is that my costs are consumed by the time the user deals with the spam. I don't think, as the article suggests, that spammers will slow down if their message is not being read, in fact they will just spew out ever more spam. If a 1/10 of 1% hit rate does not deter them, a smaller hit rate won't either.

    I have to put some upper limit to the amount of storage I can give each person (right now I allow 100M, which I think is quite reasonable). But if a user goes on vacation and does not check their e-mail for a month, they could have their inbox filled with spam and viruses (not much difference these days, from a server admin point of view). This will preven legitamate messages from coming through. Therefore, I use the following technical measures to help reduce spam:

    • RBLs:,,, and
    • SPF:Sender (not adopted widely yet, but it does block a few messages a day even now)
    • Blocking specific subject lines (during virus outbreaks this can help)
    • Blocking mail "from" non-existant domains
    I really have no choice, I cannot afford not to take these measures. I explain all of them to my clients, nobody has had a problem yet. These measures catch roughly 75% of spam and viruses, and as far as I know, no false positives.
    • In upcoming the OpenBSD 3.5 [] there is an implementation of Greylisting [] in the spamd daemon []. You can try it out by installing a snapshot of current from a mirror []

      It works by initially by "greylisting" e-mail from unlisted mail servers by sending a "451 4.7.1 Please try again later". If the server resends the e-mail within 4 hours, but minimum 30 min, the server is whitelisted. These timings can be configured, of course.

      For now, this works very well for me, since few virii bothers to resend an e-mail, a

    • Too bad nobody is combining those with a SMTP engine that can see the messages comming in and accept them VERY SLOWLY. (ie.: 1 byte per second)

      I know something like this exists already but why not make known spammer servers get 3rd rate service from our owns servers?

      Their servers would could take weeks to send out the number of messages they can now in 10 minutes. They need to get the massages out quickly or else the ratio of misses starts to cost them. This is the real solution.
  • I think the only solution to spam is something like SPAMNAZI [] (
  • Funny, I was just thinking about some of the problems with spam the other day. I came up with an idea. Note that I am not suggesting we adopt this approach (I haven't thoroughly considered it yet), I am just posting the idea here so that others can consider it, be inspired, identify weak points, come up with improvements, thrash it, or generally do whatever they feel like with it.

    First, some talk about scope ani justification of the idea. This method does not, in any way, eliminate spam. My take is that yo
  • Code numbers probably won't work, for the same reason that charging for mail won't work. People will accumulate a list of people's code numbers. How? You'll have to give out the code # to apply for a credit card at college and get that free t-shirt. I get TONS of paid spam at my house. Do you know how much it costs to print a color flyer and send it to thousands of people? A LOT!!! But I still get them. We all do. Nothing will stop advertising, charging for it will just mean more expensive ads bein
  • Uh, I think this guy just invented signed email.
  • Shooting spammers when you find and convict them might make it a less attractive field to enter.
  • The bases of the problem are twofold:

    1. You want to accept mail from strangers.
    2. Some strangers insist on anonymity.

    Simply put, if you insist on accepting email from anonymous strangers, there is no way to guarantee that all of it is wanted.

    Even if you don't want mail from anonymous entities, but still want mail from strangers, the problem of identity management is non-trivial. The only solution I see is a "web of trust," based on a very large relationship database like Orkut or PeopleAggregator.
  • by 0x0d0a ( 568518 ) on Tuesday April 06, 2004 @03:33PM (#8783499) Journal
    While I'm pretty strongly of the opinion that a PKI system with a trust network and signed content is ultimately going to be the only effective long-term way to deal with spam, this isn't great.

    It's essentially just a PKI system, but requires effort on the part of the individuals to manually set up a trusted transmission channel for authentication data for each person, breaks security if an email is exposed, does not provide strong authentication benefits, and seems to be open to forgery containing data from an original email. It still requires the installation of software.

    Instead of transmitting each "set of formulas" via a trusted channel, one could hand over an RSA pubkey, and instead of some weird proprietary embedding of secrets, one could simply sign the email. This provides all the benefits of the proposed system, operates in a regular manner, is strong against compromise of a client machine or of sent email, and there are, to some degree, systems in place to handle signing.

    I would advise against this solution. It provides no benefits that a conventional email signing system lacks, and has some serious weaknesses.
  • by barc0001 ( 173002 ) on Tuesday April 06, 2004 @03:36PM (#8783533)
    Seriously? Go to a syn-syn/ack-ack system.

    The sending SMTP box says to the receiver "I've got a message for you" Receiver caches the message, hands the source box a 32 digit random number and says I'll call back in 30 seconds by your FQDN. It does so. Receiver says "did you send me a message with the serial 'x'"? If yes, then the source in the header wasn't spoofed, and the message goes through, if not, the message gets dropped.

    Almost all spam these days comes from spoofed sources. But if in this case it's still spam, it's a lot easier to track the source immediately and deal with it. Take away the ability to hide, and like mold in the sunlight, most of it will vanish without further effort.
  • to have the text component of a multi-part HTML email contain totally innocuous text whilst the HTML component has the actual spam.
    I don't think it's too effective (the spam far outweighs the ham in my Bayesian corpus), but I think it's an interesting trick that could pollute the creation of a corpus over time.
  • Actually, this "solution" to spam is a brilliant new tool for spammers.

    Step (1) Create spam solution site with dozens of spam samples (i.e. meta-spam site)
    Step (2) Publish a "solution" that requires scrolling through said dozens of spam examples.
    Step (3) Get Slashdot to post your site
    Step (4) Reap profits from all the extra traffic, as well as the newly-minted cynics who will be convinced there is no spam solution.

  • Sigh. old solution. (Score:3, Interesting)

    by mumblestheclown ( 569987 ) on Tuesday April 06, 2004 @03:45PM (#8783659)
    A token-password based solution. Old news. Old high school buddies still can't email you, nor can potential clients.

    This 'article' dismisses laws outright. Sure, bad laws, like in the USA, haven't worked. But look at europe! Successful laws, minimal spam.

    It never ceases to amaze me what crap articles get accepted while quality ones get rejected.

  • I've never done any VBA coding, though I know VB quite well. Can anybody tell me how to write a function that would be called every time an email comes in and is passed with the parameters of the subject in body as string? also, how to move an email to "deleted items?"

    If i wrote one simple function that looked at content, I'd eliminate 90% of my 1000+ daily spams trivially (all commercial solutions that i have tried have prevented too many of my customer emails from going through).

  • by FattMattP ( 86246 ) on Tuesday April 06, 2004 @03:52PM (#8783739) Homepage
    You Might Be An Anti-Spam Kook If... []

    Each item in the following list was suggested by the words or actions of people who presented themselves to the IETF or elsewhere as having discovered the FUSSP. Some of the items may seem obscure to those who have not dealt with the IETF.

    • You have discovered the Final Ultimate Solution to the Spam Problem (FUSSP).
    • You are the first to think of the FUSSP.
    • You started looking for the FUSSP after observing that it is impossible to filter more than 99% of spam with fewer than 0.1% false positives by currently available mechanisms.
    • Despite being the inventor of the FUSSP, you are unfamiliar with "false positive," "false negative," "UBE," "tarpit," "teergrube," "Brightmail," "Postini," "SpamAssassin," "DNS blacklist," "HELO," "RBL," or "mail envelope."
    • You plan to make money by licensing the FUSSP.
    • You don't plan to make a fortune from the FUSSP, but you do expect fame as its generous and public spirited netizen inventor.
    • You are deeply hurt and angry because you are not respected as "spam fighter."
    • People don't see the value of the FUSSP because they have axes to grind, are jealous, or are too stupid to understand it.
    • You learned how to stop spam during the more than six whole weeks you've been fighting it.
    • The FUSSP assumes that your attention is so important that strangers, other than advertisers, from will pay money to send you mail.
    • Despite having invented the FUSSP, you not only don't know the difference between the SMTP envelope and SMTP headers; you doubt there is such a thing as the SMTP envelope because email doesn't involve paper.
    • Despite having invented the FUSSP, your SMTP header and DSN reading skills are so limited that when you send an objectionable message to two separate sites, you can't tell which of one of them rejected it.
    • You cannot name several potentially fatal flaws in the FUSSP.
    • All you need to do to get the FUSSP implemented and deployed is to publish an RFC or get a law passed.
    • You don't recognize any significant difference between deploying and implementing the FUSSP.
    • You plan to publish an RFC mandating the FUSSP but have never heard of RFC 2223 [] or RFC 2026 [].
    • Inventing the FUSSP did not require that you know the difference between RFC 821 [] and RFC 822 [] or that they have been replaced by RFC 2821 [] and RFC 2822 [].
    • You don't know the relevance of "consensus" or "IESG approval" to publishing RFCs.
    • You think all RFCs have the same standing.
    • Spammers won't ignore, subvert, or exploit the FUSSP if you publish it as an RFC.
    • The FUSSP depends on spammers or mail recipients changing their behavior without any immediate gain.
    • The FUSSP won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem.
    • The FUSSP is easy to implement and deploy, but you have done neither.
    • Your job is done after having explained the FUSSP to the IETF or The Industry.
    • Programmers will drop everything to implement the FUSSP.
    • You think that a violation of an RFC by an SMTP client or server is good and sufficient reason to reject all mail from the system's domain.
    • You know that SMTP has no authentication and have never heard of SMTP-AUTH, SMTP-TLS, S/MIME, or PGP.
    • You know that the failure of SMTP servers to authenticate the SMTP clients of strangers is a major bug in SMTP instead of an expression of a primary design goal.
    • Despite discovering the FUSSP, you don't know the meanings of MTA, MUA, SMTP server, SMTP client, or su
  • My proposal for Spam is that we string up anyone and everyone who actually respond to Spam. Other than that, it's a lost cause, don't waste your time, just filter it for Christ's sake, and don't stress over the 10 or 15 a day that get through. Spam is such a non-issue, and please dont blather on and on about bandwidth, the fiber in the ground and the networks attached to it is used at a small fraction of it's capacity. Why people get bent out of shape about Spam is beyond me, I guess either people do not ha
  • by gerardrj ( 207690 ) on Tuesday April 06, 2004 @04:07PM (#8783945) Journal
    This is simple and requires no changes to a mail client to function, but one small change would make things easier. The solution does not need to happen all at once to be effective, and does not change any of the current protocols for email (POP,IMAP, SMTP).

    The idea: multiple, sender/use specific addresses on the client side. Basically instead of having one address with your ISP, you would have the ability to create up to 50 aliases to your account. Not that these are not 50 accounts, all of your mail still winds up in the main mail account at your ISP.

    Lets say you have as your email address. The goal here is that you would NEVER give out that address. Instead, you log in to your ISP's web site and create addresses that you then give out. These addresses can be set to expire after a set date, or only be removed manually.

    So you like to pay your bills on-line, create an address and use that on all the registration forms for your utilites, credit cards, etc.
    bobs-shopping: use it to register for any on-line shopping sites
    bobs-long-ebay-address, sendmailtobob, tossaway32341, etc....

    You create an address that you give only to your family/friends, you create an address for each mailing list, create an address that you put in the public LDAP systems and other person-search sites, create an address for sweepstakes/contests, etc.

    If you start to get spam on an address (you can easily check the headers to see which address the spam was sent to), you simply change the address and tell the few people/sites that used that address about the new one. The more addresses you have, the fewer places you need to notify of any changes.

    The only disadvantage is the initial changeover does take some time/effort. Once created, the addresses mostly just sit there and don't require any maintenance or routine changing.

    The advantages: little to no spam; abliity to easily identify WHERE the spammer acquired your address when you do get any; spam does not take up any bandwidth or storage space on the recieving mail server once an address is deleted after getting spammed; no resource intensive and complicated filter software required on the server.

    How well does it work? With about 35 addresses out there (may are web site specific), I receive only about 6 spam messages a month. Each and every one of those is sent to a public administrator address like webmaster, hostmaster or the like, not too bad considering I recieve such email for about 10 domains.

    In the last year or so since I've started doing this I have only had to disable a single address due to spam, and since it was for a single web site, it took less that five minutes to effect the changeover to a new address.

    To those who say that this is too much of a hassle or takes too much effort, I ask this: would you rather have to spend 30 minutes a year maintaining and changing email addresses and informing senders of the new address, or spend 5 minutes a day updating your spam filters and double-cheking the positive results for false hits?

    As I stated, this does not require and changes to the mail clients, but if there were one change it would be nice: when you reply to a message the client should automatically use the address that the initial message was sent to instead of attempting to use the actual account address.
  • Interactive filtering of SpAm by targets/users is best.

    I think; maybe, valid personal email should be the focus.

    We want our email, but we do NOT want sPaM.

    Currently we use USRID/AccID, DNS, DHCP, ARP-RARP, ... maybe a couple other protocol/apps to provide identification and routing within TCP/IP packets for login, email, web-surf, VoIP, ... so many check, verify, route, ....

    I agree, with others, the W3C (someone) will need to add some RFCs on check/verify local "Lookup" user approved filter for email.

    As Relates to SpaM/Email:

    1. Subscribers, customers, users of an email service must be required to define an "Approved Email List (AEL)". Email client applications should require a user-action (right-click-select option, maybe) to generate a UDP/TCP update-message to add an addressor's email to the user-AEL resident on the email/profile server. To delete any addressors from a user-AEL should require a few extra steps of accessing the user-account web-page and specifically selecting one address (we change friends, someone moves, ...), a group of addresses (job change, organization name update, ...), or all addresses (global list update/upload, reduce complexity, dropout, ...).

    2. Email service providers must provide to users a web-app/text-upload process for managing a user-AEL. (1) Either upload formatted text (with total content overwrite option) user-AEL as part of the user account/profile definition, or (2) on the email service domain's open/manage email account website a web-app that allows easy addition/deletion to the user-AEL.

    3. New/Unknown email addressors, those not identified in an addressee user-AEL, with a datagram over 128-bytes (standardized size more/less for one name and an email address) are terminated, not delivered, bit-bucket, not replied/forwarded, ....

    4. New/Unknown email addressors, those not identified in an addressee user-AEL, with a datagram under 128-bytes are delivered to the email addressee. This will allow the email addressee their option to decide; if the email addressor should be added to their user-AEL. This will allow an addressor to provide enough information to be potentially (as family, friend, business, hobby, ...) added to a user-AEL, or enough URL information to link back to an online business/interest website to track resent online banking, trading/investing, purchases, subscriptions, ... print invoices, or ....

    5. Incoming email are checked for valid local email accounts (NOT, then terminate). Incoming email having a valid local address are then checked by comparing the addresses with the user-AEL with the specific email address (userid@domain.___) of origin (MATCH NOT, then terminate). Repeat email terminations/rejects from same "@domain.___" could be blacklisted as a sPam@domain.___ unless recognized by a local user-AEL.

    I'll stop counting here, because I think the rest can be surmised and counting gets boring. This process could be close to transparent for email users, except for the managing of an email account user-AEL. It would reduce spAM and potentially malicious/viral email in obvious ways by limiting allowed payloads/datagrams from unknown (un-validated/vouched for) sources in any email. Vouched for addressors (causing problems) on a user-AEL could be more traceable. The processing/handling overhead of such a systems would (I expect) be about the same as the present process and would significantly reduce email-server storage space requirements. Email is un-trustable, but required tool in the business world, and increasingly burdensome of our personal time.

    The spAm-cans could only dump to email users that included them in their user-AEL. Over time it would reduce the spam-flood and/or spam-DDOS on the internet, because few (maybe none) would ever see spam-stuff and SPAM would prove a financi
  • by RonBurk ( 543988 ) on Tuesday April 06, 2004 @04:26PM (#8784202) Homepage Journal
    While there's unlikely to be a silver bullet for spam, greylisting combined with a honeypot rbl is likely as close as you can get. People usually criticize greylisting without grasping that it's only one-half of what's needed for effective and completely automatic spam elimination, with 0 rejection of legitimate mail (the 0 assumes no legitimate sender uses an MTA that can't retry, but that's close to true).

    Step 1: Salt the spammer's email databases with guaranteed bogus email addresses that no legitimate email sender has ever seen. This is currently trivially implemented as follows. In your website's robots.txt file, list several files that robots must not examine -- these are your honeypot. Then, fill those files with HTML that contains your bogus email addresses. Spammers will, quite reliably, disobey the robots.txt file, use it to discover HTML files that are not linked to from anywhere else in the world, and add your bogus mail addresses to their database.

    Step 2: Implement greylisting + honeypot-based RBL. When email arrives that is not whitelisted, see if it comes from an IP address that is "temporarily" blacklisted in your RBL. If it is, you can reject it right now. Otherwise, see if the target address is in your honeypot database. If it is, add the sender's IP address to your RBL and fail immediately. Otherwise, engage the now-classic greylisting algorithm (see to "tempfail" the email. The point of the temporary failure is to give the spammer time to use the same IP address to send the same spam to an address that *is* in your honeypot database, so you can then proceed to reject the retry of the spam to a legitimate email address).

    • requires no per-user work, such as "training" of filters.
    • requires no changes to any software, except MTAs (and only a handful of them handle most of the world's software). no new laws.
    • no false positives. to get blacklisted you *must* have transmitted email to an address that could only have been obtained by illegally harvesting a website.
    • even compromised home systems are not terribly harmed. if a spammer takes over your home computer and uses it, well, the IP blacklist need not be permanent, just long enough to cover a single spam run -- a few days is probably plenty. if the spammer is blasting out runs from your home computer continously, well then you have worse problems than finding yourself unable to send email to GrandMa.
    • not easy to defeat. right now, anti-spammers must work very hard to locate the "real" email amidst all that spam -- and never, ever mistakenly reject a "real" email. greylisting plus honeypot RBL inverts the equation. the spammer must make sure that not a single "bogus" email address is anywhere in his database! spammers are ingenious, but developing absolutely perfect lists of legitimate email databases is something they have no experience with so far.
    • no restriction of free speech. total whacko strangers who aren't spammers can still send you email -- it may just get delayed for an hour or so (a fact which is totally true already).
    • nobody makes any money off it. you don't have to pay anybody, except for the effort involved in setup and maintenance (a fraction of the total time wastes on spam currently).
    • computationally cheap. most MTAs are already looking up IP addresses and target addresses in databases. cost of this scheme should not greatly slow down most MTAs. especially compared to content-examination schemes such as Bayesian filters.
    • no judgement calls in blacklisting. no third party has to decide what is spam and what is not. the rbl in this scheme is totally generated from absolutely bogus email addresses -- the only way you can get in the rbl is to flat-out declare yourself a scumbag by sending to one of those illegally obtained addresses.
    No scheme is perfect, but greylisting combined with an RBL that is derived solely from bogus email addresses is pretty damn good.
  • by chill ( 34294 ) on Tuesday April 06, 2004 @04:43PM (#8784442) Journal
    The section on Colin Fashey's site, way down at the bottom, that reads "Basic operation:"

    You have to authorize each sender? The sender computes a code to send you mail?

    Right. Most people can't get the clock on their VCR to stop blinking. This ain't gonna happen.

  • by Rimbo ( 139781 ) <rimbosity&sbcglobal,net> on Tuesday April 06, 2004 @06:05PM (#8785565) Homepage Journal
    From TFA:

    Salting the message with random words thwarted Bayesian filtering.

    It did? Apple's uses a Bayesian filter, right? Salting messages with random words haven't thwarted its filter at all. I might see a couple or three spam every week, but considering that's out of hundreds filtered per week with no false positives, I can live with that.

    He also makes the following curious claim:

    Reasons why content analysis can fail to control spam include:

    (1) Ultimately, only a message recipient can decide, based on content alone, whether or not a message is desired.

    Is this really a problem? I'd say this is one of Bayesian filtering's advantages.

    So far, Bayesian filtering has worked wonderfully for me. I don't see that it's been defeated -- or will ever likely be truly defeated -- at all.
  • by jemenake ( 595948 ) on Tuesday April 06, 2004 @06:26PM (#8785783)
    From the article:
    The formula is generated by the receiver and given to the sender by some "secure" mechanism (which can be as casual as a face-to-face conversation, phone call, postal mail, facsimile, or even conventional e-mail or web page).

    Okay folks... move along... nothing to see here...

    Does the author really think that I'm going to exchange formulae with everyone I want to exchange e-mail with? Even if the client software made it as easy as "pairing" bluetooth devices... ugh!

    Every time I see one of these doomed-to-fail spam stopping schemes, I become more and more convinced that the only way that this problem is ever going to get solved, permanently, is with certificate-signed e-mail. Basically, e-mail client software would cryptographically sign each sender's outgoing mail and the receiver's software could check that their cert was signed by a trusted certificate authority. Most software can already do this; all you need to do is go get a certificate.

    Ultimately, it would probably be left up to the individual receiver as to which certificate authorities they wanted to trust (ie, PGP's "web of trust"). But, for the most part, I think most people would default to trusting a handful of "big" cert authorities. On the face of it, there is some loss of privacy, but the loss of privacy would be in proportion to the clout of the CA that signed your certificate.... which, in turn, would be in proportion to how reliably you wanted your e-mail to be delivered. So, the sender would still get to pick how much privacy they sacrificed.

    But I just see no other way to stop spam than this. Certificates would add a high degree of confidence that the sender could be reached (either by the receiver or by law enforcement)... and "reachability" is the first step towards accountability. Now, for the cases where someone managed to get an certificate with bogus contact info... well, that's what certificate-revocation lists are for. Basically, it's not really different from the IP blacklists that we're using now, except it would (hopefully) be a lot harder to obtain a new certificate than it is to obtain a new IP.

Exceptions prove the rule, and wreck the budget. -- Miller