I do a newsletter for my neighborhood, which I then distribute via e-mail to my neighbors. The last time I sent the newsletter out, one bounced back to me with a note requesting more information. It said I wasn’t on Mr. Jones’ list of people whom he would accept e-mail from, and did I want to request permission? There was a short questionnaire where I could tell him my name and purpose. Mr. Jones then presumably got an e-mail with my response and he could decide whether to accept it.
Sounds like a reasonable plan to me. Painful at first, but once spammers got the idea that virtually no one was going to be reading their request for Nigerian funds, they’d (we hope) find a new occupation.
So you’re saying that if authenticated mail becomes the standard, and it is tied to Windows, that means that no other OS’s will be able to send authenticated mail, and that’s okay?
No; sorry, the second sentence was a bit of a non sequitur. I’m saying that I see no way that Microsoft can tie this to Windows. I’m saying that it is a group choice that needs to be made, and even Microsoft do not have the power to make that decision for everyone. Because it is such a fundamental infrastructure shift, it simply cannot be forced on the world from the client end. If sysadmins can not be persuaded of the system’s benefits, they won’t roll it out. If not enough people use the new system, people will continue to use Olde Email.
Essentially, if they make this system proprietary, it’s not going to work with most of the world’s systems, and thus it will fail because who in their right mind is going to block half of their friends from emailing them? If they make it open, then there won’t be a problem because any old Joe can implement a compliant client. Like I say, I dislike this system from a technical point of view (for example on account of the bona fide mass mailing and webmail issues raised above). I favour a trusted certification scheme, although this is also a paranoiac’s wet dream. What I’m trying to point out is that absolutely any technical solution to spam can be twisted to make it look like someone is trying to screw us. It’s beginning to get on my tits, and I’d like there to be a spam solution in the near future without too much hysteria.
Causing my computer to use its processor to do work for someone else constitutes theft of services, since I already have a use for my ‘extra’ processor cycles. I use them to solve problems that, in the background either make me money or are used for scientific research purposes.
Don’t get the idea that by using my electricity, and my processor, without my consent isn’t ‘payment’. However minute the amount, I’m being forced to pay for something again that I have already paid my ISP for: the bandwidth my traffic uses. I buy bandwidth from my ISP. The nature of the packets traveling over it is of no concern to the ISP or Bill Gates.
There is also the problem that not many spammers use outlook, hotmail, yahoo, or other “popular” ways of sending e-mail. They use Massmail, Atomic Mail or some other software designed to mail in bulk.
As long as the standard e-mail protocol stands, you can’t stop it.
So, they invent a new process. A server that requires something be done before the mail is sent (math problem, some verification, whatever) it STILL has to be backwards compatible to receive e-mail on the old system. So you’re still getting stuff sent out through Massmail. The only difference I see under a newer system is less e-mail from my mother who has a hard enough time figuring out e-mail.
Let’s say the entire system changes overnight. There is nothing from stopping Spammy Sam from getting a domain, setting up his own server, writing a script that sends data out on the new systems protocols and mass mailing a billion users about the wonders of OTC Viagra.
The only way to stop spam is to create better client end software to ignore it and train users to no longer respond to it and NEVER EVER buy anything because of spam. The entire business end of spam needs to dry up before it goes away.
ISP have to take matters into their own hands as well. While spammers can (and do) set up their own servers, ISP’s have to make sure they can not use theirs. I kept watch over mine. I required users to verify username/password before sending mail -which is a setting most clients have these days. I also denied bulk mailing at the server level. The server simply would not mail out more then 50 messages from a single user in one session -unless of course that users name was “root”
Okay, so let’s say I use something like this to send a mail. I click Send, and the mail client contacts a distributed computation service (let’s say Folding@Home). Folding@Home sends my computer a chunk to work out, which it runs through and sends back. Now, how do we authenticate this email on the remote end? We can send the chunk and the solution along with the mail. This would be trivial to forge, as there’s no way to check to see if that particular chunk has been solved already. In fact, a “chunk generator” could be written by one of the spam-meisters to create a chunk, solve it itself, and then use that as forged authentication to spew forth the pork product.
The other solution I see to that is to have the remote end (or the remote end’s ISP) contact Folding@Home to see if that particular chunk had been solved before. That would mean for every email sent, Folding@Home would have to check through all processed chunks to see if that particular one had been solved recently, as opposed to one solved last month or last year (which a spammer had saved or downloaded elsewhere). I am not a computer scientist, but I can see how this could quickly become more trouble than it is worth for Folding@Home, or any distributed computing project for that matter. It only becomes worse for them as the spammers try their forged chunks, old chunks, etc.
I definitely agree with disliking the technical aspects of it. However, when has Microsoft ever made anything open? Seriously, I’d like to know.
I think spamming is currently at relatively low levels.
Can you imagine if email was organised, structured, financed, etc more than it is? As others have said, suddenly “interest groups” and “marketing ventures” would be granted the equivalent of 1/100th of the charges that the average person would pay for an email.
Judging by the amount of crap I get in my street letterbox, as soon as email is a more structured environment, I’m going to get gazillions more than the odd one or two pieces of spam I currently get per month. And companies will be overcome with it.
If my physical letterbox, telephone and fax machine can be raped, why on earth do people think the online version will be any different?
And how do you propose that can be accomplished? Do you need every e-mail server to be able to check the “proof of computation” against whatever that needs to be computed? That would be idiocy if not lunacy.
Hm. You mean each node on the relay path will have to do all the verifications?
I change my characterisation of this scheme. This is complete and utter lunacy, there’s no other way to describe it.
What on earth are you talking about? That’s only one e-mail standard right now, that’s how all these various servers can operate together.
Theft? This is what I mean by an overreaction. No-one’s “stealing” your cycles, just in the same way that when you post a letter no-one’s “stealing” your money. You are paying a small cost to create a system with less spam. There’s not even a suggestion that you’d be doing work for Bill; the computation is intended as a proof of motive, no more, no less. If you’re really that up-tight about your precious cycles, then you can continue to use a system overrun by Viagra spam. It’s your choice.
Seven, the point is that spammers on the old system can be ignored because if someone is not providing proof-of-motive, then they are likely to be a spammer. Obviously this assumption can only be made when most of the world is using the new system. So what you do is have a system which accepts both, but encourage people to filter out what doesn’t have a proof with it, and check it for real email periodically. I don’t see why you think that the spammers can spam just as much on the new system - the whole point is that the task of sending many emails becomes much harder due to the increased overheads.
Tentacle Monster, while this isn’t yet a concrete proposal, my understanding is that the task is negotiated between the email endpoints in some manner, not that the sender says “oh, yeah, I did some work, honest”. Task negotiation is obviously a major component of the system, and it’s wrong to assume that it’s left to the sender to make up a task. As for the trouble of verification:
I’m not aware of the precise technical details of the proposal, because I don’t think they exist yet. However there are numerous problems which are non-trivial to solve but trivial to verify. For example, take the factorisation of large numbers. It’s not easy to perform, but once the factors are obtained it’s extremely easy to multiply them together to verify that they equal the original. I also don’t know if every node needs to be able to check the computation, or who defines the task to be performed. Like I say, I’m not trying to argue that this is a marvellous technical solution, just that the mere mention of it shouldn’t make everyone wet themselves with fear.
Yes, one email standard, huge variety of email software. That’s the entire point. Bill can not drag the entire world off an absolutely ubiquitous open standard by proposing a closed one, because of the vast variety of email infrastructure over which he has absolutely no control.
Well,. considering we don’t have a clue what the mechanics of the idea are at this point, I don’t see a need to go too much into detail on speculations.
But, if the new system is sending a variation on the old system, and the client software and servers are just looking for a flagged field in the header, this method wouldn’t last long. Massmail just creates a new client that automaticly flags the field as billion e-mail get sent out.
IDNHACSD (yet), but how will this keep backwards compatibility? I mean, I’m typing this reply on a very old Pentium III computer with roughly one tenth the computing power of my box at college. 100 seconds to send an email on this doesn’t sound good to me, and that will only worsen as Moore’s law marches onward. What kind of computation time / processor speed could we adopt to keep old fogies like this machine working while still keeping spammers from mass-mailing?
I think having email stamps is a bad idea, not least because it requires creating a new central bureau of some sort that collects postage and uses it for…what do they use it for? And what do we owe them, exactly?
I think the best solution I’ve heard (also proposed by Bill Gates, as far as I know, although I have no cite at the moment) is instead of having to buy postage to send emails, you would have to pay the recipient a small fee. However, as a recipient, you would be expected to send back any fees associated to legitimate emails, so it would cost nothing to send emails to your friends because they wouldn’t make you pay. However, you would keep the fee paid to you for spam, so spammers sending millions of emails would quickly find their practice unmanageable.
Like the puzzle idea, that one doesn’t require centralization, and I’m all for that. The puzzle idea doesn’t seem too bad, but as people have brought up, there’s a pretty large spread of processor speeds out there; it would be annoying or impossible to send emails from, say, a handheld or whatever. This would be okay if everyone using one of those had a fast “backup” computer they could access to solve the authentication puzzle, but that’s far from ideal. Also this is a minor point, but although there are thousands of problems that seem nontrivial to solve but are trivial to verify, not one problem has actually been proved to have this property, so our belief in the validity of an authentication system based on such problems would would require some faith (unless someone were to come up with a proof!). Again, a very small point.
The advantage of puzzle-based authentication is that it probably wouldn’t require as drastic a change as having to send payment with each email, but I think either one is preferable to doing nothing.
I’m all for paying on a per e-mail basis. I like the idea about paying the recipient. If you think about it, you would only need a penny per e-mail to have the intended effect of stopping mass spam in its tracks - I’d be happy to pay up to a nickel or more per message. On the business side, they are worth considerably more than that. On the personal side, you would have the option to refund payment. This could have even further reaching benefits - imagine message boards which were not free to post to - you would cut down considerably on the number of “me too” posts, leading to a higher quality of content. Legitimate business marketing via e-mail could still exist, but would be subject to the laws governing advertising by other methods - specifically, it would only be cost effective to market to a relevant audience, since you are paying for the privelege.
It looks like the cure is worse than the disease. Sure, it is simple to do some multiplications for one message, but the work is in addition of everything else. Multiply the whole thing by a factor of a million (or more), and the overhead just completely stops the servers.
You have to have every node do the computations, because each route is not a closed pipe. E-mail messages can be inserted at every point, and it is possible to hack into a server to upload tons of spam.
Hm, to implement this idea, you need to get a new standard. Surely MIME wouldn’t work. Since there is only one standard, MS can hijack it - or at least attempt to.
This is not going to work, either. You are assuming that spammers use their own servers, but they don’t. They hijack other servers to do their work for them.
