That doesn’t mean it’s not going to work; it’s just an added incentive to have better security. It wouldn’t even be a new problem; it’s just another guise of Being Hacked. I guess it’s not unheard of to be hacked, but when it’s important not to be (for instance, when money is involved), people seem to manage all right by taking the appropriate precautions.
I actually don’t know enough about the technical details of this hijacking business to state how to prevent it, but it seems absurd to me that it wouldn’t be completely preventable by prudent design. If there were money involved, people would certainly be more careful about it. Actually, on reflection, I think a simple encryption scheme (e.g., RSA) could be used to make sure that the person sending the email matches the account being used to send it.
Well, although we have no idea how this proposal scales, or how much load proportionally it will place on servers (remember that spam by some estimates constitutes a third of email traffic, so there are computational gains to be had as well), let’s consider this. If true, then the system would have to be an end-to-end proposal and not something that relies on the nodes. It doesn’t matter where email is inserted into the system; the email still needs to have a proof of computation if it is to be accepted by the client, which if properly designed will not be achievable without actually doing the computation. Certainly, this won’t stop it actually being sent, but if the mail is never read then spammers will stop sending it; even spammers need margins.
I don’t know if this is exactly what you mean, but you raise what is to my mind the crippler for this scheme: compromised PCs. If recent reports are true, and a large proportion of spam is now being sent by compromised home PCs, then why do spammers care what load they place on their hosts? Assuming they control sufficient desktops, they can send as much as before, complete with valid proofs, and Johnny Didntpatch will just wonder why his spanking new P4 is running like a dog. I don’t particularly see any way around this, other than eliminating compromised machines, which is hardly a less difficult task than solving spam in the first place.
Well, I just don’t see how. It’s clear to me how browser bundling worked, and how Office became the predominant work software, but I simply don’t see how MS can force the entire world on to a closed system of their choosing without a concerted and vigorous act of mindblowing stupidity on the part of a) every other email vendor in the world and b) every user who presently doesn’t use an MS client. It is very easy to say “MS will hijack X”, but really, they don’t have magical powers. Look at their notable failure to sew up the smartphone market, or the set-top-box market, or the games console market. In areas over which they have no obvious form of control, they are forced to win by supplying a superior product, and in all of the above examples, they have failed to date (Xbox maybe excluded). Like I say, not magic.
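The client-side proof-of-computation check discussed in the post above, as an added example that is not part of any post in this thread: a hashcash-style stamp that costs the sender many hashes to mint and the receiving client one hash to verify. The thread names no concrete scheme, so the stamp format, field names, difficulty and addresses here are assumptions.

```python
import hashlib
from itertools import count

BITS = 16  # assumed difficulty: ~2**16 hashes to mint, a single hash to verify


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(recipient: str, date: str, bits: int = BITS) -> str:
    """Sender side: brute-force a counter until the stamp hash has `bits` leading zeros."""
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp


def verify(stamp: str, my_address: str, today: str, seen: set,
           min_bits: int = BITS) -> tuple[bool, str]:
    """Receiving client: accept only fresh, unspent stamps minted for this mailbox."""
    try:
        bits_s, date, recipient, _counter = stamp.split(":")
        bits = int(bits_s)
    except ValueError:
        return False, "malformed"
    if bits < min_bits:
        return False, "claimed work below policy"
    if recipient != my_address:   # a stamp cannot be reused for another mailbox
        return False, "wrong recipient"
    if date != today:             # old stamps cannot be stockpiled
        return False, "stale date"
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False, "insufficient work"
    if stamp in seen:             # the same stamp cannot pay for two messages
        return False, "replayed"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    spent = set()
    s = mint("alice@example.org", "20240101")   # constructed sample values
    print(s, verify(s, "alice@example.org", "20240101", spent))
    print(verify(s, "alice@example.org", "20240101", spent))  # second use is rejected
```

Because the check runs in the receiving client, it holds regardless of which relay injected the message; it does nothing about stamps minted honestly on compromised machines.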
Well, God knows how much I just luuuuuuvvvvv spammers :rolleyes: but this pay-per-email proposal sucks! I already pay for internet use each month, why should I have to pay extra to send emails? :mad: Somehow the idea of my hard-earned nickels and dimes going into Bill’s pocket doesn’t appeal much to me. Maybe the email stamp system could be set up on an OPTIONAL basis, but my solution to spam has been the “delete” button.
We pay for the enterprises of criminals all the time. Higher prices, higher insurance premiums and time spent jumping through security hoops everywhere from airports to sporting events to office buildings, all of these tolls are taken on the average citizen because of those who abuse systems and trust and most importantly, their fellow man.
With anything that makes the regular folks do anything such as paying “postage” or giving up a processor cycle or identifying themselves as trustworthy to a third party, the onus for “cleaning up the spam problem” is put upon the entirely wrong people.
I should not have to do anything to make it harder for criminals in China and Russia – or using servers there – to send me fake home mortgage offers so that they can steal my identity and sell it on the international criminal black market. I should not have to vet my children’s e-mail (which I eventually will, no doubt) to be sure that some sick son of a bitch hasn’t sent out an invitation for them to see the latest in teen bestiality with a few photographic “enticements” to sweeten the offer. My friends and colleagues shouldn’t have to identify themselves to the satisfaction of some arbitrary system (at least one of which currently uses a system which is inaccessible to those with visual impairments) in order to reach me, nor I to them.
I have SpamAssassin running on my server. I automatically kill file e-mails before I ever see them based upon their matches to some fairly stringent and frequently updated filters and/or the fact that they’re addressed to compromised addresses on my domain. (The ones that people put up on websites before it became obvious that spambots would suck them up and then it was a done deal.) It’s still more than I should have to do.
Not only should forging any portion of a header be a crime in every country in the world, running an open mail server ought to be punishable with confiscation and massive fines. Then we might see some progress.
Well, in this context I think it’s the open relays that allow spammers to ping out mail anonymously. Not really a good thing but I’d settle for them being disconnected until they sort themselves out. However, this (and more drastic measures like confiscation etc.) will never be enforceable since most of the spam I get comes from places like Korea and Mexico, neither of which seems to have particularly rigorous approaches to policing their networks. There’s always going to be some network/ISP/country that won’t play ball, so legislation seems to me to be doomed, unless the goal is merely to shift spam off-shore.
Anyway, for anyone still interested there’s a very good summary of some infrastructural anti-spam options here. As you can see, pretty much every potential solution has pros and cons. My personal preference is the cryptographic one, since multiple CAs would be forced to distinguish themselves in terms of the rigorousness with which they enforce their terms and conditions; CAs who certify spammers will rapidly and easily be blacklisted whilst those who go to the trouble of responding to behaviour complaints will gain a reputation and hence customers. Not only this, but ubiquitous certification would have a wide array of applications beyond spam prevention (not least virus avoidance, say). The worry that one CA will end up with too much power is probably the main concern, but if an open certification standard is used, this ought to be preventable. Incidentally, this is one area where we should be worried about Microsoft stealing a march. They’ve been slowly morphing their hotmail accounts into “passports” for some time now, and pushing the idea that they give you access to all sorts of services into the general consciousness. I certainly don’t want MS holding a monopoly on certification; but then the same can be said of Verisign.