I know that our current system of email give spammers a lot of power to forge address and to send spam.
My question is with the technology we have today would it be possible to make a brand new email system, from scratch, which would render it impossible, or nearly impossible for spammers to forge. Also the system would have to be free like email is now.
Is this something that would be possible. I know they would never adopt a system, I just want to know if it’d be technically possible.
Well, you could make it a lot better.
For example, currently it’s pretty easy to forge the ‘from:’ address that you see on your email, so that it is different from the internal, actual from address. And internet nodes, and your email program pass the email on to you despite this obvious forgery. It would be technically easy to specify that each internet node, refuse to pass on such ‘forged sender’ emails – either discard them or bounce them back to the sender. You could also add this check to email programs. (In fact, in some email programs you can set up filter rules to deal with such emails.)
That could even be done now, fairly easy, technically. The problem is that many current email newsletters, mail lists, groups (yahoo groups), etc. send out their emails with a public ‘from:’ address different from the actual physical address that is sending the emails. They say there are technical reasons that make this better for them, and that it would be too much work to change it. (I don’t know enough about the technical details to know if this is accurate. But my opinion is that they better reconsider this – spam is becoming so overwhelming that people may stop getting email newsletters altogether – how much work will it take to recover once that happens?)
Spammers could still get around this with some work – put the same fake address in both the public and the internal from fields. But I think this would take a specially written ‘rouge’ email program to do this forgery. Which they could do on their own spammer machines, though that makes it easier to identify & blacklist their spam sources. It would make it harder to use armies of infected ‘bot’ machines to distribute their spam. which is becoming more common now.
Another technique to fight spam is sometimes called ‘hop verification’ or ‘verified source’. Under this, as an email hops from one node to the next along the internet, each node would check the ‘from’ address of each email, and verify that it correctly identifies the sender node. The originating node (your ISP) would check that the from address is a valid user account in its system. If an email fails this test, the node refuses to pass the email along. (Apparently, it’s technically feasable to do this. I don’t know what or how major the code changes to do this would be.)
It would still be possible for unknowing infected users machines to be robots generating spam emails, but it would be much easier to identify those machines and notify their owners that their machine has been infected.
These are a couple of technical possibilities that might limit spam.
Though I suspect the spammers would eventually figure out ways around these limits, too.
The real people who keep spam going is that 1/2 of 1% or so stupid enough to actually buy things from spam ads, or enter their information in response to an email from ‘their bank’, or who go out and invest in a stock because a spam email said it was soon to go way up in value.
One idea that’s been kicked around is to force email clients to solve a moderately difficult math problem for each email sent. Thus, regular users get a small delay and small CPU load, but spammers get a large delay and huge CPU loads. If you’re sending out a newsletter, be prepared for your system to take a hit, but if it’s to a reasonable number of people and with relative infrequency, it’s not too bad.
Another solution is to force the user to solve a problem that’s easy for humans but hard for computers. A good example is those warped up images, where users are asked to type in the letters that appear. Not a big deal each time you send an email… but an insurmountable nuisance for spammers.
I don’t read email newsletters, so I don’t care if they get stopped. Most people prefer blogs or wikis these days, or even news feeds that dynamically check for updates. Maybe newsletters should go that route.
I can’t necessarily speak for anyone else here, but frankly, I’d rather the spam than the nuisance of doing that. Those images are annoying enough on websites, and I would do less than one per month.
Trouble is that most spam is sent out from a distributed collection of trojan-infected machines that don’t belong to the spammer.
Yep, so the solution lies in cutting those infested machines off from the internet - a job that lies with the ISPs who provide the internet connections. Preventing residential internet connections from sending SMTP traffic outside of the ISPs network would kill off most of the botnet spam, without impacting the SMTP email infrastructure too much - certainly less than trying to get every mail client replaced with one that does maths and every server with code to check the maths.
We can’t stop the spammers by social means (CAM-SPAM act etc). We can’t stop spam by modifying SMTP, because the mass of installed systems is too great and we don’t have the ability to make every email client and server in the world upgrade. So we need to make it harder for spammers to do their thing - which means cutting off their distribution mechanism - trojan-infected machines on residential ISP networks. If ISPs took simple measures, easier than the measures they take to stop peer-to-peer networks, then spam volumes would collapse overnight.
I’ll stop ranting now.
Si