Is it possible to rebuild the nature of email to stop spam?

With the onslaught of spam not getting any slower, is it at all realistically possible to abandon the current method of email and bring in an entirely new, more secure, method that will arm us against junk more effectively?

Or is it inevitable no matter what method email is sent via?

For that matter, is it likely a new email system would be accepted, or would we all just cling to the legacy system?

I think we are little monkeys who will refuse to let go of the buggy as hell email system we have in place now …

I for one would absolutely love some way of eliminating spam. I have a private email address that is not given out other than to my very good friends, but unfortunately there are about 6 people I can’t give it out to as they have this really bad glurge habit and can’t seem to get the hang of blind CCing :frowning: and I can trace where my spam comes from by what address the spam arrives at.

I think literally the only way we could end spam is either make it impossible to send an email to more than 5 people at a time, with a ‘refresh’ of 10 minutes before you can use the email program again, or some form of monitoring and licensing commercial emailing, and some form of do not email list, with prosecution of people spamming the do not email list. Neither of these will happen IMHO.

As a commentary aside, I have been online since 99 or 2000, and while still on dial up, I pretty much refused to do email or lists online [like Baen’s Bar or reading my email online instead of POPing it] because it was so damned slow. I have noticed that I am now not reluctant to read lists and email online because tech has advanced to where it is fast now. I could see a lot of email lists going away and people joining social lists, like the SDMB or Baen’s Bar, or Yahoo Groups. Facebook is sort of that process. I know a few people where I used to work that do not respond to personal email, all their online life takes place on Facebook. They chat there, game with each other, share pictures … I would be willing to bet that there are a lot of people who would buy something like an Asus netbook with the little webcam if someone came up with a dedicated Facebook addition, where all they could literally do is Facebook, no email, no spam, just a webportal for surfing to buy - though the web merchants would have to add an option, notification in Facebook instead of by email.

I get more calls at my business from telemarketers than from customers. Lots of people get more junk mail than personal mail. And there was a time when some people got more visits from door-to-door salesmen than from people they knew. If you are publicly accessible to others, those others are going to include irritating salespeople in some form.

It’s not just the email system that is the problem. It’s all of the compromised computers that are part of the botnets sending all the spam. Even if you had a secure email system or a pay-per-message system, those compromised computers would still be used to steal account information from the users to send spam from those accounts instead of just sending spam directly.

So I think the first step is eliminating malicious software. Unfortunately that’s probably impossible.

Whatever system you devise, someone else will figure out a way around it. That’s just human nature. Otherwise we’d still be using transposition and substitution cyphers to relay messages concerning national security.

The best way without significantly harming existing software to reduce spam (especially botnets) is to add an authentication line to email headers with a signature/checksum encoded into it. The receiving mail server checks the signature against the certificate authority and can verify that it really came from that registered source. (Doing this in practice requires doing several quite technical things right.) Such certificates would be unforgeable.

The user can specify where uncertified email goes (treated normally, sent into the spam folder, deleted). As more and more systems adopt it, the more gets marked as deletable. At some point the major players stop allowing uncertified email thru.

This plan has been around for a long time with several systems proposed. The problem is that the major players cannot agree on a single system. MS of course is the major difficulty. They want everyone else to use their proposed system (and pay money of course) while most of the others want to use one of the freely distributed methods.

Note that this wouldn’t stop the 10 emails a day you get from a “legitimate” site that you gave your email to and which refuses to remove you from their email list. In theory the system could be amended so if a certain number of people complain that an emailer is spamming then their certificate gets removed. But in practice, businesses would oppose allowing this.
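As an added example that is not part of the thread, here is a minimal sketch of the header-signature check and the recipient-side routing described in the post above. It uses an HMAC with a per-domain key as a stand-in for a public-key signature and certificate authority lookup; the header name `X-Auth-Signature`, the registry, the key and the sample message are all constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed registry (sender domain -> key), standing in for the certificate
# authority lookup; a real scheme would publish public keys, not shared secrets.
REGISTRY = {"example.org": b"constructed-demo-key"}
SIGNED_HEADERS = ("From", "To", "Subject", "Date")
AUTH_HEADER = "X-Auth-Signature"  # hypothetical header name


def _digest(msg, key):
    """MAC over the signed headers and a hash of the (single-part) body."""
    parts = [f"{h.lower()}:{' '.join(str(msg[h] or '').split())}" for h in SIGNED_HEADERS]
    parts.append("body:" + hashlib.sha256(msg.get_payload().encode()).hexdigest())
    return hmac.new(key, "\n".join(parts).encode(), hashlib.sha256).hexdigest()


def sign(raw, key):
    """Sending server: add the authentication line to the headers."""
    msg = message_from_string(raw)
    msg[AUTH_HEADER] = _digest(msg, key)
    return msg.as_string()


def verify(raw):
    """Receiving server: return 'verified', 'uncertified' or 'forged'."""
    msg = message_from_string(raw)
    domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    key = REGISTRY.get(domain)
    if msg[AUTH_HEADER] is None or key is None:
        return "uncertified"  # no signature, or sender not registered
    claimed = str(msg[AUTH_HEADER]).strip().encode("ascii", "replace")
    return "verified" if hmac.compare_digest(claimed, _digest(msg, key).encode()) else "forged"


def route(raw, uncertified_policy="spam"):
    """Recipient chooses where uncertified mail goes: 'inbox', 'spam' or 'delete'."""
    status = verify(raw)
    if status == "verified":
        return "inbox"
    # Dropping mail whose signature fails is this example's assumption.
    return "delete" if status == "forged" else uncertified_policy


# Constructed sample message.
SAMPLE = ("From: Alice <alice@example.org>\nTo: bob@example.net\nSubject: Lunch\n"
          "Date: Mon, 01 Jan 2024 12:00:00 +0000\n\nNoon at the usual place?\n")
```

Because the signature covers the From header and the body, changing either after signing makes `verify` return `forged`, while a message with no signature at all falls under the recipient's own policy.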

Well that would be fine of course so long as the sender is verified. I can always blacklist a particular sender myself; it’s the spam with forged headers that such systems have always been meant to prevent.

That is so needlessly complex. You can just extend CloudMark’s system of voting. Cloudmark members vote on which emails are spam, collectively teaching the filter how to distinguish them. (I believe many webmail services, like GMail, do the same thing, but possibly not your corporate email.) This works very well. To improve on it, you can certainly change the system to better track where emails are coming from, stop the forging of From fields, and enact other facets of a sensible protocol. This would plug the last gaps.

It’d be nice to charge a tax of $.01 or so on each email. Even legitimate mass email from companies is so cheap there is little incentive to cut back.

Of course the fee should be higher for my cousin who just sent me the Neiman-Marcus cookie recipe tale.

If email had been designed to be encrypted by default with a digital signature that cannot be forged, things would not be as bad as they are today.

Part of the spam problem and the newer problem of phishing is due to the fact that it’s easy to send a message that appears to come from someone else. Close that door, and it becomes easier to block a lot of spam.

But that can’t stop it completely. Since we want the ability to initiate an email conversation with someone we haven’t yet met, we will always be open to unsolicited mail. No automated system, no matter how complex will ever be able to sort all the messages 100% accurately.

Look, some people, believe it or not, actually are interested in buying Viagra over the Internet. So what is clearly spam to most people isn’t always spam to everyone.

Problem with this is what happens when someone hijacks your PC (via a virus for instance) which then spams e-mail. First you are aware of it is a $1,000 bill for sending 100,000 e-mails.

Can I opt out of all this so I can still get my newsletters, ads, press releases, etc. without Nanny “protecting” me from my vendors and customers?

I’ve had WAYYYYY more trouble from over-zealous spam fighters keeping me from getting legitimate email than I ever have from spammers.

Don’t you dare assume all mass mailings or all advertising is unwanted.

I’ve asked this question before on several technical boards and the answer is always “yes it would be possible to create a better email system,” but the problem is there is too much now.

So it’d be creating a new system while still using the old one.

Of course in any discussion someone always chips in, “It really doesn’t matter, 'cause eventually someone finds a way to crack it.”

Now I think that has some validity to it. For instance, the Digital Rights Management scheme for WMA format has never been “cracked”. Why? Probably not because it’s so secure (which it is) but there’s no point to it.

If you have a WMA that’s DRM protected, just burn it to a CD then rip the CD and the WMA protection isn’t there. Simple right? So why bother writing a code to crack it?

And on the flip side there are people who love to “reverse engineer” things. That’s how you get cracked codes. “Geeks” take the final product and work backwards.

To them it’s like a hobby like knitting or putting a puzzle together.

Which might not actually be so bad, in the long run. It is possible to make a computer system secure, and it’s not actually all that hard, but very few people bother to do so, since there’s no penalty to them if they don’t. As it is now, the people who do bother still suffer from the actions of those who don’t.

These methods wouldn’t block them, since these mailings actually come from the companies claiming to send them, so the certificates will match and they will get through. Or they can pay to send them (the amount I’ve seen is a lot less than a penny a message). I prefer certificates myself.

The way I prefer is to drop this newfangled domain addressing and require explicit paths. No spam then since you always knew exactly where your mail came from and backbone servers could block spamming machines very easily.

And you newbies can get off my lawn
(ihnp4!erc3ba!voyager)

I’ve heard some people suggest a system whereby every email sent has a small refundable cost associated with it, say ten cents. When the person at the other end actually opens the message, the fee is automatically refunded. Thus, sending legitimate emails generally costs nothing (though you now have an extra reason to be pissed at friends or co-workers who don’t read your emails!), but mass mailing on this system becomes prohibitively expensive.

Of course, there are some serious problems with this idea:

1. It requires that financial information be tied to an email address. There goes all the freedom and flexibility of email.
2. Large but perfectly legitimate mailing lists could become extremely expensive. If a hundred thousand people sign up for your weekly newsletter, but on average only half of them open it each week, it costs you $5,000 a week to maintain it.

In reality, these and many other problems make the implementation of such a system as a replacement for email pretty much impossible. Even if somebody did build a refundable pay-per-message system, it would never get the kind of adoption necessary to replace email completely. Free, ubiquitous, anonymous email is just way too useful to be abandoned, and it’s those very strengths that make it vulnerable to mass marketing.

For myself, though, I just use Gmail for general-purpose emailing. Their filters are excellent. I’ve been using it since the initial beta back in 2004, and in all that time I’ve had maybe ten spam emails find their way into my inbox. I don’t recall any false positives, though after a while I just stopped checking the spam box. It’s like spam doesn’t even exist for me now. :slight_smile:

x2.

As someone that has worked in PR and Corp Comms, you need to be very careful how you define “spam”. Is it the press release that I send to 50 reporters and 100 analysts? What about very legitimate mail-outs - like the 300 emails I send to marketing managers to inform of sponsorship opportunities?

What about the opt in, 3000 pax mailing list - is that spam?

And yes, even if it is a mass mailing, some unsolicited offers I do want to know about. Like the database purchase offer I received yesterday.

Yep, but the hard part is getting everyone else to join you in your change. SMTP was written in a more naive time and did not have any authentication mechanisms for receiving mail. You could write a mail system that demands authentication before accepting mail but it will add complexity and the cost of change. SMTP competed with a lot of mail schemes but in the end it won because it’s simple and has been used as the traditional mail relay on the internet for quite some time.

That said, spam really isn’t such a big issue anymore because of blacklists and content scanning. The mail that you actually see in your inbox is a small fraction of the mail addressed to you. The spam you see in your spam box is a small percentage of the spam addressed to you too, it’s just the spam most likely to be real email.

I think eventually we’ll all be using some encryption/authentication scheme in our mail clients and all unencrypted mail will just be sent to junk automatically. No need to redo SMTP, we’ll just be using our existing tools smarter.

I promise I won’t assume that more than 99.99999% is unwanted. Deal?

I know that some of you will find this offensive or galling, but my opinion is that you just haven’t put into play your spam filters. I get very little spam at my real addresses, and I almost don’t know the problem that sparks this thread. Yahoo Mail has learned almost all the people I don’t want to hear from, and I’ve unsubscribed from the companies that I don’t want to hear from again. I also use a dummy address for all the forum signups and so on that I don’t trust.

What are you doing that is opening you to this torrent of spam? Keep blocking the addresses, and IME, the spam will stop.