Discussion:
Thinking outside the box
Marc Perkel
2013-03-17 05:16:57 UTC
OK - let's think outside the box. Let's pretend email as we know it is
going away and we are going to create an entirely new system from
scratch. Nothing has to be compatible. How would we do it right?
Cedric Knight
2013-03-17 10:59:55 UTC
Post by Marc Perkel
OK - let's think outside the box. Let's pretend email as we know it is
going away and we are going to create an entirely new system from
scratch. Nothing has to be compatible. How would we do it right?
An invitation to brainstorm and daydream? Why not?

I think you'd be looking for a means of private communication that is
flexible, administratively simple, not tied to any particular provider,
but which is free to require more modern processor resources and
connectivity than SMTP. I'd suggest a decentralised web of trust where
each address is linked to a public key (as at present there would be a
potential many-to-many relation between address and individual, but in
most cases one address is one individual). One recipient site may
choose to trust a given academic institution's key with trust 0.9, which
trusts most of its students with trust 0.9, which to the first
(recipient) site means 0.81. That institution has the responsibility of
publishing its trust level for compromised student accounts, but that
doesn't stop any other site also having an opinion (equivalent of RBLs).
Similarly, default trust levels might be 0.5 for a good
freemail/free-ID provider (if such things are even needed), which might
trust new accounts starting at 0.01 until behaviour (such as two-way
correspondence with trusted accounts) earns them trust.

Trust and behaviour is computed during initial handshake from the
supplied public keys of sender and authorities, and anything below a
given level is rejected with immediate feedback to sender. (Recipients
could also choose to trust a memorable plaintext address, name or number
for a given period if expecting mail from a physical contact, as a
convenient alternative to exchanging a key in person or receiving it
through a third party.) Direct delivery from client to postbox would
eliminate MSAs, store-and-forward and backscatter. Trust would be based
on cryptographic identity, not network topology, so would be adaptable
to transports other than IPv4.

That kind of thing, Marc?

BTW Thanks John for keeping the list going. I've lost my digest setting
from mailman, so sent "set asrg digest-MIME" to
***@lists.gurus.org. A footer would be good, and I suspect many
ex-digest users would appreciate to at least go "prefix".

C
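Added example (not part of Cedric Knight's post): a sketch of the transitive trust computation described above, where trust multiplies along a chain of vouching keys (0.9 × 0.9 = 0.81), the recipient's own opinion of a key replaces what any authority publishes, and a sender below the threshold is rejected at handshake. The key names, trust values and threshold are constructed; signature verification of each vouching statement is assumed to have already happened.

```python
import heapq
import math

# Constructed sample data: who vouches for whom, and how strongly.
# The names stand in for public-key fingerprints.
VOUCHES = {
    "recipient-site": {"university": 0.9, "freemail": 0.5},
    "university": {"student-alice": 0.9, "student-bob": 0.9},
    "freemail": {"new-account": 0.01, "old-account": 0.8},
}

# The recipient's own opinions (the RBL equivalent in the post). A key listed
# here gets exactly this trust, whatever any authority says about it.
LOCAL_OPINIONS = {"student-bob": 0.05}  # e.g. an account known to be compromised

THRESHOLD = 0.1  # assumed cut-off below which the handshake is refused


def effective_trust(root, sender, vouches, local=None):
    """Highest product of trust values over any vouching chain root -> sender.

    Runs Dijkstra on cost = -log(trust), so the cheapest path is the chain
    with the largest product. Returns 0.0 when no chain exists.
    """
    local = local or {}
    best = {root: 0.0}
    heap = [(0.0, root)]
    # Local opinions act as direct edges from the recipient's own key.
    for key, t in local.items():
        if 0.0 < t <= 1.0:
            best[key] = -math.log(t)
            heapq.heappush(heap, (best[key], key))
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, math.inf):
            continue  # stale heap entry
        if node == sender:
            return math.exp(-cost)
        for nxt, t in vouches.get(node, {}).items():
            # Published trust is ignored for keys the recipient has an opinion
            # on, and out-of-range values are never followed.
            if nxt in local or not 0.0 < t <= 1.0:
                continue
            new_cost = cost - math.log(t)
            if new_cost < best.get(nxt, math.inf):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt))
    return 0.0


def handshake(sender, root="recipient-site"):
    """Return (accepted, trust) for a sender key presented at connection time."""
    trust = effective_trust(root, sender, VOUCHES, LOCAL_OPINIONS)
    return trust >= THRESHOLD, trust


if __name__ == "__main__":
    for who in ("student-alice", "student-bob", "old-account",
                "new-account", "stranger"):
        accepted, trust = handshake(who)
        print(f"{who:14s} trust={trust:.3f} {'accept' if accepted else 'reject'}")
```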
Dan Oetting
2013-03-17 12:19:20 UTC
Post by Cedric Knight
Post by Marc Perkel
OK - let's think outside the box. Let's pretend email as we know it is
going away and we are going to create an entirely new system from
scratch. Nothing has to be compatible. How would we do it right?
An invitation to brainstorm and daydream? Why not?
Once you have secure private delivery of messages using public/private keys, you don't need to create a reputation system to decide what to deliver. Each recipient will have a personal contacts list and if the sender is not in that list the message won't be opened. This starts the new dream system with zero receipt of spam and therefore zero profit for spammers thus no spam. Every message can be received and delivered to the user's messaging agent.

-- Dan Oetting
Martijn Grooten
2013-03-17 13:28:41 UTC
Post by Dan Oetting
Once you have secure private delivery of messages using
public/private keys, you don't need to create a reputation system to
decide what to deliver. Each recipient will have a personal contacts
list and if the sender is not in that list the message won't be
opened. This starts the new dream system with zero receipt of spam
and therefore zero profit for spammers thus no spam. Every message
can be received and delivered to the user's messaging agent.
So that's kind of what sites like Facebook and Twitter already do with
direct messages: you can only send them to someone who has added you as
their friend or is following you.

It's true that would stop the bulk of the spam being sent.

It's also fairly trivial to build something like that on top of the
existing SMTP infrastructure.

It doesn't prevent spam sent via compromised accounts though.

It also kills a lot of the current uses of email, which depend on more
or less unsolicited emails being sent.

Martijn.

________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Marc Perkel
2013-03-17 14:04:35 UTC
ok - just a raw idea.

Suppose that instead of sending the email the sender sent the "envelope"
first which is an invitation. The recipient then "fetches" the email
from the sender's server in a separate transaction. No point in sending
the email if the recipient isn't going to read it.

The envelope can be replied to with "yes - send it to me" or "this is
abuse" or "block" or a number of other standard responses. It also lets
the sender know it was read. Forwarded envelopes would then communicate
back the new email address to the sender when read for those who might
have changed their email address. This could also be an optional way of
sending email.

This isn't entirely thought out but I just have a feeling this could be
worth considering.

All envelopes would be encrypted with a private key and the public key
would be found by DNS. This prevents spoofing domains. The email vendor
could include additional information fields like country or whatever to
help the user figure out if they want to retrieve the message.

Anyhow - just a raw thought.
mathew
2013-03-17 14:43:09 UTC
Post by Marc Perkel
Suppose that instead of sending the email the sender sent the
"envelope" first which is an invitation. The recipient then "fetches"
the email from the sender's server in a separate transaction.
http://cr.yp.to/im2000.html

mathew
John Levine
2013-03-17 17:14:30 UTC
Post by Marc Perkel
Suppose that instead of sending the email the sender sent the "envelope"
first which is an invitation. The recipient then "fetches" the email
from the sender's server in a separate transaction. No point in sending
the email if the recipient isn't going to read it.
That's basically the same as a per-user RSS feed with notices to look
at it.

If you do that, Tumbleweed's patent lawyers will want a word with you.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Barry Shein
2013-03-17 18:41:29 UTC
I don't think "there could be a patent issue with that" is a
reasonable counter-argument.

One could speculate on that sort of thing without limit.

And who knows the patent holder might well get excited by your great
idea which utilizes their patent in a new realm such as spam and fund
you etc. Or might donate that use as a public good or go red hat with
it, etc.

Heck, AT&T donated their patent for "independently updateable
rectangular screen regions" aka "windows" back around 1980 to the
public domain as one notable example. Granted they were legally
forbidden from going into the software business at the time but their
reasoning was reasonable, they felt it would do more good for AT&T to
let a thousand flowers bloom than to try to control and develop the
technology themselves.

It's a non-argument, patent owners LIKE when people come up with new
uses for their patents.

They just don't like it when someone uses that IP without their
permission. Period. That's all one can really say and it's kind of
trite to say.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
John Levine
2013-03-17 18:52:23 UTC
Post by Barry Shein
I don't think "there could be a patent issue with that" is a
reasonable counter-argument.
How about "the patent holder has a history of aggressively suing
anyone who they think violates their patent"?
Roger B.A. Klorese
2013-03-17 19:04:53 UTC
Post by John Levine
Post by Barry Shein
I don't think "there could be a patent issue with that" is a
reasonable counter-argument.
How about "the patent holder has a history of aggressively suing
anyone who they think violates their patent"?
How about "any defensible patent can be engineered around"? Unless you
think if it needs a lawyer you should skip it.
John Levine
2013-03-17 19:33:01 UTC
Post by Roger B.A. Klorese
Post by John Levine
Post by Barry Shein
I don't think "there could be a patent issue with that" is a
reasonable counter-argument.
How about "the patent holder has a history of aggressively suing
anyone who they think violates their patent"?
How about "any defensible patent can be engineered around"? Unless you
think if it needs a lawyer you should skip it.
Tumbleweed's notification patent is pretty good. I've looked at it.

Haven't you ever wondered why nobody has ever done the obvious hack to
send people a message to tell them to look for updates in an RSS feed,
rather than polling the feed? That's why.

Absent the notifications, RSS or Atom does everything you need. A
feed can be transmitted over https and can use passwords or client
certs to ensure that only the intended party can see it.
Roger B.A. Klorese
2013-03-18 02:51:09 UTC
Post by John Levine
Haven't you ever wondered why nobody has ever done the obvious hack to
send people a message to tell them to look for updates in an RSS feed,
rather than polling the feed? That's why.
No, because it never occurred to me that that would be valuable. But I
also know that the "send people a message to look" part must, in order
to be narrow enough to be sustained, also is likely to make room for
sending a different sort of message, or a different kind of link, or an
NNTP feed instead of an RSS feed, or something equally useful.
Dave Warren
2013-03-19 22:00:06 UTC
Post by John Levine
Haven't you ever wondered why nobody has ever done the obvious hack to
send people a message to tell them to look for updates in an RSS feed,
rather than polling the feed? That's why.
Maybe I'm missing something obvious, but isn't this the definition of
what Pingomatic, Feed Shark, and even FeedBurner's own Pingshot service do?

Or does the patent specifically cover email in some fashion?
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
John Levine
2013-03-19 22:34:31 UTC
Post by Dave Warren
Post by John Levine
Haven't you ever wondered why nobody has ever done the obvious hack to
send people a message to tell them to look for updates in an RSS feed,
rather than polling the feed? That's why.
Maybe I'm missing something obvious, but isn't this the definition of
what Pingomatic, Feed Shark, and even FeedBurner's own Pingshot service do?
Or does the patent specifically cover email in some fashion?
The patents cover notifications to recipients about documents intended
for them, not generic notices about public documents.

They sued Paypal and eBay and got what I gather was a fairly large
settlement.

Their oldest patent, #5,790,790, expires in August 2015. Start
planning now.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Barry Shein
2013-03-17 19:23:48 UTC
Post by John Levine
Post by Barry Shein
I don't think "there could be a patent issue with that" is a
reasonable counter-argument.
How about "the patent holder has a history of aggressively suing
anyone who they think violates their patent"?
Only interesting if one intends to violate their patent.

I don't think anyone has suggested:

We could mitigate the spam problem by violating the XYZ patent!

And unless they do I don't think pointing out that patent violations
could incur legal action is particularly interesting.

Suggesting we beat the crap out of spammers would also attract the
interest of legal authority. Doesn't necessarily make it a bad idea
tho probably more difficult to obtain informed consent in that case.

This reminds me a little of the earlier days of the web when I ran a site
which had a bunch of copyrighted material, music, photos, etc, the
topic was Rock & Roll.

I had written permission to use every bit of that material. I even
said as much on the site. Some of the copyright owners were materially
involved in the site.

Didn't stop the steady stream of random people with no interest in the
said copyrights informing me of the SERIOUSNESS of my alleged
"copyright violations" and demanding I respond to them with PROOF lest
they think of me as a CRIMINAL!

Possibly suggesting one might need to work with the owner of the XYZ
patent on that approach as a point of information might be useful,
without the legal drama.

And of course IETF's guidelines regarding patents and RFCs could be
reviewed or maybe better incorporated by reference.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Dan Oetting
2013-03-17 14:19:41 UTC
Post by Martijn Grooten
Post by Dan Oetting
Once you have secure private delivery of messages using
public/private keys, you don't need to create a reputation system to
decide what to deliver. Each recipient will have a personal contacts
list and if the sender is not in that list the message won't be
opened. This starts the new dream system with zero receipt of spam
and therefore zero profit for spammers thus no spam. Every message
can be received and delivered to the user's messaging agent.
So that's kind of what sites like Facebook and Twitter already do with
direct messages: you can only send them to someone who has added you as
their friend or is following you.
It's true that would stop the bulk of the spam being sent.
It's also fairly trivial to build something like that on top of the
existing SMTP infrastructure.
It doesn't prevent spam sent via compromised accounts though.
A compromised account will only be able to send messages to current contacts. When you receive one you flag that account as compromised and check it perhaps once a day to see if it's been secured. Since they are on your contact list, you probably have an alternate contact so you can call them up to offer sympathies and perhaps help get their digital life straightened out again.
Post by Martijn Grooten
It also kills a lot of the current uses of email, which depend on more
or less unsolicited emails being sent.
There are better solutions than unsolicited email. Many companies have already switched to using web portals for receiving communications. A portal could act as a proxy for the letter of introduction to create a new contact. Nothing says they can't continue to use email if someone wants to use it and deal with the spam problem. At least until the ISPs decide that there is so little non-spam email that it's not worth keeping the servers running.

-- Dan Oetting
Marc Perkel
2013-03-17 13:45:45 UTC
Post by Martijn Grooten
Post by Dan Oetting
Once you have secure private delivery of messages using
public/private keys, you don't need to create a reputation system to
decide what to deliver. Each recipient will have a personal contacts
list and if the sender is not in that list the message won't be
opened. This starts the new dream system with zero receipt of spam
and therefore zero profit for spammers thus no spam. Every message
can be received and delivered to the user's messaging agent.
So that's kind of what sites like Facebook and Twitter already do with
direct messages: you can only send them to someone who has added you as
their friend or is following you.
It's true that would stop the bulk of the spam being sent.
It's also fairly trivial to build something like that on top of the
existing SMTP infrastructure.
It doesn't prevent spam sent via compromised accounts though.
It also kills a lot of the current uses of email, which depend on more
or less unsolicited emails being sent.
Martijn.
________________________________
Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
You don't want to kill the ability of a stranger to contact you. If I'm
a vendor and I want new customers to email me then the system needs to
make sure that can happen.

I like this process - throwing out ideas just to see what sticks.
Dan Oetting
2013-03-17 15:17:03 UTC
Post by Martijn Grooten
Post by Dan Oetting
Once you have secure private delivery of messages using
public/private keys, you don't need to create a reputation system to
decide what to deliver. Each recipient will have a personal contacts
list and if the sender is not in that list the message won't be
opened. This starts the new dream system with zero receipt of spam
and therefore zero profit for spammers thus no spam. Every message
can be received and delivered to the user's messaging agent.
So that's kind of what sites like Facebook and Twitter already do with
direct messages: you can only send them to someone who has added you as
their friend or is following you.
It's true that would stop the bulk of the spam being sent.
It's also fairly trivial to build something like that on top of the
existing SMTP infrastructure.
It doesn't prevent spam sent via compromised accounts though.
It also kills a lot of the current uses of email, which depend on more
or less unsolicited emails being sent.
You don't want to kill the ability of a stranger to contact you. If I'm a vendor and I want new customers to email me then the system needs to make sure that can happen.
I like this process - throwing out ideas just to see what sticks.
If you want a wide open receiver you can have it. If you can manage the bot generated traffic, that's fine. Otherwise you will quickly abandon that idea and put up a web portal.

The concept of a stranger in a digital credentials world will in itself be strange. It would be trivial to ask every potential contact for proof of identity. That everybody would be asking for such proof would probably grit against the desire for some level of anonymity in our public dealings. The people may decide through legislation that proof of identity must go through a state entity and can only be requested where a specific need is demonstrated. In its place for most routine uses, the state would offer proof that the contact represents a unique individual to the entity requesting such proof or simple certifications such as age of majority or state of residence.

-- Dan Oetting
Bjartur Thorlacius
2013-03-17 21:20:14 UTC
Post by Martijn Grooten
So that's kind of what sites like Facebook and Twitter already do with
direct messages: you can only send them to someone who has added you as
their friend or is following you.
Even Facebook allows direct messages between seeming strangers—but only
between those on their whitelist of confirmed behaving humans.
Paul Smith
2013-03-17 22:47:27 UTC
How about simple end-to-end authentication?

Such as:

- When I receive a message, I look for a 'Password' header field. If
there isn't one with my value, then I can be suspicious about the
message. Depending on my requirements, I could discard the message,
treat it as spammy, or accept it anyway etc
- When I send a message to someone, I have the option of telling them my
password in a header
- The email client tracks passwords, so if I receive a message from
***@example.com, which included his password in the header, then
whenever I send a message back to him, my email client automatically
includes the password in the header. The passwords can be stored in
address books, or published on websites if you wish, or whatever.
- Potentially different people could be given different passwords.
- There could be a way of sending an email to someone just telling them
your password, and the email client could take the information from it,
and delete the email (making it possible to automatically tell everyone
of password updates, etc)
- The 'mailto:' url form could be expanded to include the password for
having email links on websites.

(NB - By password, I mean something simple that could easily be
transferred by humans 'offline' - not a cryptographically secure public
key. It would be open to capture by MITM attacks, but I'm not sure
that's such a big problem, compared to simple mass-mail spam)

When signing up for mailing lists, announcements etc, as well as giving
your email address, you could give your password (possibly specific for
that mailing list). The mailing list daemon would include the relevant
passwords when distributing the messages.

There would be no need for a central authority, and it would be quite
flexible. It could be implemented with a large degree of backwards
compatibility - eg even if only 3 people in the world support the
system, you could just treat a message as more 'trustworthy', if it
includes the password, and do the current spam checking stuff if there
isn't a password.

One downside would be that you couldn't easily specify multiple
recipients in a single message; if you send a message Cc'd to 20 people,
your email client would have to send out 20 copies, each with a
different recipient password (including all passwords in a single
message would publish the passwords to all the recipients).

All it would really need is some standard way of specifying the
passwords in the header, and then, over time, email clients could add
support for it.

It wouldn't be foolproof at all, but it would be simple to implement and
should have the potential to cut down a lot of spam.



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
John R. Levine
2013-03-18 01:06:42 UTC
Post by Paul Smith
How about simple end-to-end authentication?
We already have PGP and S/MIME, both fairly widely implemented.

This replaces the spam problem with the introduction problem, when you get
mail from someone who's not on your whitelist or blacklist, how do you
decide whether to accept it?

History suggests that this problem is, if anything, more difficult than
the spam problem.

Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Paul Smith
2013-03-18 09:33:20 UTC
Post by John R. Levine
Post by Paul Smith
How about simple end-to-end authentication?
We already have PGP and S/MIME, both fairly widely implemented.
Do people use those as antispam methods?

Do Facebook/etc sign their emails using PGP or S/MIME?

Can I give Facebook/etc my PGP or S/MIME public key so they can encrypt
their messages to me?
Post by John R. Levine
This replaces the spam problem with the introduction problem, when you
get mail from someone who's not on your whitelist or blacklist, how do
you decide whether to accept it?
What I would suggest is that you still do your current filtering. But,
you can be a bit more aggressive. You're basically giving people you
know & lists/feeds you approve of a 'key' to get themselves through your
spamfilter.

The main advantage over anything now would be able to give the 'key' to
mailing lists/news feeds. Currently, a lot of spam filters can recognise
people you've sent mail to, and thus learn to 'trust' their replies, so
with individuals you won't get much benefit.

But, a lot of news feeds use unique sender addresses which the recipient
can't test against, or use well known sender addresses which are easily
forged, so I can tell, for instance, Facebook, that 'my email address is
***@myisp.com' AND my "email key" is 'facebookjunk'. Then, when I get a
message from <***@facebookmail.com>, if it doesn't have the right
'email key' in, I can distrust it, but if it does, then I can keep it.

This would be a lot easier for me to do than giving my PGP public key to
Facebook, and it would be a lot less load on their servers than
encrypting their messages to me.


You could get a similar effect by doing what some people already do, and
having 'unique' email addresses for the different lists they sign up to
(eg '***@mycompany.com' could be almost equivalent to having an
'email password' of 'asrg'), but it would work with situations where
people can't easily create new email addresses, and the 'password' part
wouldn't be visible to other people in the list.




-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
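Added example (not part of Paul Smith's posts): a sketch of the recipient-side check for the recipient-issued 'Password' header proposed in his two messages above, with one key handed out per correspondent or list. It goes slightly beyond the posts by also flagging a valid key that arrives from a domain it was not issued to (a hint that the holder leaked it) and by honouring revocation. The header name follows the post's wording and is not a registered header field; the addresses, keys and messages are constructed, and the From domain is forgeable, so the verdicts are inputs to a spam filter, not proof.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

HEADER = "Password"  # name used in the post; not a standardised header field


class IssuedKeys:
    """Keys the recipient has handed out, each bound to the domain given it."""

    def __init__(self):
        self._issued = {}      # key -> domain it was issued to
        self._revoked = set()

    def issue(self, key, domain):
        self._issued[key] = domain.lower()

    def revoke(self, key):
        self._revoked.add(key)

    def lookup(self, presented):
        """Return (key, domain) for a presented value, or None.

        Every stored key is compared in constant time so the check does not
        reveal through timing how much of a guess was correct.
        """
        match = None
        for key, domain in self._issued.items():
            if hmac.compare_digest(key.encode(), presented.encode()):
                match = (key, domain)
        return match

    def is_revoked(self, key):
        return key in self._revoked


def classify(raw, keys):
    """Return one of: trusted, leaked-key, revoked-key, unknown-key, no-key."""
    msg = message_from_string(raw)
    values = msg.get_all(HEADER) or []
    if len(values) != 1:
        # Absent header: fall back to ordinary filtering. Several headers:
        # treat as absent rather than trying each value in turn.
        return "no-key"
    hit = keys.lookup(values[0].strip())
    if hit is None:
        return "unknown-key"
    key, issued_to = hit
    if keys.is_revoked(key):
        return "revoked-key"
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain != issued_to:
        return "leaked-key"    # valid key, wrong holder: revoke and reissue
    return "trusted"


def build_store():
    """Constructed key store: one key for a newsletter, one for a friend."""
    keys = IssuedKeys()
    keys.issue("newsjunk", "news.example")
    keys.issue("blue-heron-42", "friend.example")
    return keys


# Constructed sample messages.
GOOD = ("From: Digest <digest@news.example>\nTo: me@isp.example\n"
        "Password: newsjunk\nSubject: Weekly digest\n\nHello\n")
STOLEN = ("From: Deals <deals@bulk.example>\nTo: me@isp.example\n"
          "Password: newsjunk\nSubject: Offer\n\nBuy now\n")
GUESS = ("From: Digest <digest@news.example>\nTo: me@isp.example\n"
         "Password: letmein\nSubject: Hi\n\nHello\n")
BARE = ("From: someone@stranger.example\nTo: me@isp.example\n"
        "Subject: Introduction\n\nHello\n")

if __name__ == "__main__":
    store = build_store()
    for name, raw in (("good", GOOD), ("stolen", STOLEN),
                      ("guess", GUESS), ("bare", BARE)):
        print(name, classify(raw, store))
    store.revoke("newsjunk")
    print("good after revoke", classify(GOOD, store))
```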
Martijn Grooten
2013-03-18 10:02:29 UTC
Two things.

Firstly, both Facebook and Twitter (and probably many others) use From
addresses that are unique to the account (e.g.
notification+***@facebookmail.com). So they've kind of
implemented your system, except they have chosen the 'key' for you.
Which reduces the risk of you being tricked (e.g. phished) into giving
out your Facebook 'key' to someone else.

Secondly, it is pretty trivial to set up your mail client so that
everything but emails from a fixed list of senders goes to a special
semi-quarantine folder. If unsolicited email isn't of huge importance to
you (and your 'key' system assumes it isn't) this should work quite
well, and doesn't require any change to existing infrastructure.

Martijn

________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
John Levine
2013-03-18 17:28:47 UTC
Post by Paul Smith
Post by John R. Levine
We already have PGP and S/MIME, both fairly widely implemented.
Do people use those as antispam methods?
No, because there is no reason to assume anything about mail with a
crypto signature unless you have a priori knowledge about the signing
agent.

This is the same misunderstanding that has led some people to imagine
that mail that passes SPF or DKIM or whatever should automatically be
whitelisted.

For S/MIME and PGP it's also because the amount of signed mail is too
small to matter in most mailstreams.

R's,
John
Paul Smith
2013-03-18 20:52:49 UTC
Post by John Levine
Post by Paul Smith
Post by John R. Levine
We already have PGP and S/MIME, both fairly widely implemented.
Do people use those as antispam methods?
No, because there is no reason to assume anything about mail with a
crypto signature unless you have a priori knowledge about the signing
agent.
Which was my point. If you send me a message signed with your private
key, then all that tells me is that you signed the message with your
private key. If I know you, then that's good, but if I don't, then it
tells me virtually nothing.

But, if I tell you (and only you) my "public" key, and you sign/encrypt
your message to me with MY public key, then I can be fairly sure that
the signed messages I receive aren't spam. Which is the same sort of
mechanism I was suggesting. i.e. the 'key' is provided by the recipient,
not the sender. The difference was that a 'password' is easier for
people to deal with and requires less processing power. It may not be as
'secure', but it would still stop the vast majority of spam. I agree the
'introduction problem' still exists, but that's always going to be a
problem.

Theoretically we can stop email forgery (DKIM, SPF, cryptographic
signing etc), but the only ways I can see that we can possibly stop spam
are either to have recipients 'authorise' senders somehow, or have a
limited number of MTAs which all know each other and which all mail
senders eventually need to use.

(BTW, a 'key' would also be a way to prove explicit 'opt-in' to mailing
lists - you can harvest my email address from many places, but you can't
know my 'key' unless I tell you)



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
John R. Levine
2013-03-18 21:51:23 UTC
But, if I tell you (and only you) my "public" key, and you sign/encrypt your
message to me with MY public key, then I can be fairly sure that the signed
messages I receive aren't spam.
Right, which is why we all use S/MIME signatures and accept only signed
mail from people whose keys we have. Oh, wait.

Since S/MIME has been around for 15 years, and is implemented in most MUAs
including the one you use, why don't we do that? What would have to
change so we do?

Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Matthias Leisi
2013-03-18 22:18:23 UTC
Post by John R. Levine
Since S/MIME has been around for 15 years, and is implemented in most MUAs
including the one you use, why don't we do that? What would have to change
so we do?
Proper support in widely used webmail systems (ie, without installing some
addons/plugins or other stuff which most users would feel uncomfortable
with)?

-- Matthias
John Levine
2013-03-18 22:37:52 UTC
Post by Matthias Leisi
Post by John R. Levine
Since S/MIME has been around for 15 years, and is implemented in most MUAs
including the one you use, why don't we do that? What would have to change
so we do?
Proper support in widely used webmail systems (ie, without installing some
addons/plugins or other stuff which most users would feel uncomfortable
with)?
I think that's result rather than cause. They observed that nobody outside
a few corporate and government environments uses S/MIME, so they didn't
bother.

If you want PGP webmail, Hushmail works fine, but they haven't exactly
taken over the world.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Bill Cole
2013-03-19 13:02:49 UTC
Post by John R. Levine
Since S/MIME has been around for 15 years, and is implemented in most
MUAs including the one you use, why don't we do that? What would have
to change so we do?
People.

Someone has to say it directly: the overwhelming bulk of end users are
unwilling (and perhaps to a substantial degree unable) to apply the
necessary sort of rigorous mental effort to use PGP or S/MIME in a
consistently sound manner.

More direct but probably unfair: end users chronically demonstrate in
aggregate that they are a mob of idiots who would rather tolerate
insecurity than think.

A smaller problem is that a small geeky subset of users would need to
abandon the brittle tactic of gating mailing lists in and out of a
one-user news server, or else they'd need to start signing their news
posts in a gateway-stable manner.
Seth
2013-03-19 01:21:11 UTC
Post by Paul Smith
(BTW, a 'key' would also be a way to prove explicit 'opt-in' to mailing
lists - you can harvest my email address from many places, but you can't
know my 'key' unless I tell you)
When spammers steal lists that were actually opted-in to, they'll steal
the keys along with them.

Seth
Neil Schwartzman
2013-03-19 01:23:44 UTC
Post by Seth
Post by Paul Smith
(BTW, a 'key' would also be a way to prove explicit 'opt-in' to mailing
lists - you can harvest my email address from many places, but you can't
know my 'key' unless I tell you)
When spammers steal lists that were actually opted-in to, they'll steal
the keys along with them.
Seth
Crap. I'm spending too much time on Facebook. I actually went looking for the like button for this.
Dan Oetting
2013-03-19 01:47:03 UTC
Post by Seth
Post by Paul Smith
(BTW, a 'key' would also be a way to prove explicit 'opt-in' to mailing
lists - you can harvest my email address from many places, but you can't
know my 'key' unless I tell you)
When spammers steal lists that were actually opted-in to, they'll steal
the keys along with them.
And from that criminal act they will get to send one volley of spam to the users of that list (assuming that they can convincingly forge the sending path) before the user invalidates the key. The users will learn which companies or services are not sufficiently protecting their resources and the advertisers using the spammer service will have their name associated with the specific criminal act to which they may face prosecution along with or instead of the spammer.

-- Dan Oetting
John Levine
2013-03-19 01:52:31 UTC
Post by Dan Oetting
Post by Seth
When spammers steal lists that were actually opted-in to, they'll steal
the keys along with them.
And from that criminal act they will get to send one volley of spam to the users of that list (assuming that they can
convincingly forge the sending path) before the user invalidates the key. The users will learn which companies or
services are not sufficiently protecting their resources and the advertisers using the spammer service will have their
name associated with the specific criminal act to which they may face prosecution along with or instead of the spammer.
A certain number of us use unique addresses whenever we sign up for a
list, and there are clear patterns about who leaks and who doesn't.
See recent posts on my blog at http://jl.ly. I can't see any evidence
that places that leak pay any penalty for it.

R's,
John
Dan Oetting
2013-03-19 02:13:31 UTC
Post by John Levine
A certain number of us use unique addresses whenever we sign up for a
list, and there are clear patterns about who leaks and who doesn't.
See recent posts on my blog at http://jl.ly. I can't see any evidence
that places that leak pay any penalty for it.
The problem there is that the half dozen readers of your blog don't have a loud enough collective voice to be heard. The tagged address mechanism needs to become a standard extension of mail with support to associate each tag with an address book entry. The biggest block currently is that ISPs would need to support wildcard addresses before this is usable by the public at large that don't run their own mail servers.

-- Dan Oetting
Seth
2013-03-19 03:05:36 UTC
Post by Dan Oetting
Post by Seth
When spammers steal lists that were actually opted-in to, they'll steal
the keys along with them.
And from that criminal act they will get to send one volley of spam to
the users of that list (assuming that they can convincingly forge the
sending path) before the user invalidates the key.
And stops getting mail from United Airlines or TDAmeritrade? But they
want _that_ mail.
Post by Dan Oetting
The users will learn which companies or services are not sufficiently
protecting their resources and the advertisers using the spammer
service will have their name associated with the specific criminal act
to which they may face prosecution along with or instead of the
spammer.
It doesn't seem to have hurt the above-mentioned much.

Seth
Dan Oetting
2013-03-19 05:20:27 UTC
Post by Seth
Post by Dan Oetting
Post by Seth
When spammers steal lists that were actually opted-in to, they'll steal
the keys along with them.
And from that criminal act they will get to send one volley of spam to
the users of that list (assuming that they can convincingly forge the
sending path) before the user invalidates the key.
And stops getting mail from United Airlines or TDAmeritrade? But they
want _that_ mail.
It should be understood that an MUA supporting invalidating keys can just as easily update the key with the desired sender of that key thus invalidating only the stolen copy.

-- Dan Oetting
Dave Crocker
2013-03-19 16:01:25 UTC
Post by Paul Smith
But, if I tell you (and only you) my "public" key, and you sign/encrypt
your message to me with MY public key, then I can be fairly sure that
the signed messages I receive aren't spam.
This comes close to saying "first we need a miracle"...

OpenPGP and S/MIME have had roughly 20 years to succeed. Their patterns
of actual success are quite notable, but have consistently been for
relatively small, homogeneous groups.

One can debate plausible explanations for this basic limitation, but the
raw statistic is clear and should be compelling: Achieving large-scale,
per-person authentication and confidentiality among random folk who
exchange mail is, so far, not possible. The track record in trying to
provide this capability makes clear that any future success here demands
true innovation and considerable caution in the expectations for
success. Efforts are far more likely to fail than to succeed.

There is some question as to whether per-person authentication and
confidentiality mechanisms are at all possible. Certainly the
'usability' design requirements are not yet well understood, either for
end-users or for service operators.

Any discussion about per-person authentication or confidentiality needs
to start with careful attention to both the technical requirements and
the very serious human factors constraints.
Post by Paul Smith
Theoretically we can stop email forgery (DKIM, SPF, cryptographic
Theoretically, we can /not/ stop email forgery. We can limit the
utility of certain forgery scenarios, but that's quite different.

Any discussion about 'stopping' forgery needs to carefully consider a
range of reasonable scenarios and the ability or inability of specific
mechanisms to prevent those scenarios.

It also needs to start with the recognition that forgery hasn't been
stopped in the physical world, and then it needs to explain why the
online world is going to have a different track record...

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Paul Smith
2013-03-19 16:26:09 UTC
Post by Dave Crocker
Post by Paul Smith
But, if I tell you (and only you) my "public" key, and you sign/encrypt
your message to me with MY public key, then I can be fairly sure that
the signed messages I receive aren't spam.
This comes close to saying "first we need a miracle"...
OpenPGP and S/MIME have had roughly 20 years to succeed. Their
patterns of actual success are quite notable, but have consistently
been for relatively small, homogeneous groups.
Of course, there is a HUGE difference between a PGP or S/MIME public key
and a simple text password.

That is one big difference between PGP & S/MIME and something simpler.

I could be on the phone to someone, and they ask me for my email address
to send me details, I tell them it and I add "and my email key is
'bibble'". Then, when they send the message to me, their email client
asks for that, and hey presto, I get the message.

Try doing that with a PGP public key...

Yes, PGP & S/MIME are cryptographically much more secure, but people
don't understand them. People do understand passwords. In my experience,
that is the prime reason why PGP & S/MIME aren't widely used.

If a user could set a 'generic password' in their email software and an
optional individual password against entries in their email address
book, it would be well within most users' understanding. Most users
would not be able to generate a PGP key, never mind know what to do with
it after that. (as someone close to here suggested recently: most users
are idiots)

Yes, to work properly, a 'password' system would need wide
implementation support - but we were asked to 'think outside the box'...

Also, I'm not entirely sure about the scale of the 'introduction
problem' with this scheme either.

How many people (other than spammers) are just going to email randomly
to an email address they guess? You're going to get the email address
from somewhere. That "somewhere" can tell you the key as well.

(Yes, this means that if it's on a website, potentially a spammer could
scrape the email & key from there together, but it's a lot more
complicated to automatically link two separate pieces of text than to
identify an email address - also they'd potentially have to do it
frequently to keep up to date with the password which will likely change
much more often than the email address)



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
John Levine
2013-03-19 16:52:02 UTC
Post by Paul Smith
Of course, there is a HUGE difference between a PGP or S/MIME public key
and a simple text password.
Not really. In both cases, key distribution makes them unusable at
large scale.
Steve Atkins
2013-03-19 16:53:45 UTC
Post by John Levine
Post by Paul Smith
Of course, there is a HUGE difference between a PGP or S/MIME public key
and a simple text password.
Not really. In both cases, key distribution makes them unusable at
large scale.
With the partial exception of tagged/disposable addresses, where the
simple password is part of the email address.

Cheers,
Steve
Dave Crocker
2013-03-19 16:59:34 UTC
Post by Steve Atkins
Post by John Levine
Post by Paul Smith
Of course, there is a HUGE difference between a PGP or S/MIME public key
and a simple text password.
Not really. In both cases, key distribution makes them unusable at
large scale.
With the partial exception of tagged/disposable addresses, where the
simple password is part of the email address.
Within sufficiently constrained scenarios, all sorts of hacks are
viable, and even useful. This is one of those.

But please note that I did admit to 'useful'.

The challenge for such hacks is to properly document and apply the
constraints.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
John Levine
2013-03-19 18:10:20 UTC
Post by Steve Atkins
Post by John Levine
Not really. In both cases, key distribution makes them unusable at
large scale.
With the partial exception of tagged/disposable addresses, where the
simple password is part of the email address.
It's still got the key distribution problem, in that it is far from
obvious how two parties who wish to communicate using tagged addresses
exchange the addresses in the first place.

The zoemail patent suggests one approach, but the current patent
holders are pretty aggressive about enforcing it.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Steve Atkins
2013-03-19 18:13:52 UTC
Post by John Levine
Post by Steve Atkins
Post by John Levine
Not really. In both cases, key distribution makes them unusable at
large scale.
With the partial exception of tagged/disposable addresses, where the
simple password is part of the email address.
It's still got the key distribution problem, in that it is far from
obvious how two parties who wish to communicate using tagged addresses
exchange the addresses in the first place.
In the majority of the cases, exactly the same way they do now. Party A gives
party B the address. That it's a tagged address doesn't affect any of that
process.

Works fine. I've been doing it for years.

It doesn't, of course, reduce the amount of spam you receive. If anything
it significantly increases it. That problem is unavoidable the moment
you give someone multiple identifiers rather than a single one.

Cheers,
Steve
Paul Smith
2013-03-19 18:24:04 UTC
Post by John Levine
Post by Steve Atkins
Post by John Levine
Not really. In both cases, key distribution makes them unusable at
large scale.
With the partial exception of tagged/disposable addresses, where the
simple password is part of the email address.
It's still got the key distribution problem, in that it is far from
obvious how two parties who wish to communicate using tagged addresses
exchange the addresses in the first place.
How is it different from how two parties who wish to communicate using
UN-tagged addresses exchange the addresses?

There seems to be something here I'm missing. If I want someone to email
me, I tell them my address. They don't magically work it out, I have to
tell them somehow.

Unless you've got some other way of telling what someone's email address is.



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Paul Smith
2013-03-19 17:50:48 UTC
Post by John Levine
Post by Paul Smith
Of course, there is a HUGE difference between a PGP or S/MIME public key
and a simple text password.
Not really. In both cases, key distribution makes them unusable at
large scale.
Does it?

This is the bit I'm struggling with.

I don't want 'random' people to email me. In fact I don't know anyone
who wants random people to email them.

I do want my friends to email me, I do want people who've seen my
website to email me with questions, I do want Amazon/Paypal/ASRG/etc to
email me (because I've signed up to those services), if I was a
professor, I may want people who've read one of my papers to email me,
or if I was a big company, I may want someone who has seen my adverts to
email me.

With all those groups of people, I can easily envisage a simple way of
getting a key to them.

(I can also see a way of getting a PGP key to them as well, but it's not
quite as simple, because PGP keys are a lot bigger, and more complex to
generate and manage. Also, remember we're talking 'design email from
scratch' here. PGP is a 'bolt on' to existing email, so current email
works without it, so inertia will restrict its use, and its complexity
will help that inertia).

There wouldn't need to be a big infrastructure for key distribution,
just as there is no infrastructure for email address distribution.

If I want someone to be able to email me, I currently have to tell them
my email address. In my 'brand new email way', I just have to tell them
my 'key' as well. I can think up a new notation as well: 'my email
address is ***@example.com/mailme'. There, that's the key distribution
problem sorted :-).




-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
John Levine
2013-03-19 18:42:08 UTC
Post by Paul Smith
I don't want 'random' people to email me. In fact I don't know anyone
who wants random people to email them.
Now you do. I definitely want it to be possible for people who I
don't already know to email me. That's where I get most of my work.
I also get occasional mail from old high school friends and the like.

That doesn't mean that I want unlimited amount of mail from spammers,
but one of the big reasons that SMTP mail wiped out walled gardens
like MCI Mail is that it allows anyone to contact anyone else without
making complicated arrangements first.
Paul Smith
2013-03-19 18:52:11 UTC
Post by John Levine
Post by Paul Smith
I don't want 'random' people to email me. In fact I don't know anyone
who wants random people to email them.
Now you do. I definitely want it to be possible for people who I
don't already know to email me. That's where I get most of my work.
I also get occasional mail from old high school friends and the like.
But the thing is that you have to have told them your email address!

They don't think "I used to know John Levine at high school, and I want
to email him, so, let's guess his email address is ***@...", they have
seen your email address somewhere - either you've told them, or they've
seen it on a website, or newsletter, or something.

The 'introduction problem' applies to current email as well... If you
don't know someone's email address, you can't email them. So, that
doesn't really change.






-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
Dave Crocker
2013-03-19 16:57:25 UTC
Post by Paul Smith
That is one big difference between PGP & S/MIME and something simpler.
I could be on the phone to someone, and they ask me for my email address
to send me details, I tell them it and I add "and my email key is
'bibble'". Then, when they send the message to me, their email client
asks for that, and hey presto, I get the message.
Paul,

The tenor of your postings is one that is quite popular for topics that
have a poor track record at Internet adoption. The confidence in such
postings asserts that there are reasonably simple methods that could be
extremely successful.

The predicates for such confidence tend to be:

1. Failure to inspect previous failures in detail.

2. Assignment of relevant-but-simplistic blame on those failures.

3. Failure to study the many, varied and serious barriers to success
at Internet-scale adoption, at the technical and human factors levels.

4. Failure to formulate a proposal in enough detail to work through
those barriers.


Ideas -- even good ones -- are amazingly cheap. Viable ideas based on
the details that make them viable, are amazingly difficult.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Dan Oetting
2013-03-18 02:13:23 UTC
Post by Paul Smith
How about simple end-to-end authentication?
- When I receive a message, I look for a 'Password' header field. If there isn't one with my value, then I can be suspicious about the message. Depending on my requirements, I could discard the message, treat it as spammy, or accept it anyway etc
- When I send a message to someone, I have the option of telling them my password in a header
This is such a great idea that I decided to retroactively implement it on all mail systems so you can go ahead and use it today. To solve the one to many problem, the password needs to be outside of the fixed headers that are sent to everybody. This required extending the envelope which fortunately was flexible. I hope it works out for you.

-- Dan Oetting
Barry Shein
2013-03-18 20:12:45 UTC
Post by Paul Smith
How about simple end-to-end authentication?
I agree, a very simple methodology would be to simply coordinate with
recipients to stick an X-Password or similar in the header.

I actually do that now usually right in the subject and many friends
have come to recognize it because it's sort of funny (no I won't post
it here!) and highly unlikely to be anyone else.

I believe Mailman will optionally insert something like [PHRASE] in
subject lines, such as

Subject: [ASRG] Thinking outside the box

I don't think I've ever seen counterfeiting of that and in the case of
widely subscribed mailing lists it's exceedingly simple.

Which might tell us how low the threshold for slowing down spammers
really is.

It's a little more difficult for legitimate bulk emailers, Amazon for
example, tho if it were a convention perhaps they could tell each
email account we will stick [PHRASE], where PHRASE is different, yet
memorable, for each recipient, in your email if you care to check it.

I'd guess their main objection, besides cost-benefit, would be it'd be
most effective in the Subject:, but for them that's precious real
estate, they probably want to limit it to 60 characters or less and
giving up, say, six for brackets and a 4 letter word might provoke
resistance. Sticking it in a separate X-Header might raise questions
of utility for most recipients.

But that hardly invalidates the idea, just some potential limitations.

P.S. One can also cryptographically sign email of course but that
hasn't caught on, way too complicated?
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Steve Atkins
2013-03-18 20:16:44 UTC
Post by Barry Shein
P.S. One can also cryptographically sign email of course but that
hasn't caught on, way too complicated?
Have you heard of DKIM? If not, you should take a look at it.

Cheers,
Steve
Paul Smith
2013-03-18 20:40:53 UTC
Post by Steve Atkins
Post by Barry Shein
P.S. One can also cryptographically sign email of course but that
hasn't caught on, way too complicated?
Have you heard of DKIM? If not, you should take a look at it.
There are problems with DKIM, such as it being complicated, easy to
trash, gets messed up by forwarding etc.

Not saying it's not got its place, but it's not a panacea, and its
complexity puts people off. I know I've had users ask about it, and once
I tell them what they need to do (which isn't much), they tend to think
it's not worth it.

Also, DKIM isn't an anti-spam method, it's an anti-forgery method.

Cryptographically signing email isn't an anti-spam method either.
Encrypting email using a public key could be an anti-spam method (eg 'I
will only accept mail encrypted with my public key, and I will only tell
people I trust my public key'), but it would be too hard to give people
a public key.



-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
John Levine
2013-03-18 22:35:23 UTC
Post by Paul Smith
Not saying it's not got its place, but it's not a panacea, and its
complexity puts people off.
It's about the easiest signature system ever invented, anywhere.
Post by Paul Smith
Also, DKIM isn't an anti-spam method, it's an anti-forgery method.
It isn't either. It's an accountability method, to associate a stable
identity with a mailstream. Despite a lot of wishful thinking to the
contrary* there is no inherent connection between a DKIM identity and
any other identity in a mail message.

R's,
John


* - dmarc
Martijn Grooten
2013-03-18 20:38:52 UTC
I believe Mailman will optionally insert something like [PHRASE] in subject
lines, such as
Subject: [ASRG] Thinking outside the box
I don't think I've ever seen counterfeiting of that and in the case of widely
subscribed mailing lists it's exceedingly simple.
It's probably not worth their effort. Big lists are still small from a spammer's point of view. I guess it would be much easier for them to just subscribe to the list.

But - and I apologise for repeating myself - why not use the sender's email address as a unique password-like identifier? And put that in a header. Call it 'From'. Works rather well.

Martijn.


________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Barry Shein
2013-03-19 00:34:03 UTC
Post by Martijn Grooten
I believe Mailman will optionally insert something like [PHRASE] in subject
lines, such as
Subject: [ASRG] Thinking outside the box
I don't think I've ever seen counterfeiting of that and in the case of widely
subscribed mailing lists it's exceedingly simple.
It's probably not worth their effort. Big lists are still small from a spammer's point of view. I guess it would be much easier for them to just subscribe to the list.
Any one list is small, but if it were a widely adopted convention (and
I believe among mailing lists it is) and could be reaped they might
get millions of (recipient,[PHRASE]) pairs. Maybe that's still not
enough, but the point is it's easy to fake yet I've never heard of
anyone faking it.
Post by Martijn Grooten
But - and I apologise for repeating myself - why not use the sender's email address as a unique password-like identifier? And put that in a header. Call it 'From'. Works rather well.
You haven't seen From fraud?

I get spam "from" myself all the time.

That's trivial to script.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Chris Lewis
2013-03-19 02:03:26 UTC
Post by Barry Shein
Any one list is small, but if it were a widely adopted convention (and
I believe among mailing lists it is) and could be reaped they might
get millions of (recipient,[PHRASE]) pairs. Maybe that's still not
enough, but the point is it's easy to fake yet I've never heard of
anyone faking it.
Why bother? Spam the mailing list with the From: forged to be the owner
of the addressbook you got the list from, and the list MTA dutifully
adds the [PHRASE].

Seen that.
Post by Barry Shein
Post by Martijn Grooten
But - and I apologise for repeating myself - why not use the sender's email address as a unique password-like identifier? And put that in a header. Call it 'From'. Works rather well.
You haven't seen From fraud?
I get spam "from" myself all the time.
That's trivial to script.
I think Martijn was being ironic ;-)
Martijn Grooten
2013-03-19 09:23:01 UTC
Post by Chris Lewis
Post by Barry Shein
You haven't seen From fraud?
I get spam "from" myself all the time.
That's trivial to script.
I think Martijn was being ironic ;-)
I was. :-)

And at the same time, I do believe that 'From' already provides everything your subject tags and X-Password headers provide. They're all reasonably trivial to script, so if everyone started filtering on From and only allowed approved senders into their inboxes, spammers would start to harvest pairs of addresses - like they could harvest subject tags or X-Password headers. But I do believe that if we tried hard we could come up with a crypto-based solution that allows everyone to give access to their inbox only to pre-approved entities. You need an asymmetric, decentralised social network.

(Let's put aside for the moment that you'll still get spam from compromised accounts and that these will be a lot harder to filter. So the amount of spam that ends up into people's inboxes may not really decrease.)

Much more importantly: it doesn't solve the problem of emails that you didn't expect. I think that being able to receive such emails, when they are legitimate, is an essential property of email.

Martijn.


________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Seth
2013-03-19 02:46:22 UTC
Post by Martijn Grooten
It's probably not worth their effort. Big lists are still small from a
spammer's point of view. I guess it would be much easier for them to
just subscribe to the list.
And they often do, and send (in one message) to a dozen googlegropes or
yahoogropes (though I don't recall seeing much of that lately).
Post by Martijn Grooten
But - and I apologise for repeating myself - why not use the sender's
email address as a unique password-like identifier? And put that in a
header. Call it 'From'. Works rather well.
Spammers often forge it, when they find a bunch of "associated"
addresses (i.e. all stolen from the same place).

Seth
Chris Lewis
2013-03-19 03:23:37 UTC
Post by Seth
Post by Martijn Grooten
It's probably not worth their effort. Big lists are still small from a
spammer's point of view. I guess it would be much easier for them to
just subscribe to the list.
And they often do, and send (in one message) to a dozen googlegropes or
yahoogropes (though I don't recall seeing much of that lately).
Haven't seen anybody deliberately doing it since Crazy Kevin Lipsitz,
the Tempting Tearouts spammer. And that was a long time ago.

But, mailing lists get hit all the time. There are all sorts of mailing
lists that have become abandoned wastegrounds of spam.
Paul Smith
2013-03-19 15:53:25 UTC
Post by Martijn Grooten
But - and I apologise for repeating myself - why not use the sender's email address as a unique password-like identifier? And put that in a header. Call it 'From'. Works rather well.
Because I don't know you, but I do know '***@lists.gurus.org'. I gave
***@lists.gurus.org my 'password', but I didn't give you it. But, I
would have received that message from you, because it came via the asrg
mailing list which would have added my password as it sent the message
to me. If I had checked the 'From' address, then my spam filter would
have been suspicious of your message, because it doesn't recognise your
email address.

Also, if I set up my filters to allow mail from '***@lists.gurus.org'
through, then it would be trivial for you to start spamming me now
pretending to be from '***@lists.gurus.org'. But, if I'd given a
password to the list server, you wouldn't have any easy way of finding
that password, so your little trick wouldn't work.

Also, I can't safely whitelist "***@paypal.com" for obvious reasons.

As I mentioned before, for individual -> individual mail, the 'From'
address is helpful, and many spam filters will automatically handle
'known people'. But, there are cases when I receive messages from places
which appears to be 'from' someone else, and that's fine.

Eg:

Mail forwarding works OK now, because I can tell the forwarder my
password, so rather than gmail blocking all the mail my office MTA
forwards to me because it looks like forged mail (failing SPF or
whatever), it now works because my office MTA has my password.

Mailing lists work because the mailing list knows my password.

Mail from Paypal gets through because they know my password, but I can
aggressively filter mail purporting to be from Paypal which doesn't have
my password.

etc

-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
John Levine
2013-03-19 16:47:17 UTC
No, but you can safely whitelist mail with a valid paypal.com DKIM
signature.

There's a variety of signing and verification schemes in use right
now. Many of them work quite well for subsets of mail, even though
none is a magic bullet.
Martijn Grooten
2013-03-19 17:20:45 UTC
You know, I can adapt my Filter-by-From scheme to allow for lists. And for the few addresses with millions of global recipients.

But perhaps you're right. Perhaps your password-scheme does work better.

That's fine. I wasn't suggesting that we should adapt my Filter-by-From scheme.

I was merely trying to point out that both schemes break an essential property of email. As such, I think they fail.

Having just seen your next post, with further explanations of the scheme, I understand that, essentially, your scheme redefines an email address to be a 2-tuple {email-address,password}. I think that almost all problems we have now with email-addresses receiving spam apply to your 2-tuples receiving spam. So I'm worried that a few years after hypothetical implementation, someone would be arguing for a second password.

(I've ignored implementation details. The exercise was to "think outside the box" and to rebuild email and/or anti-spam from scratch. In that context, I think it's fine not to worry about these.)

Martijn.


________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Paul Smith
2013-03-19 17:41:13 UTC
Post by Martijn Grooten
Having just seen your next post, with further explanations of the
scheme, I understand that, essentially, your scheme redefines an email
address to be a 2-tuple {email-address,password}.
Possibly, or possibly three things - recipient email address, sender
email address, password.

So, I can have a general password which anyone can use, or a personal
password which only one sender can use to email me, for instance.

Also I can change my password(s), without changing my email address. At
the moment it's not unknown for people to change their email address
when it receives too much spam. With the scheme I suggest, you wouldn't
need to do that, just change the password. (Whether that would be any
easier than changing your email address may be debatable, but at least
it's prettier :-) )
Post by Martijn Grooten
I think that almost all problems we have now with email-addresses
receiving spam apply to your 2-tuples receiving spam.
For someone to send spam to me, they'd have to get a suitable password.

They could do this via compromised accounts, hacking a server with my
details on or by tricking me into telling them my password. But, I can
change the appropriate password then, to cut them off. At the moment
once they have my email address, they have it forever. The only option
is to put up with it, have more aggressive filtering, or change my email
address. This would change with a password system.

Most of the spam I receive currently is to harvested addresses (I still
receive lots of spam to an obscure address I last used on Usenet about
15 years ago, and from 'invisible' email addresses I've planted on
websites), or to made up addresses. These would all be stopped by a
'password' scheme.
Post by Martijn Grooten
second password. (I've ignored implementation details. The exercise
was to "think outside the box" and to rebuild email and/or anti-spam
from scratch. In that context, I think it's fine not to worry about
these.)
Thank you that someone has remembered that...

(I'm aware that this wouldn't work easily or well as a bolt-on to the
current system, but if everyone expected to have to get two bits of info
to send a message to someone, then I'm not convinced it's that unworkable).

-

Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
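The acceptance rule described in the post above, sketched as an added example (it is not code from the thread or from any poster): a recipient holds one general token and optional per-sender tokens, and rotating a token cuts off whoever learned it without changing the address. The class and function names, the addresses, and the choice to store only SHA-256 digests of random tokens are assumptions, and the sender address is taken as already authenticated by some other means.

```python
import hashlib
import hmac
import secrets


def _digest(token):
    """Keep only SHA-256 digests of tokens, never the tokens themselves."""
    return hashlib.sha256((token or "").encode("utf-8")).digest()


class Mailbox:
    """Recipient-side policy for one address (hypothetical design)."""

    def __init__(self, address):
        self.address = address
        self._general = None   # digest of the token any sender may use
        self._personal = {}    # sender address -> digest of that sender's token

    def issue_general(self):
        """Create or rotate the general token; the previous one stops working."""
        token = secrets.token_urlsafe(16)
        self._general = _digest(token)
        return token

    def issue_personal(self, sender):
        """Create or rotate a token that only this sender may use."""
        token = secrets.token_urlsafe(16)
        self._personal[sender.lower()] = _digest(token)
        return token

    def accept(self, sender, token):
        """Return (accepted, reason) for the triple (recipient, sender, token)."""
        presented = _digest(token)
        personal = self._personal.get(sender.lower())
        # compare_digest avoids leaking how many leading bytes matched.
        if personal is not None and hmac.compare_digest(presented, personal):
            return (True, "personal")
        if self._general is not None and hmac.compare_digest(presented, self._general):
            return (True, "general")
        return (False, "rejected")


def demo():
    """Walk through the cases from the post using constructed addresses."""
    box = Mailbox("paul@example.org")
    general = box.issue_general()
    alice = box.issue_personal("alice@example.com")
    out = {}
    out["alice_personal"] = box.accept("alice@example.com", alice)
    # A personal token is bound to its sender, so it is useless to anyone else.
    out["stolen_personal"] = box.accept("mallory@example.net", alice)
    out["bob_general"] = box.accept("bob@example.net", general)
    # A harvested or made-up address alone carries no token at all.
    out["harvested_no_token"] = box.accept("bulk@example.net", None)
    # The general token leaked: rotate it, keep the address.
    box.issue_general()
    out["old_general_after_rotation"] = box.accept("bob@example.net", general)
    out["alice_after_rotation"] = box.accept("alice@example.com", alice)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```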
Marc Perkel
2013-03-17 13:13:43 UTC
Post by Cedric Knight
Post by Marc Perkel
OK - let's think outside the box. Let's pretend email as we know is
going away and we are going to create an entirely new system from
scratch. Nothing has to be compatible. How would we do it right?
An invitation to brainstorm and daydream? Why not?
I think you'd be looking for a means of private communication that is
flexible, administratively simple, not tied to any particular provider,
but which is free to require more modern processor resources and
connectivity than SMTP. I'd suggest a decentralised web of trust where
each address is linked to a public key (as at present there would be a
potential many-to-many relation between address and individual, but in
most cases one address is one individual). One recipient site may
choose to trust given academic institution's key with trust 0.9, which
trusts most of its students with trust 0.9, which to the first
(recipient) site means 0.81. That institution has the responsibility of
publishing its trust level for compromised student accounts, but that
doesn't stop any other site also having an opinion (equivalent of RBLs).
Similarly, default trust levels might be 0.5 for a good
freemail/free-ID provider (if such things are even needed), which might
trust new accounts starting at 0.01 until behaviour (such as two-way
correspondence with trusted accounts) earns them trust.
Trust and behaviour is computed during initial handshake from the
supplied public keys of sender and authorities, and anything below a
given level is rejected with immediate feedback to sender. (Recipients
could also choose to trust a memorable plaintext address, name or number
for a given period if expecting mail from a physical contact, as a
convenient alternative to exchanging a key in person or receiving it
through a third party.) Direct delivery from client to postbox would
eliminate MSAs, store-and-forward and backscatter. Trust would be based
on cryptographic identity, not network topology, so would be adaptable
to transports other than IPv4.
That kind of thing, Marc?
BTW Thanks John for keeping the list going. I've lost my digest setting
from mailman, so sent "set asrg digest-MIME" to
ex-digest users would appreciated to at least go "prefix".
C
YES - in fact this is similar to one of my ideas so the fact that you
thought of it too - great minds think alike.

Suppose at the domain level the public key was published through DNS.
All email was encrypted and no one can spoof you because you would need
the private key to decrypt the email. A spoofer wouldn't have the
private key. (I suppose forwarded email would have to be decrypted and
reencrypted by the forwarder.)

I like it - thinking outside the box.
Peter J. Holzer
2013-03-17 16:06:06 UTC
Post by Cedric Knight
Post by Marc Perkel
OK - let's think outside the box. Let's pretend email as we know is
going away and we are going to create an entirely new system from
scratch. Nothing has to be compatible. How would we do it right?
An invitation to brainstorm and daydream? Why not?
I think you'd be looking for a means of private communication that is
flexible, administratively simple, not tied to any particular provider,
but which is free to require more modern processor resources and
connectivity than SMTP. I'd suggest a decentralised web of trust where
each address is linked to a public key (as at present there would be a
potential many-to-many relation between address and individual, but in
most cases one address is one individual).
That reminds me of a system I suggested in 2005:
http://www.hjp.at/projekte/messaging/

(Some of you have probably seen this before)

I was thinking about a separate protocol at the time, but it could be
done over SMTP (or UUCP, as somebody pointed out).
Post by Cedric Knight
One recipient site may
choose to trust given academic institution's key with trust 0.9, which
trusts most of its students with trust 0.9, which to the first
(recipient) site means 0.81. That institution has the responsibility of
publishing its trust level for compromised student accounts,
Better to publish it for all accounts.
Post by Cedric Knight
but that doesn't stop any other site also having an opinion
(equivalent of RBLs). Similarly, default trust levels might be 0.5 for
a good freemail/free-ID provider (if such things are even needed),
which might trust new accounts starting at 0.01 until behaviour (such
as two-way correspondence with trusted accounts) earns them trust.
Yes, explicit trust levels might be useful.


hp
--
_ | Peter J. Holzer | One's own mind still feels razor-sharp.
|_|_) | Sysadmin WSR | But the rest of the world gets it
| | | ***@hjp.at | less and less.
__/ | http://www.hjp.at/ | -- Matthias Kohrs in desd
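The trust arithmetic quoted in the posts above (0.9 × 0.9 = 0.81, with anything below a given level rejected at the handshake), as an added example that is not part of any post in the thread. The function names, the site and account names, the 0.3 threshold, and the rule that a recipient's own opinion caps the derived score are assumptions; the data is constructed, using the figures from the quoted text.

```python
import heapq


def derived_trust(edges, root, target):
    """Best product of trust levels over any chain root -> ... -> target.

    edges maps a truster to {trustee: level}, each level in [0, 1].
    Because every level is <= 1, a chain never gains trust by getting
    longer, so a best-first search finds the maximum product and is
    not confused by cycles in the trust graph.
    """
    best = {root: 1.0}
    heap = [(-1.0, root)]
    while heap:
        neg_score, node = heapq.heappop(heap)
        score = -neg_score
        if node == target:
            return score
        if score < best.get(node, 0.0):
            continue  # stale heap entry, a better chain was already found
        for trustee, level in edges.get(node, {}).items():
            if not 0.0 <= level <= 1.0:
                raise ValueError("trust level out of range: %r" % (level,))
            candidate = score * level
            if candidate > best.get(trustee, 0.0):
                best[trustee] = candidate
                heapq.heappush(heap, (-candidate, trustee))
    return 0.0  # no chain of trust reaches the sender


def handshake(edges, recipient_site, sender, threshold, local_opinion=None):
    """Return (accepted, score) for a sender presenting its key chain."""
    score = derived_trust(edges, recipient_site, sender)
    # Assumption: a site's own opinion (the RBL equivalent) can only lower
    # the score derived from what the authorities publish.
    if local_opinion and sender in local_opinion:
        score = min(score, local_opinion[sender])
    return (score >= threshold, round(score, 4))


# Constructed trust data. The university publishes a level for every
# account, including one it knows to be compromised.
EDGES = {
    "recipient.example": {"university.example": 0.9, "freemail.example": 0.5},
    "university.example": {
        "student@university.example": 0.9,
        "compromised@university.example": 0.05,
    },
    "freemail.example": {"new@freemail.example": 0.01},
}
THRESHOLD = 0.3  # assumed acceptance level


def demo():
    senders = [
        "student@university.example",
        "compromised@university.example",
        "new@freemail.example",
        "stranger@unknown.example",
    ]
    return {s: handshake(EDGES, "recipient.example", s, THRESHOLD) for s in senders}


if __name__ == "__main__":
    for sender, (accepted, score) in demo().items():
        print(sender, "accept" if accepted else "reject", score)
```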
Jose-Marcio Martins
2013-03-17 14:43:14 UTC
Post by Marc Perkel
OK - let's think outside the box. Let's pretend email as we know is
going away and we are going to create an entirely new system from
scratch. Nothing has to be compatible. How would we do it right?
As long as we're interested in the spam problem, there are two things to
be clearly defined.

* One of the goals of email, as it exists nowadays, is freedom. Freedom
to be able to write to anyone in the world. This means, I'm just a
"joe" guy in France and I know the email address of USA president. So,
nothing shall prevent me from sending him a message. Shall this idea remain
in the new hypothetical system ?

* What's spam ? Or better, what's the definition of messages I don't
want to receive. Either way, it's the final recipient who shall be able
to decide what kind of message he wants to reach his mailbox.

The second item is related to abusive advertisement. Nowadays, the old
traditional spam (porn, meds, ...) is quite easy to filter. A little
harder is all abusive advertisements sent by marketers. If you ask
filtering solution vendors, they'll tell you that this isn't spam, but
no matter what they say, I don't want to receive ads and I'm in the
right to decide that. This is why all filter evaluations about mail
filtering have no value as they don't include legal marketing messages.

Only to give you an idea of what I'm talking about, we had to change the
email address of our IT hotline as most messages received there were
messages sent by respectable marketers, messages ranging from pet food
to sex shop sales for mother's day.






--
mathew
2013-03-17 14:52:12 UTC
On Mar 17, 2013 9:44 AM, "Jose-Marcio Martins" <
Post by Jose-Marcio Martins
Only to give you an idea of what I'm talking about, we had to change
the email address of our IT hotline as most messages received there
were messages sent by respectable marketers
You seem to have a very strange idea of what constitutes a "respectable
marketer".

mathew
Jose-Marcio Martins
2013-03-17 15:03:08 UTC
Post by mathew
On Mar 17, 2013 9:44 AM, "Jose-Marcio Martins"
Post by Jose-Marcio Martins
Only to give you an idea of what I'm talking about, we had to change
the email address of our IT hotline as most messages received there
were messages sent by respectable marketers
You seem to have a very strange idea of what constitutes a "respectable
marketer".
A respectable marketer is an enterprise specialized in sending marketing
messages. A legal business runner and not the traditional spammer using
botnets and similar methods and tools.


--
Neil Schwartzman
2013-03-17 15:11:04 UTC
N.B.: 17 hours into the existence of this list and we are into defining spam.

Kill me now.
A respectable marketer is an enterprise specialized in sending marketing messages. A legal business runner and not the traditional spammer using botnets and similar methods and tools.
Dotzero
2013-03-17 18:25:59 UTC
Post by Neil Schwartzman
N.B.: 17 hours into the existence of this list and we are into defining spam.
Kill me now.
I'm surprised it took this long.
Barry Shein
2013-03-17 18:59:35 UTC
Post by Dotzero
Post by Neil Schwartzman
N.B.: 17 hours into the existence of this list and we are into defining spam.
Kill me now.
I'm surprised it took this long.
A FAQ might be useful tho not sure we'd be ready to agree on one.

Or some generally accepted, written, set of soft boundaries to
discussion.

Difficult, I know.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Jose-Marcio Martins
2013-03-17 19:14:43 UTC
Post by Barry Shein
A FAQ might be useful tho not sure we'd be ready to agree on one.
Or some generally accepted, written, set of soft boundaries to
discussion.
Difficult, I know.
Sure, sure... but back to the original Marc Perkel question ... "build
something from scratch". One should redefine what the new hypothetical
system shall do... from ... SCRATCH...

And at least... try to ask himself if the idea of, say, "unwanted
messages" we had 10 years ago is still valid, if the "set of soft
boundaries" remain the same...

In other words... did the "spam problem" change in the last 10 years ?
John Levine
2013-03-17 19:33:23 UTC
Post by Jose-Marcio Martins
Post by Barry Shein
A FAQ might be useful tho not sure we'd be ready to agree on one.
Or some generally accepted, written, set of soft boundaries to
discussion.
Difficult, I know.
Sure, sure... but back to the original Marc Perkel question ... "build
something from scratch". One should redefine what the new hypothetical
system shall do... from ... SCRATCH...
And at least... try to ask himself if the idea of, say, "unwanted
messages" we had 10 years ago is still valid, if the "set of soft
boundaries" remain the same...
In other words... did the "spam problem" change in the last 10 years ?
John Levine
2013-03-17 19:33:54 UTC
In other words... has the "spam problem" changed in the last 10 years ?
Now here's an interesting question.
Martijn Grooten
2013-03-17 20:41:47 UTC
Post by John Levine
In other words... has the "spam problem" changed in the last 10 years?
Now here's an interesting question.
+1

It's nice to see so much activity in the ASRG, but reading today's
posts, you'd get the impression that email is on its last legs and that
we need to do something now, if we don't want the spammers to win.

That's not what I see, both as someone who professionally works with
spam and as someone who uses email as a communication tool.

Spam levels have come down. A lot. Most of what is still being sent is
blocked by spam filters. I think it was Bruce Schneier who said that
spam is a rare success story in cybercrime. I agree.

I'm not saying the spam problem is solved. There are many areas where
work can and needs to be done: spammers using compromised accounts
and/or hosts; low-volume spam; the grey area between ham and spam; the
fact that a lot of current spam filters rely heavily on IPv4-based
(black)lists; etc.

But I really don't think there is evidence email is so broken, we need
to look for replacements.

Having said all that and returning to what John said, it would be nice
if we could quantify some of the claims made above. How much have spam
volumes come down? What percentage of spam is actually delivered? What
percentage of legitimate mail isn't? Would today's spam-filters still
work if all email were to be sent over IPv6?

Martijn.

Neil Schwartzman
2013-03-17 21:13:55 UTC
Post by Steve Atkins
Post by John Levine
In other words... has the "spam problem" changed in the last 10 years?
Now here's an interesting question.
+1
- 1.

Define spam, first.

Greymail from legitimate marketers? Botnet spam? Both of those on email, or all forms of messaging abuse?

As Steve said earlier,
Post by Steve Atkins
In the real world we tend not to use the term "spam" or "UBE"
or any related definitions and focus on the recipient experience. Categories
like "email users didn't want to receive" and "email users didn't expect to
receive" are self-explanatory, clear, operationally useful and avoid weekly
hundred post threads where people explain carefully what their definition
of spam is.
+1.
Post by Steve Atkins
Spam levels have come down. A lot. Most of what is still being sent is
blocked by spam filters. I think it was Bruce Schneier who said that
spam is a rare success story in cybercrime. I agree.
I'm not saying the spam problem is solved. There are many areas where
work can and needs to be done: spammers using compromised accounts
and/or hosts; low-volume spam; the grey area between ham and spam; the
fact that a lot of current spam filters rely heavily on IPv4-based
(black)lists; etc.
But I really don't think there is evidence email is so broken, we need
to look for replacements.
Having said all that and returning to what John said, it would be nice
if we could quantify some of the claims made above. How much have spam
volumes come down?
that varies greatly upon your point of view as a receiver, and if most of it is filtered anyway, who cares?
Post by Steve Atkins
What percentage of spam is actually delivered?
A more germane point, but this too varies, as spam filtering adapts, so from one site to the next, over time, one can't quantify to any meaningful extent.
Post by Steve Atkins
What percentage of legitimate mail isn't?
I'm sure Return Path could hazard a guess, based upon their certification program, but then again, they tend to certify marketing mail only, and sometimes even confirmed opt-in messaging becomes "email users didn't want to receive", and thus spa^H^H^H something users want filtered.
Post by Steve Atkins
Would today's spam-filters still work if all email were to be sent over IPv6?
IP-based filters would not, since they are IPv4-based at the moment. The domain-based filters will work nicely though.
John Levine
2013-03-17 22:32:35 UTC
Post by Neil Schwartzman
Post by John Levine
In other words... has the "spam problem" changed in the last 10 years?
Now here's an interesting question.
+1
- 1.
Define spam, first.
Gee, does this mean you now have to punch yourself in the face?

One of the ways I see that the spam problem has changed in the past
decade is that we have converged on practical definitions of spam,
even though the nominal definitions remain all over the place.

I don't know anyone (other than perhaps Esther Dyson) who is worried
about individual messages, even commercial ones, so long as they're
not part of a pattern of bulk sending. My working definition is mail
sent in bulk to people who didn't ask for it, or perhaps mail sent in
bulk to people who don't want it, which are different definitions but
describe largely the same set of messages.

Greymail, unrequested or unwanted bulk mail from big and apparently
legitimate companies is spam, except to people with a financial
interest in it.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Neil Schwartzman
2013-03-17 23:28:56 UTC
Post by John Levine
In other words... has the "spam problem" changed in the last 10 years?
One of the ways I see that the spam problem has changed in the past
decade is that we have converged on practical definitions of spam,
TECHNICAL
agreed. furthermore, and as a result, we have effectively banished botnet spam and greymail spam to the boondocks.

We have seen a huge increase in spam in other mediums which have less effective filtering.

POLICY
Along with effective technical solutions, a cottage industry has sprung up of 'deliverability experts' who help some greymail marketer types get better at permission and sticking to well-publicized BCPs.
(I wanted to provide a link to a recent spamhaus blog post but they are sustaining a huge DDoS at the moment)

LEGAL
we have seen a steady improvement in the development and use of spam laws, internationally (see: any number of botnet take-downs), and public-private cooperation is the norm. Whitehat researchers are making a vast difference in the fight. I can provide this link because the recent DDoS has been mitigated: http://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/
Rob McEwen
2013-03-18 02:13:35 UTC
Post by Neil Schwartzman
agreed. furthermore, and as a result, we have effectively banished
botnet spam and greymail spam to the boondocks.
We have seen a huge increase in spam in other mediums which have less effective filtering.
Exactly. And mail hosters congratulating themselves for blocking 99% of
the spam is so "2000s". Why? This relates to other trends:

First, RELATED TO THIS: There is MUCH more legit mail per user these
days (+more users). The fact that the infrastructure has held up to this
load is amazing. Great things have happened in the infrastructure to
handle the increasing volume. Many professionals "dabbled" in e-mail 10
years ago and would send/receive perhaps 10 (non-newsletter/non-ad)
messages in an entire week... yet are NOW up to 50+ legit
(non-newsletter/non-ad) sent/received messages PER DAY. Furthermore,
they are now EXPECTING a HIGH degree of reliability. That is making FPs
all the more serious. I know many attorneys who will miss a court date
(and their client would lose by default--which is VERY SERIOUS)... if
certain important notices didn't get to their inbox. (which seems crazy
to all of us who know all that is involved with e-mail "behind the
scenes"... sort of like "making sausage")

At the same time, just as Neil said ("a huge increase in spam in other
mediums which have less effective filtering")... while botnet spam is
well-blocked these days... (a) sneaky spam is up over the past decade,
such as snow-shoe spam, (b) and, overlapping with snowshoe spam,
spammers doing things like "list rental" is up---where the spammers
convince themselves that they are doing "permission based marketing"
because the recipient really did fill out a form back in 2004 to enter a
sweepstakes offer, and didn't read the "receive offers from partners"
fine-print. Many marketers think that is a "pen-pal for life"
unbreakable contract, for them and for whoever buys their data. Other
times, lists which originally had permission are "re-purposed" to a
point where the recipient can't "connect the dots" back to the original
signup, AND... (c) hijacked accounts sending spam is up--especially in
the past few months. (+ hijacked web hosting accounts hosting spammer's
pages are way up too in recent months)

So why do I say that... mail hosters congratulating themselves for
blocking 99% of the spam is so "2000s"

Because, at the end of the day, the end user doesn't really care about
the 200 botnet spams an ISP blocked that day. He is bothered by the 4
spams that made it past the filter that day. (whereas, 10 years ago,
that end user would be DELIGHTED to ONLY get 4 spams past the filter in
one day). Across the board, expectations and infrastructure usage is UP.
Way UP! (interestingly, per-user pricing is NOT up. Sure, better
hardware-per-$$ helped... but the anti-spam and mail hosting filtering
industry ALSO did AMAZING things to combat the spam problem, and volume
increases for legit mail, during those years!...often, doing so WITHOUT
increases in profit margins.)

Regarding more recent trends... I think that some spammers have
"regrouped" in the past few months and realized that hijacked resources
is their best way to evade filters... and, unfortunately, they've had
some success with that in recent months.
--
Rob McEwen
http://dnsbl.invaluement.com/
***@invaluement.com
+1 (478) 475-9032
Jethro R Binks
2013-03-19 10:15:11 UTC
Post by Rob McEwen
So why do I say that... mail hosters congratulating themselves for
blocking 99% of the spam is so "2000s"
Because, at the end of the day, the end user doesn't really care about
the 200 botnet spams an ISP blocked that day. He is bothered by the 4
spams that made it past the filter that day. (whereas, 10 years ago,
that end user would be DELIGHTED to ONLY get 4 spams past the filter in
one day).
Amen to that. This is exactly what I find. In establishments where
effective measures of whatever sort have been taken to reduce spam, the
end recipients become accustomed to not having the headache that many here
will remember from 10 years ago. They grumble about the very few spams
that do get through, and they grumble about the 'legit' messages that
didn't for whatever reason. If it comes up, they are always absolutely
astonished when they find out how much stuff they have been protected
from.

Some proportion of time is now spent fielding complaints from people about
the email protection measures blocking too much of what they wanted, and
not blocking enough of what they didn't want. I long ago came to
the conclusion that there is little chance of pleasing everyone, or even
anyone, so I pretty much maintain the status quo and send variants on
canned answers and leave it at that.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
Roger B.A. Klorese
2013-03-18 03:00:46 UTC
Post by John Levine
My working definition is mail
sent in bulk to people who didn't ask for it, or perhaps mail sent in
bulk to people who don't want it, which are different definitions but
describe largely the same set of messages.
Define "bulk" -- if I send an unsolicited message to one user each on
every server on the Internet, is that "bulk"? How and where can it be
identified?
John Levine
2013-03-18 03:04:17 UTC
Post by Roger B.A. Klorese
Post by John Levine
My working definition is mail
sent in bulk to people who didn't ask for it, or perhaps mail sent in
bulk to people who don't want it, which are different definitions but
describe largely the same set of messages.
Define "bulk" -- if I send an unsolicited message to one user each on
every server on the Internet, is that "bulk"?
Sounds like it.
Post by Roger B.A. Klorese
How and where can it be identified?
Good question. I didn't say this would be easy.
--
Regards,
John Levine, ***@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Dan Oetting
2013-03-18 04:21:55 UTC
Post by John Levine
Post by Roger B.A. Klorese
Post by John Levine
My working definition is mail
sent in bulk to people who didn't ask for it, or perhaps mail sent in
bulk to people who don't want it, which are different definitions but
describe largely the same set of messages.
Define "bulk" -- if I send an unsolicited message to one user each on
every server on the Internet, is that "bulk"?
Sounds like it.
Post by Roger B.A. Klorese
How and where can it be identified?
Good question. I didn't say this would be easy.
Bulk is most easily identified at the source.
This is a problem because the other part (unsolicited or unwanted) is identified at the destination.

-- Dan Oetting
Alessandro Vesely
2013-03-18 09:10:59 UTC
Post by Dan Oetting
Post by John Levine
Post by Roger B.A. Klorese
My working definition is mail sent in bulk to people who
didn't ask for it, or perhaps mail sent in bulk to people who
don't want it, which are different definitions but describe
largely the same set of messages.
Define "bulk" -- if I send an unsolicited message to one user
each on every server on the Internet, is that "bulk"?
Sounds like it.
Post by Roger B.A. Klorese
How and where can it be identified?
Good question. I didn't say this would be easy.
Bulk is most easily identified at the source.
This is a problem because the other part (unsolicited or unwanted)
is identified at the destination.
Define destination. A recipient can certainly say that a message is
unwanted, but solicitations are not managed at the MX.
--
http://fixforwarding.org/
Dan Oetting
2013-03-18 14:03:22 UTC
Post by Alessandro Vesely
Post by Dan Oetting
Post by John Levine
Post by Roger B.A. Klorese
My working definition is mail sent in bulk to people who
didn't ask for it, or perhaps mail sent in bulk to people who
don't want it, which are different definitions but describe
largely the same set of messages.
Define "bulk" -- if I send an unsolicited message to one user
each on every server on the Internet, is that "bulk"?
Sounds like it.
Post by Roger B.A. Klorese
How and where can it be identified?
Good question. I didn't say this would be easy.
Bulk is most easily identified at the source.
This is a problem because the other part (unsolicited or unwanted)
is identified at the destination.
Define destination. A recipient can certainly say that a message is
unwanted, but solicitations are not managed at the MX.
If you require a solution to identify every unsolicited email you aren't going to find a solution. But there are cases where the unsolicited status of received email is known and many more situations where a probably unsolicited status is known.

-- Dan Oetting
Alessandro Vesely
2013-03-19 11:04:55 UTC
Post by Dan Oetting
Post by Alessandro Vesely
Post by Dan Oetting
Bulk is most easily identified at the source.
This is a problem because the other part (unsolicited or unwanted)
is identified at the destination.
Define destination. A recipient can certainly say that a message is
unwanted, but solicitations are not managed at the MX.
If you require a solution to identify every unsolicited email you
aren't going to find a solution. But there are cases where the
unsolicited status of received email is known and many more
situations where a probably unsolicited status is known.
I agree, but a protocol leaves a lot to be desired if it causes a list
admin to have to say something like:

If you think I'm lying, there's not much I can do about that.
[John's message of 2013-03-17 13:21]

Anyway, solicitation records, if any, are at the source as well, so
the corresponding variant of the definition is quite operational at
that side.
Barry Shein
2013-03-18 20:57:13 UTC
Didn't CAN-SPAM reach for the idea that the email had to contain a
reasonable identification of the sender. And some way to be removed
from future mailings?

That's not FUSSP but on the other hand it certainly defines one
problem with what a lot of people would call spam.

Also, there is the distinction between mechanism and policy, we don't
necessarily have to define spam here, only ways to deal with it when
you (anybody) define it.

I believe that's a much lower, and more achievable, standard to meet.

I'll also throw in that comment by a US SCOTUS justice regarding
pornography in Miller v US (this is all from memory pardon any errors)
which was "I can't define it but I know it when I see it!"

Perhaps not wholly satisfying, particularly since that context indeed
was policy and not mechanism, yet somehow useful.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Brendan Hide
2013-03-18 09:08:24 UTC
Post by Jose-Marcio Martins
Post by mathew
On Mar 17, 2013 9:44 AM, "Jose-Marcio Martins"
Post by Jose-Marcio Martins
Only to give you an idea of what I'm talking about, we had to change
the email address of our IT hotline as most messages received there
were messages sent by respectable marketers
You seem to have a very strange idea of what constitutes a "respectable
marketer".
A respectable marketer is an enterprise specialized in sending
marketing messages. A legal business runner and not the traditional
spammer using botnets and similar methods and tools.
Late reply here. Just want to nip this one properly.
Post by Jose-Marcio Martins
* Mail sent by one party to another where there is already a prior
relationship between the two parties and subject matter of the
message(s) concerns that relationship, is not spam.
* Mail sent by one party to another with the explicit consent of the
receiving party, is not spam.
If you send me a mail, that's not bulk.
If a subscriber sends a mail to the list, that's solicited.
If my bank sends me a mail, even if I don't particularly appreciate the
mail, chances are they have a signed document where I gave them
permission to send me the mails and, technically, that's solicited.

However:
If a marketer sends me mail and I have no idea who s/he is, chances are
it's bulk - but it is definitely unsolicited and warrants being
categorised as spam.

If your "respectable marketer" sends me a mail and he hasn't got proof
of opt-in from me, he's not a respectable marketer at all, he is a
spammer. In the past I have found this to be a very painful process for
naive customers when we've had to explain to them why we've shut down
their spam operations:
- "How can you let my mail be spam?" <-- actual quote ;)
--
__________
Brendan Hide
http://swiftspirit.co.za/
http://www.webafrica.co.za/?AFF1E97
Richi Jennings
2013-03-17 14:59:12 UTC
On Sun, Mar 17, 2013 at 2:43 PM, Jose-Marcio Martins
As long as we're interested in the spam problem, there are two things to be
clearly defined.
IME, anti-spam researchers usually answer that pair of questions like this:

1. It's not about content, it's about consent.

2. Spam is UBE -- unsolicited bulk email.
- Unsolicited means lacking informed consent.
- Bulk means automatically-generated (and does not imply large
volumes). Compare with other definitions, notably UCE (the C being
Commercial).
- Email... I'll leave that to your imagination.
Jose-Marcio Martins
2013-03-17 15:49:37 UTC
Post by Richi Jennings
On Sun, Mar 17, 2013 at 2:43 PM, Jose-Marcio Martins
As long as we're interested in the spam problem, there are two things to be
clearly defined.
researchers or practitioners ?
Post by Richi Jennings
1. It's not about content, it's about consent.
Right !
Post by Richi Jennings
2. Spam is UBE -- unsolicited bulk email.
- Unsolicited means lacking informed consent.
- Bulk means automatically-generated (and does not imply large
volumes). Compare with other definitions, notably UCE (the C being
Commercial).
- Email... I'll leave that to your imagination.
Thank you very much for the definitions... Maybe I'm new to the field... 8-)

If you receive something like, say, 300-500 UCE (UNSOLICITED commercial
email) a day in the same mailbox, maybe you're in your right of thinking
that all that shouldn't reach your mailbox... No ?


--
Steve Atkins
2013-03-17 15:54:36 UTC
Post by Richi Jennings
On Sun, Mar 17, 2013 at 2:43 PM, Jose-Marcio Martins
As long as we're interested in the spam problem, there are two things to be
clearly defined.
1. It's not about content, it's about consent.
2. Spam is UBE -- unsolicited bulk email.
- Unsolicited means lacking informed consent.
- Bulk means automatically-generated (and does not imply large
volumes). Compare with other definitions, notably UCE (the C being
Commercial).
- Email... I'll leave that to your imagination.
In the real world we tend not to use the term "spam" or "UBE"
or any related definitions and focus on the recipient experience. Categories
like "email users didn't want to receive" and "email users didn't expect to
receive" are self-explanatory, clear, operationally useful and avoid weekly
hundred post threads where people explain carefully what their definition
of spam is.

Cheers,
Steve
Ian Eiloart
2013-03-18 13:51:35 UTC
Permalink
Post by Richi Jennings
On Sun, Mar 17, 2013 at 2:43 PM, Jose-Marcio Martins
As long as we're interested in the spam problem, there are two things to be
clearly defined.
1. It's not about content, it's about consent.
2. Spam is UBE -- unsolicited bulk email.
- Unsolicited means lacking informed consent.
- Bulk means automatically-generated (and does not imply large
volumes). Compare with other definitions, notably UCE (the C being
Commercial).
- Email... I'll leave that to your imagination.
Actually, I think "bulk" is irrelevant. If I receive a spam message, I don't care how many other people have received it. In fact, I can't even determine that, and nor can my anti-spam software, although my ESP's anti-spam software may be able to. If I'm the first to receive it, or if it's personalised, then even the ESP can't determine that. And, if I'm to hold someone to account for spamming me, I should not have to prove that there were other recipients.

UK legislation, based on EU directives, addresses unsolicited marketing email (UME), where "marketing" is broadly defined as not just offers for sale of goods or services, but also as promotion of organisational aims.

In my view, a new service would need to eliminate some of the complications, so that we can hold senders and domain owners accountable for email that seems to be sent by them:

1. It would be based on LMTP, not SMTP, in order that individual accept/reject preferences can be expressed.

2. Spoofing of sender addresses would be eliminated - eg through publication of SPF records, strict control of intradomain sender spoofing, and banning of forwarding without sender rewriting.

3. Clients would expose sender information properly by showing addresses as well as comments. But, actually they might also be more careful about identifying senders properly with digital signatures.

4. Mailing lists should not need to modify message bodies. So, clients would have to expose message headers, like list-unsubscribe and list-id headers. This would mean that s-mime, dkim and pgp/gpg might not be corrupted by mailing lists, so we'd have more robust end to end authentication.

5. Domains would need to be flagged for email use. So, for example, they'd have to publish an MX record in order to be able to send email.

6. Reputation services would be based upon domains and email addresses, not IP addresses. This would make transition to IPv6 easier.

7. Currently, UK legislation includes a weak distinction between personal and business recipients. It's legal to send UME to business recipients - presumably there are businesses that like to be on the receiving end of B2B marketing. But which of these email addresses is a business address: "***@acme.example", "***@acme.example", "***@hotmail.example". I think it's uncontroversial that the first is business, the last is personal. However, the middle one is ambiguous (it's a personal local part, in a business domain). I'd like to see some infrastructure for expressing the concept. Or, a personal name in the local part makes it a personal address (but what about ***@apple…?). Or, maybe the exemption should just be removed entirely.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
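Points 2, 5 and 6 of the list above can be combined into one receiver-side acceptance check. The following is an added example, not part of the original post: the zone data, reputation scores, threshold and function names are constructed assumptions, and the SPF evaluation covers only the `ip4:`/`ip6:` and `all` mechanisms.

```python
import ipaddress

# Constructed DNS data for illustration; no real lookups are made.
ZONE = {
    "acme.example": {"MX": ["mx1.acme.example"], "TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "nomx.example": {"MX": [], "TXT": ["v=spf1 ip4:198.51.100.7 -all"]},
    "newco.example": {"MX": ["mx.newco.example"], "TXT": ["v=spf1 ip4:203.0.113.5 -all"]},
}
# Point 6: reputation keyed by domain, not IP address. Constructed scores in [0, 1].
DOMAIN_REPUTATION = {"acme.example": 0.9, "newco.example": 0.1}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip):
    """Evaluate ip4:/ip6: mechanisms and 'all' only (a small subset of RFC 7208)."""
    txt = ZONE.get(domain, {}).get("TXT", [])
    records = [t for t in txt if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def accept_sender(mail_from, client_ip, min_reputation=0.5):
    """Return (accepted, reason) for one envelope sender and connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if not ZONE.get(domain, {}).get("MX"):       # point 5: no MX, no sending
        return False, "domain not flagged for email (no MX)"
    spf = spf_result(domain, client_ip)          # point 2: no spoofed senders
    if spf != "pass":
        return False, f"sender not authorised (spf={spf})"
    if DOMAIN_REPUTATION.get(domain, 0.0) < min_reputation:   # point 6
        return False, "domain reputation too low"
    return True, "ok"
```

Because nothing in the decision is keyed on the connecting address except the SPF match itself, the same reputation entry applies whether the sender connects over IPv4 or IPv6.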
Roger B.A. Klorese
2013-03-18 14:19:54 UTC
Permalink
Post by Ian Eiloart
7. Currently, UK legislation includes a weak distinction between
personal and business recipients. It's legal to send UME to business
recipients - presumably there are businesses that like to be on the
receiving end of B2B marketing. But which of these email addresses is
is business, the last is personal. However, the middle one is
ambiguous (it's a personal local part, in a business domain). I'd like
to see some infrastructure for expressing the concept. Or, a personal
name in the local part makes it a personal address (but what about
It's clear to me: every address at a business is a business address.
Every domain is either business or personal. If businesses wish to
control spam within their business domain, that's on them.
Bill Cole
2013-03-19 02:10:55 UTC
Permalink
Post by Roger B.A. Klorese
Every domain is either business or personal.
As a statement of a discrete binary status, that is simply not true.
Some people may believe or desire it to be true, but that does not make
it a useful premise when devising new mechanisms for use in the real
world.

Beyond the proximal counter-example which is most obvious to myself,
note instead the widespread (at least in the US) use of addresses in
consumer freemail (e.g. yahoo.com, hotmail.com, gmail.com) and consumer
ISP domains as business addresses by many small businesses. On the other
side of that fuzzy grey band, it is not uncommon for small
privately-owned businesses which have their a "business" email domain to
have a few addresses established simply for the convenience and/or
vanity of family and/or friends of company principals.

One useful (although never officially stated) research finding of the
IRTF ASRG when it still existed was a solid demonstration via SPF that
conceiving an anti-spam scheme with behavioral premises that aren't
quite true does not inevitably result in the fully developed and
deployed anti-spam scheme driving the inconsistent behaviors into
extinction. With SPF, the result has been relegation to weak uses and
narrow applications where it never threatens those behaviors.
Roger B.A. Klorese
2013-03-19 03:05:02 UTC
Permalink
Post by Bill Cole
Beyond the proximal counter-example which is most obvious to myself,
...Say what?
Post by Bill Cole
note instead the widespread (at least in the US) use of addresses in
consumer freemail (e.g. yahoo.com, hotmail.com, gmail.com) and consumer
ISP domains as business addresses by many small businesses.
They deserve to be treated, then, as personal addresses. That's not a
problem, as that would typically offer increased protection.
Post by Bill Cole
On the other side of that fuzzy grey band, it is not uncommon for
small privately-owned businesses which have their a "business" email
domain to have a few addresses established simply for the convenience
and/or vanity of family and/or friends of company principals.
Then they should spend the flipping ten bucks a year to get another
domain registered.
Bill Cole
2013-03-19 05:59:42 UTC
Permalink
Post by Roger B.A. Klorese
Post by Bill Cole
Beyond the proximal counter-example which is most obvious to myself,
...Say what?
The domain scconsult.com was registered when the "price" of a domain was
writing a brief justifying essay for the InterNIC, and ".com" was
required to mean a Commercial Enterprise. Since then I have traded in
entrepreneurship for wage slavery, changed spouses, and had a couple of
kids grow up with a mail server in the home. But in theory I might take
the right consulting gig...
Post by Roger B.A. Klorese
Post by Bill Cole
note instead the widespread (at least in the US) use of addresses in
consumer freemail (e.g. yahoo.com, hotmail.com, gmail.com) and
consumer ISP domains as business addresses by many small businesses.
They deserve to be treated, then, as personal addresses. That's not a
problem, as that would typically offer increased protection.
Post by Bill Cole
On the other side of that fuzzy grey band, it is not uncommon for
small privately-owned businesses which have their a "business" email
domain to have a few addresses established simply for the convenience
and/or vanity of family and/or friends of company principals.
Then they should spend the flipping ten bucks a year to get another
domain registered.
That's not the expensive bit of the disentanglement.

I also think you've missed my point. I'm not against having strict
domain classes that are definitively "business" or "personal" but I know
that it does not exist today. Building mechanisms of any sort that
depend on an assumption that it does exist is doomed to fail unless you
attack the present reality directly. The fact that some new
ill-conceived anti-spam mechanism is doomed to irrelevancy unless I
split off my trivial business stuff to one of my mothballed domains with
its own mail world AND get my employer's customers to all buy second
domains for their brats & buddies AND everyone else does the same isn't
adequate motivation to get me to do my parts of that work. I'm quite
sure that most people in grey areas will not bother, so unless there's
substantial benefit to ME for doing my own part unilaterally, neither
will I.

SPF really is a relevant case to study because it failed to do what it
was designed to do. If you don't understand its failure, you can't hope
to avoid the same error.
Neil Schwartzman
2013-03-19 14:47:13 UTC
Permalink
I'm not against having strict domain classes that are definitively "business" or "personal"
Me neither. Also, the trains will run on time when I become leader.

In all seriousness, I do wish that domains could be sorted into 'commercial' and 'non-commercial' (which would include personal use) and while one could argue .name and .org could/should have been limited to those uses … that herd of cows left the gate a long long time ago and there is no practical means by which we can differentiate.

Of course, ICANN *is* reviewing WHOIS, so maybe Rod Rasmussen can put this on his 'to do' list.
Ian Eiloart
2013-03-19 11:41:02 UTC
Permalink
It's clear to me: every address at a business is a business address. Every domain is either business or personal. If businesses wish to control spam within their business domain, that's on them.
OK, but clarity of meaning can't be determined by consulting any individual. It requires a community to agree a meaning. And I disagree with you, so we don't have clarity.

I'll tell you why I disagree: At Sussex, we have lots of students with sussex.ac.uk email addresses. Students clearly are not business contacts, and nor are their email addresses. Student addresses constitute the majority of our email addresses, since they are a majority of the people here. Even among staff, we have a policy of not publishing "personal" email addresses like i.eiloart@… in our prospectus, for example. Instead, we use role based addresses like "admissions@…" and so on. That's because when a person leaves the University, their email address is retired. It isn't inherited by their successor. However, their successor will inherit the role based address. Similarly, if a person changes roles (as our administrators do), they'll take their personal address with them, but not their business role address.

The most common place that we'd see a personal address published would be in an academic paper. That's because academic queries relating to the paper would generally need to be answered by the author, not by the University: it's a question of academic independence.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
Barry Shein
2013-03-17 17:39:58 UTC
Permalink
Post by Marc Perkel
OK - let's think outside the box. Let's pretend email as we know is
going away and we are going to create an entirely new system from
scratch. Nothing has to be compatible. How would we do it right?
I'd build a system of e-postage stamps where people would get so many
for free, even 100,000/month would help the current problem tho
probably not that many.

You'd have to buy more at some modest price.

And get the ISPs et al to buy into checking their validity or at least
MUAs to check, probably something cryptographic or maybe servers
similar to the DNS servers, probably both.

The funding would be split between the ISPs and people who run the
stamp validity servers, whatever, TBD.

Similar in many ways to ICANN and the DNS system and domains in many
ways. You can't make up your own domains and use them in email, they'd
be rejected or flagged in email/envelopes, it's not much different.

Or you could choose to accept them, none of this stops you from
accepting email w/ fraudulent stamps other than if you choose to rely
on a service provider who blocks them. You could for example
set up different ports.

"Leakage" is not an issue any more than if I chose to put non-existent
domains on my web page, friends could even put them in their own DNS
and they'd work. Isn't going to bring down ICANN or invalidate the DNS
system.

I've suggested this for well over a decade and it seems to get stuck
on "*CHARGE* someone for EMAIL! NO WAY! I can think of ways around
that!!!" and not much else.

You can get around the sending, but not the receiving (short of
breaking the cryptography etc).

If we create an economy around email, and someone is losing money on
fraudulently sent email (defined by fraudulent stamps or attempts to
get around them) then there'd be more energy put into combatting spam.
--
-Barry Shein

The World | ***@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
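The receiving-side check that makes such stamps hard to get around can be sketched as follows. This is an added example, not part of the original post or any deployed system: the `StampAuthority` class, the stamp format, the HMAC construction and the binding of each stamp to one sender are all assumptions made for illustration, with the issuer and validity server collapsed into one object.

```python
import hashlib
import hmac
import secrets


class StampAuthority:
    """Hypothetical stamp issuer and validity server in one object."""

    def __init__(self, free_quota):
        self._key = secrets.token_bytes(32)  # known only to the authority
        self._free_quota = free_quota
        self._issued = {}                    # sender -> stamps issued this period
        self._spent = set()                  # serials already redeemed

    def _tag(self, serial, sender):
        msg = f"{serial}|{sender}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, sender, paid=False):
        """Issue one stamp bound to a sender; free until the quota is used up."""
        used = self._issued.get(sender, 0)
        if used >= self._free_quota and not paid:
            raise PermissionError("free quota exhausted; further stamps must be bought")
        self._issued[sender] = used + 1
        serial = secrets.token_hex(8)
        return f"{serial}:{self._tag(serial, sender)}:{sender}"

    def redeem(self, stamp, envelope_sender):
        """Receiver-side check: 'valid', 'forged', 'wrong-sender' or 'reused'."""
        try:
            serial, tag, sender = stamp.split(":", 2)
        except ValueError:
            return "forged"
        expected = self._tag(serial, sender)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "forged"
        if sender != envelope_sender:
            return "wrong-sender"  # a stamp lifted from someone else's mail
        if serial in self._spent:
            return "reused"        # each stamp pays for exactly one delivery
        self._spent.add(serial)
        return "valid"
```

A sender can attach anything to a message, but only a stamp that carries a correct tag, matches the envelope sender and has not been spent comes back as `valid`.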
Andrew Sullivan
2013-03-17 20:14:56 UTC
Permalink
Post by Marc Perkel
OK - let's think outside the box. Let's pretend email as we know is
going away and we are going to create an entirely new system from
scratch. Nothing has to be compatible. How would we do it right?
Obviously, we'd set up a centrally-operated and -controlled entity,
and put a lot of games based on flash in the system. We'd have a lot
of photos involved. And applications to reach the system from
everywhere. Nobody but the central command would own anything on the
system, and the security would be completely impossible to understand.
We could call it, um, Bookface or something.

Naw. Nobody'd use that.

A
--
Andrew Sullivan
***@anvilwalrusden.com