Domain: bondedsender.org
Stories and comments across the archive that link to bondedsender.org.
Comments · 10
-
Re:Whew
They have something like that already. http://bondedsender.org/ And its a scam
....
Well, my idea is not a scam. It wouldn't be run by one company, it would be a Free, Open Source solution.
Who would control this? Some US goverment agency?
That's the beauty of it- no one needs to 'control' it.
The best way to stop spam is to get people from purchasing crap from spam mailings. Just like JUNK POSTAL MAIL. IMHO
There's a problem with that: I've Never bought anything from a spam email, but I still get spam. I don't know of anyone who has ever bought anything from a spam email, but they still get spam. You see, it only takes literally 1 out of a million people to buy from a spam to make it worthwhile for the spammer to spam. Or, in other words, only 1 in 1,000,000 people respond to spams. That's already a pretty darn low number. I don't really see what can be done to lower that number. And since it's enough to keep the spammers spamming, there will always be spam. -
Re:Whew
They have something like that already. http://bondedsender.org/ And its a scam that spamcop came up with. google "spamcop bondedsender" You have a good idea, but it would be abused. Who would control this? Some US goverment agency? Some new ORG thats just a front for the US gov like ICANN (ie; US DoC)? The best way to stop spam is to get people from purchasing crap from spam mailings. Just like JUNK POSTAL MAIL. IMHO
-
Re:Tools are available
-
The hole Ironport wants you to installIronPort wants you to install a hole to let their stuff through. For SpamAssassin, for example, they want you to put in
-
header RCVD_IN_BONDEDSENDER eval:check_rbl('relay', 'sa.bondedsender.org.')
describe RCVD_IN_BONDEDSENDER Received via a whitelisted Bonded Sender address
score RCVD_IN_BONDEDSENDER -100.000
Note that "-100.000". That says "accept this, even if it looks like spam". You might want to use, say, "-3.0" instead. Give them a little credit, but don't open the floodgates.
Watch for spam with the "RCVD_IN_BONDEDSENDER" flag in the X-Spam-Status header line. You might want to have Mozilla (I assume Slashdot readers aren't using Outlook) move such messages into a "Bonded Sender" folder. That lets you watch what they're sending.
As soon as you find a real spam passed by BondedSender, please post it to NANAE.
-
header RCVD_IN_BONDEDSENDER eval:check_rbl('relay', 'sa.bondedsender.org.')
-
Re:Second side to this coin...If you are interested in how it really works (and how you can take advantage of the same whitelist), go here:
IronPort's receiver service page.If you are interested in the rules that bonded senders have to ablige to:
IronPort's sender standards page. -
Clarity - actual sources...How about the real info?
-
Better site...
IronPort's Whitelist access is available, here.
-
Re:Second or two of processing timeI agree with the penalty payment system for helping the false-positive problem. - Ironport's Bonded Sender Program (who pay TRUSTe to do the validation) is a good first-step in that direction.
For those unfamiliar with the concept, the idea is that you sign up with them, set up a "bond" with a bunch of money, and they add you to their RBL-type whitelist. When a mail server receives an email, they do a DNS-lookup of the sending-mailer's IP address suffixed with a specific domain, and if they're part of the whitelist, they can either let the email through, or as in SpamAssasssin's case, give it a -4.3 score to "help" it get through the filter.
If it was indeed a spam message, the user complains and Ironport deducts $20 from the bond, costing the sending company real money.
The only major hurdle is that the setup fees are far too big right now for anyone but big commercial mailers to use their service ($1000 just for the application fee, plus a multi-thousand dollar annual fee, separate from the "bond").
If another company could set up a similar but affordable service, and convince the majority of spam-filter software makers to use them, the penalty-based micropayment system could work even for individuals, while still allowing normal SMTP email a chance to get through (just less of a chance).
And of course, it's still not a perfect solution - it can easily be abused by spiteful users, but it along with advanced filters can make email a little more palatable.
-
Re:Positive discrimination
Perhaps the ISP needs to put in a charge fr being a spammer in its TOS, sort of along the lines of bondedsender. If you, as an ISP customer, spam, intentionally spam and continue to spam/run an open relay, you forefit the posted bond to your ISP and you get disconnected.
It's just a thought. -
Re:SPAM filterHere's my blog reply to Tim Bray:
Tim Bray proposes having people pay 1 cent per email. It's not much, but it would make some many non-profit email lists unworkable. Most other proposals like this charge only for the first email from an unknown sender, and usually a lot more than one cent. This does require the recipient (perhaps at the ISP level) keeping track of who is already authorized to send free mail.There are actually quite a few workable schemes for preventing spam. Tim Bray is right that any system where sending is both free and anonymous will always be open to spam, but it's not necessary to charge on a per-message basis. One system that is beta-testing right now is Bonded Sender. With this system, the owner of an outgoing mail-sending server puts up money to guarantee that his system won't be sending spam (on the order of $1000 per server, with $500/year renewal). There's a contract that specifies what is spam and a third-party arbitrator for handling disputes. Existing mail-filtering software can easily check the BondedSender status via the DNS system, as they generally already check the DNS status of senders.
There are a couple of drawbacks to this. First, the IP verification won't work with dynamically-assigned addresses. Second, some smaller email senders may not want to spend as much as $1000 on this. Third, it doesn't help you if your ISP is not participating. All of these can be overcome by using a paid relayer, as Tim Bray suggests. It would be up to the relayer to determine how to prevent abuse of its own system.
Other systems work by verifying a digital signature and certificate of the sender, either on a per-message basis (S/MIME or PGP) or on a per connection-basis (using SMTP over TLS). This doesn't require a static IP address to verify identity.
Although it may seem complex and even chaotic, more than one mechanism will exist to prevent spam, even in the long-term. For a variety of legal, political, and financial reasons, no one solution will please everyone. We need to have some sort of meta-email system for allowing these to co-exist effectively.
What I propose is that an independent group be established which will provide a framework for interoperability. What needs to be done?
- A description of anti-spam policies. For example, Tim Bray's
proposed SMTP4ALL charges $.01 per message. Or FirstClassEmail may
charge $1 per message. BondedSender contractually forbids spam and
requires a cash bond up front, as well as identity verification.
There are a lot of possible policies. It should be up to the recipient to specify what policy is acceptable, but there needs to be a concise list so that the decision can be coded in a program.
- There also needs to be a way for the recipient to find the policy. For certificate-based systems, the policy can be encoded directly into the certificate, but the exact syntax needs to be defined. For other systems, something else needs to be devised.
- A way to describe the properties of an individual sender or message. It may be part of the sender's anti-spam policy that unsolicited mailings are allowed, but that each mail will be labeled with what type of mail it is, e.g. commercial, personal, political, charitable soliciting, etc. Similarly, a system such as Hotmail may want to label each user as to whether they are a verified, paying customer, or an anonymous, free customer.
- Some sort of meta-enforcement scheme. There needs to be a way of
knowing if SMTP4ALL is really charging $.01 per message or if it's
letting spammers send through at 1/1000 of that price. Is a CA
shirking its duties?
We don't want the chaos of the current RBL system. This is not something that should be c
- A description of anti-spam policies. For example, Tim Bray's
proposed SMTP4ALL charges $.01 per message. Or FirstClassEmail may
charge $1 per message. BondedSender contractually forbids spam and
requires a cash bond up front, as well as identity verification.