Slashdot Mirror
Email (As We Know It) Doomed?
Mephie writes "A pretty interesting article at Slate.com takes a look at how spam may be killing email as we know it. With the increase of spam, the argument is made that more users will switch from blacklisting spammers to 'whitelisting' specific, trusted addresses, making email more like instant messaging: if you're not on someone's 'buddy list,' you have to prove you're an actual person (e.g. identify a word in an image) to send a message." May be?
Right now, my email box gets about 30 spams a day. I almost never receive legitimate email anymore.
.. Email is just becoming outdated as a method of communication, funny how fast that happened. Spam didn't help though, that's for sure.
Additionally, I find that email communication is too slow, which is ironic since its so much more efficient than the old way everyone used to communicate by post.
Instant messaging clients have more than replaced email for me. They can do everything email clients can do, without spam.
Email will always have a place of course, like websites will need email addresses for contacts, and other such things. But for person to person communication, instant messaging clients are much easier to use
Tolerate no spamming what so ever. If one complain about a customer with an proven case of spam would arrive at a abuse department, shut that account down. There is no need to allow this, and no need to "warn" users doing this.
My ISP limits me from commersial activities at my homepage, why not limit the e-mail account from spamming.
The biggest problem today is that the price of spam is not charged from the spammer, but the poor user who recieves the shit. For all you americans out there, sue a spammer, make him/her pay for all loss of productivity he/she has caused. It'll make you rich, and perhaps make spammers think twice before clicking that send button.
Previously bayesian spam filtering was demonstrated on slashdot to be very effective. Once this becomes commonplace, and seamless, no extra configuration required on the users behalf, hopefully we will see the end of spam.
However, combined with whitelists this could be quite useful. Bayesian filters to filter out spam, except for whitelisted spam. Eg mailing lists of advertisements you sign up to being whitelisted could be effectively. I suppose that when you sign up to a mailing list that would normally be recognised as spam, when it sends a confirmation e-mail your client could recognise it and ask if you want to add it to your whitelist.
Anyway, with the introduction of bayesian filters into an ordinary client means that the future of e-mail may not necessarily have to be so bleak.
I would have no problem with public crypto. If a message isnt cryptographically signed by someone who you care about, then you could just nuke it. I'd be all for this.
Kan jeg få en pils, vær så snill?
CloudMark or other systems that use peer based filtering seem like the way to go. If 10 people have said this is spam, why should I have to see it?
"A language that doesn't affect the way you think about programming, is not worth knowing" - Alan Perlis
You need to do as I do and when you send an e-mail out to someone not in your whitelist have your mail program add it, so that all outgoing e-maila ddresses are checked against the white list and if they are not in they are added. Whitelist is great... and I've not missed any e-mails :)
The worse spam gets, the more people will look to alternatives. Maybe it's time to set up some infrastructure for Internet Mail 2000.
I guess this is where PGP signatures would come in handy. Simply refuse to accept anything without a valid PGP signature (and possibly all unencrypted mail too). Of course, you would be very reliant on the concept of "trust" that is already present in PGP - although on a different basis. The web of trust today only reflects how much people are who they claim to be, whereas a new model also would have to reflect how much people "like" the person sending the mail. Spammers could obviously "validate" each others, and thus the would system would break down :(
The obvious "problem" with e-mail is that anyone can send anything to any valid adress (this also makes it a Good Thing (TM) though), so it would also be an idea to make it harder to get e-mail adresses. Never typing ones e-mail adress - even in "encoded" form (my-email at thisserver dot com) - is definately a start, but all it takes is one AOLer to type it on a webpage, and you are f***ed. Honestly, putting you e-mail available only as an image is not going to help much. There will be a breach of "security" somewhere along the line, and then the flood of spam commences.
The only solution I can see is to just outlaw spam and prosecute them hard and fast. Fat chance that'll ever happen in good 'ole business-friendly US of A.
________
Entranced by anime since late summer 2001 and loving it ^_^
A better way to implement white lists is TMDA. If it don't know the one that is sending the mail, it automatically sends an email asking for a confirmation, so that defeats most spammers and gives normal people the opportunity to not be ignored by a plain white list scheme.
If one complain about a customer with an proven case of spam would arrive at a abuse department, shut that account down.
I don't think it's quite as easy as that. If one customer using my laptop gateway sends a spam from my IP address, is that the end of my cybercafe? If one angry employee at IBM sets off a spamming program as he walks out the door, does IBM vanish from the Internet?
A while back our server got blacklisted for a week or so by SPEW because it was in the same 16-bit IP range as a machine that has been used for spam. That's potentially 65k machines! It was at this point that I vowed not to co-operate with any of these anti-spam measures, which inevitably martyr innocent users at random and don't touch the big spammers with the resources to change IP address and ISP three times a day if necessary. The cure is worse than the original disease!
Virtually serving coffee
os x's default email app, mail, seems to toss spam directly into the trash with (about) 99% accuracy... that is, 99% of spam is correctly identified as spam. perhaps twice i've found emails that i've wanted to receive in the trash, but that's over many months, and the mistakes will never be repeated after a quick "whitelisting".
anyway, if you're really upset by spam, it's pretty friggin' easy to avoid it... do NOT put down your regular email address for any site that wants to email you a password for registration. get a trashy hotmail account (or whatever) just for verifications, and use your regular email addresss for real communication.
perhaps spam, collectively, is a huge problem, but the problems it causes for typical individuals are small, especially given the existence of spam filters. that's why spam won't "kill" email by any measure.
.
For a long time, there were doomsday predictions of the "web as we know it". The pessimists claimed that the signal-to-noise ratio was constantly decreasing and that things would soon degrade to such a point that it would be untenable. Well, what happened? The link structure of the web serves to greatly amplify useful content on the web and filter out noise (so neatly exploited by google).
This is only the latest in a long line of articles saying "spam is increasing at an exponential rate. So in X years Y% of our time will be spent deleting SPAM. E-mail is doomed!!!". This author, for example, says nothing of bayesian spam filters . What is likely is that spam and anti-spam will both mature in a few years, and that a combination of filtering methods will weed out most junk from our mailboxes; users will have so problem manually sending the handful of remaining penis enlargement offers to
Maybe Yahoo and MSN will implement user by user Bayesian spam filtering now :) It would also be interesting to see if they could do the filtering on their entire user base instead of person by person.
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
You can still keep the system open by forcing the sender to spend a little bit of CPU time to send a message (e.g. finding a collision of a short hash function). The idea is explained at:
I had spam yesterday where they spelt Viagra wrong. Unless Viagrea is a new wonder drug?
Not funny at all. You knew what they meant; a filter on your inbox on the keyword 'Viagra' wouldn't have. Someone I know once worked on software to do realtime filtering of keywords in "family friendly" chatrooms. He said it was almost impossible; a human's ability to communicate FUCK without out actually typing it was far ahead of any rules he could encode into his software without breaking legitimate conversations. That's one of the reasons the spam problem is so difficult to solve purely with technology.
I think part of the reason why is because I'm careful about giving out my email address in the first place. I don't post it on slashdot.org (I did as my old retired account, and while I got a couple of compliments and some constructive critisism I also got deluged with hate mail - so I stopped doing that). I don't think people should need to do this, but unfortunately I think people have to.
Somehow my work account gets more spam, I think some people make a few extra bucks by selling the company roster. This would be supported by the fact that I'm pretty sure employee information is also sold, a few recruiters have known just a little too much about what I do for an educated guess.
Chris Kuivenhoven is a thief, beware
My ISP allows me to have 5 email addresses. While I only use one for normal use I have reserved the other for with some back-up users names that I may use in the future. I have never given out any of these extra email address, though they get about 10 emails a week. As the article states spammers are using methods similiar to a hackers dictionary attack to create random email addresses and send them out. So what it basically boils down to is RTFA!
This wouldn't happen. Anyone who lives in the EU: check your emails - are any sent from EU nations? NO. If the US would stop this stupid insistence on your personal details being everyone else's property but your own - then we wouldn't have to put up with so much sh*te being sent to our inbox about mortgages on another continent. I hope the EU goes through with the (jokey) threat to find and list the names of the people breaking the law - so if they ever take a holiday to Paris, we can be waiting.
Pimping my Karma Whore since 1847.
$ wc -l .whitelist .whitelist
804
It works, but it's a pain, and I still have to manually check the spam folder once in a while to catch people writing to me out of the blue about my software. And there are still a few false positives in the archive (tell me about them, and I'll try and weed them out).
Rich.
Gratuitous spam archive advert: http://www.annexia.org/spam/
libguestfs - tools for accessing and modifying virtual machine disk images
Since ISP's give you so many email addresses, or you could run your own mail server, or whatever - when I sign up for something on the net that requires a valid email address, I create an email address just for them.
This serves two purposes. One, if I start getting spam then I know who did it. Second, I can simply shut down that email address.
So, for example, if I wanted to download AVG, then I'd create an alias email address "avg@zerion.com" that simply gets routed to my normal email address, that way when I check it I get my serial number for AVG, and if they start spamming, I know it was AVG because no one else knows that address.
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
One answer is for everyone to move to using PGP and digital signatures, any mail thats not encoded with your key is blocked or whatever.
Another answer is this:
1.you have a whitelist that contains anyone you send an email to (would be added automaticly by some kind of filter or proxy) as well as anyone you add specificly (for example you could add *@mycompany.com to whitelist your company mailserver)
2.anyone that emails you who is on the whitelist automaticly gets through
3.when you post your email to newsgroups, message boards, web sites or otherwise give it out, you include some kind of small "key" (perhaps in a signature or something), basicly its a small text string or number.
4.if the person emailing you has included the "key" in their message somewhere or whatever, its let through and that person is added to the whitelist.
5.any other mails are bounced with a "if you want to get in touch with me, include xxx in your message body somewhere to get past my spam filters (where xxx is the "key"). If its a genuine email, the person who sent it in the first place will, if its important enough, respond to the bounceback and include the key, thus getting past the filters and getting on the whitelist.
I like this "real person" approach to things... identifying a word in an image seems like a pretty good way forward to me. If nothing else, it will greatly enhance OCR technology...
Apparently porn will save my marriage... or so I'm told by Jim@fouryourmarriage.net.
Perhaps slashdotting of spammers is a better way forward...
You fool! You've given cheese to a lactose intolerant volcano god! Do you know what that means?
Knuth killed his email address in 1990,
Knuth vs Email
Analytic & algebraic topology of locally Euclidean meterization of infinitely differentiable Riemmanian manifold
The core problem as you put it is humans. There's not much we can do to force everyone to play nice. There will always be greedy abusers of the system, criminals, spammers, scam artists, and the like. And there will always be people who either encourage them or do nothing to stop them. And the rest of us are just caught in the crossfire.
:)
Quite frankly, I browse the web without any popups, etc. and very few actual ads. My email accounts get almost no spam (I don't even need to use tools like spamassin).
The only way to solve the core problem of spam is to convince people to play nice. And call me a cynic, but I just don't think that's going to happen anytime soon. So all that's left is "band-aid engineering" (or mass genocide, but I don't think that's a particularly good solution, even for spammers
"Save the whales, feed the hungry, free the mallocs" -- author unknown
Let's think outside the (mail)box for a second.
Imagine a system where only whitelisted e-mail with a confirmed return address gets through. That would be enough to kill spam. The problem is, how can we allow previously unknown people to get on this whitelist without human intervention and gray/blacklists. Complicated? Not necessarily.
Here's the idea: suppose that we have a certifying service attached to our e-mail address. Say, my e-mail address is me@foo.com and my certifying address is certify.me@foo.com. Now I would want to send e-mail to you@bar.com but you do not know me and you are using a whitelist. No problem. I send you an electronically signed e-mail, and my mailing program, upon deciding that you are not already on my buddy list, cc:s the message (or relevant parts of it) to certify.me@foo.com. When your program receives my message and checks that I am not on your buddy list, it sends a signed query to certify.me@foo.com. The automatic service behind that address verifies that
Upon receiving the certification your program adds my address to your whitelist and accepts the original message. After all, you now know my e-mail address. Even a spammer who would be willing to reveal his identity would be pummeled to a certain death by millions of certify requests (which would make his ISP very unhappy). And should a spammer once get on your whitelist, just blacklist him.
This would not be a burden for mailing lists, because the certifying procedure is only invoked during the first contact.
This scheme would triple the initial number of e-mail messages, but because it's a one time event, the overhead is small. Considering that 95 some percent of all e-mails seem to be spam, this could actually reduce the traffic significantly after all the spammers have either been auto-spammed back for every single piece of spam that they send, or vanished into oblivion if none of their messages ever reach people.
So, anybody willing to implement this?
Existence usually comes as a surprise (Idem)
Until I started using TMDA, just recently. 100% effectiveness, no more spam. It works on the whitelist-centric strategy of only allowing mail from known senders through, and allowing unknown senders to confirm themselves.
You may share my original fear: that important clients wouldn't be able to get through. The fact of the matter is that with a well-populated initial whitelist, you've already taken care of most of those scenarios.
For the remaining population of legitimate senders that aren't whitelisted, you may worry about them not taking the time to confirm themselves. But as the TMDA FAQ notes, we used to have the same worry about confirming mailing list subscriptions, and now that's completely standard. If someone took the time to write you an important message, they'll probably take the few seconds it takes to respond to a confirmation request once and for all. But, my friends, as the article notes, I think we've reached that point where such minor inconveniences are well worth the net drop in junk mail.
No, TMDA does not stop spam at the source, and it barely reduces the resouces required to receive spam, but it does address the most notable waste of human resources, because once you start using it, you don't have to look at spam any more. If you're an end user looking for a fix, check it out.
I think the commercial software vendors are largely responsible for the massive increase in spam. IE is basically an ad delivery system; there's no way to control pop-ups, and no way to block images from ad servers. This is because from the corporate perspective our job as computer users is to view as many ads as humanly possible. Don't expect MS to be of any help. And don't expect any useful legislation either, as the DMA has a powerful and generous lobby in Washington.
But where proprietary software fails us, free software supplies the features that people actually want. Mozilla has built-in pop-up blocking and a great deal of work is going into spam filtering. On my linux box, I use spamassassin and vipul's razor for email, and filterproxy and mozilla to block ads and protect my privacy on the web. Very rarely does any spam make it into my inbox, and I almost never see ads of any kind online. However, it fills me with horror to use other peoples' computers. How can anyone stand all the flashing and blinking?
Conclusion: decent tools are the answer, not bug-eyed rants about the death of email.
Email shouldn't die. If mailserver admins do their jobs right, it should be possible to block out loads of spam.
For instance, look at www.myrealbox.com -- I've had accounts with them for over a year and never received ONE spam in them. Ever! I don't give my address out publicly or to untrusted sources. They do a damn good job of blocking spam.
You see? You see? Your stupid minds! Stupid! Stupid!
Usenet, great and thriving discussion and publishing system. Then someone realizes they can profit by exploiting it. People think, "Well that will only work until people get sick of it and stop reading..." Wrong - it's still there, with almost nothing left but spam in the unmoderated groups.
The same thing will (has already?) happened with email - as long as the cost of exploiting it is less than the percieved profit opportunity, it will be exploited. Given the costs of sending email, it's unlikely to stop being exploited - ever.
I've been forced into whitelisting because some spammer thought it would be a good idea to start using my email address as the reply-to address for all his spam. All the bounced messages come back to me. I get about 200 bounced messages per day from so many different domains. Add that to the regular 30-40 spam messages per day. I've had my email address for almost 5 years and I use it for work as well so I don't want to change it.
I've set my mail programs to see if it's email from someone on my whitelist and if it's not then it replies with a text message explaining why I can't accept email from them but if it's important to email me or they should be on my whitelist then to email a throwaway account that I check less frequently and I'll add them.
I use a Hotmail account as my public, "throwaway" email account - but even Hotmail can be configured so that you rarely get spam. The method is simple - whenever you get any piece of spam, add the entire domain to your "block" list. It is not good enough to block a specific address such as "netoffers3@netoffers.com" -- you must block the entire "netoffers.com" domain.
Maybe I am just lucky, but I almost never get spam anymore on my Hotmail account - an account which, I assure you, is *very* public. (I have been using this account for online transactions for years now). The only "spam" I still get are sale pitches from vendors like Amazon.com and Buy.com - domains which I do not want to block outright.
my religion lies somewhere between buddhism and super monkey ball - pamphlet?
I think this works in the long term better than whitelists:
1. Sending mail server generates a tx content key based on the contents of an e-mail being sent.
2. Sending mail server uses the tx content key with a private key to create a confirmation key.
3. Sending mail server sends the e-mail, along with the confirmation key to the receiving server.
4. Receiving mail server generates a rx content key from the e-mail contents.
5. Receiving mail server sends the rx content key and the confirmation key back to the sending mail server.
6. Sending mail server uses its private key plus the rx content key to re-generate the confirmation key.
7. Sending mail server compares the confirmation keys.
8. If the keys match, the receiving mail server allows the mail to enter the recipient's mailbox.
9. If the keys don't match, the mail is bounced.
This should eliminate spoofed e-mail, which is the only type I get. This technique also keeps the second transaction to a minimum exchange of keys. The keys add traffic, but the eliminated SPAM traffic more than makes up for the penalty. As more and more mail servers are updated with this feature, spoofing is all but eliminated. The remaining "spoofable" domains can be explicitly severed from the net or blocked.
Xesdeeni
Why not? You have whitelist based programs like TMDA and ASK that do something like that but you need user action. If you could integrate to servers and clients, you could have this more transparent (and more effectively fighting spam). The idea is simple: 1- The email is sent. It stays on the queue. 2- A challenge is sent back (in case the origin is not already in the whitelist). 3- The origin is then authenticated sending a reply to the challenge... That's it. (a bit the same TCP does to IP... Make it trustable.) PS.: Of course the spammer could legitimate his origin, but at lease you can add (and identify)him more easily in the blacklist.
How does that stop anything? .0001 per email = $100 if you send out 1 million emails. That doesn't put enough dent into the spammers' costs to really deter them. I think you have to consider the type of spam and where they originate. IMHO, spam comes in 2 forms.
1) Legitimate - ones that come from real companies, with working unsubscribe policies.
2) Illegitimate - from companies that forge headers, spoof IPs, steal legitimate email accounts, etc.
For type 1), you can follow tactics that have proven effective to telemarketing by developing a state/federal do-not-email list. If any company sends email to an address on that list without explicit permisson, they will be warned the first time, and fined $500 per email each time after.
For type 2), you'd just have to criminalize those acts. I don't see any other way to stop them.
...than the hotmail account is Spam Gourmet. Check out their site.
Unlike IM, when I send someone an email, it is unnecessary for them to be online, or have their IM client running in order to receive my message.
Check out Jabber. It does just that. If someone sends me an IM, I don't even need to be online, the jabber server will store the IM for me until I sign on.
IM has the potential to replace email because there really isn't anything email provides that IM can't. Even syncronous communication.
Right now the cost/benefit analysis favors spammers.
The Spammer's View:
First, it's very inexpensive to collect/buy a million email addresses and very inexpensive to send a million emails. Second, the return is sufficient: out of those million emails, all it takes is a handful of replies to make a profit. Third, the risk of being prosecuted or otherwise suffering financial damages is still practically nil, so the worst you have to fear is your ISP cutting you off -- whoop de doo, go uncover another rock and sign up with a new one.
The ISP's View:
It costs little more than a little bandwidth to send a million emails. It costs a little in reputation to be weak on busting spammers' accounts. Signing up a new customer is a profit.
The User's View:
Here's where the "cost" of spam is high, and consequently where most of the effort in fighting it has been made. Most users either just delete or have software to keep spam out of their inbox. Some people are careful about how they publish their email address. Some use blacklists or (more recently) whitelists. The cost to receive an email is fortunately low or nothing.
When the cost of spam becomes too high to ignore, for spammers to send or ISPs to relay, spam will decrease. It already has started to become more expensive: some ISPs have strong anti-spam policies and measures; some laws have been passed against spam; and there is quite a bit of software to deal with spam at the recipient end. But that's not enough, as evidenced by the continuing growth in spam.
Eventually, spam will be dealt with more strongly at the source. It has to be sufficiently painful first, and the pain is starting to be felt by ISPs and others involved in relaying email. I expect the situation to be much better a couple years from now.
-Thomas
I have two primary email addresses. Both are over six years old. Both have been plastered all over my website for the past four years, with no obfuscation (by necessity; it's how potential clients contact me).
One goes thru a subdomain and a BBS. It seems to attract more than its share of spam with blank or bogus TO fields. The BBS spam filter (written by our intrepid sysop) kills all mail not sent to a legit user. That, and some filtering specific to spammer-only return addresses, is sufficient to kill off 99% before it reaches my mailbox.
My other email address is via a real ISP, and is completely unfiltered. It typically gets only a handful of spams a day, the work of 15 seconds to delete 'em all. But more significant -- the total amount of spam received has DECREASED over the years. It now gets maybe half as much as it did in 1997. Lately, some days I don't get any spam at all.
The only thing I've done to protect this address is use something completely bogus for usenet. Once in a while I post with another client that shows my correct address, and forget to change it first, and then for a couple weeks I get a spasm of spam -- but it soon drops back off to the usual handful.
One oddity: every so often, some moron uses my real ISP address for sporging on Usenet. When that happens, my spam drops to ZERO for the duration -- as if this somehow poisons the address!!
As to webmail: My Yahoo account (about 4 years old, only used if all others are down) has never received a single spam. My Hotmail account (going on 5 years old), occasionally used as a spamtrap for sites of unproven privacy policies [cough* realtor.com *cough] but never used in Real Life nor posted anywhere, gets a ton of generic Asian spam, but almost never gets any of the same spams as my regular ISP address. Hotmail's spam blocker sometimes works great, and sometimes not at all -- just about anything in Asian character sets sneaks thru anyway.
~REZ~ #43301. Who'd fake being me anyway?
One of those being Spamnet [cloudmark.com]
Damn-it, I hate companies that don't state up front what their business model is. Is it shareware? Is it trialware? Is it demo? Are they going to ask for money at some point? WTF is the repercussion of me downloading and running their software? I do NOT want to download someone's softare and have to read all the installation crap *while* installing it to figure out what the limitations/deal/catch is with the software.
More and more small win32 software companies are not mentioning *at all* what their software is on their webpages. So I have to spend 10-20 minutes crawling their site trying to figure out what the hell they are doing and who they are. Often I end up having to use Google Groups to find someone commenting on the company's angle. Pain in the ass!
It *sounds like* they let you use SpamNet right now, and use the "spam information" that everyone provides in their enterprise spam filtering solution. But it's buried on one of their other pages.
4. SPEWS sends warning to your ISP
6. SPEWS blocks small IP range, sends second warning
8. SPEWS blocks larger IP range, sends third warning
When SPEWS mails people, I doubt they do so saying 'We're SPEWS and this is an official warning.' They'd do it saying 'This spammer at aaa.bbb.ccc.ddd hit my account this morning, please remove him'. This would have two advantages:
1) SPEWS remains anonymous - this helps, because by now there are an awful lot of spammers screaming for blood
2) ISPs have to treat every spam complaint seriously, because they have no way of knowing which ones are from SPEWS and which are from ordinary users
If SPEWS sent complaints in their own name, then ISPs would simply ignore all non-Spews complaints. An anonymous SPEWS leads to ISPs reading their abuse@ mailboxes with much greater care...
Real Daleks don't climb stairs - they level the building.
Here's what I think I want.
I want peer to peer distribution of spam filtering rules.
Say I get a spam containing the word 'viagra'. (I know, never happens, right?
When I (or anyone else) views that message and says 'that's spam', a rule based on that message should be published for acquisition by email servers across the net. Messages to anyone could be rejected based on a percentage match to known spam.
All of the sudden, spammers would have to compose a _different_ message to everyone on their lists. Not an impossible task, but I prefer the burden remain on the spammers to try to get a message through, and I prefer that that burden remain extremely high.
So, slashdotters and sourceforgers (er.. wait a minute there...no pun intended or implied
Thank You!
Granted, few of them are doing it now, but as whitelists become prevalent, the spammers will simply maintain lists of email tuples, each tuple will have you, your mom, your uncle, and your best friend; all folks in your whitelist. Send to each address in the tuple with a From: address from the tuple, and voila, your whitelist does nothing.
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
It's a temporary phenomenon. A lot of people are new to IM and get these misunderstandings a lot. After about ten years of using IM systems you stop having the problem, in my experience.
(Yes, I'm serious.)
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak