The Case for Rebuilding The Internet From Scratch
dotnothing writes "I just caught a column on a security site advocating for a total start from scratch as far as certain internet protocols like SMTP. It's an interesting idea and there are some ideas on how to conduct the transition... if everyone would agree on something like this it would definitely reduce the spam (among other things)."
We can't even roll out IPV6. Even Internet2 has some basis in existing standards.
It's an interesting idea and there are some ideas on how to conduct the transition
Dude, it's easy. You just download the source and:
./configure
make
make install
Works every time, er... unless you're missing some dependencies... but apparently Gentoo and the BSD portage system fix the dependency problem.
"Can of worms? The can is open... the worms are everywhere."
There are some very powerful entities that have a vested interest in keeping things the way they are today. I agree that many of these protocols are being used in ways and volumes never intended by their creators, and a redesign would be highly desirable. But with so many interests involved, how would such an endeavor ever get off the ground???
Stop by my site where I write about ERP systems & more
IPv6, replacement for SMTP, Slashdot style moderation on USENET, default encryption on all data transfers, DHCP configures EVERYTHING (like mail server, news server, etc), and more naked women. That would be perfect.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
...but will it help get rid of idiots like the parent post here?
There is no spork.
You mean like IPv6, too?
That has been "widely" accepted. I can see this becoming a "reality".
Why slashdot? Why not?
Will they make use of the new 'Evil' IP bit?
Sometimes I doubt your commitment to Sparkle Motion.
Alright, we can do this, but this time around I've got dibs on "business.com."
If all the people that drone on and on about spam would put 1% of their effort into this we would have Internet 2: spam free edition by now. Instead they think somehow getting laws passed is going to miraculously stop spam.
The way some sociopaths talk, you'd think spam was the most important issue regarding technology today. This is because it IS the biggest thing in their lives. If spam is the biggest problem in your life it's time to power down for a few.
You could have a new version of SMTP, maybe called SMTP2 that would refuse connections from an SMTP1 server. That would cause most people to change rather quickly, and might even be workable.
Something like IP, otoh, would be best if the new version could coexist with the old version.
If I have nothing to hide, don't search me
That was the weirdest thing. I thought I was posting about a science fiction museum. It said it at the top and when I hit submit I see "The Case for Rebuilding The Internet From Scratch", is this a /. bug?
The problems with various internet protocols (including the underlying IPv4 protocol!) have been known for YEARS, and have been screamed about by us geeks for YEARS. Nothing has happened, and there is a reason for this.
...then you might have something.
If you want to change the standard, you first must convince people to use your new standard. Now if someone comes up with a shiny new email feature that everyone thinks they *must* have, and it happens to be based on an existing protocol, and there's no way it will work with SMTP, well...
Personally, I'd consider "no spam" enough of a feature, but I think I'm in the minority, unfortunately...
--ZS
-- sigs cause cancer.
spam can not be stopped. period. if you believe otherwise you are misguided. the protocol does its jobs, and the verification of the headers and content are to be done on the end systems. a challenge system at the backbone level is ignorant.
the only update the internet needs is more IP space and faster connections and Internet2 is already doing that.
MARIJUANA, SHROOMS, X: ONLINE?! - E
redesigning the internet would take away everything that makes it good.
A redesign would be forced to the best interests of conducting business, not sharing information.
It would not cut down spam, only change the form it takes. SPAM can only be slowed via education. People must learn that SPAM is not the way to buy things.
If businesses don't like the way the internet works, then they can get together and build their own, down to, and including, laying their own backbone.
The Kruger Dunning explains most post on
And, on the seventh day, of the seventh month, of the two thousand and third year of A.D. a darkness fell.
The "net" fell, first one computer, then another, and another.
The web was being taken down, ripped as if it was a spider's web that a clumsy person had walked through.
A few rebels called "Spammers" held out, but they were soon silenced, then, and forever.
But, then a light shined, a new web was forming, first one computer, then another, and another.
And so the story ends, with a new beginning.
... sorry, not happening. Hell, we can't even push out v6, let alone start from scratch. Sure, these organic growths (i'm talking bout the internet) may seem inefficient and disorderly, but anyone in theoretical math knows that such systems have an awkward efficiency. Similar to the buses in Mexico (they don't have a single entity controlling them, like the US does), the internet grows from several competing interests, and often seems chaotic and ineffective. Yet, studies show that the buses in mexico are several fold more efficient than the regulated from the start ones here in the states. Just some food for thought.
(someday, i will make FP)
YOU SUCK BALLS!
There's nothing really wrong with the Internet, it's the fucking morons that use it!
Give something to the world and you find what the best AND the worst have to offer.
Agree or not, it's like the guns issue: Intelligent humans can handle it with no issues, but when you put it in the hands of the ignorant, well, we can see the results...
It'd probably be wise to refactor a lot of the ideas that are currently contained in the RFP body. Distill out a solid and rich set of very basic building blocks of encryption, communication standards for characters, frameworks, etc. and start rebuilding the larger components, such as mail services, from there.
not to tell AOL? Let's just not mention anything to them, and suddenly we have two separate networks...
The old network only consisting of AOLers.
The new network consisting of everyone else.
If this isn't acceptable, could we try just not telling Microsoft?
You can't get 3 people to agree on where to eat. How does anyone expect to reach a worldwide agreement on how to redesign something that's become such a huge part of our lives?
The only way we ended up with something as good as we have was due to the fact that it was created by a small group of very intelligent men with much foresight.
With that in mind I suggest we form a task force to look into this matter. That way we can sleep soundly at night knowing nothing will ever actually happen.
"If you limited normal users to 100 messages per second and major companies to 10,000 messages a second it would be hard for legitimate users to complain, but spamming would be much harder."
Hm... At a limit of 100 per second that only means I can send out 100x60x60x24 = 8,640,000 e-mails per day. How am I going to be able to talk to all of my friends now?
Sticks and Stones may break my bones, but copyright will always protect me.
For years, there's been this little protocol called IMAP. It's really good. Yet most people, or rather most companies, insist on using the hopelessly-outdated POP3 standard. And these two standards are compatible - I can use IMAP without forcing everyone else to make the transition.
You want to obsolete SMTP entirely? Get real.
If it improves performance, reduces commercial advertising and leaves me more productive at the end of the day, I say go for it!
All the new web browsers would agree to support standards, and support them properly. No more of this half-assed guessing game as to what any browser will support. This would also include things like PNG. It's a good 7 years later, and IE (Windows) still can't get it right.
A subjective summary of the column:
- Scrapping the Internet is a good idea because spammers have used email to annoy everyone.
- Under this new, hypothetical email system, Verisign would require everyone to buy a secure ID to ensure they are who their messages say they are.
- The columnist is willing to spend more money and lose his privacy in exchange for these conveniences, so we should be, too.
Please. The problem with spammers isn't because SMTP is so weak. The primary cause of the modern deluge of spam is unsecured email servers around the world, allowing senders to spoof their identity and auto-email anyone they happen to have an address for. And no new system, no matter how rigidly secured, will make up for admins who don't do their job; if it did, it would be prohibitively expensive or complicated and thus be impossible to implement as widely as email is now.
The writer, Larry Seltzer, complains about spammers abusing his account, and yet his online publisher sticks a link to his email address right at the bottom of everything he writes. I would suggest that if he wants to reduce the flow of junk to his inbox, he start with his own managers.
...for the Latin/Classical Civilization ignorant, the parent post is a poorly formatted bastardisation of poem 16 of the poet Catullus. You can find an approximate translation here. The parent has just substituted "Aurelius" and "Furius" in line 2 for "Billy G" and "Microsoft" respectively, and "versiculis" for "software" in line 3.
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
MS would buy control of the process and then pollute any standards that result. At least now there is a level playing field.
I don't want MSInternet.
BC
Intel created a 64 CPU from scratch and it appears to be a bit of a turkey. Good design but not a real world solution, you can say the opposite about the Internet.
If the Internet has protocol problems then fix the protocols, it didn't take that long for most of the web to adopt http resume.
This happens to all projects, irregardless of size. Developers will eventually believe that a total restart is the only way to fix problems. It's kinda sad, but I'm as guilty of it as anyone. I don't know how many times I've rewritten a project cuz I didn't like how it turned out, or couldn't fix a bug in the system quite right.
Same thing here.
The fallacy comes in the notion that something can be perfectly engineered. Nature teaches us that a vulnerability will be found, the weakest link will break, and that the internet will have problems in it.
Just cuz you don't like SMTP doesn't mean you should try to take it away from everybody.
I can understand the author's frustration with the current infrastructure, and it might be nice if we could chuck all of the bad at once.
BUT, this is completely impractical and would never happen. The current installed base and backwards compatibility always have and always will act as insurmountable inertia to sudden and drastic changes. The innovators will keep on innovating while the rest of the user base slowly upgrades their most woefully inadequate equipment/software to the new standards.
Let's face it: once the internet moved out of the realm of hobbyists and academia and into the commercial sphere it lost the willingness to accept drastic changes. While it continually evolves (the emergence of ipv6, internet2, etc), I don't think we will be seeing a real, identifiable revolution anytime soon.
-bcollier06
..and, exactly, what studies are you reading?
Try SMTP AUTH. Any respectable MTA implements it.
This would take a centralized authority -- without one, enforcement is left to the commons, and we all know what happens then.
I'm sure we'd have no trouble finding a decent, well-respected, centralized authority to control all of the world's email. After all, no one has any cause to complain about the Internet's existing centralized authorities!
Seems like every implementation I've seen first hand of "let's rebuild this super humongous system from scratch" never goes as planned. Inevitably, there are many unforeseen problems with the new system. Some of these problems are due to poor planning. Some are not. Some of these problems will be a tremendous pain to fix. Some will be discovered immediately while others will be discovered months or years down the road. In the end, you may wind up with more problems than the old system and you wonder if it was really worth it. Just my $0.02.
Seriously, we could talk about what if's all day long, whether about the internet, global politics, the SARS virus, or even the DH rule (I'm against it) but it won't change a damn thing.
Last time I checked, actions speak louder than words.
I'd love to see some action to seriously combat spam because, frankly, I think it's going to do some serious damage over the next few years if the current situation is allowed to continue unchecked.
When people stop checking their inboxes because finding genuine messages is like finding a needle in a haystack, and when 25 or even 50 percent of all internet traffic becomes spam, thus slowing down the entire system for everyone and (more importantly) costing infrastructure providers, ISPs and ultimately the end-user serious money, it'll be a bit late to address the problem.
Better that it's done today - I'd rather deal with the disease now rather than treat the symptoms later.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
"The Internet was designed to be secure from nuclear attack, not its own users."
The problem is, it's very difficult to protect all of a technology's users from harming themselves with the technology or destroying it all together. Just look at virtually all of our inventions and discoveries: nuclear reactions, cars, CFCs, weapons...you can't generally save people from a technology if a substantial proportion of its users are hellbent on using it to annoy everybody else. I think even an "Internet2" would be unsuccessful unless it was so advanced it could somehow protect itself from its own administrators. But even that has its problems. (Insert Terminator reference here.)
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
I can see IPv6 being phased in in the next couple of years as the IP problem becomes more intense and NAT becomes even more of a royal pain in the backside. What I don't see happening is twenty years of maturity (in some form) being tossed out the window. It would be a shame to see existing protocols being dumped because they aren't secure - most of the time it is the IMPLEMENTATION that doesn't work or has flaws. Many software packages should be scrapped altogether and rewritten and designed from the top - sendmail is the example that comes straight to mind. So many flaws have come out over time it is silly. I'm not saying SMTP itself isn't flawed though, it most certainly is.
The people at PlanetJailbreak have designed, from scratch, on paper, the UT2003 version and the work has appeared to have paid off - an incredibly low number of bugs from their alpha testers have been reported. Where there have been many flaws in a package based on a fundamentally old codebase it should be rewritten totally, regardless of it being server or client software. The problem would be getting people to adopt - many people never patch a thing.
smells and sounds like the first shot to have One Corporation To Bind Them take over the damn net, too.
;)
;)
nonsense, good thing I'm getting back into ham radio.
The Internet belongs to the users. Always has, damn well better always will, or we'll take it back
how about you just add a header field, and users can decide whether they check it or not. and follow that up with dedicated bits for spam, porn, response to yours, etc. that are outside the security field. violators of the spam and porn bits get to wire Turkish prisons for 35 years
and if we don't care about OCTBT and their steekin' rules, we just ignore the field. if that clots somebody's snot, well, their BGP listing might be redirected, as it deserves to be.
that is how the Internet is supposed to work. you don't like it, build your own.
if this is supposed to be a new economy, how come they still want my old fashioned money?
IBM Researcher Offers an E-Stamp Spam Solution
Email *should*:
-be spamproof (extensible mechanism for integrating CAPTCHAs)
-require a digital signature (so everyone on the network has some degree of digital identity instead of the just trust me model. Solving the distributed digital identity problem probably won't happen in any way we want, so I suggest a simple peer-to-peer identity mechanism much like the one ssh uses. It's good enough for now)
-provide a receipt on delivery (no more your mail has been sitting on a server for a day and you don't know it)
-autonegotiate formatting/language options (your mail server tells the sender to use HTML vs plain text, english vs spanish)
-use ssl in all negotiations (client-server-server-client)
Is this going to happen? Probably not. There's so much stuff built around SMTP that it'll take a decade at least.
This would be a good opportunity for all the new protocol implementations to include use of the "evil bit" we first heard about sometime around the beginning of this month.
I haven't read the article, but with regard to email: since its invention, people have picked up other means of electronic communication, like ICQ. So perhaps they would also pick up something like 'email2'? Some nerds could start using it, just for kicks, and more and more people might join in. Eventually the old email system could become obsolete. Because of the spam problem, people also have a real incentive to make the switch.
What we really need is to replace the entire technological infrastructure from scratch.
New electrical, plumbing, telephone, fiber, roads, everything. Technology has advanced so much over the past 100 years that the infrastructure, in the USA in particular, is a patchwork of "legacy" and new technologies. You can see just driving around places where shitty old telephone poles head underground. Places where you'll see new fancy street lights, with old crappy lights at the next intersection. Of course, it's unrealistic. But it would be pretty awesome.
The GeekNights podcast is going strong. Listen!
This is an interesting mental game but nothing more. Pick any complex system that has evolved like the Internet and you will find valiant efforts going into total redesign. Off the top of my head, look at how long Microsoft has been carrying along legacy code, or look at how Intel is trying to make a clean break from x86. In the non-computer realm, our legal system is so snarled sometimes the police just stop enforcing certain laws. How about gridlock in a developing city? Would sure be nice to just start over with new roads where and how we would like them to be, but fat chance.
I would even go so far as to say that even if you COULD rebuild the Internet from scratch, the effort would be useless. The Internet has been an evolutionary system, adapting to the demands users place on it with ever changing requirements. The changes you would make would be accurate for 0.001 seconds, then would start on its own road to obsolescence. You would see this very same article posted on Slashdot about Re-Redesigning the Internet in 2008.
So have fun with the mental exercise, but this beast will always grow on its own.
To reach a rational conclusion:
1) Read or skim Lawrence Lessig's "Code and other laws of cyberspace".
2) Think a bit about the DMCA and DRM (assuming you oppose them).
3) If you still think this is a good idea, please click here to find practical help in your area.
Developers could work out the detail of a secure/user-trackable email system, and build it. Then, over a few years time, we have two email accounts. One classic, one new secure style. Once everyone you know has migrated, you can do away with your old email address.
I'm a little confused about this article. It talks about rebuilding the net, but it focuses on a protocol that's really only a software change. You don't need a whole new internet to do that. Just create your messaging service and entice people to use it.
Frankly, I'm surprised more people haven't ditched email for Instant Messaging. Spam just doesn't work on it anymore because permission has to be granted before anybody can contact you. Etc etc.
"Derp de derp."
I've been arguing for years that the only way to fix the spam problem is with some kind of certified-user infrastructure. And I doubt that I'm the first person to see this. Filtering simply does not work, as the current volume of spam (60% of all mail traffic, I'm told) indicates. The only question is, how do you make everybody switch over?
Seltzer's idea of SMTP gateways is ridiculous. It's just another filtering solution. Nor does it make sense to wait for Internet2 to roll out -- that technology will probably exist side-by-side with the current Internet for decades.
Not that I have any better ideas. Perhaps users who go to the new protocol could bounce SMTP email with the appropriate "please change" message. Whatever.
In any case, I don't think the answer will come from the standards wonks. More likely the major ISPs will get together and invent something.
If your primary concern for updating the internet is to prevent spam, or to at least limit it, I've found a fairly good solution. I just keep two separate addresses. One I use for the bulk of my important personal and business communications and the other is merely a decoy. Any service that requires me to give an address on a form I automatically assume will also lead to an inordinate amount of spam, so I give only my decoy address. This has been very effective for me, because at least 95% of my spam goes to that address and most of that is easily filtered out. The one thing I would love to be able to do is to sort the mail as it comes in so that mail from certain addresses I know to be important can be put into a separate folder or something so that I am sure not to miss it (for my decoy account).
"There's no way to rule innocent men. The only power any government has is the power to crack down on criminals."
Nice idea but you've got a whole lot of machines to support in the transition, not everyone would want to upgrade their 68k Mac, BeBoxen or Amiga to run another platform with compliant software, so who would get the programs for the old systems working?
:-)
Before you say "just get with the program," think of 3rd world countries, non-profit organizations and schools who don't have the money for the new hardware and associated software AND licensing for the related necessary upgrades... ("think of the children" comes to mind here...)
Yeah, nice idea... in theory.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Like everybody's going to be using untrustedebian and closedbsd.
pop3 is really quick and has little overhead.
Imap can bring a server to a crawl, especially if your lusers er clients are trying to sync every porn spam they've received in the last 10 years with the latest bug ridden copy of outlook they insist on running.
Lawyers, MBA's, RIAA? A jedi fears not these things!
The article suggests that it would cost more to send email, but not more to get it? How would this be enforced? Could we design a mail protocol that charges per email sent, which means that your co-worker can't send you and his 40 other email buddies the latest joke picture, or religious pronouncement that you must forward to 40 of your friends or face dire consequences?
This idea may have more than a little merit. Although the cry for "anonymous" email will be loud, do any of us really need to live double lives on /. and use funny email nicknames so that no one can become offended by our words, find us on google.com, and come to our house and kill us? Or, maybe because of the accessibility to our private lives on the Internet, there is a need for private, untraceable email?
Why slashdot? Why not?
here's my list:
1) let's clean up ftp. real security options, performance options, etc.
2) smtp. as in the article, smtp needs work, at the protocol level and implementation of mail programs and their handling of information. i really believe that a little key management at the isp level (if enough isp participated) could really make a difference.
3) dns. i would drop .com, .org, maybe even .edu and .net. use the ccTLD with other localizations below that.
4) more ip addresses. ip6 would be nice, but if i'm starting over from scratch, just increasing the ip address from 32 to 48 or to 64 would help.
5) the ability to do a number of things in a slow, throttled-back fashion to run nicely in the background.
6) better printing protocols. lpd is a mess and the other printing protocols seem to be problematic.
7) snmp. this seems to be getting better via v3. the real problem seems to be the software, not the protocol.
just my $0.02
eric
Exactly. Anybody's who's been around Slashdot for more than five minutes should know enough to be terrified of the very idea.
A new design would inevitably reflect business motivations over technical ones at every turn. Say goodbye to the end-to-end concept, get ready for trivially-encrypted protocols just so that the DMCA can be used to force you to use 'authorized' clients that make you view advertisements left and right, expect to see some sort of licensing regime before you can even put up a public server somewhere, etc.
It's a good damn thing this is completely impossible, because it would be an absolute disaster if it happened.
spam hauses (hope that's the right way of spelling plural spam haus). And based on my mail/firewall logs, these are 50% of the time hosted by XO, Verio, Level 3, and C&W, with C&W being by far the worst. If these companies either stopped carrying spammers, or if everyone and their mom blacklisted these fools (check blackholes.us for a kick ass listing of various ip ranges for these hosters) and used spews and spamcop on their mail servers (content filtering in my opinion isn't the cure, you're still wasting bandwidth accepting the crap, why not bounce it right away with a rbl?), the spam problem would drop considerably.
Lawyers, MBA's, RIAA? A jedi fears not these things!
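The RBL check the comment above refers to (refusing a listed sender at connect time rather than accepting the mail and filtering its content) is a DNS lookup in the format of RFC 5782. The sketch below is an added example, not code from the thread; the zone `dnsbl.example`, the function names and the sample answers are constructed for illustration.

```python
import ipaddress
import socket

# Hypothetical zone for illustration; use the list(s) your MTA is configured for.
EXAMPLE_ZONES = ("dnsbl.example",)
# RFC 5782: a listing is signalled by an A record inside 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name to query for `ip` in DNSBL `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                     # four octets
    else:
        labels = list(addr.exploded.replace(":", ""))     # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """Return the A records for `name`, or [] when it does not resolve.

    Any lookup error is treated as "not listed" (fail open), so a DNS
    outage does not make the server refuse all mail.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listing(answer):
    """Only answers in 127.0.0.0/8 count. A retired or parked zone that
    resolves every name to a routable address must not block mail."""
    try:
        return ipaddress.ip_address(answer) in LISTED_NET
    except ValueError:
        return False


def connect_time_decision(client_ip, zones=EXAMPLE_ZONES, resolver=system_resolver):
    """Return (smtp_code, text) for a connecting client, before any message
    data is accepted: 554 if any zone lists the address, 220 otherwise."""
    for zone in zones:
        name = dnsbl_query_name(client_ip, zone)
        hits = [a for a in resolver(name) if is_listing(a)]
        if hits:
            return (554, "5.7.1 %s listed in %s (%s)" % (client_ip, zone, hits[0]))
    return (220, "not listed")


# Constructed sample answers (documentation address ranges), standing in for DNS.
SAMPLE_ANSWERS = {
    "99.2.0.192.dnsbl.example": ["127.0.0.2"],        # listed
    "7.100.51.198.dnsbl.example": ["203.0.113.10"],   # parked-zone wildcard answer
}


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7", "192.0.2.1", "2001:db8::1"):
        print(ip, connect_time_decision(ip, resolver=sample_resolver))
```

The resolver is passed in so the decision logic can be exercised offline; a production MTA would use its own DNS client with timeouts and caching.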
Answer: Completely remake the internet.
Problem: The cost would be prohibitive.
Answer: It'd trigger another tech boom and everyone would have jobs and even dumb people with marginal skills would be paid like chemical engineers.
Problem: The switch over would require everyone to run parallel systems.
Answer: See above.
Problem: Current security depends more on exclusion than inclusion.
Answer: See above.
Problem: Who are you going to trust to write that security model? A wise collective endorsing open standards, an oligarchy of businesses vying for proprietary standards or the government?
Answer: Oh, the wise collective, for sure.
Problem: But do you honestly believe they'd be allowed to?
Answer: Uh, no ...
Problem: So what do you see?
Answer: A problem.
A feeling of having made the same mistake before: Deja Foobar
The author isn't very knowledgeable. Quotas for email can be implemented without breaking existing email clients. SMTP allows Authentication via certificates to be layered on top or, most email clients allow SMTP send with authentication.
asked a few people involved in solving the problems of e-mail what would be involved in fixing it. This put them in an awkward position of conflict; after all, spam-filtering vendors and other security companies make their living because these problems exist
Bollocks - the mail gurus who maintain this stuff are mostly volunteers and are not interested in making money off spam/protection. That's an insult to them.
This will not "reduce the spam." That's like saying copy-protection mechanisms will stop piracy. Or that it's possible to make the Internet completely secure. New protocols will take longer to develop than will crackers' methods of exploiting them.
Nice article. I've had similar thoughts, but it's possible to do what this guy suggests using existing, off-the-shelf, technology (and it can all be done open source too).
The argument in a nutshell is that if everybody were using authentication (and encryption would be nice), then everybody could filter spam at the gateway by simply saying, "I don't want to see any un-authenticated mail".
Ok, fine then. Let's all authenticate our email. There are loads of PKI based SMTP gateways. If you're an MS shop, you could even implement this on a per-user basis. There's a lot of security technology out there that isn't being used.
Ask your favourite Win2K network admin this: do they use L2TP and IPSec on all connections between all machines on their network? Probably not. It's kinda crazy that nobody does since this has got to be one of the most sure fire ways to improve your security posture because it prevents all passive network scanning from seeing any data of importance.
Similarly, why aren't we all using PKI to sign and encrypt our email? It's nuts that confidential legal and personal messages are sent around the 'net everyday with no encryption whatsoever. When was the last time your mailclient had to use its S/MIME capability to decrypt a message from anyone? Would your lawyer send you those important documents on the back of a postcard? How about that multi-million dollar deal your company is working on? Would your CEO be happy mailing the paperwork in a clear-plastic envelope that anyone could see?
Seems to me that we need to be smarter and more consistent in using the technology that we have today before we rush out and architect a new solution that will no doubt be full of holes that we can't foresee at the moment. The open standards of the Internet make it both strong and weak. But as they say, "guns don't kill people, I kill people."
I often have problems understanding certain types of humour. Literal humour is no problem, but for some reason nonliteral humour - irony, I believe it is known as, though I may be wrong - I have a problem with. Perhaps it is due to my naivete. Since I so rarely utilise this verbal sleight of hand, it sometimes escapes my notice when someone addresses me with it. Thanks for pointing out this usage of irony to me. I hope that I will be better equipped for it in future, courtesy of your advice.
Note to M1-ers: a curt but otherwise insightful message is not "Flamebait" or "Troll".
Yet another call to hand off the net to some mythical central authority which'll be able to monitor everything we say and do, then use it against us should we ever complain about what the powers that be are up to.
I'll take a pass on this 'solution', thanks. I'd rather deal with spam than make it any easier for anyone to track every single thing I do on the net. Hell, it's too easy as it is, hence the development of things like Freenet....
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
Have you guys heard of X.500? My impression was that it was a challenge to SMTP, and it failed. Does anyone have more info?
I believe there is only so far you can drag along an outdated system. Rebuilding the internet from scratch is a great idea because it allows us to use our experience to start over. That way, we can simplify any improvements because we don't have to carry along the old outdated protocols, etc for compatibility purposes.
Volunteer Mozilla developer, RPI Student.
This proposal does not make any sense. It's a little late for April Fools jokes.
I'm guessing that such a "switch" would once again create demand for the tech sector, for companies trying to switch as well as for companies seeing the new opportunities that may arise.
Would be nice... especially for all of those unemployed people out there!
-Alex
I strongly disagree. The most popular caching software, Squid, doesn't even support 1.1 yet! Nor do a LOT of servers out there.
Then the majority of the world can connect to the NEW better-designed internet on their better-designed Linux boxes using their better-designed Dvorak keyboards.
Already-implemented trumps better-designed.
to settle it all, let's just unplug all the smtp servers and write letters by hand again... no wait .. aol'ers wouldn't understand why their computer stopped saying "you've got mail"
An organization was created devoted to promoting the new internet's open standards, which is then backed by some major corporations. And while we're at it can we please ditch HTTP and the browser as well. Re-work the browser to work like a native app and not hypertext. In other words a "web site" would become a "web app". It would work the same way as a browser in that you plug in a URL and the window transforms itself to include appropriate widgets and information. Don't say this is what web services is for... that's another clunky method that still relies on http. And while I'm at it let's throw in a universal IM protocol. Who will step up to this challenge...? As much as I'd like I don't think anyone would or even could.
Often times, technological advances only happen when it's convenient, not when it's actually needed.
Eddy.WriteLinux.Com
QWERTY
Start with SMTP
Then let's redo http, to be more efficient, use a PCI card to do compression... we could make it much more efficient.
Replace all HTML with XHTML
Replace POP3 with IMAP all around
Replace All file sharing with WebDAV, perhaps enhance it a bit.
Then a standard IM Protocol.
Ah life would be good.
The one true solution is to move the cost of delivery onto the sender. The recipient needs to be charged with the task of picking up their mail. If you'd like to look at it using existing technologies, think of everyone having a different POP server for every sender that delivers them mail.
The obvious benefit is that it's simply not possible for the bad guys to deliver you email. But mailing lists get cheaper too, and there becomes no such thing as a bounce-back.
Most people will want to add people manually. A robot confirm system (image or audio related- human readable- not robot readable) that exists on my website would allow you to add your POP server to my POP list.
I've talked about this quite a bit, and the two questions everyone seems to ask are "but that's just like certification" (which isn't a question), and "pop is on the way out. it should be imap instead" (which also isn't a question). The latter is easy- of course it doesn't have to be POP3. IMAP isn't terribly friendly for this application either, but you're right in thinking that it doesn't matter. Mailing lists may want an IMAP-like system, but for single-delivery, you'll probably want something more like POP. You'll download your message once to your system - whether that be your workstation, or a centralized server that can keep all of your mail for you.
Now about certification. I think many people miss some very important details:
And finally, the most important detail is that we are moving the cost of delivery from the recipient back to the sender- if you have EVER been in a time or place where your bandwidth was costing you by the minute, then you'll know why this is so important. For those of you that don't; get an imagination.
if everyone would agree on something like this it would definitely reduce the spam
I think it would be easier to get everyone to agree to not send spam.
In order for something like this to work every single user of the Internet has to agree to use it. There is no central authority. And this is a good thing. If you want to make a new authentication scheme and have people opt-in to it, we already have that with PGP and SSL signed messages.
A case could be made to have commercial ISPs enforce some rules, so long as nobody is forced to use a particular ISP.
-Ryan C.
The real problem is less technical. It is political and judicial. And it is localized to a few countries which are not serious on cracking down on spam: USA, Korea...
Countries which have proper laws on spam have practically no domestic spam problem.
The US needs to clean up its own act. Get a clear cut federal law against spam. It works wonders. It makes it that much easier for ISPs to convince customers that spamming is bad, if you can point to a law rather than just say it's bad etiquette and not considered acceptable use blah-blah-blah...
Don't blame the internet protocols for US politicians' faults.
The thing is, the guy never even came close to coming up with a valid justification for replacing the Internet... spam is in and of itself not a good reason. There are all sorts of protocols and standards that would be great to replace:
- DNS
- get rid of telnet and make SSH the standard
- replace FTP with SFTP or SCP
- clean up the port 80 mess and put more control back into the firewalls
I'm not fluent enough on IPv6, but I'm willing to bet the networking folks would love to take a crack at replacing TCP/IP and coming up with a better plumbing, on which the protocols could be built upon. Do that, screw backwards compatibility and I'm sure the replacement will be better than anything we see today. Of course, then some dumbass small company will claim to own a patent on this, and we'll be even more screwed....
---- Meh.
Before running off to change everything how about just getting people to follow the rules we have.
For example one requirement of the SMTP RFCs is that everywhere a domain appears in an SMTP conversation it must be fully qualified AND it must resolve. Unfortunately that requirement is rather widely ignored. Just set your mailserver to reject EHLO/HELO greetings that don't conform and you will bounce lots of spam as well as tons of legit email.
Like the cockroaches they are, spammers rely on hiding in shadows. If legit mail-server operators stuck to the RFCs detecting, filtering and tracking the shady ones out would be easier.
No, it's not perfect, but at least I could do things like check the EHLO against the connecting IP to see if the other server is lying.
I would be absolutely delighted if AOL, Earthlink, Hotmail, Yahoo, MSN and other large mail handlers started being very RFC picky in what they allow. This would force a mass cleanup of non-compliant servers and would make my job a lot easier.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
"So have fun with the mental exercise, but this beast will always grow on its own. "
Well part of the problem with the "systems" that humans build is that there's a creative process (build it and they will come). But rarely a "destructive" process to taking it apart. Laws are made, now where's the proactive process to removing bad and no longer relevant laws?[1] What about technology, or government agencies? Things just sit around until they decay, if at all.
[1] This is where someone yells "courts", but courts are reactive, rather than proactive.
[1a] The creative process has a structure and checks and balances. The "destructive" process would need similar to prevent a "race" condition.
Yes. Is it practical? That's a different matter entirely.
IF it was to be done, it would have to be done bit by bit, protocol by protocol. You could take SMTP, start work on it, keeping developers in the loop all the while so they could work on incorporating the protocol into their programs. Once the protocol is finalized, you could leave a period of time for developers to finish their programs, then release the new programs and put the new protocol into effect. Of course, rebuilding the internet this way would take a long time.
On the other hand, you have to acknowledge the fact that the internet does behave like a living organism. The internet is very flexible, capable of growing and adapting to meet many different needs. It's a prime example of the fundamental concept of chaos theory: behind chaos, there is order. Do we really want to mess with something that works?
why bother, all new software development that has the potential to copy/move bits from one machine to another must be approved/controlled by the *AA.
I'm sure that this.parent is in violation of some law by merely suggesting that any new networking software ought to be built. Such thought is the exclusive legal domain of the bit-sequence owners.
Go to Jail. Now.
The internet is as flexible and free today as it is simply because it grew up before it was on the radar of the marketing and legal arms of corporate America, and the legislators they send campaign donations to. We're very fortunate about this; an open architecture is what the Internet is "stuck" with, and it's proving difficult for those who would replace it with a closed architecture to work against that history.
You had better believe that if we rebuilt the information superhighway from scratch, it would have in place all the controls and restrictions that the various entertainment industry wants, and would be run on standards and protocols which are closed and proprietary. (Many likely from Microsoft, but they would probably be "magnanimous" and licence other proprietary protocols from other companies who have influence with legislators from other states.) In the end, you would not have nearly the flexible and open Internet we have today, but rather something much closer to the one-way "content delivery" system that the entertainment first thought the Internet was, and is now trying to legislate the Internet to be (once they realized that it wasn't naturally that).
-Rob
I've already written my own protocol to replace SMTP. I set up three servers to send mail to each other. They've been busy at it all weekend testing it out. It looks like a great success. There's been no spam at all :-)
now we need to go OSS in diesel cars
This can't happen. Microsoft will not embrace new standards that they don't control. It's just not how they operate. Without support from Redmond, nothing will happen.
The Center for Democracy and Technology has released the results from a six-month survey on how spammers obtain email addresses. The researchers created a few hundred special-purpose email addresses, then carefully exposed each one in exactly one place. After that, it was mostly a matter of sitting back and waiting for the spam to roll in. The destination of each spam indicated where the address had been found.
"Why Am I Getting All This Spam? Unsolicited Commercial E-mail Research Six Month Report"
Some highlights:
By far the most spam was sent to addresses harvested from web pages. Postings to Usenet newsgroups came in a distant second. On Usenet, posters to groups like alt.sex.erotica will receive vastly more spam than those posting to misc.industry.insurance.
Even the most simple sort of address obfuscation ("lwn at lwn.net") appears to be highly effective.
Dictionary attacks (simply trying login names from a list) result in a significant amount of delivered spam. Short account names are more likely to receive this sort of spam than longer ones.
Contrary to expectations, the WHOIS domain name database is not a big source of spam.
Most web sites honor their promises regarding unsolicited email - but you do have to be careful about making your wishes clear.
cpeterso
I remember when AOL joined Usenet too. That's when all the overweight divorced 45 year old women with little yappy dogs named "Boo boo" and "Bubby" invented the gayest of all internet abbreviations:
"LOL"
If you use the term 'LOL' that will mark you forever as an AOL moron.
I get no spam in my mailbox. Not a single piece. First my server catches most of it, then if it gets through, my procmail grabs what's left.
Of course now that I have "challenged" everyone here, I am probably about to get tons of it.
But seriously, I think the problem with spam is education. Watch where you give out your email. Read those web forms carefully. Quit with the "FW: FW: FW: This is so cool!" emails. They aren't interesting, or cool. Stop sending online greeting cards. They are only in the business to collect email addresses. It's really not that hard.
"Tonny Yu, founder and CEO of Mailshell, says that any new and better replacement for SMTP would have to have some sort of certification system to guarantee that senders are who they say they are. The obvious candidates would be certificate services like Verisign, but if demand shot up perhaps there would be more competition. Mail servers would also have to be certified, or mail sent to them would not be trustworthy. "
I agree with mail servers having to be certified, but not individual senders unless it's a free service. When setting up SSL for my site, I had to pay for a certificate. Since it will be an online store, that's fine... But a casual user of the internet shouldn't have to pay for certificates in order to send an email. I guess if ISPs offered their users the ability to lease a certificate like we do IPs, that would be fine. Those who want more than that could pay for it.
Volunteer Mozilla developer, RPI Student.
Of course, copyright proponents would love to inspect the contents of Internet traffic as well, and they would put huge money into getting these provisions into the specs.
Unfortunately the things I mention are not the stuff of crappy science fiction, but rather what has been going on so far wherever certain interests can have an influence. Thanks but no thanks. I'd rather keep hitting the delete key more than a hundred times a day and keep my spam and my privacy wherever I can.
How serendipitous!
Aren't there software patches out there already?
or I could be wrong.
anyway, selling hardware is always better (the fry's potential!)
Who wants to start a new company with me?
Let's make a 10 dollar box that translates ipv6 to v4 and sell it to the people who still use 9x out there.
this box features
-plug and pray a 9x machine onto an ipv6 network
-provides basic firewalling
-????????
-and a few other key words that sell to the general public.
Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
Would we have to start over from scratch with new pr0n, too?
:)
It's been such an arduous journey just to get to this point, I don't think I could handle it a second time.
oh, you must be talking about scp
as with most of the other "ideas" on this thread, the thing you'd like to have already exists. all we have to do is use it.
...and therein lies the challenge.
I agree. It is a terribly weak premise that the whole of the Internet has to be scrapped to reduce the annoyance of spam. First off, the most secure transfer protocols I've used (those in ssh) can ride quite comfortably on an insecure protocol. The insecurities in TCP/IP aren't at all responsible for spam.
In the same thread one layer up, secure signed messaging has been available for years, and it is absolutely trivial to configure your mail services to throw out all email without a proper GPG signature. The tools for this have been tested and proven for some time.
The change that is required is social in nature. You need the Moms and Pops on the big services to want "whitelisted email only" enough to get a signature. Someone like AOL could host it for their clients for free, but for the rest of us, we'll have to pay money for the centralized database, to do for e-mail what Verisign does for SSL.
It'd be like buying a domain name. Once the authentication is set up, SSL style, my relatives go on the keyring, and a service like Slashdot goes on it as well. Verisign can set up hyperbolic rate plans for the number of authentications per day per sig. allowed so that the flat fee would cover any normal church mailing list generator but more than that and it just gets denied. Slashdot can configure their site to verify members' keys for up to five e-mails per day per user. So I can post my "real" e-mail to various services and they can throttle and knock off spammers because they have to co-sign every message that gets to my inbox. Organizations like the kernel mailing list can similarly have their key available to add to your ring so they don't have to use a "key" service to get the data out.
We can have all this with the tools we have today. But living in the real world, I simply cannot afford to go whitelist-only while my resume is online and my job sucks; because out of the thousands of spam I get, could be the one computer-incompetent middle-manager without the signed e-mail that wants to retain my services at a fun company with good dental and cool laptops.
SMTP spam can be fixed with something called Hash Cash. Is that idea going anywhere at all? Has anyone written an RFC and submitted it to the IETF? I think that this can be rolled out in a way that doesn't break the existing mail system during the migration of the world to the new system.
If tits were wings it'd be flying around.
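Added example, not part of the comment above: a minimal sender-pays proof-of-work check in the style of Hashcash version 1 stamps (`1:bits:date:resource:ext:rand:counter`, SHA-1 with leading zero bits). The `StampChecker` class, its result strings, the 28-day window and the in-memory spent set are assumptions for illustration, not a reference implementation.

```python
import base64
import hashlib
import os
from datetime import date, datetime
from itertools import count


def has_zero_bits(stamp, bits):
    """True if SHA-1(stamp) starts with at least `bits` zero bits."""
    digest = hashlib.sha1(stamp.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (160 - bits) == 0


def mint(resource, bits=20, today=None):
    """Sender side: burn CPU until a stamp for `resource` (the recipient
    address) hashes to `bits` leading zero bits. Cost doubles per bit."""
    today = today or date.today()
    rand = base64.b64encode(os.urandom(12)).decode("ascii")
    prefix = f"1:{bits}:{today:%y%m%d}:{resource}::{rand}:"
    for counter in count():
        # Simplification: hex counter; the verifier only hashes the string.
        stamp = prefix + format(counter, "x")
        if has_zero_bits(stamp, bits):
            return stamp


class StampChecker:
    """Receiver side: one cheap hash per message, plus policy checks."""

    def __init__(self, my_address, min_bits=20, max_age_days=28):
        self.my_address = my_address
        self.min_bits = min_bits
        self.max_age_days = max_age_days
        self.spent = set()  # assumption: in-memory double-spend store

    def verify(self, stamp, today=None):
        today = today or date.today()
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1":
            return "malformed"
        try:
            bits = int(parts[1])
            issued = datetime.strptime(parts[2], "%y%m%d").date()
        except ValueError:
            return "malformed"
        if not 0 < bits <= 160:
            return "malformed"
        if parts[3] != self.my_address:
            return "wrong-recipient"   # stamp was minted for someone else
        if bits < self.min_bits:
            return "too-cheap"         # sender claimed less work than we ask
        if abs((today - issued).days) > self.max_age_days:
            return "expired"           # bounds how long `spent` must be kept
        if not has_zero_bits(stamp, bits):
            return "bad-proof"
        if stamp in self.spent:
            return "replayed"          # one stamp pays for one message only
        self.spent.add(stamp)
        return "ok"
```

Because the recipient address is part of the hashed string, a bulk sender has to mint one stamp per recipient, while the receiver's cost stays at a single hash.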
Point is the answer isn't some ill-thought plan to try and impose centralised control over protocols, it's just old fashioned education that's needed.
Of course, it was never really supposed to be anonymous, and real e-mail anonymity is only possible if you forge headers and if your mail-server admin doesn't care. Speaking of not caring, I don't care about the anonymity problem.
Sure, your IP address may be in the headers, but to resolve it to an identity still takes the cooperation of your ISP. People use webmail accounts all the time with the expectation of anonymity. People use email to leak rumors and expose secrets, like with the Halloween documents. A friend of mine uses her Hotmail account on a mailing list for domestic abuse victims. There's lots of good reasons to hide your identity online, and I won't give them up just as a quick fix to the spam problem.
Right -- and guess who's going to make money off of charging 'email taxes' for everybody who wants to send a message? This is like the big kerfuffle over the (false) claims that Canada was going to charge a $.05/email tax to help cover the losses to Canada Post.
So now we're going to pay more money to NSI/Verisign for an email cert when they're refusing to deny DNS to prolific spammers? We'd still need a grey-market method of keeping track of which of those certs were sold to spammers.
Before we get too deep into the idea of using PKI to 'secure' email, I'd suggest that people look at the rather interesting article pointed to by the GnuPrivacyGuard site about The Ten Risks of PKI.
A more interesting question is whether this could be done in an open-source manner, with peer-to-peer authentication servers, webs of trust etc.
The protocol wouldn't be so much a drop-in replacement for sendmail as it would be a parallel delivery mechanism. As (and if) it became proven and trusted, I expect that such a system would slowly overtake SMTP as the preferred method of accepting email (with the 'old' method being less and less trusted). Once 'enough' people started using such a system, the critical mass would result in a flip-over in emphasis by the bigger players.
OS Software is like love: The best way to make it grow is to give it away.
"not gonna happen!"
But on a more serious note, the upgrade cost would be tremendous. Are you going to chip in? If not, then who is?
"Smoking helps you lose weight - one lung at a time" -- A. E. Neumann
Protocols aside, getting down to pure necessity here:
Something needs to happen. I'm sure the internet's backbone has been continually improved to some extent, but I question how sufficient these upgrades really have been. As everyone and their uncle gets broadband to the home, it feels more and more like everyone's fighting for a piece of the pie.
In many ways, Internet usage is degrading into "he with the better tools" wins. Since everyone's fighting for a piece of the pie, just send twenty different requests with something like Getright, and get twenty people's helpings. While us technical elite don't seem to mind so badly, the fact that the situation is this gruesome is a bad sign of the times.
I know this is the case for broadband, where ISPs never ever ever so much as dream of buying enough bandwidth to allow you to max your pipe, I'd really like to hear how the backbone of the net itself is holding up.
I'd put my buck with mesh systems, but the latencies inherent in current technologies do not permit it without a real backbone. All the extra maintenance communication to keep the mesh optimized and running will only further burden the backbones.
Broadband prices seem fairly fixed for their given areas. No real change seems to be in the air. Once you start looking at more serious connectivity options, things seem even more locked into stasis. Highspeed synchronous DSL is the one newcomer that's sometimes available, although I know nothing of its reliability. T1, T3 and Oc3 12 then 48. I suppose innovation isn't welcome or wanted for equipment that works and whose primary responsibility is reliability, but what are the pricing trends for these upper level connectivity solutions? I'd wager to guess prices remain fairly static. Compared to the rest of the computer industry, they're probably moving backwards.
Something needs to happen to keep the internet growing. Stasis is setting in already.
Myren
Dave Bernstein's Internet Mail 2000 proposal offers a solution to the largest problem- excessive bandwidth used by spam crippling the entire network.
Obviously, any system needs authentication; adding it to regular and "IM2000" systems would be an equal challenge. But in a sender (or sender's-ISP) hosted system, you're only sending a small flurry of notification packets, instead of a DDoS attack of full mail text.
Smart MTAs/MUAs could then automatically request and preserve local copies based on whitelists and user activity... and the system could coexist with existing infrastructure, even SMTP. (Abusing an SMTP gateway would then 'only' clog the disk on the outgoing host, and generate a fairly inconsequential burst of notifications.)
Your SMTP servers should require authentication, anyway.
Protecting from spoofed headers is great, but don't expect every router along the internet to give a crap about anything inside the datagram. Authenticated mail may solve part of the problem for the end-user, but it doesn't solve the (DoS-level) problems on the network itself.
Why doesn't somebody just create a new e-mail protocol using the existing infrastructure. And then pass around free servers and clients with source as PUBLIC DOMAIN so as to make it impossible for anyone to bog it down to prevent widespread adoption from forced use of one company/organizations client or server. I don't need to go through some licence to write an SMTP server or client. I shouldn't have to for the new protocol either.
Everyone keeps whining about how insecure SMTP is yet can't manage to prototype an alternative. It doesn't take a whole new infrastructure to do. Just do it. It's not like companies needed to redo the internet to make MMOs. Or do you want DRM built in the hardware running the net?
Ben
Work Safe Porn
Count me in!
Here's the first line:
while (1==1) {
BTM
That was the turning point of my life--I went from negative zero to positive zero.
The only way we ended up with something as good as we have was due to the fact that it was created by a small group of very intelligent men with much foresight.
People have said that about the US government, yet look at how it's turned out.
if everyone would agree on something like this it would definitely reduce the spam (among other things)
:)
Yeah, "if everyone would agree", right? Well, if everyone agreed on basic standards like valid SMTP headers, we wouldn't be talking about this in the first place...
Everyone's agreement would make the world a great place. Guess why it's so fucked up now
The fundamental reason why we get so much spam is this: it is almost free to send spam to us. The cost is so low, spamming is worth it even if there is a 0.00001% response rate.
To truly solve spam, we need to change that. It has to be no longer essentially free to spam us.
One way to solve this would be for some sort of Email Authority to impose a fee structure on sending and receiving emails. Wrong, wrong, wrong; the cure would be far worse than the disease. I want control of my email; I don't want bureaucrats in government to have any say over what I do with it. Suppose they decide they don't like me and I have to pay $25 per message to send email? (Anytime regulations get proposed, you should always ask yourself "What would happen if my worst enemy were in charge of applying these regulations?")
The correct way to solve this is for each of us to use a mail transfer agent that charges to accept email. Here is how it should work:
You specify an amount of money that it will cost a stranger to send you email. For most of us, five cents would be good, or even ten cents. If you are a famous person, such as Stephen King, you could set the bar higher to cut down the amount of email.
This scheme requires a ubiquitous micropayments system: it shouldn't cost $1 in fees to pay ten cents, and if I want to charge ten cents, you need to be able to pay it (the micropay system I use and the one you use need to be able to cooperate).
Your email client would have a button to click, that would refund the cost for a message you are glad to have received, and another button that adds the sender to your white list: anyone on that list can send you email for free.
(Note that you really don't want to trust the email headers to correctly identify who sent the email! Best would be for digital signatures, with GPG or something similar. If the signature matches your friend, then you trust that the message really is from your friend.)
I actually don't want to receive zero unsolicited messages. There are some messages I would like to get. Suppose it's a coupon for a store I'd like to shop at? But right now, they spam you with a fire hose; I get messages telling me how to increase my penis size, and messages telling me how to increase my breast size; and messages in languages I can't even read; and so on. They just don't care whether you would want the message. But if it cost them $10,000 to send emails to 100,000 people, they wouldn't be so random; they would try to send messages that the person might actually respond to.
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
That might be a little overkill on the paranoia.
Yes, big brother is everywhere.
But if you build a datacom network, you kind of own it. Big brother can't tell you how to design protocols. Most of em wouldn't know a protocol unless it caused the soon to be infamous Y2.038 or Y3k bug.
men in black suits: build in these backdoors for us, and these requests from hollywood lobbyists
garage full of jolt sipping geeks: well, i guess living and working in another country might not be that bad.
big brother can always require data carriers to provide whatever taps they are capable of providing, but as soon as you say the magic words "end to end security" a whole lot of such maliciousness starts flying out the window. and good luck outlawing encryption.
whomever has enough power to develop and build a new system will be free to rule it. good luck making it, and then good luck squared getting it used by anyone.
Myren
AKA: because there was nothing better at the time
There's nothing in existence itself that couldn't stand to be rebuilt, and wouldn't be better in the end for it. The question is never if, only at what cost.
-Engineers Credo
Myren
You are advocating an approach that is pragmatic in your personal circumstance, but is sub-optimal. We can do better, and we should try.
The steps you've taken to avoid spam have hurt you. Just a little, but the damage is real.
First, it took your time to create alternative "trap" email accounts, and it takes mental effort for you to keep these multiple accounts straight and to recreate them when needed, etc. If you're smart enough, that kind of effort doesn't bother you much. But it's more than you should have to do, and it's more complicated than many people can understand. Nerds shouldn't oppose technical solutions to spam because they personally can evade it- they should work to stop spam for the greater good.
Secondly, those steps are "hacks". They are inelegant workarounds. They offend my sense of systemic beauty. Perhaps most people don't care about this, but the existence of poorly-designed patches on a system are a hint that it wasn't built quite correctly in the first place.
Third, (and most importantly) by forcing you to keep your email addresses hidden, your ability to communicate is reduced. You can't allow other people to email you as much as they might like, because they might be marketers. It's impossible to tell how many opportunities we all might have lost due to this effect.
The best email solution depends on economics- micropayments or similar. If a person could decide to impose a charge of a few pennies or dollars for the service of receiving an unsolicited message from a stranger, all spam problems could be solved.
hasn't bill gates been hoping for this?
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
While we're at it, let's throw out the wired telcos too, since they're monopolizing the foundation communications media of the present internet. Let's implement a completely separate network infrastructure, solely by millions of WIFI access points and repeaters. Everyone run one omni antenna and one high-gain parabolic grid pointing to the next omni 3-4 miles away. Saturate the countryside with these setups and route around the telcos. We could even have our own "arin" and re-use the existing IP-4 address space separately from the "establishment's" internet.
more nekkid women
-Homer
It's old. The more humans I meet, the more I like my cats. At least they are honest.
I'm surprised that nobody has mentioned IM2000 yet. Dan Bernstein came up with a bunch of ideas about how to reform email, the most important of which is that the outgoing mail is stored on the sender's server until it is picked up by the recipient. There are lots of unanswered questions about the design, but the seeds are there.
link to an msn search for slashdot.org after opening a popup in js that asks the user if they want to connect to the internet :-)
I still remember kicking the (late) last micros~1 box on my LAN while screaming "why the @#$$ don't you realize you're on the @#$@#$ing network!" (Yes, I know that you have to reconfigure msie, but a browser shouldn't care if you're on the internet or not.)
You can't judge a book by the way it wears its hair.
... Is a way to render irrelevant the burnination known as the Slashdot Effect! ;-D
-/-
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
I got a spam...
well, i guess it's time to rewrite the entire internet from scratch so that everybody will have to buy a $2000 certificate from VeriSign and force everybody to use it, just so there's no more spam.
Sounds like a stupid plan to me.
SMTP means "*Simple* Mail Transfer Protocol". It's the equivalence of a letterbox - simple and efficient. Of course it can be abused for spamming, but so is any successor of SMTP and any different messaging service. As long as it is possible for anyone to send email, it will be possible for anyone to send spam.
The main problem does not consist in trying to stop spam in general (that would be impossible), but in making *anonymous* spamming *very* difficult. Standards are there - but many legitimate operators don't care about a standards-compliant infrastructure, stifling security efforts that would be good enough to keep a lot of spam out.
For example, each IP address should have a DNS reverse record pointing to a valid hostname, which resolves to the same IP address. HELO strings and message ID domainparts should be FQDN and not only "office" or "workstation", the sender's host should be an official Mail Exchange (MX) for the envelope-from domainpart, and so on. This way you could easily - using *existing* standards - make sure that the sender is authentic. Anonymous spamming via open proxies or open relays would be impossible, and spammers using their own infrastructure can be RBLd.
So why invent new standards with millions of people having to switch on, which would take 10 or 20 years? Why not use and push existing standards not only as "nice option" for email communication, but as requirements?
and i thought when updating and rebuilding the *world* i receive a shiny new internet with it each time?! what a ripoff..
The Internet works because of ** LAYERED PROTOCOLS **, so if something doesn't work, you just replace one layer with something better.
Application
TCP
IP
Physical
The guys who designed the Internet knew they wouldn't figure it all out at once.
So, if spam is your problem, then replace SMTP and any other mail protocols with Something Better(TM).
Sheesh. This is just another excuse motivated by greed.
I have been running a mail server at home for about 9 months. I never, ever get spam, except for when someone spams a mailing list I'm on. The amount of spam I get is so minuscule that it in no way bothers me to hit "d" when I see one. I am not poor, but I sure am not rich, and my $45/mo cable bill is more than enough to pay. I don't have money laying around to be paying $100/mo for internet access, "secure email", and whatever other secure services this guy is proposing, I'm fine the way things are, thanks.
;)
Posted anonymously so that no one sees the url linked to my username and starts signing me up for spam just to fuck with me
Maybe we should just claim that the Internet is hiding Weapons of Mass Destruction, invade, then hire Halliburton to do the rebuild!
And that's actually a good thing. Blocking email transmission is an ideal tool for censorship. We need a solution that blocks unauthorized email reception.
You're assuming that the current ad hoc assemblage of email servers is the only kind of infrastructure possible. That's precisely the kind of open-architecture-trust-everybody approach that created our current problems.
Rather than having a separate administered email server for every single domain, the new setup would require relatively few servers, administered by people who sell certified-user email as a product. It wouldn't be free, but economies of scale should make it affordable.
Of course, these vendors are themselves potential censors. Hopefully there will be enough vendors in enough different jurisdictions to prevent this. If not, then SMTP will still be around for unregulated communication.
Please. We all know about email scraping. But the only countermeasure, not broadcasting your address, is a terrible nuisance. It means there can never be an email 411 system. It means using all that weird obfuscation that is a pain to deal with -- and which I suspect spammers will eventually defeat. And if you're a journalist, or a support person, or anybody else who has to trade email with a lot of technically clueless strangers, not broadcasting your email is not even an option.
Huge amounts of email can be blocked at the server by simply requiring basic checks like seeing if the server hostname resolves to the IP the connection is coming from. Another check is to make sure the hostname in the HELO (after it's been verified to resolve to the right IP) matches the domain in the MAIL FROM command. Ie, you aren't going to be sending me mail as joe@aol.com if you're coming from nowhere.net.cn. Postfix has all of these checks, and more, if you want them, although they start racking up the false rejects pretty quick.
No fancy filters needed or nothin'. The only problem is the huge number of idiotic ISPs and companies which don't have proper DNS set up for their servers. We tried this on our listserve, and it cut spam to the list addresses (and list-admin addresses) down to nothing (and I mean NOTHING. No spam. Nada, zip, zilch), but about 3x a week a subscriber's ISP would have a mail server in their cluster that either didn't have a reverse DNS entry, or even worse, didn't have a REGULAR DNS entry(!) It was pathetic. Some big ISPs were involved, too - and they were usually the ones who gave us the most crap ("It's a problem on your end". "Read what I just said. YOU DON'T HAVE ANY DNS SET UP FOR YOUR MAIL SERVER AT IP _____." "It's a problem on your end." etc. - the clueless phone-monkeys always thought we were subscribers trying to send other people, with no DNS, email.) The small and mid-size ISPs were usually very good about this ("Oops, wow, thanks for telling us, we just fixed it!") We got tired of dealing with the headaches, even though I suppose we should have kept at it, informing the clueless, one mail server at a time. A better error message would have helped too, as the "your server doesn't have any DNS" made people think that OUR server didn't have any DNS....)
If everyone was better about setting up DNS for their mail servers, and started requiring more stringent checking, spam would grind to a halt because the headers are so obviously fake to a mail server with half a brain about them. It's a real simple rule- you wanna send email? You need a hostname. PERIOD.
Please help metamoderate.
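The reverse-DNS, HELO and envelope-domain checks that the two comments above describe can be expressed as one receiving-side function. This is an added example, not code from the thread or from Postfix; the DNS tables, host names and addresses are constructed, and `check_sender` is a hypothetical name.

```python
"""Added example: DNS sanity checks a receiving mail server can apply.
All names, addresses and DNS data below are constructed for illustration."""

# Constructed stand-in for DNS so the example runs offline.
PTR = {  # client IP -> reverse (PTR) name
    "192.0.2.10": "mail.example.org",
    "198.51.100.7": "mail.example.org",  # forged PTR: forward lookup disagrees
    "203.0.113.9": "mx1.isp.example",
}
A = {  # host name -> forward addresses
    "mail.example.org": {"192.0.2.10"},
    "mx1.isp.example": {"203.0.113.9"},
}
MX = {  # mail domain -> official mail exchangers
    "example.org": {"mail.example.org"},
    "isp.example": {"mx1.isp.example"},
}


def is_fqdn(name):
    """True for a dotted host name; rejects 'office' and bare IP literals."""
    labels = name.rstrip(".").split(".")
    well_formed = all(l and l.replace("-", "").isalnum() for l in labels)
    return len(labels) >= 2 and well_formed and not labels[-1].isdigit()


def check_sender(client_ip, helo, mail_from, ptr=PTR, a=A, mx=MX):
    """Return the list of failed checks; an empty list means all passed."""
    failures = []
    helo = helo.lower().rstrip(".")
    domain = mail_from.rsplit("@", 1)[-1].lower()

    # 1. Reverse record must exist and resolve forward to the same IP.
    verified_host = None
    reverse_name = ptr.get(client_ip)
    if reverse_name is None:
        failures.append("no-reverse-dns")
    elif client_ip not in a.get(reverse_name, set()):
        failures.append("reverse-forward-mismatch")
    else:
        verified_host = reverse_name

    # 2. HELO must be an FQDN that resolves to the connecting IP, and only
    #    then is it compared with the MAIL FROM domain.
    if not is_fqdn(helo):
        failures.append("helo-not-fqdn")
    elif client_ip not in a.get(helo, set()):
        failures.append("helo-does-not-resolve-to-client")
    elif helo != domain and not helo.endswith("." + domain):
        failures.append("helo-outside-envelope-domain")

    # 3. A verified host should be an official MX of the envelope domain.
    if verified_host is not None and verified_host not in mx.get(domain, set()):
        failures.append("not-mx-for-envelope-domain")

    return failures


if __name__ == "__main__":
    samples = [
        ("192.0.2.10", "mail.example.org", "alice@example.org"),
        ("198.51.100.7", "mail.example.org", "alice@example.org"),
        ("203.0.113.50", "workstation", "bob@isp.example"),
        ("203.0.113.9", "mx1.isp.example", "joe@example.org"),
    ]
    for sample in samples:
        print(sample, "->", check_sender(*sample) or "accepted")
```

Returning the failed checks rather than a single verdict lets an operator reject on some and only score on others, which matters given the false rejects the second comment reports.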
Register your own domain or get an address like blah.ath.cx. Then host an SMTP server. You will get email addressed to anything under that domain.
If you need to give a site your email addy, leave in a reference to that site. eg slashdot@myname.ath.cx. That way if someone sells your address, an address leaks, or whatever, you know EXACTLY who is responsible, and you can block junk mail without affecting legitimate email.
I've been using this technique for quite a while. I can check my email and be confident I have no spam whatsoever. At times when I got spam, it always turned out it was a single site that leaked my addy, and I easily identified and blocked it.
just to skipped to IP v.7. That way all of the integration issues would be taken care of by Lain.
Is someone to design a nice new safe protocol for email and release good, working open source GPL programs for it that plug right into your existing system, implementing compatibility with what's there now AND transparent compatibility with the New Way for the future!
The trick is to give sys admins as few excuses as possible not to implement the New Way.
It'd be a lot of work, but it could be done.
It's Christmas everyday with BitTorrent.
The author of the article suggests that companies like verisign should sell certificates to users. I think that'd be wrong and no doubt quite expensive, destroying the foundation of email itself. Also, dropping the current protocols is not necessary.
But verification is a nice idea that must not be abandoned.
I propose that ISPs themselves do the verification (they should do this anyway to be sure their bills get paid).
Usually when you sign up with an ISP you get an email address. Now, you just get a verification signature, too.
The smtp server of your ISP would check your signature and ensure that all headers are correct.
The sender verification at the target would be a simple request to the verification server of the ISP that's hosting the sender. (These servers should have some sort of signature like SSL)
Checks could include the message id or a checksum of the headers generated and stored by the smtp server. (Thus, still keeping privacy.)
I think this approach is both logical and simple (and cheap). And it could be implemented on top of the current system.
In the beginning it won't stop spam being sent through open/exploited relays. But mail from untrusted sources could be easily filtered out. Later it could be blocked altogether if verified emailing would be widely adopted.
-- I love the smell of Blue Screens in the morning.
Hell yes...but NOT as suggested.
For one thing, I DO NOT trust Verisign. Never have, never will.
And set up a parallel network. Only new E-mail could be received in new programs - which could also have a module for receiving POP3. Sooner or later, everyone who dislikes spam will activate the new protocol and get a spam-free addy.
Bring on Mail4
Wrote to LinkSys to see if they'd support IPv6 in a new firmware release. The response I got back was: "we're looking into it." In other words, "fugheddabouddit."
As the Yin would not exist without the Yang, could the Usenet exist without the spam?
This idea keeps popping up, but there's no need for a big revolutionary change. The author doesn't know much about SMTP.
You can do this today, using ordinary off-the-shelf email software.
Have a look at RFC 2487. It defines STARTTLS - the use of SMTP over SSL (or its new name, TLS). Sendmail supports it with a small compile-time switch, most other email server software supports it, even Outlook and Outlook Express support it! It's also backwards compatible.
My company is using it right now, primarily to support roaming laptop users who need to use our SMTP server when they're on the road.
But, about 1% of the email servers my server talks to also support STARTTLS. When both source and destination support STARTTLS, the source and destination are certified, and the email can be encrypted.
By using SSL certificates, the source of email is certified. Since spam isn't illegal in most jurisdictions, identifying the source of email tells you who to complain to. If you receive email using regular SMTP, it should go into a queue to be scanned by your spam-filters.
Of course, there is the cost of buying certificates. And if you handle a lot of email, there is the additional CPU load, but it's a small price to pay.
There's no need for an email revolution, just an evolution using proven technology.
Yes, just like what Verisign would want: $100/year from anybody who wants to send or receive mail. Thanks, but I'll stick with unauthenticated mail and spam.
If that's the sort of thing you want, you can already run SMTP over SSL--you don't need a new protocol for that. Operating systems terminally incapable of building services out of modular building blocks can hard-code SSL into their mail servers. Reasonable operating systems can use something like stunnel for wrapping SMTP. Either way, you get authentication. There doesn't even need to be any complex interaction between the SSL authentication and the SMTP server because SSL can simply verify the identity of the connecting host, and SMTP can continue to use its regular host-based identification.
The other important requirement, according to Yu, is a system for tracking resource usage per sender. Basically this means that profiles should be established for normal amounts of mail sending from different types of users. If you limited normal users to 100 messages per second and major companies to 10,000 messages a second it would be hard for legitimate users to complain, but spamming would be much harder.
We don't need a new protocol for this. Per-user throttling of outgoing SMTP connections could be implemented by ISPs at the TCP level, and per-user throttling of incoming SMTP connections can be implemented by the SMTP server. The reason why this isn't done is because it's largely ineffective: many spammers are beyond such controls for outgoing connections anyway, and limits on incoming connections can be circumvented simply by posing as hundreds of different users.
Solutions to the spam problem are things like CAPTCHAs, intelligent text analysis, and communications pattern analysis. Restrictions on who can send what to whom at the ISP level, or the imposition of authentication fees by ISPs or companies like Verisign, however, are thinly disguised attempts at squeezing money out of users. In addition to being ineffective and increasing the cost of E-mail, they also just threaten the openness of the Internet that has made it so successful in the first place.
So if I get swamped at home by telemarketers and door-to-door salesmen, I should just move, correct?
That's asinine. Why should anyone accommodate the scum that are harassing you?
SMTP being replaced, that's a possibility. But with "trusted authorities" such as Verisign? Never. Those of us already having to deal with Verisign (or Microsoft or whoever) do NOT want something as important as email to be completely in someone else's hands.
SMTP should be replaced by a protocol that requires authentication. That's the biggest problem (open relays) really. Going any further than that will be more of a pain than it's worth.
As for everything else (including IPv4), there are too many old clients out there (old meaning unsupported by the vendor). There are enough Windows 95 clients out there, not to mention other systems where upgrades are simply unnecessary otherwise, to where changing the underlying protocol simply won't happen.
Incremental upgrades, sure. We'll probably end up replacing SMTP -- or updating it -- to support, or even require, authentication. In a few years. We may even supplant FTP with SFTP or some other more secure variant.
But to try and simply replace a major, established protocol -- with no backward compatibility -- simply will not happen. There will be enough resistance and reluctance to make it infeasible; then the upgraders will have to begin supporting both "legacy" and new protocols, and we'll be in a bigger mess than before.
So, my opinion is this: we'll slowly, with full backward compatibility, supplant older protocols with updated ones -- perhaps via adding extensions to them (like SMTP Authentication), allowing slow upgraders to catch up as needed. No revolutionary changes will happen, no forced upgrades...
NGWave - Fast Sound Editor for Windows
While on the subject of doing the impossible, let's reorganize the US Govt while we're at it.
The More Knowledge you have the Luckier you Get- J.R. Ewing
Just get rid of it.
Seriously, between sftp and https, what do you need ftp for?
I s'pose you wanna "clean up" telnet too, eh?
OK, we've got DNSBLs, we've got filters, we've got DCC, we've got Razor. Why don't they stop spam?
Let's take DNSBLs. They stop much spam but they don't end the spam problem. Why not?
Possible answers:
(1) Not enough mailboxes are protected by DNSBL
(2) too many spam-source IPs escape listing for too long
For (1) the answer would seem to be: get more mailboxes protected. Get enough protected so that the amount of spam that gets through is too little for the spammer to earn the cost of sending the spam.
For (2) the answer would seem to be: recognize spam faster, get IPs listed faster. Automated recognition might be ideal. Razor, perhaps, feeding back to a good DNSBL?
If it's filters then the problems include:
(1) Not enough mailboxes protected by filters
(2) Too much spam slips through the filters
For DCC and Razor:
(1) Not enough mailboxes are protected.
See a pattern here? I'd say there are solutions, they just aren't used widely enough. With the recent initiative at AOL to block spam there's been a big change: that's one whale of a lot of mailboxes at least partially protected by something that works. Those AOL lawsuits may do a lot as well.
I favor relay spam honeypots and open proxy honeypots - throw them into the mix, too. To some extent these would help compensate for the "not enough mailboxes" problems - the honeypots might end up trapping spam for those unprotected mailboxes anyway (trapping spam that would be DNSBL blocked only helps in that it reduces some bandwidth costs - the spam is doomed from the start if the mailbox has good DNSBL protection.) But if we had universal (which might really mean 85 - 90%) usage of a good DNSBL then spam might die just from that. No change in protocol, just a bigger effort to use what already exists.
Same for any really effective filter - get it used widely enough and the delivered spam falls below the self-sustaining level.
Why not?
I just caught a column on a security site advocating for a total start from scratch as far as certain internet protocols like SMTP.
That's not a sentence.
Okay, so suppose we set up an entirely new mail system and force authenticated mail transfer with some sort of PKI. Everyone that wants to run a mail server needs to get a certificate for their server from their ISP and all certs belong to some sort of tree structure hierarchy. Give everyone who has a certificate the ability to generate a sub-cert for someone else downstream of them.
If someone starts spamming from any particular corner, you can just refuse all mail from that corner of the tree. That might work as incentive to ISPs to lay the smack down on spammers - most of their other customers would probably want functioning mail.
It might not actually be terribly practical, but in my current sleepy state, it sounds quite reasonable. I suppose it sets up a single point of failure, but you might be able to set up multiple roots a la DNS or something.
I dunno.
That maybe the internet does not want to be rebuilt?
I think the *.6 or the *.5.1 version usually get it right--not *.5. I'm sorry, I'll be waiting for those versions before I upgrade my Internet.
- Danny
I'd expect you could do secure scp by creating an anonymous acct on your system requiring either no password, or a password you make public.
Just out of interest, if you are willing to allow anyone to get a file from your server (ie: anonymous), why the heck would you bother using an encrypted protocol to do the file transfer? If you're willing to make it public, who cares whether someone sniffs your download?
I'm seriously surprised that there is always so much discussion that goes on about spam-mail.
I swear to God, I have NEVER received a SINGLE piece of spam. This is because I'm not stupid, and I don't ever submit my email address to anything but companies that I do business with. I promise you that it is TRULY that simple.
Sig.
SMTP does exactly what it should do. If an Anonymous person wants to send an E-Mail to someone else, so be it. This is modeled right out of the real world -- except for mail fraud. If you want to fix SMTP, you need to extend the law to E-Mail.
Most of us are sending postcards instead of letters. Let's start by securing our documents and dump the postcards.
I think that it would be better to focus on server side protocol changes. The author of qmail hosts this site that talks about an alternate protocol to SMTP. Note that this would be entirely a server side change (it would affect relations between mail servers, while leaving existing protocols for client/server communication).
I sent you (Larry Seltzer) an email. Instead of using expensive certificates, I propose that we add a new type of record to DNS (call it an smtp record for now, someone can always come up with a better name later). The new record would tell what IPs (or FQDNs) are allowed to send email with a certain domain. For example, if an email address is me@slashdot.org, then only mail servers with SMTP records for slashdot.org would be allowed to send an email from me@slashdot.org. If a different mail server tries to send it, the receiving server can refuse the email.
Also check out tmda.net. It uses a number of methods to prevent spam, including temporary addresses and whitelists built by challenges (and client actions). Unlike the previous two proposals, this requires client changes (on the receiver's side), but it does not require others to change the protocols they use. Except for the challenges, senders and intermediary servers do not even need to know it exists.
All three of these proposals could be started more simply and with less additional infrastructure than the certificate idea. The first two require changes to the way things are currently done, but only on the server side. The third is even simpler, only the receiver has to make changes (btw, these are both client and server changes).
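The DNS "smtp record" proposed in the comment above, checked from the receiving server's side. This is an added example, not code from the comment's author: the record syntax (whitespace-separated IPs, CIDR ranges or host names), the zone data and the function names are assumptions made for illustration.

```python
"""Added example: a receiver consulting a per-domain list of permitted
sending hosts. Record format and all data are constructed assumptions."""
import ipaddress

# Constructed zone data: one hypothetical "smtp" record per sending domain.
SMTP_RECORDS = {
    "example.org": "192.0.2.25 198.51.100.0/28 out.example.org",
}
# Constructed forward lookups for host names that appear in records.
HOSTS = {
    "out.example.org": ["203.0.113.40", "2001:db8::25"],
}


def parse_record(text):
    """Split a record into IP networks and host names."""
    networks, names = [], []
    for token in text.split():
        try:
            # A bare address becomes a /32 (or /128) network.
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            names.append(token.lower().rstrip("."))
    return networks, names


def sender_permitted(client_ip, mail_from, records=SMTP_RECORDS, hosts=HOSTS):
    """Return 'pass', 'fail', or 'none' when the domain publishes no record."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    text = records.get(domain)
    if text is None:
        return "none"  # no policy published: receiver cannot decide from this
    ip = ipaddress.ip_address(client_ip)
    networks, names = parse_record(text)
    if any(ip in net for net in networks):
        return "pass"
    for name in names:
        if any(ip == ipaddress.ip_address(addr) for addr in hosts.get(name, ())):
            return "pass"
    return "fail"  # domain has a record and this host is not in it


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.14", "2001:db8::25", "198.51.100.16"):
        print(ip, sender_permitted(ip, "me@example.org"))
    print(sender_permitted("203.0.113.99", "me@nopolicy.example"))
```

The `none` result is what keeps the scheme deployable one domain at a time: mail from domains without a record is neither confirmed nor refused.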
The article was half right. SMTP is in need of replacement. But so is the entire TCP/IP suite.
Sure, most Internet users simply assume that it's good, because the Internet is cool, and uses it. But TCP/IP was a lab research project from the 1970s, designed for closed government networks with a small number of time-sharing computers on it. Misbehavior could be dealt with easily, because connections were not open to the public. And the backbone links went at 50 kbps; most sites got on at 9600 bps.
People are now using TCP/IP for anything and everything. Voice, video, radio, spam. It's flexible enough to handle it all, but not efficiently! There are many technical flaws in the protocol suite. IPv6, btw, does nothing to fix it; it just makes matters worse by having even more overhead. NATs today are a security feature, not a bug; apps like FTP that put the address in the application layer (hard on NATs) are BROKEN! BTW, FTP did that because it saved a little code in the Pluribus IMP print routine in 1973. Don't know what that was? Good -- but don't foist its workarounds on the future.
A new protocol suite should be developed that handles today's high speeds (as well as slow links, which will always exist), resists spam and identity spoofing, allows multihoming, handles voice and streaming with connected-mode QoS, and doesn't have TCP/IP's overhead. It can be done. Stamp out TCP/IP fundamentalism!
- In order to send mail as "foo@bar.com" and get it delivered, there must be a mail agent for "bar.com" that knows enough about you to answer an SMTP VRFY.
- Each message sent contains some random ID or digital signature, chosen by the sender.
- Any mail agent wishing to verify the source of a message can query the sender's mail agent with SMTP and a VRFY, and obtain a reply that verifies the message, using a challenge/response or digital signature system.
- Ultimately, mail messages that cannot be verified are bounced. During a transition period, some manual authentication scheme involving replying to a message is used.
This is backwards-compatible, easy to implement, and implementable in stages. It would be implemented primarily in ISP mail transfer agents, so deployment doesn't require end user software.
Spammers can still spam, but at least they have to have a real domain name to send from.
What we need to get back to is basic IP routing.. and let the world add services as we want to.
Is SMTP at fault for spam? Sure.. in that the system wasn't designed to combat it. There is no reason to re-do anything to bring about a new email system, involving, say, certified links & signatures of each server & users involved. That can be added to the current internet any time anyone wants to do it... all we have to do is agree on how it works.
The same goes for DNS, or any other system we don't like.
And 2,000,000 person hours of design by committee won't fix that bloated piece of shit.
There are lots more miles left in the V4 core transport though that people are just figuring out.
You don't need v6 to use 128 bit addressing.
Need Mercedes parts ?
Yet another NY times article about the endless battle against Spam.
... grumble, grumble, grumble, mutter, mutter, Millennium... Hand... Shrimp, I tol' 'em, I tol' 'em.
Consumers will rush out and buy lots of new PCs, eager to find out what this "rebuilt Internet" is all about!
Not to be outdone, Al Gore will re-invent the Internet!
The Dot Com boom will happen all over again, with all of the same companies performing just as well as before, which will make picking a winner even easier this time! Just get in at breakfast and get out by lunch!
Thanks to the reintroduction of exciting new "synergies," it'll be possible to re-open companies that didn't do anything before and won't do anything now!
You'll waste lots of time sending "e-mails" at work, while billing the boss for your extra-curricular discovery of "web pages" like Slashdot!
...it certainly was good.
Beside the fact that mail isn't by far the only "feature" of Internet, there are so many obvious flaws in his proposition of scrapping SMTP that I doubt the guy had more than two minutes to think about it:
1/ Authentication: Like many pointed out, this would require a central authority. This is already turning into a legal blackmail for SSL certificates so imagine if EVERYONE had to get a "valid" cert. And what about countries like China: the government will never yield control to a western agency and there will then need to be granted certification rights and, ultimately, gain the ability to censor anyone in their territory. In other places, it will be easy for spammers to get valid certs and you're back to your initial position.
2/ Certifying mail servers... Well, this is either Palladium (where every software has to be "certified" to run on a machine) or SMTP over TLS (which already exists, BTW) which would run the costs of running a mail server through the roof and exhibit the same flaws as proposition 1/
3/ Resource control: that MUST be central or someone could simply use different services to route his mass mailing. If it's central, it is also a central point of failure. It also places a LOT of power in the hand of a single authority.
I think the least we need now is someone "redesigning Internet" following such ideas.
You must be joking. The Internet is as free and unfucked up as it is because it was created before the assholes of society "discovered" it. Any replacement Internet would be even more hideous than what said assholes are turning the current Internet into -- a latest version Windows/MacOS only pay-per-the-byte form of interactive TV with patented protocols, digital restriction management, and any other profiteering garbage they could dream up. Any replacement would have these things embedded from the start at the lowest levels and legal language to ensure they never left. At least with the current Internet they have to fuck things up piecemeal which takes longer.
..he's talking about. I see no mention of DNS on the originating Mail server.
Most mail servers nowadays are checking that the originating mail server exists in DNS as an A Record or DNS record.
If the Check doesn't pass, the transmission ends.
Most of the time, servers don't check the originating server to see if it exists in DNS.
If a protocol update is to happen, why not add a transmission line to the SMTP message delivery process to ensure that not only the originating mail server is valid in DNS but make sure that the, recently validated in DNS, SMTP server actually created or received the message from a trusted host.
Verisign. Bah! What a dumb idea!
Dolemite
_________________
Save the World! Use a Quote!
Every time I watch the news, I see another story about all the wonderful things NASA is doing in outer space. I know, I know, it's all supposed to be very impressive and exciting. But to be honest, it just boils my blood. I mean, the federal government can put a man on the moon, but it can't build a killer robot police force to hunt down and execute all the spammers? What kind of priorities do we have in this country?
Just the other day, there was a big article on the Security Supersite about how the internet might have to be rebuilt to save our children from pornographic spam. And then I read in USA Today how the government is spending $40 billion on outer-space surveillance satellites. Couldn't they put some of that satellite money to better use by constructing space-based laser cannons in geocentric orbit above all the ISPs to make sure our children are safe?
And for a fraction of what NASA spends on all that Mars rover monkey business, I could have a radio-wave-controlled stun gun that would finally stop anyone I thought might be spamming from ever thinking about looking at me wrong again.
It is painfully obvious that the government has the money and resources to build a high-energy force field around every single American, yet it doesn't. I mean, when I'm chasing after spammers with my stun gun it's darn near impossible to ensure my personal safety. Are a few measly cameras in the corners of the Foodland really going to deter an angry man who looks sort of like Alan Ralsky? What about my laptop? The pictures on my screen saver of little Kevin and Annie are irreplaceable! (I'm only going to be a grandmother once, you know! Unless, of course, the government finally gets on the ball with those cryogenic pods.)
And that Hubble telescope, there's a real beaut. Who needs to know if there's life out in space trillions of light years away, anyway? As long as the spacemen don't start sending me special business deals, making me wonder when they will deposit the gold bars in my savings account like that nice man Chavez from Boca Raton, I don't care who they are! If only NASA had aimed that telescope at Boca Raton instead of Pluto, you can bet I'd know what Chavez had for breakfast this morning.
It's shameful the way the internet has been allowed to degenerate, what with unsecure servers and protocols strewn everywhere. Just thinking about all the millions spent on that Mir station gets me in a dither when I check my e-mail and see donkey porn everywhere, with no donkey-porn-sensitive sunglasses to save my poor eyes.
And it sure would cut down on those ill-mannered spammers who keep on spamming despite the ISP's strict anti-spam terms of service if their computers were destroyed by spam-sensitive cybernetic space bees. I only have time to write so many complaints, you know!
If I can't demand killer robot police, then the least I can expect is a laser-powered servo-motored patrol-bot for my yard. How else will I know if it's that Ralsky look-alike's lawyer trying to serve me court documents or just a raccoon rustling around out there late at night? I understand that in Sweden, every citizen is guaranteed a patrol-bot. But here in the world's richest nation, we go without! The sheer wastefulness of our government makes me sick!
The massive increase in spam seems to be linked to the "broadband" revolution, where every small office can run a badly set up exchange server, all day, every day. I have a nasty feeling that the only way to get any SMTP replacement accepted universally, is for MS to put it in Outlook Express etc.... (although how much more secure this would be is anyone's guess). To get most of the world to close their open relays, may sadly require MS to make Exchange default to a more secure setting (which could be opened up by the technically adept if needed).
"For god's sake Mavis, grab the penguins and RUN!!!"
I have a DOS box with a TCP stack. It is on a boot floppy and is used for remote system installs of a Linux based Samba machine. No NETBEUI for me.
Can you tell me more? Which TCP stack are you using and where did you get it?
If you'd rather reply offline, please email me at ra2ps3202@sneakemail.com
I guarantee my spam filter won't kill your message:)
Thanks!
Best Regards,
Mike Monett
This is hypothetical only, but government agencies and other bodies interested in "security" (i.e. media mega-corporations that want to milk out everything they can) may be more interested in "re-designing" the internet...maybe enforce some "standards" along the new design to make P2P file sharing impossible!!!
Let's face it, IPv4 is a weird hodgepodge of bizarre protocols. After all, why does the download of a mail message have to use a different protocol than the download of a FTP file? Identicate the user, offer the data he wants, let him download. The differences date from the time when people sent messages using a telnet prompt, and these days are over. A new internet protocol could define ONE flexible way of transferring data, and the biggest difference between SMTP and HTTP would become the port it runs on.
Oh great, the next thing you know ISPs will start charging me for this too. I send out only around 20 mails a week and I use the smtp on my machine. What you are proposing here is that somebody certify your identity...well thing is I am not interested in paying anymore. Maybe it's the ISPs who are promoting spam, just so that they can be certifying authorities in the future...
The main problem as I see it is that we cannot identify the senders of most spam. Some do not hide their origin and could be identified but these are a small proportion and they are generally of a nature that is not offensive.
If we don't know who they are, we cannot chase them with legal action. If they can be found, then laws stand a chance and the threat of legal action will reduce the numbers. Those who remain can be made an example of.
You can argue that legal options are limited as spam is sent from outside of the country, and that filtering is the only real option. However, even filtering becomes more effective if you can identify where the spam is really coming from. To avoid being blacklisted the multi-million message spammer would have to keep moving domain name and that would prove expensive.
Here is my solution to "Who sent the spam?".
I originally thought that we should ditch SMTP. But now I don't think that is really the case. Besides that would be such a major change that it would probably stop the change happening. SMTP works, it gets the mail there, the only problem is you only have the sender's word for who sent it. We just need to extend the idea a little bit to check who sent the mail, and then wait until the whole world has adopted the extension.
I suggest a new header which indicates that the sender's mail server supports verification. A receiver's mail server that also supports verification then has the option of sending a checksum of the mail (or some token sent with the header) back to the sending server, to ask "did you really send this mail?". Upon no reply or a denial the user settings can elect not to have the mail delivered.
At first only some of your mail will be verified, but you will be certain who sent the verified ones. Later as most of the world begins to use the system, people will elect not to receive unverified mail.
I like this idea because it does not break the existing infrastructure, it does not demand big new central servers, nor does it demand everyone gets a new mail reader. It's just the mail servers that need extending, and they can be done one at a time (or maybe not at all) without anything breaking. Also there is nothing about it that will stop people receiving the unsolicited porn spam if they want it, they only have to elect to receive unverified mail.
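The callback proposed in the comment above, sketched as an added example (not part of the original post and not any real mail server's code). The header name `X-Sender-Verify`, the class and function names, and the `mx_lookup` dictionary standing in for a DNS lookup of the From domain are all assumptions made for illustration.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

VERIFY_HEADER = "X-Sender-Verify"   # hypothetical header name, not a standard


def checksum(raw):
    """Digest over From, To and body only: relays prepend Received lines,
    so hashing the whole message would never match at the far end."""
    msg = message_from_string(raw)
    stable = "\n".join([msg.get("From", ""), msg.get("To", ""), msg.get_payload()])
    return hashlib.sha256(stable.encode("utf-8")).hexdigest()


class SendingServer:
    """Remembers a digest of every mail it really sent and answers callbacks."""

    def __init__(self, domain):
        self.domain, self.sent = domain, set()

    def send(self, from_addr, to_addr, body):
        raw = (f"From: {from_addr}\nTo: {to_addr}\n"
               f"{VERIFY_HEADER}: yes\n\n{body}")
        self.sent.add(checksum(raw))
        return raw

    def did_you_send(self, digest):
        return digest in self.sent


def verify(raw, mx_lookup):
    """Return 'verified', 'failed' or 'unverified' for a received message.
    mx_lookup stands in for DNS: the callback goes to the server responsible
    for the From domain, never to an address taken from the mail itself."""
    msg = message_from_string(raw)
    if msg.get(VERIFY_HEADER) is None:
        return "unverified"              # sender does not take part
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    server = mx_lookup.get(domain)
    if server is None:                   # no reply counts like a denial
        return "failed"
    return "verified" if server.did_you_send(checksum(raw)) else "failed"


def deliver(status, accept_unverified=True):
    """Assumed recipient policy: failed checks are dropped, unverified is optional."""
    return status == "verified" or (status == "unverified" and accept_unverified)
```

A forgery that simply omits the header comes back as "unverified" rather than "failed", so the check only bites once recipients set `accept_unverified=False`, which matches the gradual adoption the comment describes.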
We would at least have to stop SPAM and worms from "authenticated" Microsoft Outlook-users fooled into opening this-weeks-malicious-attachment.
And death to all FWDs!
Not Buzzword 2.0 compliant. Please speak English.
I thought not.
Banning hotmail (I swear Microsoft sells those addresses to spam agents or generates spam themselves!) I have no trouble keeping my 'main' business email account clean. Just use a hotmail address for all those forms and stuff and watch the spam pile up in there, while at the same time keeping your regular account spam-free.
Seriously, children, if you can't act responsibly we are just going to have to take your toys away from you.
-- No Sig is a Good Sig
The article kept talking about "trustworthy" email, which means to me that MicroSoft will somehow have to see it before it's considered "trustworthy..."
No, thanks...
Any time the word "trustworthy" pops up, I immediately feel as if it is someone trying to violate my trust, my privacy, and my right to be left the hell alone...
I suggested something similar to this to some friends a while back:
How hard could it be to set up a few servers (just like the current DNS Root Servers, which seem to run just fine) to handle keys/certs to validate emails?
It wouldn't be rocket science to get something like this running:
- User sends email
- Client looks up keyservers, requests a new message ID, keyserver logs user key with new message id
- mail gets sent, with key and id info
And upon receiving, the client does the same in return. This is a very basic way of detailing it, but I'm sure you all know where I'm coming from. I'm surprised nothing like this already exists in the open sauce community (it probably does, I've just not checked).
Hoorah.
nb: if it's flawed, I don't care.
"Never let the truth get in the way of a good story..."
The first time was in the early 90s when MS wanted to build its own network as part of MS, mainly to beat AOL. They had a thinly disguised "emulation" of TCP/IP and HTTP. Then Bill had his epiphany and decided to embrace the standard InterNet with his give-away IE.
The second time is presently. They are adding special "security bits" to the TCP/IP (Palladium) that may be usable by non-MS OSes.
Win-a-few, lose-a-few, MS will always try to dominate a market.
The advantage of this is that it forces the initiator of the email to keep their server up and running to claim responsibility for the email. If somebody is harassing me, I can now identify them and be able to have legal action taken against them.
Sure, there are some problems with this approach, but I think that it is preferable to the other alternatives that are being proposed, such as e-stamps or certifications which just put another agency between me and the people I want to communicate with.
For those who think that alternatives would be hard to implement because of the spam filtering industry, just consider that there is another side to that coin. I am sure that the ISPs would like to take that money they are spending on filtering and put it in their pocket.
I actually started a discussion on this very topic several months ago:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=jUwga.13037%24se1.6318202%40newssvr28.news.prodigy.com
When the flood comes, it sends the mirrors, and then simply forwards the rest of the requests to them, thus spreading the load.
No, I don't know of any system that does this automatically now. That doesn't mean there isn't one. I'm certain that I could write one - it's just not that hard.
I like that this guy is looking for a _technical_ solution to the spam problem. Too many legal solutions have been proposed. While I'm the first to say spammers should be fined $100 plus one 0 tacked to the end for each repetition, the very real problems of identifying and dragging them to court remain.
The bad is that it won't work. Allegedly modern companies still use Microsoft Word 97 - if that ain't the pinnacle of cluelessness, I don't know what is. Same companies will use SMTP on their exchange servers in 2020, even if we start using a better system _today_.
Some other poster hit the nail right on the head: Not enough mailboxes are protected. Especially not mailboxes of idiots. The spammer business model works on the 0.01% of total retards their scattershot approach hits. I think they couldn't care less if the clueful 5% of the internet population use spamfilters, they aren't the target anyway.
AOL using good spamfilters does more damage to spammers than all of RBL, Orbs, Spamassassin and Razor together. Because, on a rough estimate, AOL users are 97.462% more likely to fall for a scam^H^H^Hpam than someone who knows about Spamassassin.
Tarpits seem to be the most effective attack, IMHO. If I can keep the spambot occupied for 1 min instead of 0.1 sec, and even 1% of the net population does that, his "cost" for sending spam will increase by about 700% (for 1 mio mails, from 27 hours to 194 hours).
Assorted stuff I do sometimes: Lemuria.org
This is where XML comes into play.
The whole idea is that you can separate the core content from the presentation. You want plain text, run an XSLT file that converts your source XML to a tagless ASCII file (keeping the source intact of course). Want all the fancy HTML/Javascript stuff? Yup, have another XSLT file for that too. WML for your cell phone? Yup.
No need for a separate net, just use the tools that are already available.
Fine. Build it. If it really is an improvement, people will use it. Remember the mantra of the IETF: "Rough consensus and working code".
Oh, and if you REALLY want it, drop me a line and I'll pass it on to the client I wrote it for. I'm sure they'd be happy to deal.
Welcome to the Turing Tarpit, where everything is possible but nothing interesting is easy.