Slashdot Mirror
Revising the Internet Email Infrastructure
Lauren Weinstein writes "People For Internet Responsibility (PFIR) today released a white paper aimed at starting discussion and work to fundamentally revamp Internet e-mail systems to control spam, forgeries, and a range of other problems, while empowering e-mail users rather than ISPs." Excellent start.
Until this comes out, PGP is a great way to keep your email private and secure. It also deals with forged headers using email signing. MIT has a great client here
"Men lie."
"Yeah, about sleeping with other women, but never about bioluminescent plankton."
-Dan Brown
They may well come up with some "standard" for a new internet email system but, nobody is going to use it. Hell ESMTP has been out for years and it still isn't supported by more than half the systems that are on the net.
SMTP is here to stay and it won't change within any reasonable time period. It's unfortunate that it's so unsecure, but that's just the way it is.
Proletariat of the world, unite to kill spammers. Remember to shoot knees first so that they won't be able to run away while you slowly torture them to death.
In Soviet Russia, I ruled you
Have they passed their recommendations by Al Gore yet?
Trolling is a art,
SMTP is here to stay. We're going to have to live with it. Spam control filtering is getting better and there is a good chance that together with decent legislation, spam can be reigned in. A new system will ultimately just create new kinds of abuse, which wil lrequire the industry to take another two year cycle to address.
Sure, ISPs can block PITS from unsavory PCAs, but what stops spammers from creating new, bogus PCAs as needed? If there are only a few "recognized" PCAs, doesn't this tend to concentrate power into a relatively small set of entities?
Roving Web-Teleoperated Robot
First thing is to rename it "i-mail".
Best Windows Freeware
I'm sick of reading proposals (often from industry profit-seeking types) who want to put a paid-for "stamp" or similar "token" on email. (I'm talking generally, though---yes---I did read this paper)
It looks attractive logic:
1. Lots of people use email
2. We offer a system which will beat spam at a cost---our 'trusted 3rd party' or whatever---but only if people who use it can't talk to anyone else, so everyone has to use it
3. Profit.
This is NOT the way forward on spam. Nor, realistically, is anything which re-writes the rules for email. People like editing headers. In fact, if it weren't for spam, people like email as it is---period.
The way forward seems simple:
smtp servers should start requiring genuine users to log in. (though rarely used, there are smtp systems which allow this, and most major clients---yes even the MS ones---already talk to these servers and have done for years)
servers which don't should quickly find their way onto blacklists.
(I shall leave the exact way these blacklists should be used as an exercise for the reader)
Simple. Low cost. Not a business model; but a clear solution.
Anyone want to start writing to ISPs?
...it lives and dies by the efficacy of the CAs. If the CAs suck, then the credentials they send with email mean nothing.
I like the idea, but I wonder which sort of orgs are going to be their "PCAs"? ISPs pretty much allow any comer onto their network, so giving all users a cert wouldn't stop people from making temporary accounts for spam.
Perhaps the ease with which MTAs could cut off CAs (like cutting off domains) would help give incentive to ISPs (or whoever is the PCA) to crack down on their customer base, but that strategy is only marginally successful today. Why would creds make this strategy any better?
Perhaps MTAs would be harder to config as open relays, because authn is required. But what percent of spam comes through open relays? If it's a big percentage, then this may help.
Has anyone analyzed this scenario? I'd like to hear some informed thoughts on what sort of email regime we could expect if this were implemented.
Those who would trade freedom for security will lose both, and deserve neither.
The current "hysteria" over spam is going to lead the Joe Sixpacks and the Mothers-protecting-their-children crowd to accept, indeed to beg for, restrictions on their liberties, all in the name of "stopping those spammers". For the rest of us, for whom "WWW" is NOT synonymous with "The Internet", this could have dire consequences. What if I run my own server, and I'm not "blessed" by the current Official AntiSpam Policy Du Jour ? Do I lose out?
Spammers suck, use your filters. DON'T give the government (and media giants, and Big ISPs) the authority to rewrite the way that the Internet works.
I want to delete my account but Slashdot doesn't allow it.
The problem with nearly every single encryption technology, or initiative for securing and improving Internet communication, is that it tries to solve too many problems at once. History has proven over and over again that it's the small, easy steps that move progress forward, not giant ones.
PGP, HTTPS, S/MIME and countless other 'standards' have all made the same mistake in trying to force users to adopt multiple new rules. What's wrong with just providing encryption, without any of the additional burdens of establishing identity? Countless transfers are sent unencrypted every day because the cost of a web server certificate - which is only expensive because it establishes identity - is so high. Anyone can make a server that provides encryption, but such a server is useless with today's browsers. And yet, I'm supposed to have faith that the people Microsoft, AOL and Opera choose to trust are the people that I want to trust?
It is obvious where email will change next, no matter how much money and time is spent on projects like this one. More and more people will use 'virtual receptionist' services that require you to return an auto-reply message to prove that you're real. Eventually, email clients will develop a way to autodetect and autoreply to these messages, until some sort of system is hammered out. You'll write your message, it will be delivered, the receiving server will connect back to you to verify that you're real, and your system will confirm it, all transparently. Someday, it'll happen in real-time, maybe. Spammers won't be able to use this, because of the increased load on a server that must stay online as long as they want their mail delivered.
That's how change happens. Not because of a bunch of idealists get together and tell me to start PGP-signing my mail. You know what? I started doing that 3 years ago. I haven't once found a single person who even knew how to verify my messages. Not to mention the pathetic state that the keyservers are in, full of expired and forgotten keys, and easily corrupted (again, I know from experience - I corrupted my own keys in an attempt to remove them permanently).
-Elentar
The wheel it turns, around and around, with an ancient rumbling sound.
I see this as a dangerous time. Many people have discussed going to an e-mail system that relies on encryption and security certificates. Are we going to end up with another debacle like we have now for secure websites, where Certificate Authorities like Verisign and Thawte charge hundreds of dollars every year for a certificate and free certificates set off more alarms than a than a Great White concert in a gasoline-soaked tent?
Will Microsoft make lucrative deals with high-roller Certificate Authorities to include them in the Microsoft Exchange e-mail server? Will you be unable to run a mail server without paying big bucks to some "trusted" Certificate Authority?
If we are not careful, the only e-mail servers that will exist will be commercial e-mail servers where the owners can afford hundreds of dollars every year for certificate renewals.
Why do I believe this? Because I follow the money. If Microsoft, Verisign/Thawte, Netscape, etc. think that there's a way to make money, they will push for a standard that ensures it.
Just because SMTP can't be fixed (it can't) doesn't mean it has to die - just that a better alternative has to emerge. I'll keep my SMTP servers running indefinitely and I'll keep SMTP mail, but as better systems emerge I'll be telling people that the more reliable way to contact me is with methods that I know aren't going to give me the experience of picking through the trash when I check my mail. I'll still check my SMTP mail, but probably with decreasing frequency as time passes.
For those of you saying "just improve your filters," (1) give me a filter that can parse an HTML message containing only an image to determine whether it's spam or not (no, you can't reject all HTML mail or mail with attachments, if my brother drags-n-drops a picture of my nephew and clicks "send," I want to receive it), and (2) figure a way to keep the message from being delivered until that determination is made. Post-delivery filtering doesn't solve the bandwidth/cost/traffic problems.
Be courageous, people. Nobody screamed that we didn't need the telephone because the telegraph worked fine. Protocols emerge from changing circumstances. SMTP had its use over the last 30 years, but its time is waning with the onset of the global public internet full of untrusted senders seeking to abuse the system. It's time for a better protocol, and I applaud everyone involved in making a serious effort at developing one instead of trying to fix the unfixable.
-- http://frobnosticate.com
Now we are told once more that the best cure against spam should be to reinvent something to replace the tried-and-true eMail system of decade-old reliability, just because some sociopaths apparently cannot learn to behave without getting a spanking (or jail time) and U.S. privacy laws are still too weak to stop the spam.
And after all the years that spam has plagued the networks, that's quite a poor achievement for a nation that managed to outlaw junk faxes, and had confirmation from the courts that regulating advertising does pass constitutional muster perfectly well:
Subsequently, numerous decisions have also made it crystal clear, over and over again, that neither the First Amendment nor the Dormant Commerce Clause are an obstacle to outlawing electronic spam, by fax or any kind of eMail.
Nor is it at the expense of any legitimate business. Industry itself can't stand the spam anymore.
This is not about "lawmakers never knowing enough about the Internet to regulate any aspect of it in a meaningful way", it's about doing something to prevent imposing compulsory changes to technology that keep fighting the symptoms rather than the cause.
Congress should get over such shameful cowardice and make the simple law that's needed and proven to work.
There is no need to re-engineer the Internet.
There is no justification for widespread surveillance and data retention under the poor excuse of trying to track down spammers.
There is no risk of banning mailing lists or commercial eMail.
There is no doubt what the sociopathic behavior is.
All that is needed is mandatory opt-in for unsolicited bulk eMail (encompassing all kinds of electronic messaging).
And yet some self-proclaimed "experts on electronic advertising" (whose only merit probably is that they know how to spam because they've done it a trillion times at everyone else's expense) keep pretending that opt-in wasn't legal, or feasible, or desirable.
Opt-in works, and it does not hurt anyone but the spammers.
Europe has adopted it, Australia is adopting it (how far behind do you want the U.S. to be, are we to wait for China to outlaw spam before the U.S. will?!), but most importantly the USA have successfully adopted it themselves against junk faxes.
There's probably something wrong in Washington D.C., and the news media in general, when the most insightful newspaper article on the issue comes from USA Today.
Be sure to fax or eMail it to your congress(wo)man though.
Don't spam them, but do attach some selected masterpieces of spam if you think they need an idea of what ends up in the inbox of their constituents, and of their children, 9 billion times, every single day.
Have the SMTP amended so that MTAs perform a DNS check on the previous server, and if it doesnt match correct the header. With guarenteed un-forged headers then at least reporting will be a hell of alot easier.
I think there's a fundamental difference between the problems IPV6 is trying to solve and what any "SMTP2" solution is trying to solve.
IPV6 will solve the underlying problem of running out of IP space.
"SMTP2" would NOT solve the spam problem, because it's not a technical problem, IMHO. Spammers would move over to "SMTP2" eventually. They'd just have to find that one little flaw or feature and they'd be back exploiting it like they're exploiting weaknesses in SMTP now.
If widespread adoption of "SMTP2" takes anywhere near the amount IPV6 adoption is taken, it's not going to work. Spammers would have 5 years to study the new technology and develop solutions to get their crap across the new protocol.
By the time "SMTP2" is in place and used by everybody, the spam problem would no longer be what it is now and we'd be back in the cat-and-mouse game with spammers and their spamware techniques.
All the "SMTP2" solutions I've seen would make normal Email communication between non-spammers much more difficult. I think that's something that should be avoided, even at the cost of not solving the spam problem using technology solutions.
Proletariat of the world, unite to kill spammers. Remember to shoot knees first, so that they can't run away while you slowly torture them to death.
In Soviet Russia, I ruled you