Slashdot Mirror


Revising the Internet Email Infrastructure

Lauren Weinstein writes "People For Internet Responsibility (PFIR) today released a white paper aimed at starting discussion and work to fundamentally revamp Internet e-mail systems to control spam, forgeries, and a range of other problems, while empowering e-mail users rather than ISPs." Excellent start.

10 of 311 comments

  1. PGP by Richardsonke1 · · Score: 5, Informative

    Until this comes out, PGP is a great way to keep your email private and secure. It also deals with forged headers using email signing. MIT has a great client here

    --
    "Men lie."
    "Yeah, about sleeping with other women, but never about bioluminescent plankton."
    -Dan Brown
    1. Re:PGP by rtnz · · Score: 5, Informative

      I would suggest GnuPG, free as in free.

      GnuPG

  2. Whoa, boys.. by grub · · Score: 5, Funny


    Have they passed their recommendations by Al Gore yet?

    --
    Trolling is a art,

  3. PIT/PCA Questions by Hayzeus · · Score: 5, Interesting

    I may be wrong, but what, exactly, is to keep spammers from becoming their own PCA? Why can't they simply generate PITs willy-nilly?

    Sure, ISPs can block PITS from unsavory PCAs, but what stops spammers from creating new, bogus PCAs as needed? If there are only a few "recognized" PCAs, doesn't this tend to concentrate power into a relatively small set of entities?

  4. Re:Why do people bother by Nutcase · · Score: 5, Insightful

    It's unfortunate that it's so unsecure, but that's just the way it is.

    I think it's great that it's not secure. Just like every other classic protocol that truly supports the net (tcp, ip, ftp, etc), it's not about what you put over it - it's about moving data as it's told. This distinction is what makes it so difficult to control or "own" the net. I don't believe we could build a "secure" protocol that retains the inbuilt freedom that we have today.

    Yes, people abuse that freedom just like they do any other, and yes, spam is so annoying that many who normally fight for freedom now beg to take it away in this instance, but there are solutions that don't involve removing freedom for everyone.

    The idea of challenge response is good.. as is Bayesian filtering.. as is pgp key signing, etc...

    And the solution to the abuse of bandwidth on the servers is not to recreate the protocol. It's to make sending spam pointless in the first place - and that happens at the ends. The middle needs to be stupid in order to be smart.

    And now my shameless (and probably inaccurate) retelling of "the world of ends" will itself end.

  5. Follow Apple's lead by L.+VeGas · · Score: 5, Funny

    First thing is to rename it "i-mail".

  6. No, No, No by npcole · · Score: 5, Insightful

    I'm sick of reading proposals (often from industry profit-seeking types) who want to put a paid-for "stamp" or similar "token" on email. (I'm talking generally, though---yes---I did read this paper)

    It looks like attractive logic:

    1. Lots of people use email
    2. We offer a system which will beat spam at a cost---our 'trusted 3rd party' or whatever---but only if people who use it can't talk to anyone else, so everyone has to use it
    3. Profit.

    This is NOT the way forward on spam. Nor, realistically, is anything which re-writes the rules for email. People like editing headers. In fact, if it weren't for spam, people like email as it is---period.

    The way forward seems simple:

    smtp servers should start requiring genuine users to log in. (though rarely used, there are smtp systems which allow this, and most major clients---yes even the MS ones---already talk to these servers and have done for years)

    servers which don't should quickly find their way onto blacklists.

    (I shall leave the exact way these blacklists should be used as an exercise for the reader)

    Simple. Low cost. Not a business model; but a clear solution.

    Anyone want to start writing to ISPs?

  7. Like all PKI schemes... by stevens · · Score: 5, Interesting

    ...it lives and dies by the efficacy of the CAs. If the CAs suck, then the credentials they send with email mean nothing.

    I like the idea, but I wonder which sort of orgs are going to be their "PCAs"? ISPs pretty much allow any comer onto their network, so giving all users a cert wouldn't stop people from making temporary accounts for spam.

    Perhaps the ease with which MTAs could cut off CAs (like cutting off domains) would help give incentive to ISPs (or whoever is the PCA) to crack down on their customer base, but that strategy is only marginally successful today. Why would creds make this strategy any better?

    Perhaps MTAs would be harder to config as open relays, because authn is required. But what percent of spam comes through open relays? If it's a big percentage, then this may help.

    Has anyone analyzed this scenario? I'd like to hear some informed thoughts on what sort of email regime we could expect if this were implemented.

  8. The ugly truth... by fmaxwell · · Score: 5, Insightful

    I see this as a dangerous time. Many people have discussed going to an e-mail system that relies on encryption and security certificates. Are we going to end up with another debacle like we have now for secure websites, where Certificate Authorities like Verisign and Thawte charge hundreds of dollars every year for a certificate and free certificates set off more alarms than a Great White concert in a gasoline-soaked tent?

    Will Microsoft make lucrative deals with high-roller Certificate Authorities to include them in the Microsoft Exchange e-mail server? Will you be unable to run a mail server without paying big bucks to some "trusted" Certificate Authority?

    If we are not careful, the only e-mail servers that will exist will be commercial e-mail servers where the owners can afford hundreds of dollars every year for certificate renewals.

    Why do I believe this? Because I follow the money. If Microsoft, Verisign/Thawte, Netscape, etc. think that there's a way to make money, they will push for a standard that ensures it.

  9. Adopt opt-in: Proven and perfectly constitutional by D4C5CE · · Score: 5, Insightful

    Last week at the FTC, many of the "experts" advocated sticking our heads in the ground though the sandstorm of spam grows ever stronger.

    Now we are told once more that the best cure against spam should be to reinvent something to replace the tried-and-true eMail system of decade-old reliability, just because some sociopaths apparently cannot learn to behave without getting a spanking (or jail time) and U.S. privacy laws are still too weak to stop the spam.

    And after all the years that spam has plagued the networks, that's quite a poor achievement for a nation that managed to outlaw junk faxes, and had confirmation from the courts that regulating advertising does pass constitutional muster perfectly well:

    "Nothing in the Constitution compels us to listen to or to view any unwanted communication, whatever its merit... We therefore categorically reject the argument that a vendor has the right under the Constitution or otherwise to send unwanted material into the home of another... We repeat, the right of a mailer stops at the outer boundary of every person's domain."
    Supreme Court
    Rowan v. U.S. Post Office
    397 U.S. 728

    Subsequently, numerous decisions have also made it crystal clear, over and over again, that neither the First Amendment nor the Dormant Commerce Clause are an obstacle to outlawing electronic spam, by fax or any kind of eMail.
    Nor is it at the expense of any legitimate business. Industry itself can't stand the spam anymore.

    This is not about "lawmakers never knowing enough about the Internet to regulate any aspect of it in a meaningful way", it's about doing something to prevent imposing compulsory changes to technology that keep fighting the symptoms rather than the cause.
    Congress should get over such shameful cowardice and make the simple law that's needed and proven to work.

    There is no need to re-engineer the Internet.
    There is no justification for widespread surveillance and data retention under the poor excuse of trying to track down spammers.
    There is no risk of banning mailing lists or commercial eMail.
    There is no doubt what the sociopathic behavior is.

    All that is needed is mandatory opt-in for unsolicited bulk eMail (encompassing all kinds of electronic messaging).

    And yet some self-proclaimed "experts on electronic advertising" (whose only merit probably is that they know how to spam because they've done it a trillion times at everyone else's expense) keep pretending that opt-in wasn't legal, or feasible, or desirable.

    Opt-in works, and it does not hurt anyone but the spammers.

    Europe has adopted it, Australia is adopting it (how far behind do you want the U.S. to be, are we to wait for China to outlaw spam before the U.S. will?!), but most importantly the USA have successfully adopted it themselves against junk faxes.

    There's probably something wrong in Washington D.C., and the news media in general, when the most insightful newspaper article on the issue comes from USA Today.
    Be sure to fax or eMail it to your congress(wo)man though.
    Don't spam them, but do attach some selected masterpieces of spam if you think they need an idea of what ends up in the inbox of their constituents, and of their children, 9 billion times, every single day.