Microsoft, Yahoo Investigate Spam Solution

bllfrnch writes "The NY Times (account required, yada yada) has an article about the suggestion of email postage to stop the advent of spam. Apparently, both Microsoft and Yahoo! support such an initiative, as they are the largest email service providers. Best quote: ''Damn if I will pay postage for my nice list,' said David Farber, a professor at Carnegie Mellon University, who runs a mailing list on technology and policy with 30,000 recipients'."

Cha ching?

[monstroyer]

Paying for postage already exists, it's called a fax.

This is the worst solution ever and the only reason that MS/Yahoo support it is because of Hotmail/YahooMail. They stand to make huge profits because they host the inboxes of millions of users. Every email received at those accounts would invoice the sender. It's a no brainer for BARRELS OF CASH !!! (tm)

In fact, there already was a good solution proposed a few weeks ago, by microsoft no less. Combine it with Spam Assassin the way Spam Interceptor does (replacing the C/R component) and the solution is plausible.

Re:Cha ching?

[diablobynight]

I am sure it doesn't have that much to do with the money they'll make. This idea has been suggested many times, and all of the times suggested, there has always been a white list, that if you choose to accept the senders mail, you can choose whether to have them billed or not. But here I see the problem, spammers are using open relays and hiding under anonymous accounts already. How will they bill them?

Re:Cha ching?

[MadCow42]

Email postage might make sense under one of two conditions:

1) the recipient gets the postage fee
2) the ISP that gets the postage fee provides email / internet access to the user for free

If the ISP gets the cash without providing any FURTHER service, it's nothing more than a cash grab. I would still be likely to maintain a "free" mail account so my friends wouldn't have to pay to email me... I'd just be more likely to filter that heavily for spam.

MadCow.

Re:Cha ching?

[LBArrettAnderson]

1.) http://www.google.com
2.)search for the hyperlink in nytimes.
3.)Click the link
4.) ...
5.) profit!

Re:Cha ching?

[Trejkaz]

Like hell.
(a) I'm not paying for emails I send to their inboxes unless I get a notice that it will cost money before I send it.
(b) If they insist on this, I'll just keep up my policy of not keeping in contact with morons with hotmail addresses.

Re:Cha ching?

[Frymaster]

spammers are using open relays and hiding under anonymous accounts already. How will they bill them?

ah... but if spammer x sends a boatload of herbal viagra offers under bob's relay and bob gets a bill... then when they do catch spammer x he can be nabbed under wire fraud laws and be open to all sorts of tasty civil action.

Re:Cha ching?

[LBArrettAnderson]

or just click here then click the first link.

Re:Cha ching?

[Awptimus+Prime]

Agreed. I've said it before and I will say it again:

Replace SMTP with a more secure protocol. Give a 12 month window for everyone to upgrade their clients. Then make port 25 filtering mandatory for all ISPs.

Failure to comply results in no email gateway for your customers. Simple as that.

Re:Cha ching?

[interiot]

Simple: most people will likely block all anonymous email.

Re:Cha ching?

[diablobynight]

ummm...don't even need to mod the protocol, if people just set up their mail servers to force authentication before outgoing mail can be sent, there wouldn't be any problems. Sorry there will be some problems, but I bet it would eliminate a lot of spam. Or if we just convinced the RIAA that spam was affecting their music sales, they would find a way to take every one of them to court.LOL

also, best answer to spam, don't click on the links in it, don't read it, just delete it, if it wasn't profitable they wouldn't send it out. Sadly dumb people buy shit from telemarketers and spammers.

Re:Cha ching?

[digital+bath]

but if spammer x sends a boatload of herbal viagra offers under bob's relay and bob gets a bill... then when they do catch spammer x he can be nabbed under wire fraud laws

But until then, would you like to be bob?

Re:Cha ching?

Like Hell, I run my own smtp server off my cable modem line for a reason. No, none of it is spam. It bad enough that many of them block port 80. You're advocating less freedom on the internet. The internet is one of the few mediums for open exchange of ideas left in te world. Go move to China if you like being pushed around and silienced by a tottolitaian government. Go read up on www.eff.org if you don't like your freedoms taken away.

Re:Cha ching?

Also, the questions that arise:

What happens to all the mail that never reaches its destination (server down, user's box full, user no longer exists, user just doesn't check mail)...

What happens to all the mail that is sent to users who sign up for a mailing list or a service with a website where they need to get important notices about their account and such - but the user is hapless and thinks that it's spam and doesn't realize "oh wait... this is something I signed up for three days ago".

What happens if you don't have a credit card or a bank account and you want to send email? And how do you handle processing between, say, Euros and Dollars - or other currencies? And who (PayPal?) is going to benifit from being the processor of all the monies involved?

I don't like any solution that requires needless churning of CPU cycles on already burdened hardware or any monetary investment.

Re:Cha ching?

[babyrat]

Replace SMTP with a more secure protocol. Give a 12 month window for everyone to upgrade their clients. Then make port 25 filtering mandatory for all ISPs.

and WHO is going to mandate this? SMTP is an ad hoc standard - ie people use it because people use it. If everybody's using it then that's a lot of people using it.

Re:Cha ching?

[WolfWithoutAClause]

Any of the big ISPs can do this. They just tell everyone in advance- do this by date X, or we blackhole you. There's nothing that forces anyone to carry anyone else's traffic ever.

Re:Cha ching?

[grub]

GIANT MONEY GRAB

The more I think of this, the more I'm enraged by it. Why?
Imagine that the net's email system is shaped like an hourglass. The top bulb is the sender of email, the bottom is the recipient. That pinched spot in the middle is where a handful of email firms (MS, Yahoo, et al) take a "micropayment" for every mail traversing their network.

They support it because they see it as a long term "User Pay" system. Microsoft has for years wanted to get into this type of system. It's plain fucking bad for the net! DO NOT SUPPORT THIS

Re:Cha ching?

[schon]

Replace SMTP with a more secure protocol.

define 'secure', then describe how it would work.

then give someone 1/2 hour to work around the 'security' (you don't have to implement it, just write a whitepaper.)

Spam exists because spammers are sociopaths. Replacing SMTP with something 'secure' won't change that, and won't stop them.

Re:Cha ching?

[Blkdeath]

Replace SMTP with a more secure protocol. Give a 12 month window for everyone to upgrade their clients. Then make port 25 filtering mandatory for all ISPs.

Governing Body: Replace your SMTP server!
ISP: No.
Governing Body: Uhm, ok, replace your SMTP server NOW!
ISP: No.
Governing Body: Filter port 25 then?
ISP: Who are you?

Re:Cha ching?

[ricochet81]

Cha-Ching is right. Congress and the USPS have been talking about ways to get money from email for years now. This provides the perfect inroad. If MS and Yahoo set up some sort of system to charge (proving its possible), the govt wont be far behind.

Re:Cha ching?

mod parent up informative, please. very useful.

Re:Cha ching?

[dyte]

Let the ISP choose how much they keep and how much they pass on.

This allows for competition.

Re:Cha ching?

[ejdmoo]

Big ISPs, like Yahoo and MSN. :) Get AOL on board and you've won.

Re:Cha ching?

[Shajenko42]

Nah, just do the challenge/response protocol, so that it will know that a certain host definitely sent the email you just received. Then:
A) Send all confirmed emails to a "Priority" folder.
B) After after this has started to catch on widely, start sending everything _not_ confirmed to a "Spam" folder.
C) Finally, after virtually nothing but spam winds up in that folder, just set your filters to delete instead.

After this happens, you can prosecute anyone in the US who spams, and block anyone outside the US that spams. If foreign ISPs, etc want to get their email through again, they can implement the above solution themselves, and we'll remove the block.

Re:Cha ching?

[Zwoop]

if people just set up their mail servers to force authentication before outgoing mail can be sent, there wouldn't be any problems. Sorry there will be some problems, but I bet it would eliminate a lot of spam.

Hmmm, what kind of spam would this prevent? Open SMTP relays? Forged From: addresses? Sure, we might get rid of some spam that way, but it will not fix the real problem IMO. It's just too easy to setup your own SMTP spamming server to "bypass" this, unless of course we start requiring SMTP auth in all SMTP traffic (not just from the MUA to MTA). But what a nightmare to maintain the global directory of servers and credentials...

Also, setting up SMTP auth to work with all possible clients turns out to be somewhat of a pain. I've done it with sendmail, and although it worked nicely "out of the box" for most clients, at least one had serious issues with the SASL and TLS protocols (see this article for instance).

And yeah, unfortunately there will always be victims out there who will buy from spammers and telemarketers. And there will always be predators ready to take advantage of them, if they can do so. Spam works well because it's virtually free to do, so even with some incredible small "click through" rate, it's profitable.

Making spamming computational expensive, as has been talked about several times, seems like the best solution right now. I don't particular like this postage stamp solution, although, it certainly addresses the root of the problem, it's too easy/inexpensive to spam.

-- leif

Re:Cha ching?

[frankthechicken]

Sadly dumb people buy shit from telemarketers and spammers.

And there lies the cause and problem for almost everything, damn people can't be trusted. Cut them out of the link and everything will be fine.

If these spammers could simply mail to the flotsam and jetsam of the world then everything would be fine. In fact there should be a list of dumb people, just to make the spammers life easier, and the rest of us slightly more content with the world.

Re:Cha ching?

[timeOday]

The owner of the compromised account will dispute the charge, therefore the mail won't ever be seen by the recipients, and everybody will be happy. That's the point.

I can't imagine the system is braindead enough not to verify the payment until AFTER the recipient sees the mail! That wouldn't be very postage-like at all, unless you think this proposal is for C.O.D. email!

Re:Cha ching?

[Pieroxy]

Back to the original point: An email service will open "Free" and everyone will rush. Oh wait, that's what's going on right now!

Re:Cha ching?

Depends on how well that Viagra works with all the hot chicks the dating services are promising me to go along with it.

Re:Cha ching?

[Awptimus+Prime]

What's your reason? I've done the same in the past, but just because I could. I couldn't really find a reason I 'needed' to run one.

Your argument is petty, at best. People go on about 'freedom' on the Internet like it's some big anarchists party. Sorry, you don't own any rights to it. It's simply a communication service you are leasing access to. I spent many years working for ISPs and dealt with many attitudes like this, especially when I worked in abuse. I would respond by simply informing the user they hold no "rights" in regard to the issue at hand and disable their account, blacklist their credit card, etc. No human rights organizations ever came after me, so I doubt I infringed on anyones freedoms. I had several legal threats, but they were all dropped due to the AUP and complete stupidity of the claims.

Regardless, many responsible ISPs have already began filtering port 25. EarthLink, and a few other large ones did this long ago.

Anyway, back to why your argument is ignorant: Your ISP has a say if you offer any services from your connection. Sure, we all want P2P, web servers, ftp sites, etc on our DSL/Cable connections. What you do not grasp, is that these services cause extra headaches for ISPs. I've dealt with literally thousands of people with 'owned' systems because they thought it would be a good idea to put smtp/httpd/ftpd/etc on their gateway. The AUP always said not to run these things, but people would do it anyway and whine to hell when you confront them. My confrontations were typically concernining resulting attacks and spam that came from their systems after-the-fact. We never proactively went after any user for running a service, but could since it was a violation of service.

You can't respond intelligently to this with "they should know what they are doing!".. It doesn't work that way. Not with herds of people online, you can't expect them all to even care about or understand security.

Along the same way of thinking, I am assuming you think you should be able to purchase a bunch of 'residential' phone lines and use them for an office? Since the phone companies are just another big network, you should have free reign over what happens there, right? How about the electricity coming into your house. That's another network, and you want your freedoms. Why bother getting a licensed electrician to do your wiring? Regulations are there to protect people from themselves and make the overall system work better. Sadly, many of them will go down kicking and screaming the whole way because they think their $39.99 a month buys them anything and everything they could ever demand -- without understanding the ISP is making $4-8/mo revenue, TOPS, off their account.

Re:Cha ching?

Paying for postage already exists, it's called a fax.

Sorry, wrong. Paying for postage does alreay exist, it's called postage. A fax the recipient pays for.

Re:Cha ching?

[destiney]

he can be nabbed under wire fraud laws and be open to all sorts of tasty civil action.

In how many countries?

Re:Cha ching?

[Awptimus+Prime]

Actually, they would be insane not to. It would save literally thousands of man hours chasing spammers. Not to mention the gigs of bandwidth saved per year if spam could be eliminated.

The major industry players would be the 'governing body', as you put it. They have historically played together decently since the dawn of DDOS attacks. Before smurf.c, ISP #1 would typically ignore anything ISP #2 said. That is not how things are these days.

Re:Cha ching?

But until then, would you like to be bob?

Fortunately for me, I don't run an open relay, nor do I use vulnerable machines on the net without protection.

Much like sexually transmitted diseases, this is 100% preventable.

Re:Cha ching?

[evilviper]

Replace SMTP with a more secure protocol.

Did you come up with that all by yourself, or did you have help?

Obviously, it would be ideal if a protocol were designed to replace SMTP that would stop SPAM, unfortunately, it's not as easy as just spending a few minutes writing one up.

Tell the world, here on slashdot, how you would design this SPAM-proof protocol, and watch as everyone tears apart all of your ideas, listing how they just simply wouldn't work in the real world.

Re:Cha ching?

[Eric+S.+Smith]

But until then, would you like to be bob?

Not at all, which is why I don't run open relays.

Re:Cha ching?

[abandonment]

this isn't that hard to do with sendmail either, check to see if the person sending the mail has logged in to 'check' their mail in the last 'x' minutes, if not, reject. voila, simple script, instant solution.

Re:Cha ching?

[Awptimus+Prime]

Thank you, captain obvious, for informing the world that it would take more than a few minutes to write a replacement.

I did not want to get into a low-level discussion on how to do it, I figure there are many developers out there, who are far more gifted than I will ever be, can deal with that side of it.

Since we are on the issue, sure. Re-tool SMTP into an authentication based protocol, requiring your account's password to allow email to be accepted by your ISPs mail server, just as with POP3.

It's not like this is impossible.

Re:Cha ching?

[David+McBride]

How do you propose to secure SMTP? Precisely what architectual and/or cryptographic scheme do you propose that would work?

If I want to setup my own mailserver (not outside the realm of possibility, I'm a sysadmin) what hoops am I going to have to jump through to satisfy the Ultra Secure Email Lobbyists for Efficent Sending of Spam (USELESS)? Who do I go to if I believe someone is illicitly sending spam through their (presumably paid-for) email license?

How do you propose forcing every single ISP that they need to filter port 25? Those within the US? Those outside?

(And why bother if nobody uses SMTP anymore anyway?)

And that's just the start. If someone's machine get hits by a virus which spams people (or allows others to spam through that machine) how do I know that it was some evil guy and not Joe User who got compromised? How many people are even going to go through the expense of legal proceedings for the million-odd users out there with MyDoom on their machine?

Don't get me wrong, I don't think spam is fun. And I don't have a magic solution; I haven't even really thought about the problem.

But it's also clear that you haven't thought about it, either.

So unless you have an actual idea, or can point to someone who does, you're not going to garner that much interest.

Re:Cha ching?

"But here I see the problem, spammers are using open relays and hiding under anonymous accounts already. How will they bill them?"

Simple, there will be no more free, anonymous email accounts. Is that worth the price of not receiving spam? There are better options out there.

Re:Cha ching?

[ctaylor]

> also, best answer to spam, don't click on the links in it, don't read it, just delete it, if it wasn't profitable they wouldn't send it out.

This doesn't do anything already. What is it? 1/10 of 1% or something like that actually buy something from spam e-mail. The companies that make money from spam don't care if you buy anything. If we don't buy from spam, the companies that _hire_ the spammers don't make money, but the spammers have already been paid. All it takes is a few idiot people to hire spammers for the whole system to perpetuate itself.

Re:Cha ching?

[Awptimus+Prime]

Perhaps you could read my follow-ups before brandishing the troll's club.

Re:Cha ching?

[rw2]

also, best answer to spam, don't click on the links in it, don't read it, just delete it, if it wasn't profitable they wouldn't send it out. Sadly dumb people buy shit from telemarketers and spammers.

Sadly it only takes one purchase in a few hundred thousand to make money. This solution requires perfection that will never be acheived in a society which think janet jacksons boob is news (or worse, that it's offensive) and watches the simple life.

Re:Cha ching?

[Xiridion]

This is the worst solution ever and the only reason that MS/Yahoo support it is because of Hotmail/YahooMail. They stand to make huge profits because they host the inboxes of millions of users.

I agree completely. Any kind of postage is just an attempt to take money from their users. It's also the stupidest thing I've ever heard.

Until there is a standard for verifying outgoing email between mail servers, there is no way to have postage or stop spammers. Spam and viruses can already fake every other field in a message, why not the postage field. There must be a way to verify where the mail originated with a surety or deny it. If such a standard where put in place, spammers would be unable to continue to operate as they do. Postage is bogus and unnecessary.

Re:Cha ching?

[NoMercy]

Admitidly it'd be nice to have a better SMTP purely on the grounds that it's an old protocal and could do with a scrub up and some new brass.

But what's really needed is a simple 'did you send this email' to validate the sender did send the email, a simple handshake which would instantly force the From: field to be correct, solving most problems.

Another layer of security could be brought in with header-checking at each server to ensure the header given by the last server was accurate, problem is virtually all servers use diferent formats for these strings.

A XML version of SMTP would be nice, the current effort XMTP only really has use in processing SMTP data for presentation on various devices, and makes no effort to tidy up the mess of un-readable headers, see: XMTP.

Re:Cha ching?

[winse]

fan that.... just build a better mousetrap. SMTP shouldn't be hard to beat. If you tie together a couple of productivity tools like email/calendar/im/perhaps a file sharing tool and build that over a common secure protocol, i would use and request that my friends join me. It might take a while to catch on or may never catch on, but sometimes good does win (even though it is dumb).

Re:Cha ching?

[David+McBride]

Fair enough.

Pause for effect whilst I scan through your responses..

Okay, the closest thing that I can find that even approaches an idea is:

Since we are on the issue, sure. Re-tool SMTP into an authentication based protocol, requiring your account's password to allow email to be accepted by your ISPs mail server, just as with POP

That's not going to help anything. What's to stop someone from just running their own SMTP server? The software isn't exactly hard to come by.

Even if you could work around that problem, the latest mass-mailing worm/virus is going to roll through /that/ little roadblock, no problem. MyDoom installed a keylogger and has access to every single file that the infected user does. Hence, as soon as they send an email any properly-coded worm will have access to the password and go on a little mailing spree.

By all means start or partake in a discussion trying to devise a sensible solution, but don't pretend that the answer is simple. You'll just look like an idiot.

Re:Cha ching?

[geminidomino]

Yanno, you'd hope that Microsoft would do some research before sticking their foot in it like this over and over again[0]. All of Gates' "Spam Solutions" are the same things that people have been "coming up with" for years, despite the fact that all 2 of them (C/R, Hashcash, etc...) have been thoroughly debunked by those with Clue... [0]We are talking about people who can't even build a working SMTP implimentation, and we're trusting them with the spam problem?!

Re:Cha ching?

[BjornStabell]

Upgrade to IPv6 which makes it impossible to spoof your IP address, then let RBLs do their job. There was never a better time to do this.

Re:Cha ching?

[CmputrAce]

I say let 'em charge.

Then some brilliant group of people will respond with a TOTALLY DIFFERENT alternative to POP and SMTP that GETS RID of SPAM. POP and SMTP are too open and too easy to spoof (I know, they COULD be fixed, but nobody will do it for the sake of "backward compatability).

It's time to let the existing system DIE so we can get ubiquitous, free, and secure, spamless email.

Re:Cha ching?

[btakita]

This solution would take David Farber 83.333 hours to send the email to his "nice" list. I dont think he would like that.

Re:Cha ching?

[Awptimus+Prime]

That's not going to help anything. What's to stop someone from just running their own SMTP server? The software isn't exactly hard to come by.

Filtering port 25, assuming the updated protocol would utilize the same port.

How about not being an asshat when someone has something to say? I mean, really, I did not post this to sound like Mr Smarty Man III. I posted to inspire people to talk about the issues.

You, on the other hand, are posting simply to point out that I did not go into enough depth and pick at what I say. Personally, I feel that posters like you can simply go to hell since you contribute absolutely nothing except for ill feelings towards anyone who wishes to share their thoughts in a forum.

I do not pretend any of it is really simple. The concept is simple, the implementation would be a lot of work, would require global participation, and so on.

Add to the thread of shut the fuck up, troll.

Re:Cha ching?

[n.o.d.y.n.e]

Spam filtering is NEVER going to work. Charging mail stamps is not such a bad idea, however such a system would have to be for bulk mailings only and incorporate applying for exemptions, such as universities, .org, non-profit mailing lists etc. It would have to be thought out. This would require mailers to be transparent. Instead of the slimy sucks who hide in their dirty spam caves as they are now.

Re:Cha ching?

[John+Hasler]

It has a great deal to do with the money they would make by implementing the scheme in such a way as to force everyone to use their services.

Re:Cha ching?

[Lost+Race]

It's already impossible to spoof your IP address in TCP/IPv4. Sure, you can forge a bogus source IP address on the SYN but you'll never get the ACK so you can't complete the connection, and any data you transmit will be ignored. The best you can do with address spoofing in TCP/IPv4 is a SYN flood DoS attack; you certainly can't send any spam with a forged source IP address. (Route it through a proxy/relay/zombie? You can do that in IPv6 too.)

Re:Cha ching?

[Aliencow]

Yeah, everyone knows POP3 is secure and that setting up your own SMTP server is so hard.

Re:Cha ching?

Unfortunately "forcing authentication" means a variety of sins. Any computationally based authentication can run afoul of the encryption export laws, which while they've already been ruled unconstitutional under US Customs got transferred to US Commerce and are still in effect.

It also fractures dumb email clients such as routers and webservers and DNS servers that report back to home.

Take a look at spf.pobox.com for Eric Raymond's very easy and simple suggestion for using the new "Sender Permitted From" field. If we enable setting such things restrictively by default, then we can shoot down the forged spam trivially by having ISP's set the permitted SMTP servers for their domains or their guest domains.

Re:Cha ching?

[Tokerat]

I have a question:

Why the hell ARE we sill using POP and SMTP? Would it really be that hard to get e-mail users to download the "New, Improved, Spam-Free E-Mail system"? Would developers really be unwilling to implement it?

The big hurdle is fragmentation of the current e-mail system, and the possibility of losing your e-mail address, but it's getting to the point where a large portion (I'm inclined to say "majority") of Internet traffic is spam, and that costs many people a lot of money.

Do like is planned for IPv6 (kinda): Let both systems co-exist for a while until the old one dies off. Hell, make sendmail accept both protocols and just warn you when e-mail comes the old way. Eventually we'll be able to turn that off, once everyone is adjusted to using the new system by default. Include it in clients, include it in servers, give the sysadmins migration instructions and hey, addresses need not even change. Would users even have to realize it happened?

Re:Cha ching?

[firewood]

and WHO is going to mandate this? SMTP is an ad hoc standard - ie people use it because people use it. If everybody's using it then that's a lot of people using it.

But a standard is only important if people *contintue* to use it. Given a choice of new-MTP which is less than 50% spam and unsecure SMTP which is going to be more than 99% spam, most people will switch after a few months, and SMTP will decline to the status of a mostly historical standard such as gopher. Only hackers and law enforcement agencies will continue to freely receive anonymous and/or mostly forged SMTP email. Mailing list senders will have to switch if they want to reach the majority of recipients.

Re:Cha ching?

[d34thm0nk3y]

I would say that in this situation that the precedent could be very dangerous. Imagine that all of a sudden the e-mail charge becomes common. Of course the government is going to need to tax it. Then our heroes come up with the 'TOTALLY DIFFERENT' solution. The problem is that this solution pretty much sends e-mail. Do you really think that these large corps and the gov are gonna give up that cash?? NOT A CHANCE IN HELL! They are going to cover it under 'e-mail' and take the charges regardless of the fact that it runs on some fancy new protocol.

Re:Cha ching?

[Wesley+Felter]

I see nobody around here is familiar with the actual proposals. Nobody would send a bill to anybody else, so there's no possibility of an innocent person getting the bill for spam. If mail doesn't have the postage it would just be dropped.

Re:Cha ching?

[smchris]

Email postage might make sense under one of two conditions:

1) the recipient gets the postage fee

Oh, yeah. That would have been great a few years ago with dial up when some fool I didn't even know personally (campaigning for a club office no less) got an address book virus and sent me something like 10,000 emails and another 5,000 after I complained to his ISP.

But not many after I started forwarding them back to the ISP :)

Re:Cha ching?

[Gaijin42]

Because if the mail doesnt come with the postage (which would be signed with some massive encryption) the mail is automatically rejected.

Re:Cha ching?

[evilviper]

Re-tool SMTP into an authentication based protocol, requiring your account's password to allow email to be accepted by your ISPs mail server, just as with POP3.

Practically every SMTP server can require authentication. I've setup several myself.

Re:Cha ching?

[Comen]

I agreee with you completly, were are my mod points when I need them, Thats why you have to read this yahoo article and laugh your ass off, I cant think of any way you can realyl secure email enough to charge people, hell if we could secure it we wouldnt need to charge people at all, thier whole argument is bogus and any one with a brain should be able to see that.
Microsoft especialy having the balls to even mention something liek this is laughable, there in secure OS and email clients have causes most the worm/virus based email problems around and then they say chanrging for that will fix it? with no mention how to secure not only the protocol but the OS in wich the application's run on. So charging for soemthing that we cant control enough to stop is the answer to stopping spam? Not to mention the tons of other issues David already mentioned above, even if they could control the open way that a mail server can just be setup on the internet now, where the people or even the virus or worm can just install a tiny mail server itself if passwords/encryption where a issue, mails server get compromised now.

Re:Cha ching?

So unless you have an actual idea, or can point to someone who does, you're not going to garner that much interest.

Actually, his idea is much more interesting than your "I'm an expert but I don't see any good solution so we should all just give up" response, if only because he doesn't display apathy such as yours.

If a solution comes up, it'll be from someone willing to think of something new, not someone clinging to the kludges of the past.

Re:Cha ching?

[EtherMonkey]

If my experience is the norm, then the majority of ISP's don't give spam or virus filtering a passing thought. Even though there are free tools available to help reduce junk email and viruses, they don't deploy them.

I was just at a customer site on Friday because they called complaining of all the Novarg-infected email they were receiving. Their client-based antivirus was working, so they weren't infected, but I was shocked that their ISP let the virus get that far. When I called the ISP (a large regional outfit) they said they had no plans to implement either spam or virus filtering, due to the "significant cost and support burden."

Re:Cha ching?

When it comes down to it IF this would really become law only the US and maybe a few other countries will have postage (and thats a big maybe). So we all send mail though servers in a country that doesn't charge postage. Do you think the spammers will figure that out?

Re:Cha ching?

Why doesn't somebody just cripple every open relay with a virus? Fry them all.

Re:Cha ching?

[Basehart]

"he can be nabbed under wire fraud laws and be open to all sorts of tasty civil action.

"In how many countries?"

Well, you can take Afghanistan and Iraq off the list of untouchables. Who's next? Is sending out Spam a good enough reason to go to war?

Re:Cha ching?

[senatorpjt]

Maybe I'm just an idiot, but I didn't think I was running an open relay either. I tested it with some of the open-relay test webpages, but it turns out that Postfix was allowing relaying from the local /24 subnet on my ISP (which none of the tests would have shown), and it just happened that someone on the subnet noticed.

Re:Cha ching?

[diablobynight]

Oh I hope so, send me in. screw terrorism, nothing pisses me off like spam.

Re:Cha ching?

[diablobynight]

forcing authentication is not a problem, it's simple as all hell. Jesus christ.

Re:Cha ching?

[senatorpjt]

What's your reason? I've done the same in the past, but just because I could. I couldn't really find a reason I 'needed' to run one.

OK. Well, I've never "needed" to run one, any more than I "need" email to begin with. I run my SMTP server because it allows me to receive mail under multiple names for different purposes, do my own spam filtering, consolidate accounts, etc. I definitely "need" incoming SMTP, as much as I use an email address to give to my friends may not be appropriate for say, a business contact. Also, I just don't like my ISP's email implementation. They only support POP, and maybe I just don't like my email sitting on their server for any moron employee of TW to read.

Re:Cha ching?

[JuggleGeek]

don't even need to mod the protocol, if people just set up their mail servers to force authentication before outgoing mail can be sent, there wouldn't be any problems.

Nonsense. Spammers can run their own SMTP servers if they want. More commonly, they manage to infect other systems and let them send the mail. I agree that anyone running a mail server should do authentication - and most already do - but claiming that would solve the problem is pure nonsense.

best answer to spam, don't click on the links in it, don't read it, just delete it, if it wasn't profitable they wouldn't send it out

If *nobody* responded to it, the spam would probably stop - eventually. But >99% people ignoring it isn't going to stop the problem, because they still make money on the fraction stupid enough to buy from it.

Your post was modded insightful, but it certainly wasn't.

Re:Cha ching?

[JamieF]

Replace SMTP with what? More secure how?

>The concept is simple, the implementation would be a lot of work

Right. The concept of "fix spam" is easy, but the implementation of an unspecified design is really hard. Kind of like "create lasting world peace" and "switch from fossil fuels to alternative energy sources" and "find a cure for cancer" are easy concepts, but implementing them sure is a lot of work. The engineers will have to roll up their sleeves but I'm sure we can get it done if we can all just agree to get on with it!

You forgot the part where you actually offer a suggestion. What you've done is to restate the goal, and get mad when someone points out that you haven't actually proposed anything specific.

>> What's to stop someone from just running their own SMTP server? The software isn't exactly hard to come by.
>Filtering port 25, assuming the updated protocol would utilize the same port.

Maybe you don't understand te poster's point. What's to stop someone from just setting up a $NEW_MAIL_PROTOCOL server and spamming from that? How does your completely unspecific new mail service differentiate between good mail and bad mail?

Re:Cha ching?

[Grizzlysmit]

Paying for postage already exists, it's called a fax.

This is the worst solution ever and the only reason that MS/Yahoo support it is because of Hotmail/YahooMail. They stand to make huge profits because they host the inboxes of millions of users. Every email received at those accounts would invoice the sender. It's a no brainer for BARRELS OF CASH !!! (tm)

In fact, there already was a good solution proposed a few weeks ago, by microsoft no less. Combine it with Spam Assassin the way Spam Interceptor does (replacing the C/R component) and the solution is plausible.

How's this for a soln: first we solve the problem of header forgery, without that we're nowhere. Next we implement a stamp system, but you have to pay into the recipients account. So they pay you to receive their email. You also have a specials list, which sets special prices for some email. This list uses signatures of emails, ie. not just from this user, but email header/body matches patterns, etc. to assign special prices to items of email. The special prices can be positive or negative or 0, positive x means sender must pay x units of Internet credit to receiver, negative x means receiver pays, the sender x units of Internet credit, presumably some sort of subscription, 0 means no charge for this, ie. this is my friend, no problem, no charge.

There would need to be some sort of mechanism to refund charges if it latter, turns out to be you're friend. Some sort of third party financial institution might be needed to negotiate these charges, and keep the accounts. But we should still allow some white listed pgp/gpg signed etc stuff to bypass this system, and go straight to us, just like now, but only for users know to us.

Under this scheme you could charge say $1 or even $1, 000, 000, 000 for unknowns to email you, with a promise of a partial or complete refund if you decide it's ok for them to email you, and an equal promise of no refund if you don't want to, despite what they say commercial, groups & spammers know that 99.9999% of people don't want their crap, if they had to risk even $1 per email, they'd desist pretty quick.

The downside of this scheme is it somewhat increases the complexity of the process of transferring email.

God I hate that Lameness filter it is just so lame, the lameness filter just plain suxs. The Lameness filter never gets it right, it is a complete joke, a waste of space. The very concept of a lameness filter is the lamest idea of all time.

Re:Cha ching?

[Awptimus+Prime]

I guess people can't understand that it's just an idea. Once again, try adding to ideas instead of retracting from them. Then these threads would actually be worth something instead of appearing as a bunch of agumentative geeks with no social skills. :)

Re:Cha ching?

[JPriest]

AOL already blocked half a billion emails last year. AOL already has a solution that works in preventing many kinds of SPAM if only some other ISP's would also do the same thing the world would be a better place.

AOL will not accept mail from SMTP servers with IP addresses like 12-34-23.dsl.miamfl.bbc.com.

It is called DNS, the best part is the we don't even need to change the core infastructure of the internet to start using it.

Open relays are not the only problem, anyone can install an SMTP server or trojan a PC and use it as an SMTP server. 1/3 of all spam is now sent this way and the popularity is growing.

I still move that SMTP server be added to a DNS record much like mail exchangers have been for ages. it would be a _backwards_compatible_ solution for the ISP's that don't want to get in line.

Re:Cha ching?

[bl1st3r]

Any ISP that has ever blocked outgoing SMTP ports for me has quickly found themselves without me as a customer. I run my own mailserver and wouldn't want it any other way. Its the only way that I can be certain that my e-mail is my e-mail. It also goes a long way in allowing me to be proactive about spam that gets to me through a combination of ORDB, SpamAssasin and custom blacklisting through Postfix.

To say that I don't have a right to send e-mail may be correct, after all, I don't have a right to use the internet at all. But if I am going to be on the internet. And if I am going to be paying for that access, I demand to be able to send my own e-mails. And I'll vote as such with my wallet. I've switched ISP's probably 8 times before sticking with Charter cable. They are awesome and with the minor flaw that they have blocked ICMP traffic for me, they are doing a great job.

Widespread blocking of services doesn't fix the problem. It's like killing mosquito's with a nuclear bomb. It just sucks. Why not come along with a good technological solution? Possibly a new e-mail protocol or get more widespread use of technologies that already exist(like I do).

-E

Re:Cha ching?

[Flingles]

There is, according to some other /. spam article. Spammers will pay 10x more for a list of people who actually bought something (as opposed to a list of valid email adresses).

Re:Cha ching?

[Knetzar]

I was thinkinhg a trail of IP addresses added to the header would help. Just have each SMTP server append the IP of where the mail came from and then one SHOULD be able to trace where email truly come from. This should at least allow blocking of computers with viruses and open relays.

Re:Cha ching?

[balloonhead]

The only way sexually transmitted diseases are 100% preventable are if you exercise abstinence. For a lot of people, that's not a viable option, just as the only way to truly secure your machine is by keeping it unplugged.

Condoms, virus checkers, and some knowledge of network security will go some way towards things, but what you are proposing amounts to blaming someone who's burgled because they didn't research their locks properly, didn't modify the lock they bought with the latest security features, and didn't know locks inside-out before even buying a door.

Expecting everyone with a computer to secure it is unrealistic. Ideally the software manufacturers should take this into account, but there will always be bugs and exploits.

Re:Cha ching?

And I'll vote as such with my wallet. I've switched ISP's probably 8 times before sticking with Charter cable

And I've just received a spam from them...

Re:Cha ching?

[Ciggy]

A fax the recipient pays for.

Surely:

1. fax sender pays for phone call to receiver's device (local calls are NOT free everywhere in the world, USA peeps note)
2. receiver can use electronic fax receiving so no treeware for which to pay; just a large disk ^_^

Re:Cha ching?

> How does your completely unspecific new mail service differentiate between good mail and bad mail?

Maybe he plans to use the evil bit.

Re:Cha ching?

Email postage might make sense under one of two conditions:

1) the recipient gets the postage fee
2) the ISP that gets the postage fee provides email / internet access to the user for free

Even if this were adopted, it wouldn't take long before they stopped paying or giving the recipients anything. Ideas like this sound good, but once you let an ISP charge for email they are gonna find a way to keep that money.

Re:Cha ching?

in a society which think janet jacksons boob is news (or worse, that it's offensive)

I _don't_ want my children to see her boobs, much less myself.

Is it news? Yes, because something like this has _never_ happened before on one of the most watched shows of the year, on _publicly_ broadcast television. It was most definitely news.

Re:Cha ching?

[Vadim+Makarov]

May I suggest making a deposit to the central authority. You can only send as many emails as you have money deposited on your account at any time (note: if the recipient receives your email and you are on their whitelist or are marked manually as such upon reading the email, the bit of money associated with this email is instantly freed for use in your other outgoing emails).

Little users will make small deposits; thus, no large number of emails could be sent via their hijacked accounts.

Larger users or mailing list distributors will make larger deposits, and thus will care about their security.

The choice of central authority is a bit delicate question, but we already do have many central systems on the Internet that accept payments from everyone in the world. These are DNS authorities, and the system by and large does work.

Re:Cha ching?

[diablobynight]

And your post is simply filled with contradiction and no helpful information.

If spammers run their own SMTP servers, than it will be easy for me to trace the spam back to them now won't it. Then I report the IP to their ISP, who then discontinue their service.

Re:Cha ching?

[p00ya]

So unless you have an actual idea, or can point to someone who does, you're not going to garner that much interest.

Well, there goes the whole premise of posting on slashdot. I guess we can still try for the +5 funny.

Re:Cha ching?

[phorm]

Set a cutoff. If you don't get an "X-sender-verified" tag by period X, don't receive mail from the sending server. Maybe a year should be a long enough period to enact a standard?

Re:Cha ching?

[phorm]

Hmmmm... options already exist:

SMTP-Auth (you must supply a username/password when sending email)

POP3/IMAP-SSL, not sure if there is an SMTP-SSL but there should be... at least for the authentication process.

Re:Cha ching?

[Ben+Hutchings]

You can spoof your IP address in IPv4. It's easier if you're on the same network segment as the spoofed address, though. If the segment isn't switched, it's trivial to get the responses by putting the NIC into promiscuous mode. If the segment is switched then you should be able to steal the target address by using MAC spoofing or ARP spoofing. With ARP spoofing you can also become a man-in-the-middle for extra fun. If you're not on the same network segment the possibilities are admittedly more limited. However, if the machines you're sending your spoofed packets to are running to still don't have a good TCP ISN generator (many don't) it should be possible to predict the ISN and to set up a connection without seeing the replies. You don't have to limit yourself to one guess, of course.

Re:Cha ching?

[jhunsake]

You truly are a fucking idiot.

Re:Cha ching?

[Awptimus+Prime]

Is the word 'fucking' supposed to drive your point home harder? I used to do that, too. When I was 13.

This is a typical example of why spam continues. People, for no good reason, just refuse to think about anything. God help us if someone has an idea. Be it good, or not, I do not think name calling is what this website was intended for.

Re:Cha ching?

Whatever you say, you fucking idiot.

Do we need this?

[RT+Alec]

Story also posted on C-Net (no account required, yada yada).

What hapened to Yahoo's (as yet unveiled) scheme-to-end-all-schemes for authenticating mail? IMHO, I think that SPF:Sender will make great strides towards combatting spam, combined with new laws that make spoofing illegal. And AOL is backing it, so I think there is a good chance for success, as they are both one of the largest sources of e-mail as well as one of the most commonly spoofed domains.

Re:Do we need this?

[Ryan+Amos]

Laws mean jack shit when you're dealing with a spammer operating out of Romania. Legislating the internet in general is just a waste of time. Also, any technical scheme to stop spam that does not include a whitelist of some kind is also doomed to fail. All a spammer has to do is hack a random Windows box (and they do,) set up a custom mail server that will spoof the headers, then spam away. Then again, whitelists carry with them their own problems.

Blacklists aren't a great idea either, too easy to hop around via hacked boxes and/or DDoS the blacklist server (as we've seen happen recently.) The only way I could see a scheme like this being even remotely successful would be if ISPs started parsing incoming packets for mail server requests, then dropped them, as 99% of end-users should not be running a mail server.

Basically, the problem with spam is that most of the solutions introduce bigger problems than they solve. Adding to the problem is the fact that no system is ironclad, so somebody eventually will find a way around it. Now we know how the RIAA feels with their "protected" CDs. The best solution seems to be some sort of adaptive filtering, which is what most people use now. There's no real effective way to reduce spam seen by the mailserver, so the best way is to reduce spam seen by the user.

Re:Do we need this?

[GreyPoopon]

...I think that SPF:Sender will make great strides towards combatting spam...

Here's my favorite quote with respect to SPF:Sender:

All these proposals can run into problems because there are legitimate cases when mail sent by one domain claims to be from another. For example, online greeting-card services will send messages with the return address of the person sending the card, even though the message does not go through the sender's e-mail account.

What's funny about this is that the greeting-card services are NOTORIOUS for selling email addresses as spam-phish in the first place. Hence the reason why I never read email greeting cards anymore.

Re:Do we need this?

[RT+Alec]

I think laws can be helpful, provided they are not, well, clueless. As for CAN-SPAM, the best part is outlawing the use of deceptive headers. Now pill pushers and mortgage brokers (who are almost always located in the U.S.) can be prosecuted if they forge headers. If they don't forge headers, then ISPs can blacklist their source much more effectively.

The more common blacklists (at least the ones I use) are Spamhaus , Sorbs, and NJABL. I don't think those are going down anytime soon, with the work they have done to distribute their hosts.

I completely agree that ISPs (and any business that has computers connected to the Internet) should block egress port 25 traffic. I have rallied this point for quite some time, and it has proven to be quite unpopular:

• ISP's need to block egress port 25!!
• Good news!
• What about port 25?

The arguments against sum up to "let's fix the spam problem, but not if it means I can't use my consumer cable modem as if I were a business" and the equaly irresponsible "but I want to run my own mail server-- how dare you try to take away my toy!" To be fair, there are legitimate reasons that a person might need to run their own mail server, but they are quite few and far between-- certainly less in number than spammers!

Re:Do we need this?

[MaineCoon]

There are other legitimate uses, of course. For example, I run a server from which I give email accounts to my friends. The server uses POP-before-SMTP authentication, so they can send from anywhere with their mail clients without it being an open relay. But a couple of my friends use Earthlink, which blocks outgoing port 25. All Earthlink customers must send their email through Earthlink's mail servers (although Earthlink users can use any 'from' address they want). I don't think I really want to add all of Earthlink's IPs to an SPF block... but I don't want to stop offering mail to those friends who use it, either. Catch 22 for me if this system goes into full force and Earthlink continues this block.

- MaineCoon

Re:Do we need this?

Yeh, go laws that make spoofing illegal. That:ll stop em.

Why not just make being bad illegal?

Re:Do we need this?

[GreyPoopon]

But a couple of my friends use Earthlink, which blocks outgoing port 25.

I think your other choice is to offer SMTP service on some port besides 25. I've seen this done by some web hosts.

Re:Do we need this?

[protogoogoo69]

and the equaly irresponsible "but I want to run my own mail server-- how dare you try to take away my toy!" To be fair, there are legitimate reasons that a person might need to run their own mail server, but they are quite few and far between-- certainly less in number than spammers!

No, to be fair, you don't even need a legitimate reason to run a mail server. If Jill-Sendmail wants to toy around with her computer because she wants to see what administration is like without having to pay $4000 for certifications, then so be it. Who are we to judge Jill's authority over her own computer? If her machine gets a virus, is misconfigured and spews gigabytes all over the place, or if she accidently creates an open relay, well thats a job for her ISP. But spammers dont even need your computer, they can just walk into an insecure library computer lab, boot up Knoppix, and create their own open relay.

Oh yeah, block port 25, that'll stop em! Then a couple months later, they'll start hacking gateways or start wardialing for wireless connections. Hell, all they have do is split their pay with someone crafty enough to crack into whitelisted computers and use them as proxies for more the spammers. So what's next: port 80? port 21? Hell, let's block all the ports, that'll stop those bastards!! Sooner or later, you have to realize that spam exists because there are stupid humans who can be suckered into buying anything and perpetuated by stupid humans who having nothing better to contribute to society! And if people start becoming network-nazi's, then they will be stupid too. Its like a hardcore sysadmin who forces her users to memorize MD5 sums as their passwords and then changes them weekly! Sooner or later, people are going to start leaving their passwords on sticky-notes under their keyboards while the cracker finds a faster way in via social engineering. Humans are the weakest link here, not sendmail, not the SMTP protocol, and certainly not the firewall scripts. And when you figure there are probably only around 200 spammers, you have to wonder who the real dups are here: the ones spending $1,000's in man hours on bayesian filters and spam-laws, the ones buying penis enlargement kits, or the ones sending mass mail from a cheapo Pentium-2 laptop with a textfile containing over 5M email addresses? Consider if only 0.5% are interested in that mail...because that's all it takes. No, I have a better proposal: educate people on how NOT to be conned. Educate them on how to recognize spam and /dev/null it. Eventually, commercial interests would spend less on email mass marketing, which would mean spamming is less lucrative to spammers.

Re:Do we need this?

Is it just me or does SPF seem like it was made by morons? Why not put a public key in the DNS record instead, and have legit outgoing SMTP servers sign mail messages with the private key? Then incoming servers can confirm the signing (based on the DNS record, like SPF) but it doesn't break forwarding.

I mean, why not just make it utterly transparent? The key encryption could be something relatively trivial computationally to minimize incoming mail server load (as if the DNS request wouldn't likely be the bottleneck, anyway). I don't understand. Is there something wrong with what I'm saying?

Mirrors without registration

[digitalvengeance]

Here is a Washington Times summary that doesn't require registration.

http://washingtontimes.com/upi-breaking/20040202-1 23126-8662r.htm

And here is a IHT article which appears to feature the same quote as the NYT article. Same article? I won't register...

http://www.iht.com/articles/127677.html

Josh.

Re:Mirrors without registration

Yes, same article.

Re:Mirrors without registration

Do I have to join the Unification Church and marry whoever Rev. Moon assigns me to before I read it? (The Washington Times is owned by the Moonies.) http://en.wikipedia.org/wiki/Washington_Times

Eh?

[DakotaK]

Could anyone truely pull this off? Most people would never dream of paying for e-mail. And what's to stop me from setting up my own mail server and sending it off? Step 1: Charge for e-mail Step 2: ??? Step 3: Profit

Re:Eh?

Interesting point. I think we would see an increase in the number of people doing just that - set up their own email servers.

The problem is, most of these people probably would not know how to properly configure it, and we would see an increase in the number of open relays available to spammers to subvert.

I don't trust any solution that comes from MS, Yahoo, or AOL, all of whom seem to be the most widely abused systems in existance today. It is up to these organizations to fix their own cruddy operations before attempting to tell the rest of us what to do.

Re:Eh?

[ooby]

Both Yahoo and Hotmail sell premium accounts, so somebody pays for email. I do agree, however, that paying to use email (paying for anything other than your own server, bandwitdh, etc.) is pretty lame. We might be able to rely on consumer rejection because there will probably always be a free (or near free) alternative to paying to send email.

There are advantages to the technique. If it is implemented, spammers may stop sending porn to my yahoo and hotmail accounts, and these type accounts probably make up the bulk of non-corporate email addresses. So a side effect may be a drop in spam across the board (providing the spammers don't adapt).

It's a ridiculous concept

[MysteriousMystery]

It's a ridiculous concept really, the reasons email has become successful to begin with is that it's fast and free. If you charge for email, people will just move over to instant messengers or other systems. And how do you enforce charging people who you may or may not be able to track, the proposal to charge for spam based on the reciever's choice is absolutely ridiculous.

Re:It's a ridiculous concept

I haven't thought this through, but what would happen if a place like Yahoo would charge for certifying bulk email? Say by encryting it with a private key, or using some kind of watermark or stamp. In that case, I could white list people I know, enable emails that decrypt nicely if I want ads, and send everythign else to the trash.

Re:It's a ridiculous concept

[Prof.Phreak]

If you charge for email, people will just move over to instant messengers or other systems.

But then they'll impose charges on IM, and the very bits that fly around. Oh, wait...

Actually, mobile phone companies already charge folks per IM message, so you can't just send millions of them without pay.

Re:It's a ridiculous concept

[Drishmung]

No, it's not free. But it is very, very inexpensive.

For the volumes that most casual users require it is so inexpensive that it is cheaper for the ISP to charge a flat rate, rather than account for some fraction of a cent per email. It would cost the ISP more to do the accounting (you would be charged mainly for being sent the bill itself).

Spammers, with their huge volumes of email, actually do pay for the email they send. However, they send so much mail that the cost per message is vanishingly small.

This proposal attempts to stop spam by removing the financial incentive. But it does so by artificially inflating the price. The spammers pay more, and the ISPs make huge profit margins. Of course, this only works if there isn't another place the spammers can go that charges less. (In fact, there is now a huge incentive for ISPs to make money by undercutting the inflated rates. Possibly covertly. I.e. special rates for spammers. After all, who better qualifies for 'bulk discounts'?)

The only way this can work is if there is a monopoly, otherwise market forces will act to bring the price down.

So, the price of stopping spam is to confer a monopoly for email on MS and Yahoo, together with extraordinary profits. With the likelihood of a side order of corruption as spammers try to bypass the rates.

Re:It's a ridiculous concept

[njchick]

Those who don't want spam will move to the new scheme. If you want to write them you'll have to pay. Those who don't care about spam or don't mind setting up multi-layer anti-spam defences are welcome to stay with SMTP. After all, mailing lists didn't destroy USENET, they just made it less relevant.

Re:It's a ridiculous concept

[mr.+methane]

I dunno, I like the idea. It needs some tweaking for certain, but as it stands now, email is almost useless.

Email isn't free. It costs a minimum of a few hundred bucks to get a computer, plus the cost of even a minimal dial-up account. Anti-spam software costs money. And aside from hobbyists or unemployed folks, spending 40 hours trying to duct-tape some filtering solution on every computer just isn't reasonable.

Spammers have significantly reduced the value of my computer, by taking what was once a useful resource and turning it into a major annoyance. Is it a complete solution? Probably not. Seems like an interesting place to start, though.

Re:It's a ridiculous concept

"email is almost useless"

Really?

"Anti-spam software costs money"

Search for PopFile on google. I just set it up on another computer. It took about 5 minutes. Training it take a couple minutes a day for a week or two.

Re:It's a ridiculous concept

[ryanjensen]

Actually, when I had service from AT&T I would get 5-6 spam SMS messages every day. I had to pay for each one of those messages, while the sender, presumably using the ##########@attws.com email method, never had to pay a cent. If anything, SMS spam is the worst of all unsolicited commercial messages, because it results in a direct financial loss to the recipient.

Re:It's a ridiculous concept

Email for me is useless because even if I used something like Popfile (which I do) I still would have to hire someone fulltime to check my junk mail folder for false positives. I get thousands of spam each month and going through it all just is not feasible. Also spammers are sending more intelligent spam now that defeats most filters. I get spam that has 3 lines of text advertising their product then they tack on a 400 word essay at the end for the sole purpose of defeating filters. This method seems very effective, the only thing left for me to do is start implementing whitelists. I now do all business communication over the phone and personal communication is dont over instant messenger. Email for me is useless.

Re:It's a ridiculous concept

You have to pay to recive sms'?

Re:It's a ridiculous concept

[Rik+van+Riel]

Spammers, with their huge volumes of email, actually do pay for the email they send.

That would work in a world where spammers paid their bills. ISPs don't see that happen all the time...

Re:It's a ridiculous concept

[ryanjensen]

Yup, if you don't have it included in your plan, which I didn't. I eventually got them to block SMS for my phone number after months of support calls. (Who the hell uses it anyway? If you have your phone, and your friend has his phone, why not just talk on the phone?)

Re:It's a ridiculous concept

[kinnell]

If you charge for email, people will just move over to instant messengers or other systems

I think it's more likely that people will switch from ISPs which charge to send email to ISPs which do it free. Especially spammers.

Re:It's a ridiculous concept

[gnu-generation-one]

How much is your SourceForge account going to cost when everyone on the email lists has the option of taking your two-cent postage and keeping it?

You think we'll see a new type of fraud, where someone signs up for a yahoo account, then tries to con people into sending them an email (I want information about your website shop, honest) and just collects postage? How soon before shops stop using email at all when the cost hits them?

Re:It's a ridiculous concept

Those who don't want spam will move to the new scheme. If you want to write them you'll have to pay.

Well, I sure hope none of them ever wanted to hear from me, because I'm damned if I value contact with them highly enough to pay Microsoft for the privilege.

Re:It's a ridiculous concept

[mr.+methane]

Well, you do have a point - people might be inclined to think twice before posting, if they know it might cost them the price of a starbucks coffee.

But there must be a down side to this somewhere. :-)

Re:It's a ridiculous concept

[mr.+methane]

time is more valuable than money. For someone who is not comfortable integrating multiple applications and resolving the conflicts they always create, it's a big expense.

Someone asking me for a buck, I don't mind jut saying no to them. Someone demanding that I give them the only thing I can't get more of - time - is a criminal.

Re:It's a ridiculous concept

[ssstraub]

If your getting thousands of spam per month then it's time to:

1) Stop posting your address on the web w/o any obfuscation. A simple email_DELETETHIS_@domain.com goes a long way. Or better, use a jpg to show your email and not a text link. 2) Stop using your REAL EMAIL ADDRESS when signing up for ANYTHING. 3) Get a new email address that isn't something extremely easy to guess like "bob@msn.com"

Re:It's a ridiculous concept

[ssstraub]

So you think that because it annoys you and you are unwilling/unable to make the situation better for yourself, EVERYONE should be punished by paying for each email sent?

I'm glad you don't get to make the decisions.

Re:It's a ridiculous concept

[mr.+methane]

how *does* one get this "free email"? I had to buy a computer, a firewall, a monitor, and pay the phone company a chunk 'o cash to give me a connection.

I'm sure all the ub3r h4x0rs will run some freeware solution that only takes 20 hours to setup and requires about the same amount of maintenance as a typical IBM mainframe, but for the unwashed masses, a computer is a generic tool, and they want it to work well with a minimum of work; porn spams in your kid's email means the computer is fundamentally broken to many people.

Re:It's a ridiculous concept

[ssstraub]

how *does* one get this "free email"? I had to buy a computer, a firewall, a monitor, and pay the phone company a chunk 'o cash to give me a connection.

You just said it yourself. You already paid the phone company (or ISP more likely) for the connection. You will be paying twice if they segregate one form of data from the other, as in: email costs this much, but regular data costs this much.

My point remains. If the spam is such a problem for you, why don't you pay for a service to filter your spam for you (no setup by you) instead of subscribing to the idea that paying for email cleanup (essentially that's what it is) should be forced on everyone? There are many people that consider it a problem, but many *less* that consider it a problem worth paying for with each message sent.

Postage?

[mindstormpt]

Doesn't seem too smart but at least it's better than the memory and processor cycles idea

Re:Postage?

[Trejkaz]

I don't know about that. I'd love to invoice Microsoft for all my wasted memory and processor cycles.

Re:Postage?

On the contrary, I think the CPU cycles idea is a good one. Even if it only took 3 seconds per email, it would KILL the spammers (how do you send out 25 million emails at 3 seconds each?) while not doing much to the rest of us.

I send out a double opt-in newsletter for one of my clients, with about 75,000 subscribers. Yes, I realize it would take my nearly 3 days to send out our monthly newsletter.

BFD! I spend 3 days of MY time each month dealing with spam. I'd much rather it be 3 days of my CPU's time.

Re:Postage?

[Zeinfeld]

Doesn't seem too smart but at least it's better than the memory and processor cycles idea

The media accounts are wrong. Microsoft is pushing a processor cycles idea. The NPR interview with Ryan Hamlin the GM of the anti-spam division is a more accurate example of what they have presented.

The accreditation scheme that Microsoft and Yahoo are considering mean you pay for sending spam. You do not pay for sending email. It is like ironport bonded sender, you spam, you forfeit part of your bond. You no spam you no pay.

Ryan was pushing the computational scheme hardest. But the basic scheme is, you stop impersonation spam so you know where the message comes from, then you act on what you know about that person. It authentication and accreditation.

Re:Postage?

[mindstormpt]

In any case, that's going to bring a lot more trouble for "free" email providers... You'll have to "deposit" $5 if you want to open an hotmail account? I realize that spam must be stopped, it bother me too (a lot) but I really don't know if that's the right way... That acredited sender stuff isn't too good either :( I send e-mails through my ISP's SMTP server (the only I'm allowed to use) with an e-mail address from my hosting account... I guess I won't be able to do it anymore, if that becomes widespread :/ And spammers will allways find a way through...

Re:Postage?

[Alien+Conspiracy]

You don't need a bonded-sender type accreditation scheme.

All you need is the Mailbox Reputation Network.

snail mail

[QEDog]

Would this really help?
How come stamps can't stop all the spam I get through snail mail? Please, make those AOL disks stop!

Re:snail mail

[nizo]

Actually, all you have to do is send your date of birth, SS#, bank account numbers, and credit card numbers to nojunk@scammer.ru and once they use that information to verify you really are who you say you are they will take you off of every maillist in the whole world, guaranteed!

Re:snail mail

[QEDog]

Actually, all you have to do is send your date of birth, SS#, bank account numbers, and credit card numbers to nojunk@scammer.ru and once they use that information to verify you really are who you say you are they will take you off of every maillist in the whole world, guaranteed!

I tried that, and it only changed the spam mail from Credit Card Offers to Billing Companies Mail. I'm not sure if your suggestion really works...
Oh well, maybe I will be able to get this issue resolved after I complete the deal with this nigerian prince who contacted me the other day...

Re:snail mail

[dyte]

How come stamps can't stop all the spam I get through snail mail?

Because the price is not high enough to stop it. And because the money does not go to the right place.

Re:snail mail

[JWhitlock]

As the son of a U.S. Postal Service employee, I'm forced to tell you that it's Direct Mail, not snail spam or junk mail. The big difference is with direct mail, the marketer is paying for every item sent, but with spam, most of the cost is placed on the ISP and the end user. Direct mail is more targeted, often more effective, and helps keep the cost of first-class mail (that's your mail) down. Spam just makes the spammers richer, and annoys the rest of us to tears.

Of course, if it still annoys you, there are a few simple steps you can take to drastically reduce the amount of direct mail you get. The majority of the mail I get is now mail I want to get. I still get AOL CDs, but it's down to twice a year - usually due to a new magazine subscription where I haven't told them my preferences.

Re:snail mail

[LostCluster]

They don't stop it, but they certainly limit it. Also, postal regulations prevent many messages that are cent as spam from being sent in an unsolicited ad.

Re:snail mail

"Oh well, maybe I will be able to get this issue resolved after I complete the deal with this nigerian prince who contacted me the other day..."

hey, that guy owes me money!

Re:snail mail

[firewood]

Postal junk mail is good! It pays a large part of the salaries of the people who deliver all the rest of my USPS mail. Spam pays my ISP nothing (but trouble).

Re:snail mail

"The big difference is with direct mail, the marketer is paying for every item sent"

Not paying for the waste disposal costs, are they?

Re:snail mail

[sharekk]

Yeah really. The worst problem of this is it takes away the argument of "don't send me spam because I pay for the bandwidth". If something like this happened I bet the reputable companies would start doing direct marketing the same way they send those coupons on cheap recycled paper. I don't feel that I'd win earning a dollar daily, wading through 1,000 emails because every department store in my state was sending me their sale information.

not to mention all the new scams "Make 50,000 a year reading email! from home!"

Re:snail mail

[robertjw]

As the son of two U.S. Postal Service employees, the grandson of one U.S. Postal Service employee (ret.) and the big brother of another U.S. Postal Service employee I'm forced to tell you that it doesn't matter what you call it, it's merely semantics to us layman. There is a difference between boxholders, bulk, pre-sorted first class, etc... as far as the post office is concerned, but for most people it's just trash.

The USPS is just another bloated government agency full of people trying to preserve their jobs. Bulk mailings do not keep the cost of first class down, the force it up. Bulk mailers are given a SIGNIFICANT discount over first class letter senders, but these discounted letters are shipped all together with the first class mail. All the USPS is doing is keeping the volume of mail up so their thousands of employees can remain employed.

With the advent of cheap long distance, cheap mobile phones, email and instant messaging, personal correspondance by the postal system has dropped significantly. With online bill paying and automatic withdrawls the sending of monthly bills/statements have also dropped. If the Postal Service would stop giving discounts to all of these mass mailing credit card and home refinance companies the mail volume would drop significantly and they could cut their employees and facilities drastically.

Junk mail annoys me because the vast majority of the time it is not a good or service that I might be interested in. I like getting advertisements from local businesses that may provide a service I'm interested in. So much of the mass mail is from companies, just like email spammers, who think that if they send enough cheap mail it will pay off.

Re:snail mail

[autechre]

If you follow the link the grandparent poster provided, you would see that you can tell the Direct Marketing Association exactly what sort of junk mail you would like to get. There are all sorts of categories, and it's free if you print it out and mail it yourself (plus $.37 postage, of course).

hiJacked account?

[Numeric]

so now all those poor AOL users will get a huge bill

15.95 internet services
9100.00 e-stamps

Re:hiJacked account?

[Comatose51]

If they don't bother trying to secure their machine, then perhaps they should bear the responsibility for it. Perhaps AOL or their ISP can warn them at a certain point. Hopefully this will pressure people to be more security-conscious and that might in turn pressure software makers to do the same.

Re:hiJacked account?

[mahdi13]

I think that would get more people to STOP using the internet. People are very lazy and view their computers as an appliance.
Toaster = make bread crunchy
Refrigerator = Keeps think cool
TV = Keeps intellegence at a managable level
Computer = E-mail and check aol.com for important news stories

If the average person is forced to take responsibility for their computers, they would give them up in a heartbeat

This will work

(but only if the only people who get charged are the spammers.)

They Stop Recieving

[millahtime]

So, how are they going to charge their customers that get free email for the postage??? Won't other free emailers pop up and take their place???

And if they only recieve postaged email, who would want to use them????

What's more annoying...spam you have to delete(or is somewhat filtered) or the mess of postage. I would say the mess of postage.

Re:They Stop Recieving

[rjelks]

I didn't RTFA, but I've heard this idea proposed before. The idea was to only charge postage on accounts after they have sent the first 500 or so emails. I still think the idea stinks. I've heard other solutions that are better. My favorite was offering bounties for spammers. Another interesting idea that I've heard involved costing the advertisers money.

The idea: Spammers are hard to track down, but the companies that advertise with spammers are right there in the email. I doubt they get more than 1 in 100, maybe 1 in 1000 click-throughs on a given broadcast of spam. If everybody that got that message hit their webpage, instant Slashdot effect (that's a nice way of putting it). The point is, bandwidth costs money, and these advertisers are costing us bandwidth. Spam wouldn't be cost-effective anymore if they got hit with 3 million people reloading their webpage a few times a day for a week. An email client that tapped back a little wouldn't be hard to come up with. Since they are inviting us the their pages, I don't even think there would be much of a legal issue. INAL (I'm not a lawyer) though. The spammers aren't the problem, it's the guys paying the spammers.

-

Re:They Stop Recieving

[beebware]

Spammer: See,I was successful - I got you lots of potential purchasers.
Client: Yeah, but only 100 of them brought something
Spammer: True-perhaps the pricing was a bit too high/item was wrong colour. Change that and then pay me $2000 to send out another batch and we'll see how many people buy this time.

Re:They Stop Recieving

[pyros]

The problem with that is the links typically identify the address that the link was sent to, so you're verifying your address is valid. Your address would then be that much more valuable to sites that don't get knocked off or bankrupt by a DDoS. So spammers will keep your address, and can charge more for it because it's been verified.

Re:They Stop Recieving

[rjelks]

I didn't mean to exactly reply to the email. This email "client" would access the site, just the main domain, from a browser. If it was coded right, they would only get an ip address.

-

smokescreen

[mabu]

There's no way to enforce this. The irony is that the only way a pay-for-email scheme would work, is in the context of a network of trusted mail relays, which is in effect, A WHITELIST.

All this does is prove that eventually, there will be a network of whitelisted SMTP relays that will do more to combat the spamedemic. You don't need to charge money - that's an extra, goofy idea to make profit for a few select corporate interests. It won't fly because millions of systems will refuse to pay the "postage" extortion fee in order to be whitelisted.

Re:smokescreen

You don't need a whitelist, nor are there any corporate profits, if the postage is collected by the recipient, rather than paid by the sender. Not only that, but given that the recipient isn't required to cash such a stamp, email remains free your friends (and mailing list admins). Only the spammers will pay.

It wouldn't take much to add to your spam filter to have it automatically cash in your stamps, and only for those categories of mail that you chose.

If the stamp is for a suitably trivial amount, then you simply need to pile up a large quantity of certificates to cash in at once to avoid transaction costs. And guess who is the only one generating large quantities of email at once, making it worthwhile to bother?

This form of postage is not a fee to deliver the message, but rather a fee for annoying the recipient, payable directly to them.

Re:smokescreen

[malfunct]

Hopefully the e-mail servers not on the official white list will also start thier own whitelist and the "for pay" e-mail groups can send and recieve e-mail from themeselves. I know if I had a choice I'd prohibit receiving e-mail from anyone on a white list that charged per e-mail like that.

Re:smokescreen

[smittyoneeach]

So a two-tier ecology evolves.
I have a white-list box, for which a premium is paid, or, perhaps, offered through my ISP, which only sends/receives mail from others on that network.
Part of the magic of the paybox is that it has usage pattern analysis that detects problem nodes and crushes them.
Sure, there will be some hacking; the existence of a system implies a work-around, but the idea will catch on.
Saying there is no way to make a reasonably spamless email network is like being a circuit-switched network guy and telling Metcalf he's half daft...oh, wait...

Re:smokescreen

[LostCluster]

And then they won't be in the whitelist, and they won't be able to reach users of Yahoo, Hotmail, MSN, and presumably AOL, Earthlink and the like will also join in on this.

In short, it'll be a closed e-mail system where every user is passing through a lameness filter, and every provider has some way to trace back the user should accountablity ever be need...

Sorry, allowing anonymous e-mail allows spam... no way to kill one without killing the other.

Re:smokescreen

[harlows_monkeys]

There's no way to enforce this

Uhm...evidently you've missed the last 30 years of work in cryptography. This sort of thing is *trivial* to enforce.

Re:smokescreen

[Lehk228]

if a system like that was imlemented then it would also make paypal obsolete entirely, it would be trivial to include a "big stamp" that could be set to $x.yz in order to pay for things

Re:smokescreen

[mabu]

You think this can be enforced?

Good luck getting the whole world and every mail server on the planet to bow to Microsoft and Yahoo in setting standards for e-mail. You're a lot more hopeful than I am, cryptography or no cryptography.

Re:smokescreen

[firewood]

It won't fly because millions of systems will refuse to pay the "postage" extortion fee in order to be whitelisted.

They will if they want to reach the majority of email recipients after those recipients switch. Most recipients will switch after the new protocoll becomes widespread (all the major ISPs, plus a couple good linux & Mac clients) and gets even 10X less spam. Only law enforcement agencies, rape crisis centers (etc.) and hackers will continue to monitor SMTP email, since it will contain 99% forgeries and spam. If you want to email them, you won't have to switch.

Re:smokescreen

Only law enforcement agencies, rape crisis centers (etc.) and hackers will continue to monitor SMTP email, since it will contain 99% forgeries and spam.

You're saying spammers will continue to flood SMTP mail with their trash even when the only people ever reading it are the cops?

They're not stupid, you know. If literally only the feds are reading insecure email, why the fuck would spammers still be sending spam? They do it because it pays, not because they're beings of pure evil!

I like the computational challenge solution better

[kcornia]

Asking the sender to process a quick math question seems a better solution to me.

Spam boxes would be prohibitively expensive due to the heavy requirements for sending millions of spams, and it would have the added benefit of notifying people when their box has been owned due to 100% processor utilization on said owned relay box.

The money option just sounds like pushing for a new revenue stream. To heck with that.

Common sense...

[FrancisR]

"AOL is taking a different approach and is testing a system under development by the Internet Research Task Force. The system, called the Sender Permitted From, or S.P.F., creates a way for the owner of an Internet domain, like aol.com, to specify which computers are authorized to send e-mail with aol.com return addresses." Shouldn't AOL have thought of this a long time ago? I remember a few years ago when I used to use AOL and got deluged with FormMail spam with faked @aol.com return addresses. Good to see they're getting their act together.

Re:Common sense...

[Narcissus]

How would this work exactly? From what little I know about email, wouldn't this mean that the receiving server (or possibly the sending server) would need to do a check on aol.com servers to determine if that computer is able to send that email?

If the sending server needs to check it, then it doesn't change much (as a spammer will just set up their own server that will ignore that step). Either way, what happens if the server that needs to be checked doesn't support that feature? If you reject it, then you have the case where you need to upgrade all the servers (so use one of the other protocols that have been discussed). If you accept it, then wouldn't a spammer just make it appear to come from a particular computer that doesn't support the checking (for example, one of the hundreds of servers that will be set up for this exact purpose)?

Also, couldn't this check be a new form of DoS? If I wanted to grind a server down, I would send a heap of spam pretending to be from a fictitious user: if I send out a few million emails like that, then wouldn't each one of those have to hit a particular computer to determine if it's valid?

Seems like a lot of extra network communication to me when you could just use another secure protool.

Re:Common sense...

[FrancisR]

It's pretty simple: AOL handles their own mail internally, so if any incoming mail has "@aol.com" in the sender's address, they can assume it's forged.

Re:Common sense...

[Narcissus]

Ahh... so this system is only good for a domain to check emails that are supposedly coming from itself?
That's good, but a lot of the spam I get is from bizarre (non existent?) domains. Plus, wouldn't this just mean that the spammer will have to do two runs? One to all AOL addresses from a Yahoo account, and vice versa?

Re:Common sense...

[FrancisR]

Yeah, doing two runs like that would definetly defeat the purpose of that kind of filtering. But I suppose it'd weed out the extremely stupid spammers.

Re:Common sense...

[thogard]

SPF only will help stop From: forgeries from existing domains. It will force spamers to register more domain names. Heck, it might even help bring back the domain name squaters business. I think the current propsal has some scaleability issues and doesn't make use of exising tools that are part of the existing DNS system. It also fails to stop the fact that bob@example.com can forge email from joe@example.com.

Re:Common sense...

[mastropiero]

Well, it is the receiving server that does the checking actually. The point is if a spammer sets up a domain that ignores SPF, then that particular domain can be known as spam-friendly and can be "safely" blocked. SPF would work well in sort of a weighed-domain scheme, where you keep track of which domains are known to spoof addresses and mass mail so you can take the necesary steps to avoid being spammed. You can see more info here

Welcome to the new IM revolution

[jobugeek]

I can't think of something else that would push an enormous amount of people from email to instant messaging. Someone will change the format to allow messaging of those off-line and bingo. New email!

Re:Welcome to the new IM revolution

[Dwedit]

They had that already... It was called ICQ.

Re:Welcome to the new IM revolution

[MichaelGCD]

Yahoo instant messaging already does this. You can see messages sent to you while you were offline. I know a guy who keeps his AIM account online 24/7 with automatic logs, it's already happening.

Re:Welcome to the new IM revolution

[Dukael_Mikakis]

... and bingo, new SPAM also. If people migrate to IM, then Spammers can just use dictionaries to hassle people's screen names (I have already experienced people trolling for sex talk online) and soon we'll be dealing with dozens of pop-up (which makes it worse) windows asking if we want Printer Ink. And it doesn't necessarily help having a buddy list, because all IM services will still pop-up a window "Spammer has sent a message, would you like to see it", so even though you can avoid the Spam, you still have to deal with the window.

It helps that you can be offline, but if IM is the chief communication then we won't be able to stay offline, if we want our messages. And those that collect messages while offline (i.e. Yahoo) will just flood you with back Spam.

If Spammers can break email, they'll break IM. It's just that up until now there hasn't been reason to. Don't give them a reason, either.

Just enforce the damn laws!!!!

[ackthpt]

Geez. Why the heck can't these fat-walleted companies fork over a few bucks or a few of their own employees to help the local and federal government bust some heads? All I see is talk-talk-talk. Let's get some action and stop it with these stupid schemes. Seriously, the purveyors of spam are fraudsters, can't they be reigned in on that alone?

Oh, maybe if the postage goes to further line the pockets of M'soft and Y'hoo, as a likin worked, I can see their true motivation.

Re:Just enforce the damn laws!!!!

[Steve+B]

Seriously, the purveyors of spam are fraudsters, can't they be reigned in on that alone?

More fundamentally, the moment they make the slightest identifiable attempt to bypass spam filters, they are computer crackers.

I hate spam but...

[dolo666]

How will this affect websites sending their users emails from requested sources?

Like I'm the programmer of Gemsites, a Slashdot clone. When we register a user, we shoot them an email. So are we going to have to pay money to do that?

Because that would be totally stupid, and it would possibly put an end to discussion websites that require logons to validate users, unless there was a method to bypass the charge for sending email.

The way Microsoft will turn it, would be that we all *should* be paying per email, because of this reason or that reason. Bottom line is Billy Goat Gates on his mountain of cash, trying to pile up more of it.

Re:I hate spam but...

[cosmo7]

Had you taken the time to read the article you would know the answer to your question.

The idea is that unstamped email would be filtered and forwarded as usual. Stamped email would not be filtered, so you wouldn't lose real messages in the filter. The stamp fees are miniscule for normal users (but not for spammers) and would probably be part of your ISP bill, since the ISP is, on balance, nearly breaking even on the cost of stamps.

Since you are probably already losing notifications in people's spam filters you would not be in a worse position.

Postage hasn't stopped Junk mailers

[EvilTwinSkippy]

Everyone, please go home and open your mailbox. Now tell me if having to pay for postage has cut down on the level of unsoliceted mail arriving in you snailmail mailbox.

Re:Postage hasn't stopped Junk mailers

[millahtime]

With snail mail they have found that it can make money. Like with internet service. On average with their mailer adds they get enough people to buy the product that after about a year they start making a profit on the customer. Spam would cut down because they couldn't afford it but it would not go away.

Re:Postage hasn't stopped Junk mailers

[Trejkaz]

Postage hasn't, but a "No Junk Mail" sign seems to cut it down quite a bit.

(... so I propose we invent a .no_junk_mail file to drop into our home directories to indicate we don't want spam.)

Re:Postage hasn't stopped Junk mailers

[bear_phillips]

I get about five pieces of junkmail a day. I get about 40+ spam emails a day. So yes, paying for postage has cut down on the level of unsolicated mail arriving in my snailmail mailbox.

Re:Postage hasn't stopped Junk mailers

[AvitarX]

email account:

5 spams, 2 mails I want.

Snail mail

1 bill
1 magazine
1 letter
1 credit card applications from a non fraudulent company.

so I got one mail I want (the maazine) and 2 that would not be spam to one spam mail. And one spam that is at least quarter way reputable.

so yes, postage is cleanin my real life inbox.

Also, unlike e-spam, postale spam makes it so I can send a letter for less money, much like TV spam gives me free tv.

Re:Postage hasn't stopped Junk mailers

It certainly has. I only get 1 or 2 a week. Maybe. Maybe you're receiving over 600 unsolicited snail mails a day though. That's how much spam I normally have in my inbox.

Re:Postage hasn't stopped Junk mailers

[EvilTwinSkippy]

And then EvilTwinSkippy was enlightened...

Re:Postage hasn't stopped Junk mailers

[M.C.+Hampster]

Um, yeeeah....

...Checks mailbox...

Let's see here, I've got around 4 or 5 unsolicited mails here. All of them look to be from legitimate businesses. All of them have paid money to try to solicit me.

...Checks Yahoo! inbox...

Hmm, around 150 unsolicited emails in a single day. I don't dare look at them because of the web bugs, scams, etc. that are present.

Do you think that if postal mail didn't cost anything that I'd be receiving only 4 or 5 unsolicited mailings a day?

Re:Postage hasn't stopped Junk mailers

[gnu-generation-one]

"Everyone, please go home and open your mailbox."

One letter, from the electricity supplier. 800 spam emails, dunno who from. 300 virus emails. What's it supposed to mean again?

Re:Postage hasn't stopped Junk mailers

[4of12]

Now tell me if having to pay for postage has cut down on the level of unsoliceted mail arriving in you snailmail mailbox.

Excellent point.

I may be wrong, but from what I understand postage on that unsolicited bulk snail mail helps to keep the post office in business (even though they charge us mortals more for one-off mail).

The snail/digital analogy would be nicely completed if fees paid by spammers would be enough to help keep the Internet in business.

Re:Postage hasn't stopped Junk mailers

[austad]

I'm Alan Ralsky you insensitive clod!!!

Re:Postage hasn't stopped Junk mailers

[gcaseye6677]

I'd say that laws against mail fraud that carry stiff penalties are more of a threat to junk mailers than the prospect of paying bulk postage rates. Not to mention it would probably be easier to trace a bulk mailer than some spammer relaying mail from an anonymous overseas proxy.

Re:Postage hasn't stopped Junk mailers

[evilviper]

postale spam makes it so I can send a letter for less money,

I hear people saying that quite a lot... However, I have yet to see any shred of evidence to back-up that claim, just baseless assumptions.

Re:Postage hasn't stopped Junk mailers

[drfireman]

You don't know how much physical junk mail you'd get it it were free. Fortunately, I do. You would get over 12 tons of physical junk mail a day. If you're getting less than that, then you should conclude that postage has done a good if not perfect job of curtailing your problem.

Re:Postage hasn't stopped Junk mailers

[EvilTwinSkippy]

Not to mention the cost of stamps rising almost annually.

Re:Postage hasn't stopped Junk mailers

[AvitarX]

Well gas seems to rise in price anually too.

And that is the most cost effective way to move mail around, so that is not to shocking.

Also sub-urban sprawl increases the cost of mail delivery too. Again, and people get further apart I expect the cost of mail to increase.

Lastly and likly not true, but possible the increase in databases could mean that bulk mailers are sending less more targetted mail. Which would mean that if my original premise was correct the cost of mail would increase.

I don't know if my last premise is true or not. All I know is that the marketing department of Heidlberg (big printing company) claims it is true when they sell their machine designed to handle cusomized printing. But the source is not too reliable under the circumstances.

Re:Postage hasn't stopped Junk mailers

Use the "G" button you dumbass.

Re:Postage hasn't stopped Junk mailers

It hasn't. But it sure has cut down on the reason to even have a mailbox. If not for all those stupid bills, I wouldn't need one at all.

Re:Postage hasn't stopped Junk mailers

[Haeleth]

Now tell me if having to pay for postage has cut down on the level of unsoliceted mail arriving in you snailmail mailbox.

Answer: we don't know.

Paying for snail mail was implemented long before the advent of unsolicited commercial mailing. We cannot say that postage fees have cut down the level of snailmail spam, because we do not have any data on what the levels would be if there were no postage charge. Of course, it cuts both ways: we also can't say that they haven't.

My guess? If we implement postage charges for email, we'll see a huge rise in phishing, with spammers using stolen credit cards to pay for their e-stamps. And spam will drop by 10% at best.

Re:Postage hasn't stopped Junk mailers

[hymie3]

..Checks Yahoo! inbox...

Hmm, around 150 unsolicited emails in a single day. I don't dare look at them because of the web bugs, scams, etc. that are present.


How is that even possible? I've had a yahoo account since, well, the first day they offered a free email account. I get about 150 spams a day... in my Bulk folder. I get about five a day in my Inbox.

Two months ago it was more like ten a day in my inbox. Spam filtering *does* work and I point to Yahoo as one way that seems to work well. With the addition of filtering (I am, admittedly, too lazy to take the time to add a filter to catch the remaining four or five a day which tend to all come from the same set of spammers) spam really can be dropped to a manageable level.

Also, Yahoo, by default, turns off images and javascript and crap in the emails in your inbox. You *have* to turn them on. 5 a day slipping through the filter is still five too many, but it's a far cry from the deluge that you seem to imply to be the case.

Filtering *does* work.

I think I have a better solution.

[mikeophile]

Instead of billing the sender of bulk email, why can't the receiver bill the service provider who permitted the bulk email to be sent in the first place?

What you say? Microsoft would get huge bills because of the abusers of it's Hotmail service? That would be a pity, wouldn't it?

Re:I think I have a better solution.

[EvilTwinSkippy]

'Cept that all of those spammers are generally using forged headers from all sorts of third-world locales, hijacked desktop machines, and other legal, semilegal, illegal, and otherwise extra-jurisdictional relays.

The Internet is not a closed system. They would throw a satellite into orbit and shoot their spam in from space... through hijacked TIVO boxes connected to satellite TV subscribers jacked into a DSL line for broadband.

Wipe away to the satellite subscriber being led away in chains...

(6 Hz voice) Now doesn't cable sound so much better?

Re:I think I have a better solution.

[AKnightCowboy]

What you say? Microsoft would get huge bills because of the abusers of it's Hotmail service? That would be a pity, wouldn't it?

I've never seen a spammer using a Hotmail account to relay spam. It's be pretty impractical since it's web based. They may or may not forge the from address to appear to be coming from Hotmail, but that doesn't make Microsoft guilty of anything.

Re:I think I have a better solution.

I don't believe that there is a technological solution to spam, and this one is no different, although not for the reasons you cited.

'Cept that all of those spammers are generally using forged headers

Forging headers is irrelevant - you just look at the last one before it hits your server. That one can't be forged.

from all sorts of third-world locales

Which would get disconnected if they didn't pay their bills. If the person is running an open relay, they'll be quick to fix it once all of their net access goes away.

hijacked desktop machines

Who need to get their machines fixed. Might teach them a lesson.

and other legal, semilegal, illegal, and otherwise extra-jurisdictional relays.

All of which is irrelevant..

THe real issue with this is that there is no way for a machine to differentiate between solicited and unsolicited SMTP. You think that Linus would want to start paying money for every post on the LKLM? Or Bugtraq? Or any confirmed opt-in service?

Re:I think I have a better solution.

That last one my friend is a SOCKS proxy, dumbass.

Re:I think I have a better solution.

[Phroggy]

What you say? Microsoft would get huge bills because of the abusers of it's Hotmail service? That would be a pity, wouldn't it?

Most spam from @hotmail.com addresses doesn't come from Hotmail. A list of what's currently in my inbox:

From: mail.com
Really from: hispeed.ch

From: mail.com
Really from: hispeed.ch

From: osn.de
Really from: adsl.tpnet.pl

From: tiscali.co.uk
Really from: t-dialin.net

From: artnet.com.br
Really from: ny325.east.verizon.net

From: siba.fi
Really from: dsl.pltn13.pacbell.net

From: cellularpia.co.kr
Really from: cypresscom.net

From: wanadoo.fr
Really from: btcentralplus.com

From: hotmail.com
Really from: megared.net.mx

From: xcelco.on.ca
Really from: bb.netvision.net.il

From: onlinehome.de
Really from: interbusiness.it

From: el-nacional.com
Really from: (IP address)

From: tiscali.co.uk
Really from: cable.ntl.com

From: web.de
Really from: (IP address)

From: sasquatch.com
Really from: dyn.optonline.net

From: julian.uwo.ca
Really from: dsl.lsan03.pacbell.net

These are the spams I've gotten since last night that were not blocked by SpamCop (most of my mail is forwarded through SpamCop, but not all, and SpamCop doesn't always catch all spam). This also doesn't count what gets blocked by my DNS RBL filters. Anyway, notice how many of them came from different countries than the e-mail address used. There's really no correlation.

Re:I think I have a better solution.

[KlaymenDK]

At first this sounds good, but there's a catch called "not everyone runs their own mail server".

Take me for instance, I've got a website that was (WAS!) hosted with Azero in Denmark -- twice we were hijacked to send spam, and twice Azero basically told us to go fukk ourselves. Naturally, we're not on a much better provider.

But those two times, who should be stuck with your bill? The shitty provider, or the non-mailserver-skilled site owner? Basically, where do you put the blame when outsourcing is a part of the equation?

Already working?

[pen]

It seems that both Yahoo, and lately Microsoft, have discovered a pretty good solution for spam. My YM mailbox has been largely spam-free for a few months, and in the last week or two, Hotmail has been doing a pretty good job as well. Every now and then a spam gets through, but that's about it.

Re:Already working?

I closed down my hotmail account last year, when I reached the limit on spam filters. The only option they gave me was to pay for a upgraded service. Considering the amount of spam coming through hotmail, I declined, as I already pay for spam, and don't need to get hit twice.

I now use my own mail server, fully tested by ORDB as secure, with RBL checks, which has severly curtailed spam reaching me. HotSpam can take a hike, I will use my own proven secure, stable, and trusted system instead.

Re:Already working?

Yeah, AOL is doing that too. It's called DATERS: Deleting Anything That Even Resembles Spam.

My sister has an AOL email address, and I can't mention anything in her emails or it gets kicked back as spam. Emails to her have to be completely devoid of usable content to get through.

Nice system guys.

Re:Already working?

[RetroGeek]

Emails to her have to be completely devoid of usable content to get through.

But isn't that the definition of SPAM?

sounds silly to me

[Matt+Ownby]

What is wrong with migrating to a replacement for SMTP? What is wrong with developing better challenge/response systems?

If email gets a postage fee applied to it, people will stop using it. If I have to pay to send mail to someone at yahoo or hotmail, I would tell that person to get a different email address. No one is going to use email if it has a mandatory fee attached to it. Then again, maybe that's what needs to happen to give people a reason to stop using SMTP ...

Re:sounds silly to me

I totally agree. I recently got handed the sys admin job of our Linux server. I am astonished at all the seemingly easy to implement things out there that would have made our service better for our client's that we host. Things like SMTP auth, which I admit I haven't had the time to implement cause I want to give myself a nice buffer to work with should things break. I know there are people out there with more knowledge in the field, but couldn't it be possible to make a new system that works with the old, that implements a lot of better anti-spam security and such into the standard. You could even build into the server a way to make it work with the current way, much like how IPv6 adopters can still access IPv4 stuff. Then once everyone has been given enough time to make the switch and the new system is robust and has gone through some real live load testing and the like and proven to be effective and stable we can just pull the plug on the compatible part and work with a revised better way of doing email.

It seems like a lot of what people are doing to fight spam is good, it would just be better served as part of the standard instead of duct taped on.

Re:sounds silly to me

[axxackall]

What is wrong with migrating to a replacement for SMTP? What is wrong with developing better challenge/response systems?

Nothing.

If email gets a postage fee applied to it, people will stop using it.

This is the answer on the question "How can we push people to use email/NG or whatever?"

I think we are at begining of what we may call as "the end of email as we know it". I think in few years corporations will move to e-signed electronic messages, following by the home users.

But if MS/Y! will bring the postage to SMTP then I doubt that email/NG will be based on SMTP - most likely people will look for alernative still not-commercialized solutions. Somehow i have a feeling that Jabber have many chances here. But we'll see.

Re:sounds silly to me

[pjrc]

What is wrong with migrating to a replacement for SMTP?

Migrating (in our lifetime).

What is wrong with developing better challenge/response systems?

Again, the migrating part.

Re:sounds silly to me

[hennypenny]

The idea of raising the costs to the spammers appeals to me as a natural way to thwart current volumes, but there are some drawbacks.

If I want to send an e-mail to someone who checks for stamps, I need a new mail client. How long will it take to outfit the world with new readers or plugins for Pegasus, Outlook, Eudora, Mosilla, etc?

Some reputable outfits such as Thawte, US Postal Service , Deutsche Bundespost, etc. need to set up facilities so my e-mail can get stamped, and I can get billed.

We need both mail readers and mail hosts that can verify the stamp's validity.

To be at all acceptable there has to be a whitelist mechanism a recipient can invoke, again at the server and desktop.

On the other hand, until these systems are in place, we are no worse off than now.

But it seems to me that if someone has a foolproof new protocol, that would be just as big a job to implement, and would have the benefit of not triggering all the squeaks about "free e-mail."

On the other hand, I have not seen a description of such a foolproof system that I understood and had confidence in.

Re:sounds silly to me

[blakestah]

What is wrong with migrating to a replacement for SMTP? What is wrong with developing better challenge/response systems?

Nothing. Except that Microsoft and Yahoo! don't make millions implementing it.

A solution.
1) Bayesian filtering
2) Add SPF
3) Add whitelisting, by having encryption keys for each SMTP server's outbound mail. This is effectively a per SMTP server whitelist - public keys are obtained as part of mail client reading the mail.
4) smtp-auth

No one without a name-password can send mail. He can only send mail from his own SMTP server. His mail is encrypted to prove where it came from, and his IP address checks out with the DNS listing for his domain as a permitted sender. And, his email is still scanned for content.

This takes care of all current spammer techniques - compromising local machines (smtp-auth), forging domains (encryption key mismatch), etc.

This is a great idea!

[mir@ge]

I mean, paying for postage has stopped advertisers from sending marketing materials to my home. Oh wait, sorry. This is a terrible idea!

-Alec

Re:This is a great idea!

[FrancisR]

But with real mail, at least you get those pretty Business Reply Mail cards.

Re:This is a great idea!

[gsperling]

Which you can promptly put a big red "X" on, and put back in the mailbox and send back to the offending company. They are then charged for the return postage back to them. Or, how about the credit card offers that send you business reply envelopes? I shred their application and mail it back to 'em.

Re:This is a great idea!

The best thing to do with those is to mail something heavier than paper. (Not my idea, so other posted something about this a year back or so). His proposal was to fill the envelop with cement powder or whatever the heck you make concrete from. Seal the envelop, dip in water. Wait to dry and you're mailing them a block of concrete. Of course this assumes that they have to pay an increased cost with increased weight, and cement powder would cost you money, but I still think it's a great idea.

Question...

[JoeLinux]

Wasn't one of the hallmarks of a doomed .com company the fact that they tried to get people to pay for something they usually got for free?

Just spitballin' here..

Joe

Re:Question...

[doorbot.com]

Wasn't one of the hallmarks of a doomed .com company the fact that they tried to get people to pay for something they usually got for free?

Like SCO's "Linux license"?

Re:Question...

SCO got the patent on that one... Linux is free, but they are asking for $599.

Re:Question...

[firewood]

Wasn't one of the hallmarks of a doomed .com company the fact that they tried to get people to pay for something they usually got for free?

Unfortunately, it's no longer free... unless you consider buying or learning how to install a spam filter free, or wading through 100's of obnoxious emails every day. The major of providers of free web email will probably start charging for unsecure SMTP eventually also, since it costs them; but leave the new secure email protocol free for recipients, since they actually will make money from any postage from a pay protocol, or need less resources due to much less spam from a more secure non-pay protocol.

Re:Question...

[_Sharp'r_]

Yeah. Let's get real. Here's how it would really go:

1. Yahoo, AOL, MSN, whoever decides that they are going to setup a system where it costs users to send emails.
2. People notice email costs money now.
3. Several million new "free" email services appear on the Internet run by anyone smart enough to setup SMTP services on whatever port is settled on if they start blocking 25, in combination with all the ISPs in the world that didn't go along with (1) above.
4. Yahoo, AOL, MSN, whoever that was doing (1) above start to either suffer a massive user drain because they just started charging their users a bunch of new fees, or they roll the cost of sending email into their "normal" fees to avoid that. This makes (1) above completely pointless, other than to encourage semi-secret gateways between the free and paid email systems.
5. ???? (just to keep tradition)
6. No profit, no affect on spam, paid email goes away.

Re:Question...

[futuramarama]

Sure, but then they also got wise and started putting any number of advertisements on online sites I used to read for free (I don't mind the banners...except when they explode over the text).

Spam is another form of this, but more like an ugly roadside billboard. And despite occasional local government initiatives to remove the billboards, there still seems to be plenty of them.

Postage on Email won't stop spam anyway

[Djarum]

Think about how much junk mail you get in your post box already? You think charging is going to eliminate it? I just checked my mail. I got a bill, the new issue of Rolling Stone and 6 pieces of junk mail sent to "Current Resident" which promply went straight to the trash.

I wonder how many trees would be saved if people stopped sending junk mail.

Re:Postage on Email won't stop spam anyway

[ilikecaffeine]

I've found meatspace spammers are getting more creative with their addresses. The other day, I got a bunch of coupons addressed to "Primary Grocery Shopper." I haven't decided how I feel about that. Is that better or worse than "Current Resident?"

At least they didn't buy my name, I guess.

Why can't DNS solve spam???

[clusterix]

Why can't MX records become required to list all in AND out going official SMTP for a domain. From then on, SMTP servers could reject non matching MXed sender IPs and if spam does get through - you know you to blame.

Re:Why can't DNS solve spam???

[tubabeat]

That'll be SPF you're talking about there then.

Re:Why can't DNS solve spam???

If you set up a mail server properly, then an MX record is required, or the message bounces, informing the sender that they are misconfigured.

I had a legit message bounce due to this, as the last link in the send chain was the DNS server, and not their mail server. They fixed it, pronto, and their mail now comes through.

There are many methods to ensure legit mail on the server, but a lot of them are not enforced by default.

Reg-free link

[Joey+Patterson]

Here.

The Real Question.

[Neck_of_the_Woods]

Who profits? Who will regulate the size and the postage on that? Would they still agree that this is a great Idea is the US postal service was the one that made a profit?

I am still surprised to this day that there is not a better solution to e-mail. Maybe that is the next killer app....the race is on boys they are just trying to figure out how to make the most money on it.

International Problems

[glpierce]

Exactly how will this work outside the US? Considering that $0.01 is a lot of money in third-world countries, and not much in the UK, you can't just make it a flat rate. But if you make it a sliding scale, what's to prevent a spammer from using an address in Somalia to make it cheaper?

Re:International Problems

[millahtime]

I would have to say the rest of the world would ignore us. So they put something into effect here.... foreigners would all go down to the local pub and have a beer while laughing at us.

After looking at the possible solutions

[Sheetrock]

It's clear that sender-pays is the only technological scheme that is effective and can be guaranteed effective in the long term.

Other proposed solutions involve lengthy computations on a sender's machine, which can be trivially verified on the receiver's machine. These will be overcome with faster machines, and spammers can afford better hardware than the rest of us anyway. Legislation is no solution, as the only sort that respects the First Admendment rights of emailers provides the same rights to unsolicited email.

As the saying goes at our local Mensa chapter: wise thoughts may go into your mind, but pultem calidus invado pantorum. At the end of the day postage is the cheapest option, given the cost of enforcement or technology updates.

Re:After looking at the possible solutions

So, mensa boy, where would the calculations to determine the postage take place?

Re:After looking at the possible solutions

[LesPaul75]

It's clear? I wouldn't say it's "clear."

What happens when your machine sends 500000 spam messages because it's infected with a virus? How exactly do you "guarantee" that won't happen? The only thing that's truly clear is that there is no guaranteed effective solution.

Who modded this up? Do Microsoft employees read slashdot?

Re:After looking at the possible solutions

[Sirch]

pultem calidus invado pantorum

Californian chickens invade our pants?

Re:After looking at the possible solutions

[jcr]

Other proposed solutions involve lengthy computations on a sender's machine, which can be trivially verified on the receiver's machine. These will be overcome with faster machines, and spammers can afford better hardware than the rest of us anyway.

Not necessarily.. There are problems that can be made arbtrarily difficult to compute.

-jcr

Re:After looking at the possible solutions

[ComputerSlicer23]

Hmmm, "Sender Pays" is a technical fiasco. There's a reason that micro payment doesn't exist. The only reason send pays works just fine for the US Post Office. Because there is only one party to buy postage from, and you buy it, and tack something physical on a real piece of mail.

What charge are you going to have for sending a piece of mail? Is it a penny? What happens one you get charged a penny for a piece of mail you didn't send? What happens when you get charged a penny a quarter of a million times for a piece of mail you didn't send? How does the ISP keep track of who racked up the charges? How does the ISP bill the consumers for it?

Because I might have to make fiscal transactions with say 500-10000 different financial institutions, that will have a transaction fee that far exceeds what any sane person would be willing to pay to send a piece of mail. So once you solve this minor issue, that lots of people have been working on for years, it might just work. (E-Mail might be just the leverage you need to pull this off, micro payments have never really had a killer app).

However, enforcing someone to do a math problem has an absolutely trivial solution to new hardware. Make the problem harder. Nearly all of the problems involve doing some type of math problem. Want to make it more expensive. Require them to do the same problem, but with bigger numbers. Your next problem, is that Spammers will pay $20K to get custom built hardware to do the problems orders of magnitude faster then any generic piece of hardware could do it.

Finally, the easiest way, is to get all outgoing SMTP servers to add an X-Header signature to all e-mails. This e-mail minus the X-Header's digital digest with the private key on a public web of trust is "XYZ". Now your problem is that you've created an incentive for people to steal private keys. The private keys will have to be kept in pretty much in the clear somewhere on the machine (which will be a problem).

Now you've just made the size of each e-mail significantly large (most signatures are a 1-4K if I remember correctly).

Now you have to solve the PKI problem

Finally, my preferred solution, is to force the sender to sign the mail using the GPG key I give them. Technically speaking, they could sign it with any key they want, but I white list in any signature using my public key, and the public keys that are used on the mailing lists I'd like to follow. Then mailing lists only have to sign one mail message and send lots of duplicates of that single signature. Now, getting past my SPAM filter requires that you deal with an object that I control. So if Yahoo gets their private key stolen, some spammer will start spewing SPAM that can get past nearly all ISP's spam filters where the SMTP just signs the mail. In my system, I couldn't care less. My public/private (which is only used for this, I have another one for authenticating who I am), has no value. I'll gladly post both of them to the net. I can make it easy for people who I can to send me mail, and all my mail has some form of digitial checksum on it. All of which is good. My only problem would be if someone found a mailing lists private key. All I'd have to do is then tell the admin that his key has been compromised and somebody is sending SPAM with it.

I'm not fond of SPF, because all someone has to do is be able to forge an IP, which isn't particularly difficult. I can't control all the nasty corners of the internet. I can control what key I force you to use, and I can control what lists I put on my trusted key list if they cause problems for me.

The biggest problem with my solution is that it requires everyone to change how they work. Technically all they have to do is go fiddle with sendmail a bit, and add an outgoing X-Header, I can use that to white list people in until it reaches critical mass. Then I can just black list anybody who doesn't do that to outgoing mail.

Kirby

Re:After looking at the possible solutions

[ultracosm]

Theoretically the sender should be paying already.

People who want to connect get an internet account, which they must pay for (or their school or community or whatever). Included in that fee is the cost of email.

The problem with Spam NOW is that spammers are finding ways to use internet service that other people have paid for, without permission.

The solution is to force ISPs to enforce their own end user agreements about not sending spam. And while they are at it, enforce a requirement that no computer that has been compromised by a trojan or virus may be connected to the network, nor may any computer that is configured (accidently or on purpose) to allow others to use it without permission.

Once spammers are using their own accounts to send spam, so they aren't stealing service from other people and can be identified and held responsible if they do engage in fraud or theft, maybe then the spam problem will still be out of control and need a further solution, like "postage" or challenge response. We can talk about it then.

Re:After looking at the possible solutions

[irokie]

anger like this deserves more recognition!
and the man has taste in guitars too!

Re:After looking at the possible solutions

[Have+Blue]

Anything that requires the end user to do more work than they do now will never work (this includes setting up signing services and managing whitelists and blacklists). It has to be fully automated and performed by the ISP.

The next thing that will probably happen in the spam wars is that port 25 outgoing gets blocked by most ISPs to combat trojaned home PCs. No, it's not a perfect solution. Yes, it will inconvenience some innocent users. Email has become a textbook tragedy of the commons; spam is a constantly growing problem and sooner or later the flaws in the current email system will outweigh its benefits and the current system will be replaced by something less capable but more resistant to exploitation.

Re:After looking at the possible solutions

[JuggleGeek]

It's clear that sender-pays is the only technological scheme that is effective and can be guaranteed effective in the long term.

Nonsense. In order for sender pays to work, you have to be able to verify who *really* sent the message. Otherwise, you can't bill them - you don't know who sent it. That isn't the only problem with sender-pays, but it's a killer.

Once you can verify who really sent the message, the spam problem gets much easier to deal with. If you know that they claim to be JohnDoe but they aren't really JohnDoe, then you can toss that mail - you already know it's not legitimate. If JohnDoe really did send the message, and it's spam, he'll end up blacklisted in no time. Sites that rarely, if ever, have complaints about spam will end up on whitelists, just as the sites who commonly abuse will end up on blacklists.

Having verification about who *really* sent the mail makes things relatively easy. And once that is done, forcing people to pay to send email is pointless.

Re:After looking at the possible solutions

[Snowmit]

Maybe you Mensa kids should take a good look at your (snail) mailboxes and the 'in' bin next to your fax machine. See all of those unsolicited commercial messages?

Sender pays does not discourage commercial users in the real world. Why would it suddenly start working on the Internet? So long as it is in some way profitable to send us advertisements, companies will continue to do so.

What sender pays does accomplish is that it discourages legitimate use of mail. I get a lot more commercial letters than ones from friends and family. Apparently, it's profitable to send me ads. On the other hand, I get substantially more legitimate emails than unsolicited commercial ones. If you start charging me for sending email to friends and family, that will stop.

Re:After looking at the possible solutions

[ComputerSlicer23]

Two points. Technically speaking the ISP could do all of it for you. There is no need for you to know your GPG key (it's useless to you). They could do everything but setup the mailing list keys. At which point, once this setup is common enough, I'm sure ISP's will automate this. Just verify the most commonly used keys that didn't get accepted. Add them to the known white list you trust at the ISP level. Technically, there is no need for an individual to have a single key. The ISP could have only 1 key, or could have 1 key for 10 users.

This technically speaking won't stop SPAM. However, it will change the economics of it.

Finally, filtering SMTP 25 has been done for ages on plenty of networks. I've had it done to me when I was in Rolla, MO in 1998 or so.

Again the problem is that I can't control all the networks in the world. I can only control mine. I want a solution that puts me in control. I have no interest in a solution that involves me trusting the entire internet.

Kirby

didn't HE write thsi already

[bvdbos]

I remember HE who's name shall not be spoken on this site predict this already in the 1995-book The Road Ahead? It's been a while since I read it so I don't recall this exactly, but I do remember something about this is in the book... gr Bas

Ha!

[Mr.+Underbridge]

How come stamps can't stop all the spam I get through snail mail? Please, make those AOL disks stop!

I realize you're being facetious, but I still don't get 100 AOL discs a day, like I do spam. Hell, if I did, I wouldn't have had to use my nice Snoop CD for my wall mural.

Re:Ha!

Now wait just one minizzle.

Re:I like the computational challenge solution bet

[millahtime]

What about me who runs a mail server (a legit one at that for a no-profit) on an old Pentium 166? It's a fine smtp server but don't ask it to do any heavy math. This would screw the little guy using old hardware too.

Better than that...

[ackthpt]

They stand to make huge profits because they host the inboxes of millions of users. Every email received at those accounts would invoice the sender. It's a no brainer for BARRELS OF CASH !!! (tm)

Someone also has to provide software and systems to meter and invoice email. Gee, who could that be...

Worst non-solution ever

[192939495969798999]

If that worked, then regular mail would have no junk mail, because no one would pay the postage. Yet every time I open the mailbox, I am greeted with a fistful of unsolicited advertisements. The only way to "block" email spam is to not have an email address. For every measure put in place, there will be someone willing to work around it.

Re:Worst non-solution ever

[cosmo7]

The first problem with equating junk mail with spam is that you don't know how much junk mail you'd get if postage and printing were free. I imagine it would be a lot. Like a tree's worth of paper every day.

This is why your junk mail is qualitatively different to your spam; the price hurdle means that a business has to have something viable going on to make it worthwhile. With the stamp scheme you'd probably start to see paid-for spam, but not like the depressingly offensive stuff that is being delivered to your inbox right now.

Reading without account (using google)

[Marco+Krohn]

1. copy link location (here: "http://www.nytimes.com/2004/ and so on...")
2. google search for the URL: search for "http:// and so on"
3. ignore that you got no search results and click on the link below "If the URL is valid, try visiting that web page by clicking on the following link: " (and yes, it is the same link!)
4. enjoy reading :-)

Re:Reading without account (using google)

[Joey+Patterson]

Or just click here.

Re:Reading without account (using google)

[Marco+Krohn]

Doesn't work for me unfortunately :-(

I better start practicing...

[PaulK]

my tweezer skills. It's not enough that I've spent decades removing paperclips, business cards, broken diskettes, credit cards, diskette labels, coins, and other assorted crap from drives and systems....

Now I need to worry about stamps too, just as my eyesight is diminishing.

Score one for the hardware folks! Best idea ever!

Postage -- even more spam!

[Mad+Bad+Rabbit]

Oh, great. One of the proponents is a bulk-emailer called "Goodmail", who wants this system because if they pay to send out spam (with the postage going to ISPs), the ISPs will have a financial incentive not to block them.

Re:Postage -- even more spam!

[Dukael_Mikakis]

the ISPs will have a financial incentive not to block them.

It's sort of a sly trick that ISPs already have a financial incentive not to block spammers. Spammers pay lots of good money to use the ISPs' servers for distribution.

More like...

[tubabeat]

...A scheme to encourage spammers to send out even more trojan laden viruses to send their spam from compromised machines at the expense of the victim.

I fail to understand how a scheme that involves the schemes administrators making a profit for every mail sent is going to reduce the amount of mail sent.

Re:More like...

[Patrik_AKA_RedX]

I fail to understand how a scheme that involves the schemes administrators making a profit for every mail sent is going to reduce the amount of mail sent.

It's the same methode used by governments. They can't find a decent solution to a problem, so they invent a new tax for it (see sigarets). 6 months later the problem is still there, so they raise the tax. (see sigarets again).

At the end of the year, the problem is still there, people pay more taxes and the politicians "solved" a problem.(sigaret anyone?)

Re:More like...

[theCoder]

Oh, it'll reduce the amount of mail sent, just not the amount of spam mail. That's not strictly true, since the amount of spam sent would go down as well, but not as much as the amount of legitmate mail.

But I'll continue running my SMTP server as long as I'm able. Maybe I'll just start telling people about my "freemail" address that doesn't require a payment to send to.

Choice Quote

[nate1138]

Heh, here's a choice quote, from an exec at Goodmail, one of the postage schemes that would allow postage paid spam right into your inbox:

"The very notion that I have to get permission to send you a marketing message doesn't make sense and is not good public policy,"

I think it's GREAT public policy. If I don't want your ads, tough shit.

Re:Choice Quote

[ogre57]

"The very notion that I have to get permission to send you a marketing message doesn't make sense and is not good public policy," said Richard Gingras, Goodmail's chief executive.

To: Mr Richard Gingras

Dear Sir,

So you think getting permission to send a marketing message doesn't make sense. Fine. In addition to the proposed penny you will be charged by the ISP we demand you also be charged $100.00 to be credited to each recipient for each marketing message of yours delivered to our inboxes. Thus sending 1 message to 1,000 people will cause $100,010.00 to be deducted from your account. We will continue to delete your marketing message unread of course, the $100.00 merely reimburses us somewhat for the required hassle without imposing an undue burden on you, the sender.

We seek a similar arrangement regarding telemarketing, those responsible for the trash the USPS jams in our snail mail boxes, and all other forms of unsolicited marketing. Specifically we demand the sender be charged with whatever handling charge is reasonable for the medium, plus at minimum $100.00 (indexed to inflation) to be tendered to each recipient of your message as fair recompense for disposing of your unwelcome waste.

Our alternate proposal is that you serve one day in prison at hard labor per message per recipient. Thus for sending 1 message to 1,000 people or 2 messages to 500 you personally and all other responsible parties would spend 1,000 days "making big ones into little ones" or similar activity. We consider the additional monetary burden well worth the satisfaction of knowing you are receiving what you so richly deserve, including quality time with your roommate "Bubba".

We realize many will consider the above proposals to be too lenient. Indeed, many of us were quite vocal in our support of a variation of "Death by a Thousand Cuts". However the majority believe we should reserve such methods for use if the gently persuasive measures listed above were to fail.

Regards,

Nearly Everyone Else On The Planet

Yahoo supports this?

[mblase]

Yahoo! Mail already has a spam filter engine, and it's ridiculously effective for a freemail provider. I rarely use my Yahoo account, but still tend to check it daily for email that should go to my new email addy and doesn't.

On a typical day, Yahoo! Mail will have around 100 new spam messages for me, and only two to six of them will make it to my inbox. After a quick setup a month or two ago, I can now check them all with one click and have them identified and deleted as spam with a second click.

While I understand Yahoo! wanting to lessen the burden on their filtering software by supporting postage, I think the sheer cost of such postage would eliminate Yahoo! Mail as a free service and wipe out most of its users in the process. I honestly can't imagine why they would want to use it instead of their already very effective spam traps.

Hash Cash and standards

[GeorgeH]

I heard some guy from Microsoft talking about some of MS's spam plans, after billg committed the company to stopping spam by 2006. They seem to really like the idea of hash cash, which certainly seems like the most reasonable bolt-on solution.

I think the best bet for Microsoft's anti-spam campaign would be to be as open as possible with the process. If they could come up with a standard for hash cash, enable it on every Exchange server, as well as provide it for every Sendmail, Qmail and Postfix server, they would have a huge PR victory. Everyone would be focusing on how Microsoft cured spam and they could start to shake their buggy image.

They've got two temptations they'll have to avoid if they want to win this battle though. The first is their culture: they're notorious for only using standards when it suits their needs. They need to be political about getting the standard accepted everywhere, which means playing nice with the Internet as a whole. The second is to try and use this to throw their monopoly weight around. If they say "only Exchange servers can user our powerful anti-spam techniques" people will turn off the spam protection so that they can get mail from Linux mail servers. I'm pretty sure they're too smart for the second one.

Basically, this is intuitive to most Slashdot readers. Open networks are bigger than closed networks and a network's value is exponential of its size. If MS can make an open spam solution they'll have helped build a very valuable network.

Re:Hash Cash and standards

[EvilTwinSkippy]

Why am I not going to be shocked when in 3 years my Postfix box will be ignored by Exchange servers because it's open-source and thus and open relay. This is such a shameless grab, almost as bad as their campaign to paint Linux boxes as unsecure. Any linux users remember THAT back in '99? Talk to any MS admin about a Linux box and they swore it was virus infected.

Re:Hash Cash and standards

[eric777]

Painting Linux boxes as *insecure*? That's pretty funny.

The thing is, I don't remember that happening.

Not doubting you or anything, but can you post a supporting link or two?

Ideally, you could find a Microsoft-sponsored article in the wayback machine...

Bah, article text

[Joey+Patterson]

Gates Backs E-Mail Stamp in War on Spam
By SAUL HANSELL

Published: February 2, 2004

hould people have to buy electronic stamps to send e-mail?

Some Internet experts have long suggested that the rising tide of junk e-mail, or spam, would turn into a trickle if senders had to pay even as little as a penny for each message they sent. Such an amount might be minor for legitimate commerce and communications, but it could destroy businesses that send a million offers in hopes that 10 people will respond. The idea has been dismissed both as impractical and against the free spirit of the Internet.

Advertisement

Now, though, the idea of e-mail postage is getting a second look from the owners of the two largest e-mail systems in the world, Microsoft and Yahoo.

Ten days ago, Bill Gates, Microsoft's chairman, told the World Economic Forum in Davos, Switzerland, that spam would not be a problem in two years, in part because of systems that would require people to pay money to send e-mail. Yahoo, meanwhile, is quietly evaluating an e-mail postage plan being developed by Goodmail, a Silicon Valley start-up company.

"The fundamental problem with spam is there is not enough friction in sending e-mail," said Brad Garlinghouse, Yahoo's manager for communications products.

The company is intrigued by the idea of postage, Mr. Garlinghouse said, because it would force mailers to send only those offers a significant number of people might accept. "All of a sudden, spammers can't behave without regard for the Internet providers' or end users' interests, " he said.

Neither Yahoo nor Microsoft have made any commitment to charging postage, in part because the idea still faces substantial opposition among Internet users.

"Damn if I will pay postage for my nice list," said David Farber, a professor at Carnegie Mellon University, who runs a mailing list on technology and policy with 30,000 recipients. He said electronic postage systems are likely to be too complex and would charge noncommercial users who should be able to send e-mail free.

"I suspect the cost of postage will start out small and it will rapidly escalate," he added.

In the meantime, the big Internet providers, including Microsoft and Yahoo, in recent weeks have renewed talks that stalled last year about creating technological standards to help identify the senders of legitimate e-mail. That way, spammers would either have to identify themselves or risk that users would discard all anonymous mail.

But for the big Internet access providers, or I.S.P.'s, the prospect of e-mail postage creating a new revenue stream that could help offset the cost of their e-mail systems is undeniably attractive.

"Sending large volumes of e-mail involve costs that are paid for by the I.S.P.'s and eventually by consumers," said Linda Beck, executive vice president for operations at EarthLink. "Should there be some sort of financial responsibility borne by the originators of these large volume programs? I think there should." E-mail between private individuals, she added, ought to remain free.

Differentiating among classes of e-mail is one of the substantial technical difficulties that e-mail postage proposals face. In wrestling with this matter, academic researchers have proposed complex stamp systems in which each e-mail recipient sets the price for a message to enter his or her in-box. Mr. Gates talked at Davos about a system that would allow users to waive charges for friends and relatives.

Goodmail, founded by Daniel T. Dreymann, an Israeli entrepreneur, is developing a system that it hopes will be easier to adopt. It proposes that only high-volume mailers pay postage at first, at a rate of a penny a message, with the money going to the e-mail recipient's Internet access provider. (The company suggests, but does not require, that the Internet providers share the payments with their users, either through rebates or by lowering monthly fees.)

The Goodmail system is desi

Re:I like the computational challenge solution bet

[dustmote]

I thought I had been keeping up with the spam-stopping stuff, but I had never heard of this idea. It seems like a very good idea to me, pros and cons anyone?

Spam solution

[BeemanH2O]

Yahoo wants to find a solution to stop spam? Stop offering free e-mail accounts. Half of the spam I get comes from yahoo, the other half is from Hotmail.

Maybe if they would charge a dollar or two a month and make it an even better service such a problem wouldn't exist with them.

Re:Spam solution

[Dragonmaster+Lou]

Actually, if you look at the headers, most of the spam that looks to be from Hotmail or Yahoo aren't infact from them -- they just forge Hotmail or Yahoo return addresses.

That said, not having seen the actual spam you receive, I don't know if this is the case in your particular situation or not. However, this is the most common case.

Re:Spam solution

Too bad the spam doesn't actually come from hotmail and yahoo's mail servers or your view of the problem might be correct, as it is you clearly have no clue what you're talking about.

Maybe google "forged reply address" and u might find some ideas...

Well,

[hackstraw]

this sure works for snail mail.

Increasee sizzwwe

[Bishop,+Martin]

To:Microsoft From: Istar Muhbar Would u loike 2 no how 2 st0p spamz?

Re:I like the computational challenge solution bet

Same as always. What about mailing lists?

Still wouldn't stop all spam

[Necroman]

Many spammers hijack other peoples email accounts, or use fake/stolen credit cards to get email address from big providers (like Earthlink).

So this same person will go on Earthlink with their stole credit card, rack up some huge postal bill on the credit card from all the spam he/she sends out, but never actually get stuck with the bill.

Hacking/backdoors would also become more predominate on people computers, so the hacker/spammer can spam from valid email addresses without getting charged. This would just cause more problems then already exist.

Who gets the benefit from the postage?

How about the RECEIVER? If someone sends 100 e-mails, make it akin to sending each recipient a nickel (for their time/etc).. So next time I open my inbox and have 1000 new messages, I just made fifty bucks.

Sounds like you don't use Yahoo/Microsoft

[Ironstud]

Like spam people use their web front end. Yahoo and Microsoft have open relay servers. Maybe they should only allow people to access their accounts via the web.

Then make sure a person can not past a large number of recipients (like thousands) into the To field.

I don't use Yahoo and Microsoft free accounts because they are CRAP -- spammers can hack into their flawed business logics. (Just too many spammers use them from them).

as CBG might say

worst....idea....ever

Goodmail just wants to eliminate all free spam

[Thagg]

The Goodmail "solution" is the worst of all possible worlds. What they want to do is convince people doing spam filtering that paid-for spam should still go through. They want to raise the quality of the spam, not get rid of it.

Please. That's not the answer.

thad

Re:Goodmail just wants to eliminate all free spam

[Dr.+Mojura]

I agree. The "Good"mail idea seems to be that ISPs will charge spammers a fee to guarantee delivery to the end users. It is 'suggested' that the money collected be paid to the user in some fashion for receiving the e-mail, but that's not likely. What is likely is that some unscrupulous ISPs will sell a spammer the right to send a million emails to its users, keeping the profits for themselves. Granted, it seems this scheme would only work for a webmail type system, where the ISP handles all of the spam filtering, not the end user. Hotmail users, beware!

Re:Goodmail just wants to eliminate all free spam

[gnuman99]

This will not fly. From the "goodmail systems" website:

Goodmail Systems has developed a patent-protected email stamping process that addresses the root economic causes of spam.
...
Responsible mass-mailers, who have watched email decline in viability as a marketing and group communications tool, will be able to communicate more effectively and benefit from dramatic increases in delivery rates.

Sooo, they have patented some hash algorithm (or some encryption like GPG has) to identify people. Well, that is bloody original. Isn't it like PGP and GnuPG ??

Futhermore, since free software will not incorporate anything like this, this entire thing will fail. If MS/Yahoo put this into their emails, we'll see a bunch of replies - sednamil/exim/postfix/etc.. " has detected a virus in form of a patented hash. Please use a non-compromised e-mail client and/or server. This message has been deleted from the server." :P

Re:Goodmail just wants to eliminate all free spam

[jfengel]

There is something to be said for raising the quality of spam.

I receive an awful lot of spam which hopes I'm a complete moron, attempting to defraud me or sell me a product (or web site) I'm clearly not interested in. The amount of spam that I get from "respectable" senders is extremely small. They turn a profit on spam only because their costs are extremely low.

By raising the costs even slightly, the equation shifts. If I got only as much spam as I got in my postal mailbox, I could filter it by hand with no noticeable effort. It's only when it gets to hundreds a day, as many people get, that it drags down servers and costs real time.

Besides, "respectable" spam is legally required to be marked as such, making it easy to filter. The new American law is considered a joke because most spammers aren't respectable, and so it's ineffective. But if some solution, such as this, is able to effectively raise the quality of the spam, we'll have an easier time dealing with that which is left.

In the Workplace

[millahtime]

This would put a huge damper on collaberation with companies. If it cost me for all the eails I send for the projects I work on then I wouldn't send them. It would make my job harder and make the products I work on more costly and and take longer to due just due to the fact of it slowing down my work or i have to wait longer for things.

Re:In the Workplace

[firewood]

It would make my job harder and make the products I work on more costly and and take longer to due just due to the fact of it slowing down my work or i have to wait longer for things.

If the economic costs (loss productive time) of having every employee wade through spam every morning is greater than the cost of a new protocol, then it will be in the interest of most businesses to migrate ASAP. If you want to do business with these corporations, then you will have to switch also.

List owners can raise cash for stamps...

...by selling their lists to:

NSA
CIA
FBI
NASA
Spammers...

Grief, adding 'postage' to email is gonna totally kill the 'new economy'. A technological solution is needed, not an economical one.

Welcome to the IM spam revolution

[enosys]

Some people already get IM spam. If people started using IM instead of e-mail spammers would move to IM too.

Microsoft is revisiting failed "solutions" of the

[Black+Art]

None of the proposals by Microsoft and Yahoo are new. They have been suggested on mailing lists like Cypherpunks for over five years now.

Every time they get posted, the same reasons get pointed out why they will not work.

What it has proved is that people are willing to cling to an idea long after it has been proven to be false.

The anti-spam crowd can now be officially declared a religion.

What again!?

This joke comes around every couple of years and always manages to reel in a few suckers... a journalist as well this time it appears!

pay

I fully agree with Farber. Why on Earth should we have to pay for a service that works perfectly fine while free, or almost free(pay to get the address to which mail is sent). I get spam everyday, I also get a credit card, DVD, CD, or some other offer in my snail mailbox everyday. I'm not really a big save the trees guy, but for me it is easy and less guilty to put email in the trash than it is to put real letters in the trash.

Re:I like the computational challenge solution bet

[Trejkaz]

You don't even need the math question. Since most spammers use invalid return addresses, all you need is any question. "Are you a real user?" usually works fine, as I've seen with TMDA.

If the spammers did use valid return addresses, then we would know where they are, and they would already be crippling themselves with the enormous number of bounces they would receive from invalid addresses.

Escrow

[djtack]

And how do you enforce charging people who you may or may not be able to track, the proposal to charge for spam based on the reciever's choice is absolutely ridiculous.

This is not so hard at all; you simply require the payment be placed in an escrow account before the mail server will accept the message. The sender would include some unique token in the message headers that corresponds to the escrow funds.

Read about it here: Selling Interrupt Rgihts. The article is from 2002, btw, this is hardly a new concept.

Re:Escrow

[n.o.d.y.n.e]

I don't think the parent's point was that it's not actually technically possible, more that it is ridiculous that a sender pays for emailing someone who has chosen they should pay.

This is obviously flawed

We've all seen the likes of viruses like MyDoom, so we should be aware of the prospect that people are writing viruses to act as remote services for their various nefarious requirements.

So what's going to stop someon from writing a virus that sniffs someones email settings in the registry, and then starts sending SPAM through that server as that person ?

Unlike the current situation where SPAM is stealing resources (and a little cash) the game will change so that SPAM steals peoples e-cash.

Clearly whatever this initiative is aimed at doing, making things better for legitimate users of email is not at the top of the list.

And if I don't...?

[Storm]

...Does this mean if I don't pay, I won't get another email from yahoo or msn?

Remind me again, where's the downside of this?

Re:And if I don't...?

[r_cerq]

Nope. The one paying is the sender; if you don't pay, you won't send to Y! or MSN.

related story this morning on NPR

[fishbert42]

Reading the headline reminded me that I heard a story on NPR while laying in bed this morning about ways to go about eliminating spam on the internet.

Not sure if it contains any "new" information, but it might be worth a listen.

Troll?

[RT+Alec]

Sorry to whine, but why would my post be modded a troll? I was completely serious. See my history of posts and you will see that I frequently post about spam and various solutions, including several about SPF:Sender.

It still costs them though

[enosys]

I have a Yahoo.com e-mail account and I agree. However, the problem is only solved for you, not them. They still have to add extra hardware (with associated increased power and maintennance costs) because of the volume of spam coming in.

Re:It still costs them though

[jmv]

Well, if it continues to work and spammers eventually go out of business, then it also solves their problem.

Snail Mail is not a good comparison

[PaK_Phoenix]

The problem with comparing the junk mail you recieve at home, with email spam is flawed. The two systems are different enough, even if it's hard to see at first.

Snail Mail spam, gets a 'pre-sorted bulk rate', so they usually concentrate on a certian market( geological, company customer bases etc. etc.) Also with a physical address you have a pretty good idea of the location of the customer.

Email Spam is just a 'shotgun load of crap', launched at the internet like buckshot. Part of what makes email spam 'work' for the spammer is that they pretty much hit 'everybody'.

I guess what I am trying to say is the email spammer is more likely to bombard 'everyone' because it costs the same. Snail mail will try to 'target' an audience, but still send out lots more mail than they would if they had to pay first class postage( what you or I have to pay to mail).

If they do institute a percharge for email, there should be no 'bulk discount'.

Re:I like the computational challenge solution bet

[kcornia]

Well I'd hope that I could set up lists of e-mail addresses that don't need to be challenged. So e-mail groups would have some configuring to do, but it seems like it would be pretty easy to build in some safeguards so not EVERY mail is computationally challenged, but unsolicited mails are.

Dunno, just thinkin' off the top of my head here.

Nope, nope, nope

[ackthpt]

ah... but if spammer x sends a boatload of herbal viagra offers under bob's relay and bob gets a bill... then when they do catch spammer x he can be nabbed under wire fraud laws and be open to all sorts of tasty civil action.

That's naive. You know Ralsky and the like use open relays around the world. He's even contracted some in China. You might tighten a net at best, but eventually you come back to the problem of trying to bill non-USA service providers. Lotsa luck. At best you encourage them to clean up their open relays and implement some decent security, lest their IP traffic be blocked at the border. But this should already be happening. Start locking these things out and they'll get around to fixing things pronto.

Re:Nope, nope, nope

[dfung]

Is this proposal really that ineffectual?

I totally agree with what your saying, but if a offshore ISP doesn't do anything accept send spam and faces being blacklisted because they ignore their bills, then it seems to me that this might actually have some leverage. If you were an offshore ISP that was 100% legitimate mass e-mail (a opt-in magazine headlines digest for instance) then you pay the mass mailing fee as part of your cost of doing business. If you have a mix of legit and UCE customers, then I think the pressure will be on you to pick a side and move (the pressure comes not from the US, but from your legit customers who are getting blocked out because of the spammers).

Am I missing something important here?

Re:Nope, nope, nope

[ackthpt]

but if a offshore ISP doesn't do anything accept send spam and faces being blacklisted because they ignore their bills,

Here's something for you to consider. Who the heck died and made you the tax collector for the world? That's exactly what they'll be saying to Microsoft and Yahoo. This approach would be excedingly painful to negotiate, worse, most of the open relays aren't great big machines, but zombies and small servers with lax security.

A couple years back some sh!t hit the fan regarding Bill Jones run for office in California. Seems some Campaign email was routed through a elementary school computer in Korea. What are you going to do? Send them a bill and have Microsoft or Yahoo goons shut down the school when they don't pay it?

What's needed is cooperation, not this loopy strategy.

Blacklist/Whitelist or roll out a new standard and have major ISP's switch over and at some point block old SMTP Problem solved.

Re:Nope, nope, nope

[Trevin]

Who the heck died and made you the tax collector for the world?

They don't have to be the tax collector for the world; just a bill collector for any email sent to their service. After all, they provide the equipment and the staff to maintain it; why shouldn't they charge people for using it?

This is just like an idea I proposed many months ago. The difference is that with my idea, all computers are blacklisted by default; only those servers who maintain a billing account with the receiving ISP are allowed to send mail to them

Re:Nope, nope, nope

[dfung]

If most open relays really are zombies, then I do agree - no real mechanism for enforcement. I genuinely don't know what the story is here.

In the recent past, it seemed that the spamming farms weren't giant machines, but they weren't mostly zombies either - wasn't that big US spammer in Texas or Florida just a guy with a T3 and a garage full of medium-sized servers? If that's the case, and you're being pounded with Viagra-grams from a guy with another garage in Indonesia, then this sort of "pay your tax or report to /dev/null" probably would work.

Of course, if such a system were enacted, then I guess the shift to zombie relays would accelerate.

I too believe that cooperation is needed, but it's needed as much from the CMU guy who feels he has the right to send his 30,000 e-mails out for free as it is from spammers. Charge me a penny for my e-mails or only allow 600 free outgoing messages a month. But please do something, because I'm pretty sure that my (insert mobile data device here - I have a Sidekick) will stop being useful when it's flooded with spam.

Re:Nope, nope, nope

> traffic be blocked at the border. But this should already be happening. Start locking these things out
> and they'll get around to fixing things pronto.

The matter of fact is, do you REALLY believe it matters that much to the rest of the world that the USA tries to lock out others?

You blatently overestimate the importance of the USA, only approx 5% or less of the world population lives there, and in number of internet users it is not really very relevant either anymore compared to the rest of the world.

You would really look a lot smarter if you would be thinking about solvign the problem instead of thinkling about how the problem can be kept away from you because you cannot keep the problem away.

Re:Nope, nope, nope

> Am I missing something important here?

Yes, you are missing the most important thing here and on the way forget some very relevant facts.

Many important and very informative mailinglists are run by PRIVATE INDIVIDUALS, not businesses.
You say I should pay for delivery of the approx 1500 mails I deliver each week on request of the receivers? Well, this is a free service, and I'll go do somethign else if that is the case. Result, some 1500 peopel and companies will have less security information.

You also forget that most of the world (95% of us live outside the USA you know) also does not have the same rules as are used in the USA, not the same laws, and actually, usually don't care too much for the laws in the USA either (EUrope and patents come to mind)

If you are thinkling abotu a solution, you better keep that in mind.

What you completely and utterly forget is that the simple effect of this p[ayment scheme is changing the balance in favor of big money. Only those with big money can afford to distribute information, and as a result you take away one of the most fundamental and important differences between the 'real' world and the internet when it comes to publishing.

I really and very strongly suggest you take the private person into account instead of jyour business only approach.

Then something else, you do realize the USA is less then 5% of this world in number of people, and similar in number of conencted computers?
You really think that the USA can lock peopel out? I rather think they'll find that they are locking themselves out.

You also forget that most of the world (95% of us live outside the USA you know) also does not have the same rules as are used in the USA, not the same laws, and actually, usually don't care too much for the laws in the USA either (EUrope and patents come to mind)

If you are thinking about a solution, you better keep that in mind.

Because of all the problems that payment for email bring, it is really really really really a better idea to fix the smtp protocol to address the anyone can deliver everythign problem instead of creating tons of new problems in order to put a very bad fix to a problem.

Re:Nope, nope, nope

[d34thm0nk3y]

ugh... this goes for a bunch of other posts I have read so far, but why repeat myself a dozen times?

Who are you to tell me how I can use the internet I pay for.

...the CMU guy who feels he has the right to send his 30,000 e-mails out for free

guess what, he DOES have that right, and it is NOT free.

I truly believe that anybody who thinks government or corporate regulation is a good way to fix a problem on the internet is smoking crack! I mean cripes, we all know how good a job the FCC is doing at "regulating" the airwaves (read regulate as making it too expensive for anybody to actually use)

Re:Nope, nope, nope

[diablobynight]

Whenever someone has an open relay, we should go to their company, drag their server outside and run that shit over with the biggest truck we can find.

Re:Nope, nope, nope

[cynicalmoose]

lest their IP traffic be blocked at the border

While it's perfectly permissible to charge for the transfer of information, the first amendment is hardly likely to allow blocking. IANAL. IANAA

Re:Nope, nope, nope

[BlackHawk-666]

I hope all you email buddies are on AOL and Hotmail then, since you won't be receiving much mail otherwise.

Re:Nope, nope, nope

If you have a mix of legit and UCE customers, then I think the pressure will be on you to pick a side and move (the pressure comes not from the US, but from your legit customers who are getting blocked out because of the spammers).

I don't. I'll put it this way - if my ISP starts getting blocked because it's not paying Microsoft for the privilege of sending email to MSN addresses, I'm not going to switch ISP - I'm going to say a big "fuck you" to Microsoft and suggest that any MSN customers who want to receive email from me do the switching.

Allow me to repeat that - I am not going to support any ISP that pays *another* Microsoft tax. Fuck them. No, I don't think saying "fuck" makes me look big, I'm just expressing what I really think here.

Not really news....

[Crypto+Gnome]

Yet again Microsoft is doing their best to prostitute something which is currently "free" into something which they can use to screw their customer for unreasonable amounts of cash.

Today they're trying to "embrace and extend" email.

A Microsoft backed solution will lead to proprietary enhancements, patent litigation, prosecution and the general demise of email other than through Microsoft Proprietary Commercial Products.

Oh and you can forget about sending email from any *NIX like OS, absolutely not from any GPL or otherwise OpenSource OS.

I am not predicting the future, these things have already occurred In other areas of computing, just not email (yet).

Didn't Bill Gates

[hansoloaf]

remark that there will be no more spam by 2006? I guess this is one of his solutions. han solo

Re:Didn't Bill Gates

640k, man. 640k.

What exactly would you be paying for?

[mabu]

This pay-for-postage e-mail model.. what is the money paying for?

* The bandwidth and network resources used?

We already pay for that; we have quotas and guidelines in place regarding bandwidth, storage quotas and restrictions on spamming with all ISPs.

* Subsidizing a new mail system that is "spam free?"

Does anybody think that if Yahoo and Microsoft hijack the e-mail network, they won't abuse it? Both companies have a sordid history of deploying disposal privacy policies and spamming their own users, sometimes to the point of creating so much noise they upsell users on value-added solutions to solve the problems they create.

The only way a pay-for-postage model would work is if the major networks go private and make their e-mail systems un-integrated with the existing SMTP network. Do you want Microsoft, Yahoo or a handful of powerful corporations to be in control over the e-mail system?

* Why pay per-message anyway? It's an ineffective argument to claim such quantum pricing is necessary and that resources would require it, nor would it teach people to be more responsible in their mailing practices.

80% of the traffic on the Internet is junk mail. If we simply enforced existing laws regarding network exploitation and computer tampering, we'd instantly negate the main value of the pay-per-e-mail article, and even with the system in place, there's absolutely no provision to address the larger problem of unauthorized SMTP traffic hogging bandwidth.

I don't have a problem with the idea of paying extra to have a spam-free e-mail network, but on a per-message basis, it's just stupid and greedy. If we're going to pay, I recommend it go like this:

1. Add a small fee to each domain registration which goes to establish a regulatory group, that adopts an international standard for responsible mailing practices.

2. Contract out, just like we do with the TLD system, the administration of a centralized SMTP whitelist, with a system of checks-and-balances to effectively "license" responsible mail relays.

3. Offer anyone running a mail server, the option of using the centralized whitelist to approve the systems from which it will accept mail.

I have been saying for more than a year, this is the way to go. This scheme by MS and Yahoo is a flavor of what I'm saying, with the tacked-on idea of charging per-message, and instead of making the mail network an open system, it would be controlled by select corporate interests.

We're heading in the right direction, but this scheme by Microsoft and Yahoo has a long way to go.

Re:I like the computational challenge solution bet

Spam boxes would be prohibitively expensive due to the heavy requirements for sending millions of spams

So spammers would simply send a virus and 0wn hundreds of thousands of Windoze boxes, making a supercomputer that can overwhelm any "Computational Challenge" solution.

Re:I like the computational challenge solution bet

[mark-t]

Not that I'm trying to shoot the solution down, I really do like the theory behind what is being proposed here.

But how would this solution address legitimate mailing lists, where the mailing list server actually has justifiable reason to send to hundreds or thousands of people at once? Why must any system that runs a mailing list necessarily have a whole crapload of CPU horsepower to go along with it?

And if any allowance is made for making the load on legitimate mailing lists more tolerable, what is to stop spammers from exploiting the same allowance, effectively removing all the benefits that were originally offered?

Oh Shit!

[NetNinja]

Here it comes! A way to really make money on the internet.

First it will cost 2cents, Then after a year they will raise it to 4cents.
Then after that they will raise it to 7 cents because they can and nobody can give you a justification of such a large increase.

Re:Oh Shit!

[millahtime]

Oh no, it will cost me 2 cents to always put in my 2 cents.

You should collect your own fees

[steveha]

The basic idea, to make spamming too expensive to be worth it, will work. But I don't want to have Microsoft, Yahoo, etc. collect the money; the email account owner should set the fee and collect it.

I wrote it up here:

http://slashdot.org/comments.pl?sid=94145&cid=8077 371

The key points:

You set the fee, and collect it.

You can refund the fee if you wanted the email.

You can add people to a whitelist.

The whitelist uses digital signatures, not easily-forged header fields.

It doesn't really work unless we have a micropayment system that can charge small amounts (five cents) without expensive overhead.

In the discussion attached to that article, one person pointed out that this system could be exploited like this: advertise a job, one that looks like it's really worth applying for. Charge about 20 cents per email to accept resumes. Pocket all the money. It's a perfect small-time fraud scheme: you steal so little, from so many people; who would be motivated enough to check up on whether there was ever really a job to apply for?

I have to say, even without the charging of fees, a whitelist based on digital signatures would be great. You could have a special folder where known-good emails go, and another one for the rest. I'd have my email client play a chime sound when known-good emails arrive, but not the rest.

steveha

pay or compute!

[maliabu]

would it work if the senders are required to either pay for the email, or face a computational challenge?

so for big companies who charge a fee for subscription, they probably don't mind paying to do a mailinglist.

for personal emails, people will probably choose to compute than pay.

Two reasons the solutions won't work

[iCoach]

1) The computing solution
How exactly is this change over going to take place over the next two years? As soon as a few major corporations implement it they won't be able to receive email from those who haven't. That not too mention the fact that the communcation of said calculation is another drain on the net while we wait (supposedly hopefully) for people to adopt the new calc procedure. If it is made backward compatible then whats the point in doing it at all? The only way to filter out those emails is to lump them into a seperate folder - while "we" are "adopting" that folder is rapidly going to be viewed as a spam filter. Unfortunately it is going to get filled with good emails. I don't know about you, but my baysian filter works pretty damn well right now.

2) Paying for email? This one has so many holes it is laughable. First, who collects postage, ICANN, W3C, Microsoft? And who collects the fee for international mail? And how is it dispersed? And who is going to keep the price reasonable? I myself send upwards of 20 emails a day. That is going to get damn expensive even at $.10 an email.
And if the "postage" is implemented, what about email lists? Sending to 100,000's of /.ers would be prohibitively expensive.

I could go on, but I am sure everyone else can see how assinine the solutions are.

-Coach

Very bad idea...

[twoslice]

It would bring the DNS servers to their knees. It would be better to have the DNS server have an LDAP record and use an LDAP server for the lookup - LDAP was designed for fast directory lookups.

btw - it would do nothing for spoofed addresses from real domains....

Re:Very bad idea...

[sholden]

Why?

Doing a reverse DNS lookup of the name associated with the IP of the server connecting is common enough already, eg.:

$ telnet staff.cs.usyd.edu.au 25
Trying 129.78.8.1...
Connected to staff.cs.usyd.edu.au.
Escape character is '^]'.
220 staff.cs.usyd.edu.au. V1.2 ready at Tue, 03 Feb 2004 10:22:23 +1100
HELO foo.com
250 G'day foo.com, I'm staff.cs.usyd.edu.au., I thought you were [censored].swiftdsl.com.au.

That doesn't seem to have brought DNS to its knees...

And it would do lots for spoofed addresses from real domains - you couldn't send email from a domain except via the outgoing mail servers of that domain. Hence you couldn't spoof email from ebay.com (well you could spoof it in the From: header but not in the envelo), unless you managed to get one of ebay.com's outgoing mail servers to do it for you (which hopefully, they would be configured not to do).

spf.pobox.com is one implementation of the idea, not using MX records obviously since that would break existing mail senders, but using TXT records.

Re:Very bad idea...

[Lehk228]

But as it is now there are not millions of reverse DNS lookups every day, it could work but ISP's would need a bit of time to ready their boxen.

the solution results in only spam

[frovingslosh]

''Damn if I will pay postage for my nice list,'

This pretty much says it all. If there's a postage charged for email then email will become all spam, not spam free.

The first to go will be lists like the above, no free newsletter is going to be able to justify paying postage on mailings of 30,000 or more.

Along with that will be the automated emails. Think /. will still email you when someone responds to your post if it costs them? Think again. You will not get email order confirmation, notice about your rebates, shipping tracking information, or other automated business related email that you want either.

Some people might pay a micro payment on some email, but others will not. Rather than being the killer app for the Internet, email will fall into disuse.

While all of this is going on, the spammers are not going to be slowed one damn bit. If they could be held accountable they would be stopped already. They will either continue to sign up for throw away accounts and then abandon them and not pay for the email, or they will continue to make their deals with shady ISP who damn well know they are spammers and let it slide. If a spammer has a deal with an IPS to send spam you can bet he isn't really going to pay the ISP postage fees. Worse yet, the claim will be made that the spammer is paying postage fees, and that those supposed fees omehow make it legitimate for then to cram your mailbox with spam for the p3nis patch and the paris hilton video xjrf.

And one other effect it will have is that I will certainly not pay to forward all the hundreds of daily spam I get to utc@ftc.org, and other spam fighters will see their complaints of spam dry up too.

In short order, much of the valid uses of email will come to an end because of this "postage", and spammers will continue completely unaffected. And it seems hard to believe that Yahoo and Microsoft don't already understand this.

Re:the solution results in only spam

[fltsimbuff]

IMO, it would be utterly impossible to charge for all email. As long as you have a data pipe as versatile as TCP/IP provides, people will find ways of setting up email systems. People running their own servers, changing ports, doing whatever they can to keep their service running.
It will simply be moved from commercial email servers, to Free servers provided by people who believe in things like Linux, and open source.

I, for one, think this is yet another horrid, impossible-to-implement idea. Sure... set up pay services, but you aren't going to force people to use them.

So to me, it is not going to affect email all that much. Unless they close all Internet standards, and rework TCP/IP, and the entire Internet network, they cannot stop free email.

Let Freedom Ring!!

Re:I like the computational challenge solution bet

[gnu-generation-one]

"Asking the sender to process a quick math question seems a better solution to me."

Well, it might not stop spam, but it'll help me get some work done.

Your email has been held in a queue until you answer the following question: "Given the vector x,y,z, calculate the look-angles phi, theta, psi, formatting your answer as C++ code"

Instead of postage

Outbound mail as well as inbound mail should be checked at the ISP level
for both spam and virus.

My Favorite Quote

[L7_]

"The very notion that I have to get permission to send you a marketing message doesn't make sense and is not good public policy," said Richard Gingras, Goodmail's chief executive.

What the hell? It >does make sense from a consumer's perspective, and it might not be good public policy to a corporation because how else will people really know that they want thier product? Unless they actually knew that they needed it, and looked for companies that would produce it?

Blacklist

[millahtime]

I'm sure this has been said but how about blacklisting SPAM providers. I know we do that now but how about a better system to do that. Maybe ISPs that allow their IPs to send spam get blocked. The whole IP block.

Why should we pay/white list it when we can black list it?

Re:Blacklist

[taustin]

How about blacklisting (and null routing) any ISP that thinks it can charge "postage" extortion for email?

Will Microsoft pay me for every email they send me that I consider spam?

The average person will fall for this

[SummerMan]

Charging for email is an inevitability. The corporate marketing machines will spin full speed, the media will eat it up and spoonfeed it to the masses as a "good thing" and "such a small price to pay to fight the evil spammers". People will buy into it using comparisons of paying for other forms of communication (fax, phone, snailmail) as their acceptance that this is "just the way things are".

Of course, the ongoing costs to fight the spammers will require this postage to go up and up and up....
...and it will utlimately be as futile as the war against snailmail spammers.

What if you had to pay for a whitelisted account ?

[msimm]

I mean if you talking about a whitelisted network of trusted/know valid smtp servers there is going to be some cost involved (validation of both individual users and networked servers). If that cost where low enough I'd happily pay a few dollars (on time fee? annual?) to get an account (sounds like getting a digital certificate but without all the geek factor) that I could send from as a know/validated user.

Post a postage bond...

[jordandeamattson]

Actually, this problem can be solved without charging postage on each and every piece of email.

The problem can be addressed by putting people at risk of being charged postage. This can be done by requiring that senders post a bond of say 1/10 of 1 cent per item sent.

If you are sending 30,000 pieces of mail a week, your bond would only be $30.00. If people like your email, you will never have to pay the toll, but if they don't like it, then you will be subject it.

The folks that will be caught in this web are spammers and direct marketers. They send millions of spams in the hope that just a few folks will bite. If we raise their cost of doing it above the return, they will be out of business ASAP.

The only way to kill spam, which depends on a frictionless mailing process, is to introduce some friction (i.e. cost) into the system.

Yours,

Jordan

Re:Post a postage bond...

[RalphSlate]

Problem is, you'll need to raise the threshold above their profit. I doubt these people are wasting all this time because they make $500 per mailing. I bet they make tens of thousands per mailing. And once you bring the charges to that level, you affect ordinary senders.

Ralph

Re:Post a postage bond...

That would be the DEATH of email.

We, well, we already have, switched to IM.

You can stay in the payMail world if you want.

Re:Post a postage bond...

[evilviper]

The folks that will be caught in this web are spammers and direct marketers. They send millions of spams in the hope that just a few folks will bite. If we raise their cost of doing it above the return, they will be out of business ASAP.

In the US, political speech is protected. If there is any system like this put in place, there will need to be an exception for political-party spammers, and the commercial spammers will certainly figure out a way to use that exception...

Re:Post a postage bond...

[BlueEyes_Austin]

"In the US, political speech is protected. If there is any system like this put in place, there will need to be an exception for political-party spammers, and the commercial spammers will certainly figure out a way to use that exception." Nonsense. There's nothing in the First Amendment requiring FREE media for your political beliefs! Try taking a bunch of political flyers down to the post office and to mail them without postage...or tell a local TV ad exec that he needs to put you 30 second spot on for free!

Re:Post a postage bond...

[Lehk228]

Free speech in the US is not Free as in Beer, it's um.... uh...free as in speech... you can't be punished by the government for expressing your beliefs, that doesn't mean that you have to be allowed to say what you want in any medium without cost... otherwise the superbowl would have had my "Fuck the RIAA" message instead of Pepsi's "keep the money rolling in to the riaa via iTMS"...

Re:Post a postage bond...

[KidSock]

This can be done by requiring that senders post a bond of say 1/10 of 1 cent per item sent.

I agree. It has to be a system where you submit money but aren't charged unless it's determined you're violating the contract.

For example, you could buy a digital certificate for $30 that gives you authorized access to any number of mail relays. If you're a relay you pay $100 to talk to other relays. If a certificate is identified as being responsible for sending spam it is immediately revoked (well, almost immediately) and you lose the money. As more and more users use these certificates the mail relays can begin to require them. A new backbone of clean-mail will eventually overgrow the old unprotected "dirty" network.

Re:Post a postage bond...

I write software for an Email Service Provider. (I realize that probably doesn't make me popular here. I can live with that)

I would sign up for the bond in a second if I could. I am tired of dealing with anti-spam and trying to win what essentially is an arms race.

Back to your point about bonds. Its being done right now and is provided by a sister comapny to Ironport.com. It's so far not effective mainly because they have not closed the major players ala yahoo/hotmail. Until they do the idea will wallow since Aol/hotmail/yahoo makes up for over 50% of the volume. If they even could close one of the big boys I'd sign up without thinking twice.

Providing a bond system will not put us out of business. I'm afraid the opposite will occur. It will in fact solidify our business. I would pay the price in a second because I no longer have to worry about dodging anti-spamming tricks to get email into an inbox. It's all about getting into the inbox. So yes let's introduce a bond, yes lets charge me 1 cent aper email. We would pass the cost onto our clients. Our clients make the real money. The make enough that they would be *willing* to spend 1 cent per email if they are guaranteed it gets into the inbox. It's all about getting into the inbox and a bond or postage guarantees that.

Re:Post a postage bond...

[Technician]

The problem can be addressed by putting people at risk of being charged postage. This can be done by requiring that senders post a bond of say 1/10 of 1 cent per item sent.


Since bulk mailers tend to steal resources, I think it would create problems with stolen credit card and banking numbers. As long as they are borrowing a relay or trojaned machine, why not borrow an account number also? Can you imagine the trouble trying to fix this. The receiver of SPAM is not willing to go unpaid to punish the spammer and you are trying to get your money back from 300,000 people. Good luck fighting the new fraud.

Re:Post a postage bond...

[SmackCrackandPot]

If you are sending 30,000 pieces of mail a week, your bond would only be $30.00. If people like your email, you will never have to pay the toll, but if they don't like it, then you will be subject it.

But how do you handle the situation where spammers CC a spam to 100+ E-mail addresses. Do you waive the bond if only one recipient, a majority of the recipients or if all recipients accept the message?

It won't take spammers long to create dummy accounts to accept E-mail in order to avoid paying bonds.

Re:Post a postage bond...

[jordandeamattson]

The beauty of this system is that the recipient decides what is or isn't spam. Under this proposal - which isn't new and isn't mine - you as the sender are betting 1/10 of 1 cent that I want to read your email. If I do, then you win the bet and keep that part of your bond. If I don't, then you lose the bet and pay me 1/10 of 1 cent.

A couple of other points:
1. The bond is posted in advance. It gives you permission to send a set number of emails.

2.There needs to be a set period in which I have to declare that something is spam or not, in order to collect the bounty (say a week).

3. If I say it is spam, then it is spam for me. No appeal, no ability to change my vote. If I don't like it, then you have to foreit my portion of the bond to me.

With the above ground rules in place, we would have system where I go to my ISP and post a bound equal to the number of emails I want to send in a week. If I want to send a million emails a week, then I post a bond of $1,000.

Once this is in place, I can send 1,000,000 emails in a week period. But if people start calling it spam (directly or through their spam filtering software), then I start foreitin 1/10 of 1 cent for each and every piece of span I have sent.

Maybe only 10% of the folks think it is spam, well, then he is down to 900,000 emails he can send in the next week or he has to pay up again.

It is my understanding that the spammers are getting by on 1 or 2 hits out of each mail. This is possible, because they don't have a cost (that wonderful frictionless Interet) of doing business.

The goal of this system - and we can adjust the numbers as required - is to introduce some friction to those who are taking advantage of the Internet, while keeping thingsrelatively frictionless for those that are playing by the rules.

Remember, unlike bulk mail (which is bad enough), a spammer makes me and others pay the cost of them sending a message to me. This turns it around and gets them to pay those costs.

Yours,

Jordan

Re:Post a postage bond...

[jordandeamattson]

Hi Technician -

Actually, this is a good thing.

If people start stealing credit cads and banking numbers, they start leaving bigger foot prints.

We also have a system and specialists that have a relatively good success at catching folks that commit bank fruad.

If that stolen credit card and/or banking number is associated with a mail bond, they are going to leave even more clearly defined and bigger foot prints which we can track down.

Simply put, the FBI will treat a case of "wire fruad" a lot more seriously than a borrowed relay or trojaned machine.

Finally, if my "borrowed relay" (open relay) isn't allowed to send email, because my mail bond is exhausted, you can bet that I am going to take it more seriously than I might have done.

Yours,

Jordan

morons investigate corepirate nazi/puppet solution

it's like having oj administrate the battered womens' shelter, except these guise also want to be billyonerrors at everyone's eXPense?

This was not the original idea.

[stripmarkup]

I remember the original idea being something like this:

1) The user determines how much to charge to read email from someone not on his/her whitelist. For example, I would look at untrusted emails for at least $0.10 a pop.

2) The user can choose not to collect the payment if the unknown sender is someone legitimate, like an old acquaintance, a friend with a new email address, a job offer, etc.

This would effectively kill spam without creating much of an inconvenience to legitimate email.

Re:This was not the original idea.

[millahtime]

Will people actually do that or will they be lazy and just delete it???? And what about someone like my mom.... she couldn't handle an extra feature like that. Try explaining that to her.

Re:This was not the original idea.

[stripmarkup]

By default, your mom would charge $0.00. She would be compatible with the new system, she wouldn't miss any email but she'd still be vulnerable to spam (she could still use old spam filters, of course).

The feature can be very easy to use. There can be an icon representing a cash attachment, indicating the amount. Attached cash could be another sort field. My guess is that if someone could learn to use email and has ever paid a bill or cashed a check, this should be easy.

Re:This was not the original idea.

[millahtime]

My mom and my girlfriend on paying bills and understanding money. Oh, sore spot. They don't get moneny and can't manage it to save their lives. And there are a lot more out there like them.

Re:This was not the original idea.

[taustin]

This would effectively kill spam without creating much of an inconvenience to legitimate email.

Until spammers start signing up for mailing lists, and not putting the sending addresses on their whitelists.

There's only two possiblities: Either the spammers have some way to force you to pay, in which case, there will be massive lawsuits, or not, in which case, the entire idea is pointless and silly.

It's a stupid idea.

Re:Federal BIll 602p!!

[BdosError]

Nice to see that old urban legendenjoying a comeback. Heck, it may ever turn out to be true. If it does, I hope they have the foresight to actually designate it with this non-standard identifier.

Postage? Wha?

[Houn]

Seems to me the quickest way to prove how little postage does for spam would be to sign up a few top-level MS and Yahoo execs for every free catalogue there is... anyone up to posting names and addresses? ;)

(Yeah, I'm mostly joking, but wasn't it slashdot that reported it when the "Spam King" got this same treatment?)

Credit card payment?

[rjelks]

There are millions of stolen credit card numbers floating around. It may be risky to use them on products delivered to a home, but what about the spammers. How many spammers are going to be buying these numbers and using them to charge up their spam? Could this cause an increase to identity theft? -

Maybe they WANT to kill mailing lists.

I don't recall seeing this mentioned elsewhere, but it's possible that Microsoft are actively trying to kill off mailing lists, since they are what makes the collaborative development of Linux and Apache possible.

Re:What if you had to pay for a whitelisted accoun

[mabu]

I'm not against paying for services of this nature, but per-message is ridiculous and greedy.

We already "pay" anyway. More than half the bandwidth used is taken up by spam. Curbing the propagation of spam would have major returns in the form of saved system resources and bandwidth. It's analagous to noticing that the vaccine for an ailment is actually cheaper than the treatment.

That notwithstanding, there are a number of ways to pay for such a system; the most obvious is something like a few bucks extra for each domain renewal/registration - this would FULLY FUND a major centralized SMTP whitelist not unlike how the root server network is set up.

Stop Email Newsletters; Switch to RSS

[rjamestaylor]

Philip Greenspun, I believe, commented at the height of Internet Hype email was still the killer app of the Internet, not the web. Indeed in 2000, iirc, Dave Winer sent out an email newsletter wherein he stated his amazement that more people rely on his newsletter for updates than visit his dymnamically updated website. No mystery to me: emailed newsletters require no action on my part except subscribing (and not always that is required, which is why we're discussing spam, eh?), has a familiar interface that my Mom, a grandmother many times over, has no trouble mastering, and is well-supported by various vendors. But email is overrun with spam, worms and viruses ... and forwarded conspiracies from grandmothers (*ahem*).

But another method of delivering news is available to content serializers: RSS feeds. RSS feeds allow for true "push" content delivery like email. But, RSS feeds are not as easy to grasp, access or view as email.

Proposal: create an add-in RSS feed aggregator into common email platforms such as Outlook, Outlook Express, Mozilla, Eudora, pine (kidding), etc. Build content creation mechansism into the same email clients with the ability to post the feeds to a public directory (Google? Anyone listening?) with various subscription options on both ends.

This way email could be returned to a person-to-person(s) communication tool for low-volume communication needs; content aggregators could better server their readers/viewers and we can all experience whirrled peas.

Whatever. Anyway, just an idea -- what thinkest thou?

Re:Stop Email Newsletters; Switch to RSS

[phildog]

I like this idea. Anything that makes RSS pervasive is a good thing.

I actually belong to an email list that gets sent to dodgeit, that I consume with an RSS reader that then sends me an email.

So I have:
list -> email -> rss -> email -> me

Why all the hoops? Control. I can end the subscription any time I want and never ever get spammed because I was once a member of the list.

Re:Stop Email Newsletters; Switch to RSS

[rjamestaylor]

very nice.

yep, it's a solution.

[sommerfeld]

.. but not the way the proponents think it is.

False positives from good filters are infrequent enough that only the borderline-spammy are likely to trip up the filters often enough to be willing to pay for an edge to be let through.

Like the Habeas SWE mark, email postage will quickly evolve into a mark which can be used to distinguish spam from wanted email.. if it's got e-postage, it must be spam!

Night of the living...

[FrostedWheat]

This idea just will not go away! It's like a zombie from some old horror movie!

Charging for emails ... okie it would certainly lower spam; by killing email completly in the process. There would be nobody left to spam! It's like using a thermonuclear weapon to swat a fly. And as in all good old horror movies, the fly will come back horribly mutated and worse than before.

I can understand Microsoft, but I'm suprised at Yahoo! They should know better.

Re:Night of the living...

[millahtime]

Bill probubaly slipped something into the water. Prolly the same thing they are drinking over at the Microsoft compound.

Re:Night of the living...

[L7_]

I believe that the correct term is "Drinking the Kool-Aid."

You know that one guy that mixed up a bunch of special kool-aid back in the 70's?

2 solutions

[Tumbleweed]

Okay, the satisfying solution - kill all spammers. "It's the only way to be sure." Yet when I suggest this, people look at me like _I'm_ the criminal! *shrug*

Solution 2 - new technology for mail servers. A combination of a black list and a white list and challenge/response. If you make it through the challenge, depending on the destination user's preference, you automatically make it onto the white list. The user can (should) set up a list of people/mailing lists already on their whitelist. The user can generate one-time email addresses that will let, say, an ecommerce site respond to them, and that first response's from address gets added to the whitelist, but anything else using that address gets bounced as spam. Bounce messages get tossed, not responded to. Any challenge not responded to in x amount of time (configurable) get tossed (or put in a bin for the user to check on periodically).

The hard parts: requires new software, requires users (who are almost ALL stupid) to respond to a challenge if they've never emailed that person before.

Good: stops spam at the server level, not at the mail client level. Doesn't require government intervention. Puts user in control of email they get. An IQ test of sorts for people to get onto mailing lists (yay!).

Now WHY is this SO hard? An upgraded version of TMDA could do it if you slap a web interface on it.

computational challenge wouldnt work either

[TekGoNos]

Today, spammers are using virus's.
Almost all the last major virus's have been written by spammers (including Sobig and MyDoom)

When you have 100 000 infested machines, sending 100 million spam-messages is only a matter of 1000 per box. (and 100 000 is a LOW number of infested machines)
As there are mailing lists with more than 1000 recipients, the computational challenge must permit this in reaconable time, so there is no problem for the spammer.

Sure, it might kill those low-budget-hobby spammers, but the few big ones will be completly unaffected.
And allmost all spam DOES come from a few big spammers.

Re:computational challenge wouldnt work either

[timothv]

Did they teach you how to make plurals of words when you were in grade school?

Digital Signatures

[quork]

There already is a solution... It is called a digital signature and comes from a Certificate Authority. Couldn't ISP's, Yahoo, or even Hotmail be required to issue PKI certificates to a paying user? Email administrators would then have the option of dropping any email that wasn't digitaly signed (as coming from a legitimate CA). This digital signature would shed light on the responsible parties involved in sending SPAM. Then fines could be levied on the guilty parties. Screw the stamp people. I already pay for the privilage of sending email.

It's not that hard

Bayesian filters are turning spam into an incomprehensible mess of near-random words and characters. At some point, it's gonna stop working.

Postage wouldn't be bad if the recipient gets the money...he's the one getting bothered. If two people email back and forth the net effect is zero. If the recipient can override postage with a whitelist, even better. You need a good micropayment infrastructure to make it work.

Or, just send unknown senders a turing challenge. "Who's the U.S. President?" or something. Do it only when the email fails the Bayesian filter, that way most legitimate unknown senders can get through fine, but you have a little protection for false positives.

People complain about the challenge idea, but what's more annoying: 1) Answering an occasional challenge (very occasional if combined with Bayes), 2) Paying postage, or 3) Never getting a response because your email has been lost in a heap of spam?

Double taxation

[xoran99]

First of all, every email I send is already paid for with the check that I sent to my cable company every month. I pay them to relay my messages to other people who have (probably) paid to have the ability to receive such messages. It seems very pompous of Yahoo and Microsoft to suggest that the free and open protocols and agreements that have allowed free information exchange for decades. I would rather have another free and open SMTP replacement than have to pay to forward jokes and virus warnings to all my friends...

Where these companies are coming from..

[mabu]

One thing to realize is that you don't have Yahoo and Microsoft asking themselves, "What can we do to solve this spam problem?"

What they are pondering in reality is, "How can we make money off this spam problem?"

Once you understand this, their goofy, impractical ideas make sense... at least to them.

Wait a minute...

They're not just doing it for money... They're doing it for a SHITLOAD of money!

RSS is the prof's answer

[phildog]

The answer to the prof's concer is RSS. You give back control of subscriptions 100% to the 30,000 subscribers and eliminate all that mailman/listserv/lyris/yahoogroups/topica nonsense.

If you've ever seen a post to a public list that reads "please take me off your list" you know how goofy subscription management via email can be. RSS is intuitive. Email listserv is not.

I'm not endorsing the email postage solution, but I'll take it if it helps the spam problem significantly. I can control my own mailing lists, Professor. Don't underestimate your users. If they want what you got, they will find a way to get it.

Re:RSS is the prof's answer

RSS with usenet or web forum backend.

Who subscribes to email lists these days? Nobody in theyre right mind unless its for work revengs or otherwise (which i must say is fun for the admin :D)

I plan to subscribe to every high volume mail list :D

Re:RSS is the prof's answer

I've never used an RSS feed before (at least, not directly, that I know of).

1) How do I subscribe.
2) How do I unsubscribe?
3) What tool(s) are used?

Re:I like the computational challenge solution bet

[Narcissus]

Just in case you're not making a joke (sorry if you are!) the grandparent post was actually about asking the computer that's sending the email the "question": some sort of factoring question most likely.

A fight I would like to watch

[dyte]

Or if we just convinced the RIAA that spam was affecting their music sales

hummm, I think your on to something here.
how 'bout a peer to peer system that uses open relays. Pit the RIAA against the spammers and let them fight it out!

Thats a fight that I would like to watch! ;-)

Re:A fight I would like to watch

[Jaysyn]

...and if we're lucky they'll both lose.

Jaysyn

Re:A fight I would like to watch

Been there, done it...

http://easta.sourceforge.net

Heresy?

[2marcus]

So, I realize that this is heresy on slashdot, but, playing devil's advocate:

What is so wrong about paying for a resource you are using? Few people expect free phone calls, why should sending "email" bits be different than sending "voice" bits? (ok, a lot of people now use the internet to have free international phone conversation, etc. etc.). Many people on slashdot believe in capitalism - under which you expect to pay in some way for most services. Do we just expect free email because we've always gotten free email, or is there a fundamental reason why email should be free?

Note, I am asking this as a philosophical question separate from implementability of a system like email stamps, or whether it will cost more to charge for 0.00001 cents worth of service than you get, or whatever.

-Marcus

Re:Heresy?

[millahtime]

Well, to speak about paying... I am with the email I have with my ISP. A lot of email goes through services you have to pay for.

The free emails get their money on advertising so to be true it isn't totally free.

Nothing is ever really free

Re:Heresy?

[Zed2K]

I already am paying for it. $40 some a month for my internet connection that includes email. The problem is that I'm getting stuff that I don't want and there is no way to stop it. The ISP's say they hate spam and their servers can't handle it but then turn around and sell their user lists to the highest bidder which generates more spam. The free email folks say they hate spam yet do the same thing but also allow spammers to use them.

I say start charging per email, but have a limit. Say a thousand or so a month, anything beyond that you have to pay per 100 lot or something.

Re:Heresy?

[potpie]

What is so wrong about paying for a resource you are using?

The difference is that you're already paying for your internet access, which covers email, web browsing, and everything else. That's because it's all the same to the computer. It's all just little packets of data blasting through your ethernet cable. Now if you sign up for some special email service, they could charge you for using it, but you shouldn't have to pay extra to your ISP because of the type of data you're sending. A packet is a packet no matter what it contains.

And how do they define email? Something sent through SMTP from your machine? What about webmail? Does the length of the email matter?

About phone calls... those are different from emails. While the purpose may be the same, they work completely differently and cannot really be compared that well. If all you used your internet for was to send and receive emails, then you'd be using it similarly to a phone, which only does one job and isn't always using up bandwidth. But you're not doing that; you're going on /. and downloading programs and pictures and mp3s and such. Now that little email where you said "hey there" seems a little trivial.

Emails are nothing compared to videos and other data formats. Charging for them for any reason wouldn't make sense from a technical point of view, and as for spammers, they'll get around it somehow. I had a friend who got hit with a trojan horse virus that sent out spam. She was on AOL so her account got frozen. At least she wasn't hit with a huge bill for somebody else's wrongdoing. I'm sure they could have sorted it out if she was, but it would only have been annoying and time-consuming.

Re:Heresy?

[jmv]

What is so wrong about paying for a resource you are using?

Note that you're already paying for the service by paying your ISP for connection + bandwidth. What's wrong is that it's a completely artificial cost, that will likely cause more problems that it solves (what about mailing lists, spam virus using your machine, ...).

Re:Heresy?

[JuggleGeek]

playing devil's advocate

Playing devil's advocate and being stupid are not the same thing.

What is so wrong about paying for a resource you are using?

The vast majority of us already pay for our internet access. Pretending we don't doesn't change that fact. Spam is caused by people who abuse the system, forcing their costs onto other people in hopes of making money from the people they are abusing.

computational challenge is bogus

[frovingslosh]

Computational challenge is a dream of those who haven't (or can't) think it through. The spammers are usually in league with the ISPs. Don't for an instant think that a rogue ISP who is letting the spammers send email (or a spammer who is acting as their own ISP) would really apply a real computational challenge any more than they would charge a real postage fee for each spam. It would affect you and me. It would kill that 30,000 piece newsletter. It would stop /. from notifying you when someone responds to your email, as well as other business related email like shipping notification, order tracking and rebate information, but it would not stop spam. It would do the opposite, the damn spammers would claim that since they "paid" the computational challenge that their spam was somehow more valid,

And a computational challenge would sure as hell stop me from forwarding the hundred to two hundred or more spam emails I get each day to uce@ftc.gov. So there woul,d only be negative effects from a computational challenge or from postage, not positive ones.

Payment of sending better make ads go away

[Knight55]

If they plan to double dip with ADs AND micropayments then even I will be pissed. It's like the post office attaching a PEPSI logo to every letter I send.

I hope I didn't give PEPSI or the PO any ideas there.... :-/

Re:Federal BIll 602p!!

[rjamestaylor]

Getting moderated down is fine, but what idiot thought this was FLAMEBAIT?

Catch a clue, moderators. This is a flamebait:

Whoever moderated the parent as Flamebait is a moron or a India-based technology wonk thinking their $.35/day wages are going to make them the next Bill Gates, in which case I excuse them for failing to understand basic English. Whoever you are you suck and should have moderating privileges removed retroactive to the date of your birth, which would probably be sometime in 1999.

Now that's Flamebait, buck-o.

How about mail server "buddy lists"

[ricochet81]

How about an RFC that builds a protocol on top of mail, using mail headers? such that each person builds their own whitelist. If u wanna email someone, you have to request permission to be added to their list, akin to adding people to your buddy list. It really wouldnt be that hard. perhaps each mail server would have its own whitelists for each user on it. then the mail server asks the client (triggered by a request for addition) if its ok to add this sender? if not, its rejected and all ones after that from that sender. if not the mail server delivers. Mail clients would have to have some sort of way to manage this database, but if you dont have an RFC XXX compatible client, get one or stop complaining about spam.

Re:How about mail server "buddy lists"

[irokie]

but what about info@*.com... anyone can email them? one of the info a/cs for our server comes straight to me and 10 of the 25 spams that come to me everyday come that way.
and we're only a small service. for a proper company, whitelisting people would be nearly as time consuming as getting rid of spam...

Re:How about mail server "buddy lists"

[ricochet81]

simply disable whitelisting for that account.

It's The Fundamentals, Stupid

[tds67]

"The fundamental problem with spam is there is not enough friction in sending e-mail," said Brad Garlinghouse, Yahoo's manager for communications products.

The fundamental strength with e-mail is there is not a lot of friction in sending it.

I hope they go for it

[taustin]

I'd love to see both Microsoft and Yahoo driven completely out of the email business entirely. That would reduce spam quite a bit.

So let's all write letters to both companies and encourage them to refuse to connect either way with anyone not buying in to their extortion scheme.

Client-side filtering

[FrancisR]

I think the best way is to just have people handle spam filtering in their own ways, at the client level. Adaptive spam filtering is available in several e-mail clients, and it works very well while annoying very little people.

However, I know that some people still have dialup and they'd still have to download all the spam before filtering it.

Chance at becoming policy?!

[thrice]

I wonder how great of a chance this has of becoming policy, considering that one of the individuals quoted with a disparaging remark in the article, David Farber, is considered the grand father of the Internet as well as serving as the Chief Technologist for Federal Communications Commission.

I WILL SAY IT AGAIN...

[quork]

There already is a solution... It is called a digital signature and comes from a Certificate Authority. Couldn't ISP's, Yahoo, or even Hotmail be required to issue PKI certificates to a paying user? Email administrators would then have the option of dropping any email that wasn't digitaly signed (as coming from a legitimate CA). This digital signature would shed light on the responsible parties involved in sending SPAM. Then fines could be levied on the guilty parties. Screw the stamp people. I already pay for the privilage of sending email. Digital Signatures are free!

Re:I WILL SAY IT AGAIN...

[evilviper]

Digital Signatures are free!

Free to who, exactly? First you have to pay the CA for the 'privlidge' of using their certificates, then the ISP recieving massive ammounts of e-mail has to get very serious systems to crunch the numbers needed to verify the certificates.

Re:I WILL SAY IT AGAIN...

[mabu]

I will say it again too...

That's what is commonly referred to as a "whitelist".

Re:I WILL SAY IT AGAIN...

[thogard]

Spamers can buy certs too. If verisign will sell a spamer 100 domains, why won't they sell them 100 mail certs too? Why do people keep wanting to repeat the mistakes of X.400 email?

Re:I WILL SAY IT AGAIN...

[MacDork]

Free to who, exactly? First you have to pay the CA for the 'privlidge' of using their certificates, then the ISP recieving massive ammounts of e-mail has to get very serious systems to crunch the numbers needed to verify the certificates.

Parent said signatures are free, not certificates. Certificates, ideally, would be a small one time fee. Don't spam and your certificate never gets revoked. Spam, and well, be prepared to buy lots of certificates. Would it not be worth one dollar to you to abolish spam? And obviously, ISPs have to do absolutely nothing for this to happen. Signature verification could/should/would be done on the user's end. That way, we can still receive email from our white-listed 'poor as Kenny' friends. Now, before you start to think it is just some get rich quick scheme on behalf of CA's, who do you think is going to be dealing with the spam certificate revocation headaches? They'll earn every penny we pay.

Re:I WILL SAY IT AGAIN...

[ian+mills]

Certificates are free as well.
http://www.thawte.com/html/COMMUNITY/personal/inde x.html
You can also sign your own, but then they aren't trusted of course.

And for this 'postage' solution to work, the money comes in the form of digital signatures anyway, so your argument about very serious system being needed applies there as well. Spammers are unlikely to start signing spams because
a) their cert would be revoked
b) signing takes a decent amount of processing time, which for 25 million emails would pose a decent delay.
The biggest problem digital signatures face is webmail, but if MS and Yahoo started signing their users mail that would take care of the two biggest and the rest would probably follow. Since MS is a Root CA this wouldn't be that difficult for them todo.

Re:I WILL SAY IT AGAIN...

[the-build-chicken]

correct, you can sign your own...and you can also sign OTHERS!...you can sign another company/organisation/group certificate with your certificate, and have them sign their employees/members with that certificate and vice verse...or they could sign their friends with theirs, and 'vouch' for their mates to you...slowly developing a ring of trust....you starting getting spam under on cert, look up the chain and contact the parent..."hey, you told me this guy was trusted...what's going on?...I'm pulling your certificate so neither me or my friends can talk...and I have 1000 friend groups" etc etc.....sounds like it would work to me (may be naive though :) )...anyone want to shoot holes in it?

Re:I WILL SAY IT AGAIN...

[evilviper]

your argument about very serious system being needed applies there as well.
[...]
Spammers are unlikely to start signing spams because
a) their cert would be revoked

First off, I can generate millions of certificates if you like. The problem is, they won't be signed by an Authority... But, if you don't verify the signature (which you seem to be insisting) then those would pass right through... It has a sig, must not be spam. No need to verify that it's legit.

b) signing takes a decent amount of processing time, which for 25 million emails would pose a decent delay.

Not really... Only cost the EFF $25,000 for a DES cracker, who says signing hardware will be expensive? I know I can get PCI crypto accelerators for under $100, so throw those in a few dozen machines, and you're signing e-mails incredibly fast. (Alternatively, see my last point...)

And if you aren't verifying the signatures (an you seem to be sugesting) then what's the difference? Put something that looks like a signature, and it'll pass through.

The biggest problem digital signatures face is webmail, but if MS and Yahoo started signing their users mail that would take care of the two biggest and the rest would probably follow.

Well, Yahoo and Hotmail are going to face the same problems that spammers face... They're sending millions of e-mails, so they are going to need to do signing at very fast speeds. Either this signature will be simple, and then spammers won't have a problem dealing with it, or it will be complex, and Yahoo and Hotmail won't be able to handle the massize number crunching.

Re:I WILL SAY IT AGAIN...

[JamieF]

Let me get this straight:
- a central body would decide what is spam and what isn't spam
- a central body would be somehow accountable for arbitrating disputes over whether a message was spam or not, whether a spamming complaint was valid or not, whether someone stole their cert and spammed with it, etc.
- everyone who wanted to send mail would need to pay for a certificate
- everyone who wanted to check incoming mail would have to check a certificate revocation list very frequently, to avoid getting mail from spammers who had just gotten a new cert and spammed like crazy

There is a technique very much like this, and it's FREE, and it's called a relay blacklist. The difference is that there is no fancy crypto involved, but the same problems remain:
- the third party is fallible when it comes to identifying spammers vs. non-spammers
- spammers are happy to keep one step ahead of the blacklist, even if that means using a new identity (domain or cert) every day
- the identity (domain or cert) that spammers use is actually one that someone else paid for, so the system punishes everyone EXCEPT the spammer

I wish this would work, but I really don't think it would.

Re:I WILL SAY IT AGAIN...

[JamieF]

>Since MS is a Root CA this wouldn't be that difficult for them todo.

The apparent cornerstone of this scheme is that MS's (or whoever's) root CA private key remains private, so that only they could sign their emails. Wouldn't it suck if the next big worm was actually a distributed brute-force crack attempt aimed at a root CA's private key? If they got it, any cert based anti-spam scheme would be subverted. Sign your own spams with the real private key! Woo hoo, spam fest! OK, maybe you revoke the CA's key, but how easily would this be propagated?

I dunno what the capacity is of all hackable machines on the 'net, so it's awfully hard to know how long such a massively distributed crack effort would take. Any guessers out there?

Re:I WILL SAY IT AGAIN...

[MacDork]

a central body would decide what is spam and what isn't spam

That's happening already, whether you like it or not.

a central body would be somehow accountable for arbitrating disputes over whether a message was spam or not, whether a spamming complaint was valid or not, whether someone stole their cert and spammed with it, etc.

Except for the cert part, see above.

everyone who wanted to send mail would need to pay for a certificate

No, but if you're unsigned, you get dumped into the unsigned mailbox with all the unsigned spam. Fine if your receiver has you whitelisted in their filters, not so good when mailing strangers. No easier to find than it is now. Just incentive, nobody's going to force you.

everyone who wanted to check incoming mail would have to check a certificate revocation list very frequently, to avoid getting mail from spammers who had just gotten a new cert and spammed like crazy

Which takes longer, having your computer make one SOAP call per key, or inspecting for spam yourself? I'm betting on the machine, not John Henry.

There is a technique very much like this, and it's FREE, and it's called a relay blacklist. The difference is that there is no fancy crypto involved, but the same problems remain:

No, the main difference is you know where spam came from rather than who it came from. Where is trivial to spoof with zombied machines and open proxies/relays. Who is not when strong encryption and CAs are involved.

the third party is fallible when it comes to identifying spammers vs. non-spammers

Yes, but when something is positively identified as spam, the best you can do now is filter it and keep looking. Black list aol.com and you have a lot of legitimate mail not coming through. Blacklist a cert, and you only block a spammer. If you're fast enough, it starts to cost them lots of money in new certs.

spammers are happy to keep one step ahead of the blacklist, even if that means using a new identity (domain or cert) every day

Changing domain doesn't cost anything. New certs do. Changing once a day won't be fast enough. Not even once an hour. Most of the spam is generated by a very small group of people. They'll be forced to buy keys in bulk, because once a key is ID'ed, all spam everywhere sent with that key is canned.

the identity (domain or cert) that spammers use is actually one that someone else paid for, so the system punishes everyone EXCEPT the spammer

Huh? My private key is on my keychain. Should spambot.exe try to access it, I get a nice little dialog informing me of the fact. Script my mail client, and I'm gonna notice it pop open and start spewing spam as quickly as it can. If that actually becomes a problem, I can get my keychain nag me whenever I use my mail client too. If you don't know how to protect your key, maybe you'll decide it's worth figuring out when yours is stolen and then revoked for spamming.

The only system I see punishing everyone except the spammers is the one being hailed by Microsoft as the end of spam. This one, while not perfect, would go a long way toward alleviating the problem. And the cherry on top: We would all have fancy crypto protecting our privacy. I see no down side.

Re:I WILL SAY IT AGAIN...

[42forty-two42]

Actually, it's called a Web of Trust, not a ring of trust, and it's the basis behind PGP and GnuPG

Old news, still a solution to seriously consider.

[iansmith]

The reason we have spam is because it is pretty much free to send.

We have lots of real junk mail, but imagine if every mom and pop store, kid and porn site could anonymously send a letter to everyone for FREE? You would be burried in letters.

The ONLY way to stop Spam is to make it too expensive for spammers to dend it. There are many ways to do this, some good, some bad, some work with others.

1. Charge.
Mail can be sent with a one-time key that allows the reciever to charge for the email.
Email boxes can be configured to allow whitlisted people in for free, allow anyone to send, or only allow paid mail.
Mailing lists and other bulk emailing needs can send all their mail out as no-charge. Nobody can force you to pay them.. but they don't have to read your email either.
This of course will only work with...

2. Authenticated mail servers. If we make it too time consuming for spammers to spam, we will stop the majority of it. Make them have to hack into an authenticated server before they can send. Still will not stop it, but will cut the flood way down.

3. Authenticated users. Even better. Now I know that when it says From: Friend@aol.com it really is them.

4. Expensive CPU computation. Make sending servers answer hard math questions. Downsides are people with Pentium 90's who run mailing lists get hit. But is it always a bad thing to make people with high usage pay for what they consume?

5. Let Microsoft or AOL set up a secret, closed source mailing system incompatable with the current SMTP methods and trust them to handle the spam and not destroy our privacy. No thanks.

6. Let the government handle all the email, making you use your SSN or some other unique identifier as an address. Not going to even touch this one.

There are plenty of other ways. Spam is now such a problem we need to impliment one or more of them. We have to make sure spammers PAY for every message somehow. Make it expensive in money, time or time served.

List owners need not fear...

[vonPoonBurGer]

...as long as there's a way to send email "collect". If sending an email costs you 2 cents, you're not going to want to send out a list mailing to 30000. That's $600 per issue! However, if you can send each of those emails and have the recipient agree to pay the 2 cents, then there's no problem. Of course, then you need to prevent spammers from sending collect... Maybe have people wanting on your list pay 24 whole cents up front for a year's subscription? Idunno, seems like yet another 'net problem that could be overcome with micropayments.

KISS

[t_allardyce]

All this is going to do is make email totally proprietry and over complex. It will mean banding about digital cirtificates and various payment methods - (probably controlled by microsoft) just to send a simple email the length of this post. But something most people will probably miss is that if two people know eachother then they will just have their email addresses on a "safe" list in their email client and theres no reason they would need to use the payment system.

If your going to make email more complicated i dont see any reason to use a payment based system over a challenge-based system - eg: you send an email to someone for the first time, their server or client sends back an email with a human test (eg type a number from a graphic, answer a simple random question such as "if mary had a little lamb what animal did mary have?" or ask them the name and gender of the person they are emailing) the advantage being that its not a central system, its not complicated, it only needs to be done once, and it can be set/edited/tweeked by the user.

Do you really want to trust Mickey$oft

[Splezunk]

If their email to prevent spammers is going to be as good as their security on their boxen, why bother. There will be a work around in less than a week, and the spammers will have a bonus of getting a whole of new email address's. We really need an open and free organisation that has nothing to gain, to design a new mail system. The current one is becoming useless.

another solution

[TheQuietDan]

All the spam I get I have been forwarding to the FTC. I wonder if they are doing the investigations like they said they would? Dan

Re:another solution

[r_cerq]

Suuuuuuuure they are. Considering the current amount of SPAM on the Internet, they probably have the world's entire population of monkeys analyzing it. 1000 monkeys just don't cut it anymore.

And the First shall be last

[dnoyeb]

If Yahoo and MS start charging for emails they will immediately loost the title of being the largest. Heck probably 90% of their addresses are just fill mailboxes anyway.

I can't see why they would even consider such a thing knowing the internet is too strong to give in. People dont even want to pay for what already costs money, why would they pay for what is currently free?

I would not currently pay to end my spam problem.

Re:And the First shall be last

[FrancisR]

They'd still be big, just because they're well-known. Just look at their search sites: even though MSN and Yahoo have crappy ad-packed search engines, a lot of people still use their sites to search instead of Google. Also, if you knew nothing about computers, which would you be more comfortable using: Hotmail or "cool-free-web-mail-by-bob.biz"?

Re:I like the computational challenge solution bet

[Zocalo]

Asking the sender to process a quick math question seems a better solution to me.

Well, it does save the inconvenience of having to also solve the small issue of having to come up with a microbilling system. However, it *still* does nothing for legitimate senders of bulk mail. While a big corporate might have no problems throwing hardware at the solution, I'm sure the non-profit operators of lists for open source projects and charities etc. might not like the idea as much.

Patent???

[millahtime]

When have you ever known Microsoft to do the solution that exists. Has anyone checked to see if Yahoo or Microsoft got a patent on the whole stamp idea?

E-mail was never "free" to begin with...

[LostCluster]

Just because it's on the Internet doesn't make it free. Operating an e-mail server costs money, you have to plug it into a wall and we all know power isn't free. You also have to plug it into a computer network, and we all know those aren't free. You also have to plug that network into an Internet connection, and we all know those aren't free either.

It's the fact that e-mail has no per-message unit of charge that makes it appear free, and why e-mail lists you want to be on are so cheap to operate, and spam you don't want to get is so cheap to throw at you. It's hard to raise the cost of one without raising the cost of the other.

However, e-mail lists can simply convert to a pull-based mechanism such as a web page or RSS... so I think e-mail list operators who shout down anti-spam measures that interfere with their current operations are just being lazy, they can convert their subscribers to other delivery methods if they want to.

SPAMMER!!

See my history of posts and you will see that I frequently post about spam

Sounds to me like you're a spammer.

I hate you people and your kind, with your Nigerian business man this and your you've got a small penis that, you make me sick.

In fact you not only make me sick, but you make Jesus cry. CRY DAMNIT!!

Now Jesus is a nice boy and he doesn't deserve to cry. Oh no, Jesus does not deserve to cry, especially over an evil and wicked spammer such as yourself.

You deserve to be hunted down and had bad, wicked and nasty things done to you.

You evil spammer you.

The Nerve Of This Guy!

"The very notion that I have to get permission to send you a marketing message doesn't make sense and is not good public policy," said Richard Gingras, Goodmail's chief executive.

The nerve of this guy. When it costs me money (read "bandwidth"), it requires my permission.

Challenge-response and Sender Permited systems are all that will ever work. When the spammer's get a 99% bounce rate you'll see the economics that drive them cause the spam to taper down to zero.

My favorite is MailWasher Pro. I bounce ALL unsolicited spams (300+ a day from several accounts total) and after a month it's already starting to taper off as they see that these addresses are "bad".

Re:Old news, still a solution to seriously conside

[mabu]

The reason we have spam is because it is pretty much free to send.


Bzzzt! Wrong. Thanks for playing.

99% of the reason we have spam is because authorities don't enforce the existing laws already on the books that these spammers violate. Breaking into innocent peoples' computers and repurposing foreign network resources are illegal in almost every jurisdiction, but the authorities have yet to demonstrate they have an interest or method of catching these crooks. Once they do, you'll see this problem drop off considerably.

No, not simple

[Vainglorious+Coward]

Experience has shown that those who say "simply replace SMTP" do not understand the nature of the problem. It's no coincidence that one of the symptoms of being an anti-spam kook is that your solution involves replacing SMTP

Re:No, not simple

[Awptimus+Prime]

Please paypal me the cost of replacing my keyboard, as it is now laden with Coke.

"You think this list is about you."

Very funny stuff. :)

Re:No, not simple

[Knetzar]

Priority 1: Post to slashdot
Priority 2: CLEAN KEYBOARD!

Why.. don't.. people... listen...

[snakecoder]

The solution is out. It's called authentication. It is used in a source forge project called Tagged Message Delivery Agent, and by a for profit company called mailblocks.com. It's simple, it works

Re:Why.. don't.. people... listen...

[Tailhook]

They will. Authentication works. It wont take long either.

Unique email addresses to every sender. Simple, free, 100% effective. The pain of spam has reached the point where I would rather inconvenience some people than put up with spam. Thus, authentication is viable.

Sender pays.... what?

[Convergence]

How much is the sender paid?

Other than time, the cost to a recipient for a single message is on the order of $.00001, or about a million emails for ten dollars.

If you make the price signifigantly higher than that, you encourage recipients to game and the system to recieve email because they are renumerated far in excess of the actual costs to deal with it. (See the problems in the US with telco 'settlement fees' for related work.)

Yet, if you make the price at $10/million messages, thats not going to impact spam that much --- roughly double the price for sending it.

Much much better solution:

Something like XNS. Imagine if every connection to your computer (on any port and for any reason) was automatically involve an exchange of terms and conditions. Imagine, a spammer wants to send you an email, first he or she would have to agree to the terms of your computers automatic policy of accepting unsolicited commercial email. You could make your policy require a payment from the sender of $10 (for example). Any spammer who does not accept your terms is automatically rejected. If the spammer makes the connection and agrees to your terms but then renegs on them, you now how a documented route to go after them in court.

cart before the ox...

[dougnaka]

Microsoft and Yahoo are getting ahead of themselves here.. They can't even STOP the spammers, what makes them think they'll be able to enforce a toll?

Of course I know the answer to this, it's called change the nature of email. Which is a subtle way of saying let's move everyone to a new set of protocols/services that we could control so we can make them pay for their spamming...

If you're going to go to those lengths, just redo the protocol without the new tax. Make it harder to send forged email.

Attention Microsoft and Yahoo

[MillionthMonkey]

(Apologies to those who have seen this before.)

Your company advocates a

(x) technical ( ) legislative (x) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new taxes
(x) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
(x) Extreme stupidity on the part of people who do business with Microsoft
(x) Extreme stupidity on the part of people who do business with Yahoo
(x) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(x) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid company for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Attention Microsoft and Yahoo

[thogard]

The sadest part of your list is that it doesn't have:
( ) I think you might have something here.

Re:Attention Microsoft and Yahoo

[MillionthMonkey]

The sadest part of your list is that it doesn't have:
( ) I think you might have something here.

Yep...
I figure this "form" post does make a point, and the conspicuous absence of hope is part of it. :)

Re:Attention Microsoft and Yahoo

[firewood]

Sending email should be free

The whole reason for this "tragedy of the commons" is that sending email to most everybody is free. The way to solve the problem is to make it cost something to get email into most ISPs networks (unless the recipient is an anonymous police tip line, rape crisis center, spam researcher, etc. Those types might continue to monitor legacy SMTP ports.). The cost might be per email, or the price of identifying oneself to a certification authority (enough ID that the police (or lynch mobs) can find you if you break enough spam laws.)

Re:Attention Microsoft and Yahoo

[MillionthMonkey]

There has been a lot of talk about replacing SMTP with something better. Except I think "something better" will turn out to be as exploitable as SMTP if we ever try it, as long as messages can be sent for free.
Any messaging protocol is susceptible to spam if transmission is free and sending a message to someone merely requires knowledge of a fixed, relatively stable piece of information such as an email address. People come up with ways to complicate SMTP and they often don't realize that the replacement protocols they are devising will largely suffer the same problems. SMTP does make spam easy, but any protocol with these properties will make spam possible, and spam merely needs to be possible for the world to go to hell. The spam being so egregiously easy on top of being possible is very noticeable with SMTP, but in a practical sense it's irrelevant. The spam would arrive even if SMTP didn't make it so easy.

So it appears we have no choice but to charge for it. But most people, if given the chance of free, spam-infested email, and pay-per-send email, will opt for the free email, or at least elect to have it available. Who wants to get financial information involved? If I can manage to keep the address secret (yeah right, but I can hope!) I can get away with no spam and be able to send messages for free! Plus I will continue to need an SMTP account for the mailing lists I'm on, who cannot participate in this new pay scheme and send me mail at my Microsoft address.

We are all going to be receiving spam for the rest of our lives. Solutions to spam should be viewed as suspiciously as blueprints for perpetual motion machines.

Re:Attention Microsoft and Yahoo

[int18]

It already costs money to get email into ISP networks, in the same way it costs money to get any packets into ISP networks. Email isn't free, it's just really, really, cheap. And heaps of *good* applications are based on this fact. Killing them off is bad.

Re:Attention Microsoft and Yahoo

Your post uses:

(x) an incredibly stupid, irritating and pompous stylistic conceit.
( ) informative or insightful comment.

Re:I like the computational challenge solution bet

[geekoid]

except the spammer will send out 1 piece of spam, and somebody else system will be doing the actuall spamming.

Re:I like the computational challenge solution bet

[LostCluster]

The paradox this solution hit is as follows...

If somebody can afford to send a mail list to X many people Y times a week, then that'll be the same price as sending a spam message to X many people Y times a week.

If you set the computational price too high, you've killed all mailing lists, and set it too low and and spam will still exist...

Re:Old news, still a solution to seriously conside

[dougnaka]

Bzzzt! Wrong also. Thanks for playing.

The REASON we have spam is because some stupid people are BUYING the CRAP the spammers are selling.

I oppose money...

[Billy+the+Mountain]

Instead I advocate that the mail server require of the sender to do a brute force cracking of an encrypted message that takes 30-40 seconds per recipient.

what a stupid idea.

[UID30]

this one is even more stupid than M$ solution of the server sending an "expensive" equation to the client to solve before it sends a message.

rule #1) you can't tax a frikkin internet protocol. why, you ask? because there IS NO FRIKKIN WAY TO REGULATE IT!

lets assume this "email tax" were implemented in the US. what kind of infrastructure would it take? the job of taxation would either fall on the owner of the email server (highly improbably at best) or on the government ... now what would it take for the government to "tax" mail ... well, they'd have to know how much mail was sent ... so, they'd have to route ALL MAIL. hello. lets all change the MX records for our domains to point to mail.postoffice.gov ... ha ha ha ha. whew. nevermind the "paranoid" ramifications of having all your email routed thru a government network ... but how much would THAT system cost the taxpayers? insane i say.

now lets just say that a working "revenue collection" system were in place ... whats to keep any individual from firing up their own copy of sendmail and bypassing the whole deal? i know ... a government body could intercept and monitor all internet protocl traffic pointed at port 25! well, what if my firewall portmaps internal 25 to external 10025 ... and my "destination" firewall portmaps external 10025 to internal 25? i know! that same government body could intercept and monitor ALL internet protocol traffic EVERYWHERE! ha ha!

ok ok ... lets say that all that monitoring and enforcement stuff works ... but i want to get an email from my buddy in canada? or korea? now who pays what to whom? whats to keep the intelligent programmer community from then developing a different, more secure, mail protcol ... thus making obsolete all the infrastructure that was built for this half baked plan?

wait ... wouldn't it be better to just START with a redesign of mail protocols? build checkpointing and accountability into the system from the beginning? keep the old mail and new mail systems completely separate ... anybody running a gateway between old & new systems would thus become accountable for all traffic originating from the gateway. sure you'd have a period of time during transition where things might get a little chaotic, but you could always run 2 mail clients until all your contacts get onto the new system. surely there is some IETF committee working on this.

i can imagine the public service messages on tv even now ... 10yr old child in front of computer turn to call over his shoulder, "Daddy! I've got another penis enlargement mail!! Make it stoooooooooppp...". Father figure pans into the picture, "No problem, son! I've just signed up for NewMail! It looks the same as your old mail, but without all the spam!"

Charging postage doesn't stop snail-mail spam...

[crushinghellhammer]

All that junk that lands up in your mailbox - grocery-store lists, coupons etc - somebody pays for all that. I'm sure it costs them a bit too. Still, it's delivered.

So what makes them (Microsoft/Yahoo) think that a similar scheme will stop all spam. If the spammer has to pay for each email he sends, he'll recover his costs by charging the person who's product is advertised in the spam a little extra.

The solution's already out there

[Undefined+Parameter]

Think about it this way: what do you do if a neighbor incessantly follows you around talking about this or that service or product? Well, most people would ask the jerk to kindly shut up. But if this only encourages the neighbor, then it would be logical to get a restraining order. If the neighbor violates the restraining order, then s/he goes to jail.

So, why can't we apply this to all forms of unrequested solicitaiton? Why can't we just make it a criminal offense to badger someone (or several someones indiscriminately) with wasteful spam, mailings, phone calls, faxes, pager spam, etc.?

I think that the usual answer is that you can't arrest a corporation, and that it's even harder to impose penalties on an international corporation. My solution to this is rather radical: allow corporations to be criminally tried for infractions against the law. If they lose the case, they can appeal, but if they lose the appeal (or if they don't appeal), then those responsible should be arrested and punished (by fines, community service, or jail time; the usual means) according to the crime and their participation in it. A major spam corporation might then be effectively broken up; it would certainly put some more teeth into the laws and regulations regarding corporations.

As for multinational corporations... well, there do exist precidents and systems by which nations cooperate to track down and arrest criminals. It would be no more complex than it already is, but would take more manpower.

There are some oddities involving tax laws in the US which deal with all of this, but I'll let someone else who knows that subject better than I explain it, or leave it to the individual slashdotter to research it on their own.

~UP

What do you mean "how do we collect"?

[hacksoncode]

I'm no fan of this "solution" (which seems no better nor even any different from a whitelist).

However, the people asking how we'll collect from the spammers didn't RTFA. You pay *first* by buying the stamp from the third party (and presumably get refunded for any mail that doesn't go through).

Yes, they could, theoretically, scam credit card numbers (assuming there weren't an escrow period for volume buys, which is sure how I would set it up), but if anything has the slightest chance to get them stomped for good, stealing from Visa is it.

Re:What do you mean "how do we collect"?

[forevermore]

You pay *first* by buying the stamp from the third party

And who is the third party? I run my own mail server, does that mean that I'd have to set up some sort of payment system (ie. start a business and deal with paperwork, etc.) before people could send me email? Or would I just be stuck "in the dark ages" and remain subject to spam.

Or what if I want to send mail to someone? Do I pay the recipient, or the recipient's ISP? Do I have to buy a "stamp" for each ISP out there? This is just such a bad idea in so many ways.

smtp+auth+tls nough said!

[cdc179]

Damn Bastards, you killed email.

I am sick and tired of a select few companies proposing things that only intrest them.

If all ISP or individuals who run mail servers would configure them to authenticate a user before allowing them to send mail would take care of just as much spam as what they are proposing to do.

The spam you aren't going to stop in either method will be comming from infected microblow(M$) machines.

If such a postage scheme takes off all reply after me,
"Do not send any mail to user on systems the abide by this system."
If everybody stops sending mail to users on these systems it will die a horable death!

Enough said!

eNotes/eFreight anyone?

[GoMMiX]

Right, start charging to send an email when it's the ISP and end user who actual brunt the cost of transport.

I think not. US Postage is accepted because a real service is provided and required on behalf of the US Postal service to deliver mail.

On eMail, there is in fact no interaction on behalf of the US Postal service or any other government agency required to deliver the electronic message.

As well, this will hardly stop spam - in fact it will give spam the foundation it needs to legitimize itself as a corporate business model. Granted, spam will become slightly more tolerable with regards to the 'amount' of spam - however spam messages will begin to contain massive amounts of information rather then quick and small advertisements.

Regardless, the internet will not tolerate such useless regulation - and email would quickly be replaced by alternate forms of [free] communication(s).

We don't need taxation, we need representation. We pay enough taxes already. It's time for the government to step up and pass legislation that recognizes the need to prevent illegal and unwanted communication(s) on the internet.

Sure, we all want a free internet - but directing [unwanted] communication to specific users repeatedly should be a crime. Once a user declares they do not wish to receive [spam] messages from the sender - that should be the end of it. To continue further [spam] communication(s) should in fact be a criminal offense.

These same practices take a roll in physical solicitations and telephony solicitations. If a person wishes to not have physical solititations - they simply post a [no soliciting] sign at their residence or place of business. Likewise, we have the national 'do not call' registry to prevent unwanted telephony solicitations. As well, there are very strict laws to prevent the unwanted transmission of [soliciting] fax documents.

All forms of solicitation are [proposedly] banned at the users request under the idea that such communications present a legitimate cost to the user.

Email solicitation is in fact no different. The burdon of cost is in fact extended to the user in the form of time, bandwith, and hardware/software resources required to receive and dispose of such [unwanted] communication(s).

I, personally, receive over 40,000 [unwanted] messages per month.

This is after years of preventative measures. There is simply nothing a user can do to stop [unwanted] email, aside from relocating their email address. In which case, it is sitll only a matter of time before their address(es) are aquired and distributed among spam groups.

We have a constitutional right to protect ourselves and our family. Spam is in fact a real threat to many of us. It imposes real costs and has real reprocussions. Future legislation must recognize that threat, and allow [victimized] end users to seek judgement for damages caused to them.

It's a pitty, really, that politicians are so uneducated about technology. Had they the slightest incling, this problem would have been delt with along with the national do not call registry.

One day, though, we will in fact prevail -- and spammers will be spending their time behind bars - far from the likes of any technology. They are criminals, 80 year old woman or not. They are taking from others to benefit themselves. Many of them perform hanus criminal acts to further improve their [spam] operation(s).

So to all spammers, I would say; Our time will come, and so will yours. Be ready, we are.

Why Patch When You Should Replace?

The problem with all these anti-spam "solutions" is that they treat the symptom, and not the cause.

The current email protocol is seriously broken. It was invented back in the day when the internet was an infant, and everybody knew one another. That day is long gone, but we're stuck with the same old protocol like some dismal 70's TV rerun.

We need a protocol that expects the very worst of each and every email, and plans for it.

The Open Source community fights tooth and nail over whether KDE or Gnome belongs in UserLinux! When is everyone going to start fighting at least as hard for a new email protocol that solves this (and the virus attachment) problem?

Charging a fee for email is a typical M$ solution: patch the problem to shut the complainers up, while maintaining the same old flawed system, and in the end, solving nothing at all.

Legal Approaches that no one has suggested

With all the sys admins or whatnot trying to figure out which IPs are truly responsible and the huge efforts they exert to find the guilty party or machine, why doesn't anyone talk about the basic follow the money method?

You may have legislation to put spammers in jail or levy huge fines on them, but first you have to find them. That is easy. All law enforcement has to do is:

1. Pretend to be a vendor that wants to advertize via spam. You'll have to write a check to pay them and then that's it. You have the classic sting operation.

2. The spam advertizes a store, so figure out the store and pay them or write to them or supoena them with the question "Who did you pay to send all those emails?".

Follow the money folks. It isn't that hard. Why filter and chase when the spammers are already using compromised home PCs? They know about technology - but can they handle the long arm of the law? Presuming of course, that the law is interested in stopping spam.

AOL can offer FREE email and get customers back!

[Proudrooster]

I say let Microsoft and Yahoo go shake down it's customers for E-Stamp fees. Better yet, let them make the new protocol which they refer to as "caller id" proprietary and, only run on Microsoft products.

This is just the break AOL needs to get back in the game. AOL can offer SPAM blockage without the fees. I am not a fan or proponent of AOL, but my point is that the market is going to quickly sort this out. I wish Microsoft and Yahoo all the best and hope they go full speed ahead with this plan. After all, taking something that's FREE and charging money for it in a down economy is brilliant! Absolutely brilliant! These companies must be full of MBA's from the finest schools. I wonder if I could be successful selling the FREE MSN CD's :)

While MSFT and Yahoo are inventing "caller id" for email. Maybe they could figure out if the email is "long distance", "intra-lata", or "near-zone". Next, they could invent a whole wacked out billing system just like SBC/Ameritech in which I can call across the country for 3 cents a minute, but calling outside of a 20 mile radius costs 10 cents a minute or more depending on the time of time. And there's another idea. Invent a rate plan based on the time of day the email is sent. What if you use a laptop? Will there be email roaming charges!? The possibilities are limitless. Go get'em boys, put those MBA's to good use, just don't expect a check from me, but do send me a copy of your rate plan so I can laugh!

Re:Old news, still a solution to seriously conside

[mabu]

The ONLY way to stop Spam is to make it too expensive for spammers to send it.

I agree with you, however I think the best way to do this is make spammer's "costs" involve BAIL MONEY and CRIMINAL DEFENSE LAWYERS FEES!

Doesn't make sense, not good public policy?

[DaveJay]

Sigh. From the article:

>"The very notion that I have to get permission to send you a marketing
>message doesn't make sense and is not good public policy."

I dunno. I feel like the very notion that marketers should be allowed to cram advertising into the email boxes of anyone they feel like, without regard for the costs borne and time lost* by the individuals and ISPs at the receiving end, doesn't make sense and is not good public policy. I guess it depends on who you think the public is -- the masses as individuals, or the masses as business owners and operators.

*I never really thought about the time lost, until I started administering a few extra domains with email addresses on a lot of spam lists. Even with direct access to the mail server over the LAN, it takes a surprisingly long time for thunderbird to rifle through the messages (via IMAP) to discard spamassassinated messages and apply the bayesian filtering to the rest. I can only imagine how horrific it must be for 56k modem users!

Fix the protocol...

Charging will not work. Here's what will happen:

1) Start charging for SMTP sends.
2) New mail protocol to avoid charges becomes widely adopted.
3) Spammers learn to use the new protocol.
4) Repeat the above, ad infinitum (until a new protocol requires sender identity - public keys?).

IOW, the money may spur new protocols, but won't prevent spam. If we're smart we'll just short-circuit this process and move to a new protocol while keeping things free.

Postage doen't need to be money, time is better.

[Charles+Dart]

[Please exuse me if this is what the article is about, I didn't feel up to sacrificing my first male child to the Times.] The newsletter for the Society for Industrial and Applied Mathematics has an interesting article about postage. from the article (link goes to page with link to PDF Read "Math 1, Spam 0")

The Penny Black Project instead uses "proofs of work," a concept first introduced in 1992 by Cynthia Dwork and Moni Naor of the IBM Almaden Research Center. The idea is simple: "If I don't know you, you have to prove to me that you spent ten seconds of CPU time just for me, and just for this message," says Dwork, who now works at Microsoft Research. For legitimate senders, spending ten extra seconds to send an e-mail message is no problem. Most of the time, you spend more time than that simply composing the message. But for spammers, those ten seconds are the kiss of death. The one thing that no one can steal is more seconds than there are in a day. For a single computer, the CPU time available in a day amounts to 86,400 seconds; a spammer who wanted to put electronic postage on millions of messages would thus need hundreds of computers. Dwork is betting that most spammers cannot afford that kind of expense. Spam costs almost nothing for a spammer to send, but a recipient who looks at the message and manually deletes it incurs a perceptible cost in lost time.

So what

[iminplaya]

if I attach a jpeg of a stamp to my mail? Will that work? Actually I believe that they just want to eliminate anonymous mail and access to the 'net. Luckily for us, somebody will always offer free, anonymous mail, until it is outlawed.

*sigh*

[Knights+who+say+'INT]

Once, registering domains was free too :(

Proposal Will Stop All Spam...

[Cbs228]

... Because there will be a mass migration to some other protocol, myself included. If everyone stops using SMTP, it becomes an unattractive way in which to post ads.

How do you define "email?" IMs and SMTP both serve much the same function, and the only real difference is that IMs are designed for near-instantaneous delivery. Does that make IMs email? What about CGI-based contact forms that deliver directly to a POP3 box? It has the same effect as an email, so is it email? If SMTP is taxed then people will move away from it and start using more non-traditional message delivery services. You would have to tax the whole internet to tax "email."

I am not willing to pay to send email messages, and (as always) the spammers will move out of jurisdiction and continue spamming for nearly-free.

idiot

hey -- you are welcome to filter your port 25 traffic any time you like.

if people can't even keep their windows boxes updated, how do you expect to enforce isps blocking port 25?

YOU ARE PART OF THE PROBLEM

Solving the spam problem is not the problem

[jarran]

There are dozens of "great" ways to solve the spam problem, this may or (more like) may not be one of them. But the real problem is finding a migration path away from the current system to any new "fixed" system.

During the transition period, users will either have to accept e-mail from the old SMTP system, or refuse it. If they accept it, why would anyone move to the new system when they are still going to get spam via SMTP? If they refuse it, why will anyone move to the new system when it means they anyone still using SMTP (which at the start, will be virtually everyone) will be unable to e-mail them?

If we could say, "OK, from Jan 1st 2005, SMTP is gonna be switched off and everyone will use the new system", there wouldn't be a problem, but obviously we can't do that.

Or we could somehow stop spam from SMTP getting to accounts on the new system. But then, if we could do that, we could presumably use exactly the same technique to fix SMTP.

That said...

[dolo666]

... does anyone know how to authenticate a user *without* email? We get users from hotmail all the time saying they could not register because they never got the email.

No

Bob has bitch tits.

Re:No

Rule Two: Mod Parent Up

Security risk

[unoengborg]

If we are going to pay postage, we must have some electronic way of doing that. It could be creditcard or something else. Whatever it is you will have to be able to do payments through your computer. That will probably include som account information et.

What an admirable target for viruses, trojans or spyware that would be. The relatively small problem of using e-mail filters to prevent your inbox from clogging up will be replaced with the bigger problem of keeping your money in the wallet.

A better way would probably be to only accept digitally signed mails, that way the sender could always be identified, and if spam was illegal in most countries we would be able to prevent spam with legal processes.

The problem is that there could be legitimate use of anonnymous mail. E.g. who would send an e-mail to the press telling that their company is doing an Enron to the press or even the police if they knew they could be identified.

But I think its easier to learn to live with this disadvantage, than to loose the money in your wallet. After all wistle blowers could still slip a paper note into an unmarked envelope and slip it under the doorstep of the reciever.

Re:I like the computational challenge solution bet

[Swanktastic]

Asking the sender to process a quick math question seems a better solution to me.

Ok Einstein, how would the marketing department send emails?

No doubt about it...

[Eric+Damron]

this is an attempt to create a cash cow.

Spammers are going to remain anoymous and will not get billed. It's the average joe that will line Microsoft's pockets.

Tell me this: If a hacker is able to hack into a mail server running Microsoft exchange and email out millions of emails because of Microsoft's buggy insecure software, will Microsoft pick up the postage or will the poor fool who trusted Microsoft's products?

Spam solution: its simple folks!

[pilgrim23]

We have had a solution to the SPAM problem. It has been there for many many years but we fail to make use of the resources available. Think it through. Instead of a "Email tax" merely set up a nice PayPal account we coudl all donate to for a organization based in some nebulous unknown 3rd world country. This organization, preferably with a cool 4 letter acronym based name, could then higher such people as retired SAS officers, unemployed KGB operatives, Columbian Cartel hit men out of work, Balkan Mercenaries...you get the idea.... These noble souls could then isolate and identify spam generators and.... "007 Begin Data Purge" Sometime in the future, the simple, gentle mementos of this organization (a collection of not more then 30 mummified right thumbs gathered in the performance of their solemn duty) will be a reminder to the world community that it is fare kinder to converse, then to be perverse... --

A Better Solution

[localman]

Doesn't it just come down to killing the easy anonymity of email? If the whole system was run in a secure fashion, then it would be child's play to sue the pants off a few high profile spammers and put the whole bunch of them out of business. And blacklists would actually be useful.

Of course it requires a major conversion of the ol' SMTP, but with a huge amount of power concentrated in AOL, MSN, and Yahoo, I think they could come up with a secure email alternative and force everyone to upgrade. It would be painful for a bit, but in the long run I bet it would be better.

I'm all for anonymity in general, but not in my inbox. Post to a discussion or something through an anonymizer if you want that.

Cheers.

This means the Spammers Win

[ottomatic42]

I'm not going to pay for e-mail just because spam has taken over the internet. I MUCH rather set up filters and reduce my spam down to trickle before I am going pay for sending e-mail, that would be the dumbest thing ever and completely mess up the exchange of ideas we now have thanks to the internet. Unless all service providers covered the charge I'm fully against it.

Is the payment paid in cash or processor cycles?

[Osrin]

Every time I've read about this proposal so far it has been about making the sending relay do a little extra processing by solving a simple puzzle rather than asking somebody to fork over a few cents.

The idea is that if it takes you some extra time to bulk mail you will need more hardward and more processors to do it. The algorithm I read about was using memory content movement through the bus rather than straight processor cycles, i.e. buying a faster processor does immediately reduce the amount of time it takes to solve the "sending puzzle".

No doubt Google will help you find the original article, it was only about a week ago when it was on the BBC news site.

You Forgot One Thing..

[dbretton]

Email postage might make sense if the the government of every internet-enabled country in the world were to accept and enforce this taxation equally, or if we had a single world government.

But that's just a small detail...

Re:Is the payment paid in cash or processor cycles

[Osrin]

This is the URL to the original BBC story - http://news.bbc.co.uk/1/hi/technology/3324883.stm

Not having a NYT account I don't know if this is directly related or not. Seems that it needs some airtime anyway.

They obivously are forwarding them to my inbox

[jotaeleemeese]

I get in excess of 50 spams per day in Yahoo.

No charge for 'legitimate' advertising?

[0siris]

The idea may work, but I'm not in favour. I like email, I like that it's free, and it means I rarely have to use snail mail / faxes.

One thing though - if Microsoft or Yahoo are approached by a company offering to pay for a bulk... er..., promotional mail sending spree, will they accept? I mean, if they are in it for the money like some of the posts on this topic suggest then maybe they can work in a reduced rate for known (high paying businesses) spammers?

Billy-boy wants to own it...

[KC7GR]

This may be nothing more than my own paranoia kicking in, but...

Micro$platt has a long and colorful history of buying out (or attempting to buy out) their competition. If said competition refuses a buyout, the usual result is a hostile takeover of some form or another.

I think Billy-boy and 'UncaFester' Ballmer would love to "own" E-mail. However, it's such an open application (SMTP) that the only way they could come up with to "own" it is to come up with their own system of electronic postage.

This business of "ending spam in two years" is nothing more than a smokescreen. Our legislators already had the perfect chance to, if not end spam, and least put a big dent in it by BANNING IT OUTRIGHT. Did they take the chance? Nooooo. Not with their puppet masters in the DMA breathing down their collective necks.

It would have been a no-brainer to extend the junk FAX law to cover E-mail as well. Along those lines, I've often wondered what part of 'No!' it is that telemarketdroids and spammers Just Don't Understand.

Anyway... This is nothing more than Billy-boy's attempt to "own" something that he really can't. I predict the entire effort will end in utter disaster of a public-relations nature.

And the worst part is that I don't think it'll have the slightest effect on the spam problem. Nothing will, until legislators are brave enough to recognize where the private property lines are on the Internet, and subsequently say "No, spamming is NOT legal. Period."

Re:I like the computational challenge solution bet

[Lehk228]

not if users can set certain servers as no-challenge, that way the recieving machine simply asks the mailserve "did you send this?"

Re:FCC Chairman Declares Halftime Show Crass

[Laxori666]

What's crass and pure outrage is the fact that CBS refused to display that ad about the federal deficit from www.moveon.org ... I think people should be more worried about _that_!

Use another port

[RT+Alec]

Use a different port for initial mail submission. In other words, accept mail from the outside world to your users on port 25 (the standard port for MTAs to communicate). Obviously, you are already doing this. For mail from your users to the outside world (or other users, for that matter), use port 587 (submission) or even better, port 465 (smtps) with SSL or TLS for security. Now none of your users have to worry about ISPs blocking egress port 25 traffic (a practice I support, as it fixes many other problems in addition to spam-- such as Windows viruses).

SMTP+SSL+AUTH is better than POP before SMTP, now that most clients support AUTH. The trick is setting it up, see these tips for more advice:
http://www.sendmail.org/~ca/email/auth.html
http://www.sendmail.org/~ca/email/starttls.html
http://www.sendmail.org/compiling.html
(obviously, these tips are for Sendmail, but other MTAs can be similarly configured).

Well yes please!

[miffo.swe]

Here i am with loads of money burning in my pocket, what will i do? Why not spend it on a scam portraying to be about fighting spam but really is an attempt to tax email?

Anyone with half a brain will be very reluctant to give the power of email delivery to Microsoft as little as we have been keen to give them the key to the internet (MS Passport). Giving them that kind of power for free is like giving a bankrober a better gun -"here, please rob me again!"

What is there to assure us that MS dosnt sign an agreement with someone for discounts on large quantities of "informational email"?

Another very big reason is that spamming is not going to be solved this way. Lets say i have an account and someone uses the latest hole in Longhorn/whatever and steals my account? What about thousands of accounts? I cant really see any way to remove spam without seriously crippling email as we have learnt to love it.

The only real long term solution is to take away the incentive to send spam, the money pouring in from mindless companies paying for spam. Why not solve the root of the problem instead of creating a new market for MS and Yahoo?

GPG and Web Of Trust is the answer

[Tracy+Reed]

If every user or at least every server had a key and we all signed each others keys creating a web of trust and only accepted signed and trusted mail the spam problem would be solved. I really dislike the way SSL certificates are handed out. A central CA is a very bad idea due to the cost and browser lock-in issues etc. With GPG and web of trust if you want to run a mail server you need to talk to a friend who is already running one and get them to sign your key. Perhaps we could even use DNS to propagate and cache the keys and sigs. If you sign a key that turns out to be a spammer you better revoke that signature fast before the person upstreeam from you revokes yours. Problem solved. Now if only we could get the big guys to go along with it...

Re:GPG and Web Of Trust is the answer

[seb249]

This is actually a really good idea, Perhaps if the "little guys" start working together we can nut out a working model that can then be pushed to the larger companies.

Seb

Dummest idea ever!

[GooberToo]

As soon as money comes into the equation for email, only an absolute idiot is going to thank that the government isn't going to start taxing it!

Supporting micro payments is simply going to be another form of tax revenue. Not only does this plan make zero sense, but I certainly don't want to have to pay to email AND pay taxes on it too! I already pay for my DSL connection. I pay for my hardware. I pay for my time. I don't want to have to pay again, for everything I've already paid for.

The short line of idiots is over there! No thanks...I'm going elsewhere.

MS's fix for everthing seems to make them money

[sPaKr]

Postage? Ya.. that will stop spam. Lets look at this

• Online porn makes more memny then anything else
  
• Porn and other similar industries produce the lions share of spam
  
• Good content, is mostly un-funded list servs, yada.
  

Charging for email (postage) will only insure that all email is spam as the average user wont send email but the spammers who are making money will be happy. It will Legitmize their buisness, and they will just incure another buiness expense which they will pass along to their clients. This has to be the worse Idea have heard in a while. The real solution to the spam problem lays in two areas. First stopping spoofing and forceing people to own up to where email comes from thus making filtering rules trival to implment. The second way to stop spam is to punish the people that use it. All of the fly by night websites that sell porn, herbal vigra.. and mortages should be put on an FTC hit list and punished publically to teach others that 'viral marketing' is really a virus that will snap back and kick your ass for unleashing it.

Same concept as RIAA is pushing

[tentimestwenty]

It's the same ridiculous concept as the RIAA is pushing. There's not enough "friction" currently so let's make it harder and more expensive to use so that it will cut down on "spam." Obviously the end result is that ordinary people pay more and have less freedom to use the technology.

why do ppl use hotmail

i will never understand how someone can use an email-provider who doesn't offer pop3 or forwarding... wonder if those people are even crazy enough to pay for it

What about mailing lists?

[AaronW]

What about mailing lists? I'm on numerous mailing lists, some of which have thousands of users. How do you combat spam and not stop legitimate mass mailings?

Also, as far as charging people for sending email, what about all the hijacked machines out there? Granted, it would certainly give an incentive for people to patch their machines. Finally, all ISPs would have to approve it. If one ISP, to attract customers, says unlimited free email, they might get a lot of people who legitimately send a lot of email as well as spammers. What about foreign countries? How would you get countries like China, Korea, or Russia to do this?

I think the only technical solutions are white lists and some form of user authentication. However, authentication can also cause problems, especially if an ISP blocks outbound port 25 connections. For example, I have several domain names and I use various email addresses in order to block spam. I have one email address where I never receive spam because I only use it for personal communications or emails to people I know for sure will not spam me. I never use it for mailing lists since spammers frequently spider web sites that archive messages. I also never publish it on my web site.

However, no matter what email address or domain I use for sending mail, I have my mail server forward everything through my ISP's mail server.

If my ISP decided to only allow the email address they assigned me and they blocked outbound port 25 then I could not send any email with a different from and/or reply-to address. I also send email with my work address when working from home.

I think if something like California's spam law went into effect nationwide, it could do a lot to stop spammers. Even though most spam appears to come from China or other foreign countries, most of the companies sending the spam are right here in the US.

-Aaron

So the next Virus is going to cost me?

[iion_tichy]

What if I get a Virus that sends a million emails from my account - much bigger damage if sending the email costs something.

I don't think security mechanisms exist yet that could prevent that scenario.

Spammers will just forge the "stamps"

[kjfitz]

If they can forge a header they can forge the postage.

Come on, the spammer has already shown an low regard for the law anyway.

Dumb idea plus Good idea = Everybody happy

[Felinoid]

The dumb idea = 1 cent per e-mail...
The smart idea = Reject all spam with no PGP signature.
The current idea = A "White list" and "Black list"

Mix it up:

If you match one of the above conditions your e-mail is sent:
If your a known goodguy such as eBay (or Microsoft.. ug) then you get on the global white list... (Requires a sizeable deposit)
If your willing to provide absolute certanty that you are who you clame to be (PGP) you also get through.
If your not willing (or able) to do eather then you get to pay...

Spammers will play around with this.. Some will fork over the 1 cent... untill they realise 2,000 e-mails means $200... You know that isn't much money really...

Spammers will go for the white list... Sizeable deposit revoked.. lawsutes... but that's kinda the way it works.

Spammers will PGP themselfs and that seams like the best idea becouse it's probably better if we can positively identify the spammer than if we make him pay becouse a lot of spam is criminal offering prescription drugs with out a prescription that sort of thing.

If I know Slashdot like I think I do.. and I'm cool with it if I'm wrong... But I think someone is going to say "Why bother with the dumb thing?"

It's quite simple: We have Windows, MacOs and the Posex famaly of operting systems (Ok MacOs is part of that & technicly WinNT can join too.. But not the point)
The dumb idea, the smart idea, the current idea.
We will always have that mix and it's important that people have the option open to them.

The dumb idea: Probably the easies way to go. A big headake in many ways but most people want a passive non-invasive non-committing pacage.
They want an easy way in and out.
Plug and play. Pay your quarter in the arcade instead of owning the cartrage.

The smart idea: Typlicly some sort of commitment is called for and it's not a simple one. An investment of time or money.. usually time. People don't want that unless they really understand what they are getting out of it.
Users will resent being forced to buy a game console or worse a whole computer just to play a stupid video game.

The current way: Or usually a tweek of the current way. Some happy middle ground that works well but not perfictly.
Game rentals. For a lot of people it's easy to slip into and go with.

Now as far as I'm conserned (and I know others will disagree.. and when that changes it's time to get paranoid..) in the os department the dumb, smart and currnt ideas are:

Dumb: Windows, Smart: MacOs, Current: Posix...
For the record I've gone Posix..

Re:Dumb idea plus Good idea = Everybody happy

[chriskenrick]

If you match one of the above conditions your e-mail is sent:
If your a known goodguy such as eBay (or Microsoft.. ug) then you get on the global white list... (Requires a sizeable deposit)
If your willing to provide absolute certanty that you are who you clame to be (PGP) you also get through.
If your not willing (or able) to do eather then you get to pay...


Sorry, but that isn't going to help with things like non-profit mailing lists, who aren't going to have the funds for the "sizeable deposit". You've then got to have every single list member PGP signing emails, which is pretty ridiculous.

Spam isn't an easy problem to solve, by any means.

Spam Solution

I have a solution, When a person sends an email, the email server recieving the email will generate a response and in the response it will have an image that has letters and numbers. The person then has to send another email and in the subject of the email you have to put the generated text. And you make the image so hard to read that computer ocr software can't read it clearly. So once the server recieves that second email with the code in the subject it allows the first email to go through. It's kinda a pia but it would elminate some of the spam because if a spammer sends out 30,000 emails then that means they would actually have to send out 60K with the correct codes.

Charging per e-mail is just going

[KalvinB]

to create a market for subcription based/free e-mail.

Fine MS and Yahoo and whoever else, be retarded. I'm not going to dump Mercury Mail just so I can micropayment people to death. I'll happily take your pissed off customers and I'm sure most other e-mail servers will do the same.

There are already dozens of free ways to communicate with people over the internet. If your "solution" involves invading my privacy or my pocket book, you need to remove your head from between your legs and see if you can come with an actual solution now that oxygen is reaching your brain.

Everyone, including the spammers are going to flock to the easiest and cheapest ways to communicate. You need to deal with the problem not just try to hide it under a pile of money and/or regulations.

It's pathetic how many people think sacrificing liberty for safty is a bad idea but when it comes to sacrificing privacy and money over spam, that's somehow a good idea.

I'm perfectly content with the current system as I'm keeping spam down to a dull roar without caring about who sent the spam or charging senders.

Blocking port 25 is just going to result in people running their SMTP servers on another port. I already run mine on two ports. If 25 goes away, another will be standardized or RinetD's stock will go up as people will be forwarding as many ports as needed to keep the mail moving.

Ben

How about stop giving out addresses?

[RyoShin]

Maybe the answer doesn't lie in paying for e-mails, but for big companies (Microsoft, ISPs, Yahoo!) to stop selling e-mail lists to those damned spammers.

Oh, sure, you have the web bots and fake sign up forms and what have you, but I bet if some law was passed (that punished heavily and was inforced heavily as well) that made it illegal to sell a person's e-mail address without their prior knowledge of exactly who it is going to, things would dry up.

At the very least, make it so that if a company does sell someone's e-mail, that person gets some kind of reimbursment for now having to waste their time guessing is an e-mail is spam or not.

A buddy list can help... sort of

[enosys]

A buddy list can help at least on some services because you can totally ignore all messages from people who aren't on your buddy list. That's not really nice because then other people who are trying to legitimately contact you won't be able to.

With some IM clients you could set up a challenge system for people who aren't on your buddy list. But guess what? You find out that you have to deal with more or less the same issues as when trying to stop spam in e-mail.

Re:A buddy list can help... sort of

[Dukael_Mikakis]

Yeah, I'm trying to think of some way that it could all work. Perhaps some sort of Friendster (or now Orkut) style validation where screennames get scores based on whether they're legitimate people or not (heck, that's even like /. moderation). But then the potential for abuse there is also astronomical, as spammers could set up validation farms. In essence, any sort of spam prevention that depends upon users will fail because spammers are users themselves. In fact, spammers sre most likely users with significantly more resources than the average user. So I think it's trouble, no matter what.

It will not work.

Paying for email is seen as a way to stop spam by many.
What all of those forget5 is that it also takes away the one big reason why people use email instead of fax, even when that means having to scan and manipulate pictures instead of just throwing a sheet of paper on a machine.

IT WILL NEVER WORK

As soon as such an idea is introduced and normal email is hindered, peopel will setup alternatives.

I do like Yahoo's idea to sign messages at the originating server, esp. when combined with DNS info that tells which hosts are allowed to deliver mail from a domain.

This idea however is stupid and is bound to make email even less usable then it is today due to the spam, just forget it,

Don't pay the ISP. Pay the recipient.

[uncadonna]

If the recipient replies or authorizes, they forego the fee.

Advantages: real email stays free, spam costs, microtransaction standards emerge.

Disadvantages: Microsoft and Yahoo don't make as much money. Sorry.

Bring 'Em on

[kindbud]

I'm not an ISP, but that doesn't mean my company's mail servers don't receive a significant volume of mail. Last month, the incoming mail servers for our 5,000 or so employees rejected 11 million spams with a SpamAssassin score >= 10. If we had instead accepted those emails, and received a penny for each of them, my department would have brought in $110,000 in revenue for the last month, just for turning off the spam filter.

Sounds like a plan.

Let Yahoo and MS charge for email

[imnoteddy]

It might be kind of nice if the big boys tried to charge for email because then people would have an incentive to find a solution. In other words kill email as we know it.

If there was going to be a charge for email, consider how one group of email users, namely universities, would react. First, they'd find a workaround/new protocol so internal "messages" wouldn't be charged for. Next, universities would find a way to exchange "messages" between each other without charges. Then others would pick up on the idea and ...

There are technical solutions, but they won't be adopted until a certain pain threshold is reached. Spam filters have improved a lot lately and have been holding the pain down. Charging for email would ratchet the pain level up immensely.

Re:Old news, still a solution to seriously conside

[mabu]

The REASON we have spam is because some stupid people are BUYING the CRAP the spammers are selling.

Really? How's your penis doing these days?

You don't know anything about spamming if you believe what you're saying.

If spamming really was effective, there would be a lot more legitimate companies doing it, but there aren't, and there's a reason for it. It's really only economically viable if you can do it en masse and it's relatively cheap. The vast majority of spamming promotions are strictly commission-based. If people really were buying a lot of these products, that wouldn't be the model spam-promoting companies would employ.

Any easy one...

[bergeron76]

Microsoft partners with Yahoo, with the greater goal of crushing Google.com, and returning Yahoo the #1 search engine ranking (as powered by msn.com).

I for one, certainly hope that google releases a mail service SOON. By doing so, they'll pre-emt the forthcoming Microsoft strike. Furthermore, if they do it right, they can easily become the #1 mail system AND kick MSFT back a few steps in the process.

But what do I know - I'm just a slashdot-reading-msn-bigot and I don't want no stinking google corrupting my great msn.com search results!

Frictionless....

[mousse-man]

There are ways to get spammers: a) make it a felony. One spam, one month in the pen, with Bubba. With the amount sent in one spam run, we can be pretty sure the person will never spam again. b) make sure that any country harboring spammers gets cut off the internet if they do not deliver the spammers to the country of the first person charging them with spamming. c) do the same with people that buy from spammers.

Re:I like the computational challenge solution bet

[John+Hasler]

> Since most spammers use invalid return addresses

They _do_ use valid return addresses. Mine, for one.

> ...as I've seen with TMDA.

Yes, I'm seeing more and more of that crap, along with the bogus bounces and "You have a virus" warnings.

Re:I like the computational challenge solution bet

[John+Hasler]

Simple. "Legitimate" mailing lists would be Yahoo Groups. All others would be SOL.

Yes, there has to be *some* cost for stranger-mail

[isdnip]

I'm drowning in spam, and it's getting in the way of my job. The only solution that can possibly work is one that involves putting a price tag on spam. So here's my proposal (which I've put on here before, btw; this is not a new topic). The only way to put a price tag on spam is to put a price tag on email. But it doesn't have to apply to all email.

The price, then, is for the right to touch MY mailbox IF you're a stranger -- if you're a mailing list that I've subscribed to, you would go onto my whitelist, and come in postage-free. If you are somebody I know, you go onto my whitelist, and come in postage-free. Yes, for this to work, there has to be some way for the POP server (NOT the client) to maintain per-user whitelists.

If you're not on my whitelist, you need to use a one-time "stampette", whose price would have to be high enough to discourage spammers, but low enough to not bother anybody worthwhile. I'm thinking around a quarter-cent per message, but it wouldn't be fixed by anyone in particular. These stampettes would be issued on a free-market basis, and anyone could set up a micropostage service, provided that the *recipient* whitelisted it. So if somebody were giving away stamps at, oh, a million per dollar, then spammers would use them, and those stamps wouldn't be on my whitelist. Again, it's a free market solution, no government intervention.

ISPs, in this scheme, should issue all subscribers a batch of stampettes (which mail clients would learn quickly to attach, if needed). A thousand for a quarter-dollar (or quarter-Euro) would be more than enough for a month, don't you think? How many strangers (or first-time correspondents) do you write to?

Re:Yes, there has to be *some* cost for stranger-m

[Alien+Conspiracy]

It already exists: this is what sudonames.com does.

Also check-out the Mailbox Reputation Network, which can provide the infrastructure for doing this on a global scale.

Re:Yes, there has to be *some* cost for stranger-m

[Alien+Conspiracy]

Sorry that URL should be The Mailbox Reputation Network.

Woohoo!

[Geek+of+Tech]

Thanks Yahoo! It's about time someone figures out a way to stop all that spam coming from Microsoft.... well, except for the patches they keep emailing me....

Re:I like the computational challenge solution bet

isn't really just a server by server whitelisting system.
ie. a server you deal with each day would probable be asked an easy question.
a new server a hard question. the low load of hard questions as the user base builds up would be managable.
but the one off load of 1000 hard questions could be killer.

Re:I like the computational challenge solution bet

[rhysweatherley]

No need to appeal to old P166 boxes for a "won't work example". A top of the line Palm or iPAQ handheld, or a next generation smart mobile phone won't have sufficient CPU capacity to do heavy math. At least your P166 had an FPU. The average PDA doesn't. Heavy math in the SMTP client isn't really a solution either.

Time to sign up some Yahoo email accounts

[b0lt]

Cha ching!

Try to learn from history, not repeat it.

[49152]

>The difference is that with my idea, all computers are blacklisted by default; only those servers who maintain a billing account with the receiving ISP are allowed to send mail to them

Do you have any idea how many ISPs, domains and email servers there exists in the world?

This is excactly the way X.400 mail worked and the reason why it did not (and never could have) scale up to the hundreds of millions users Internet email have.

Spoofed Emails = Charges?

[nurb432]

What about all the spoofed emails that get bounced, or make it to recipients that appear to come from you when i really didnt...

So i get charged for something i have ZERO control over?

No I didn't RTFA, since I refuse to register. Information should be free... .

Here are your spam solutions

[bigberk]

Why do solutions always have to cost money or put control is some company's hands? I call bullshit. So here, people, are your solutions to spam:

User-level: spamprobe, bogofilter, spamassassin and spambayes are all very effective statistical filters with bayesian components. Train them well and you will see next to 0 spam, with just about no false positives. I dare say these will filter mail better than a human could do visually.

Those statistical filters aren't scalable. Running a large ISP is more your thing? Then install DCC at your site and enable greylisting on top of it. This will catch nearly all your spam, and false positives are rather rare.

All this software is free and actively developed. There, I've just saved you from spam. Where's my 200 USD consulting fee?

Re:I like the computational challenge solution bet

[John+Hasler]

I hadn't thought of that. I guess the proposal isn't all bad after all.

Re:Old news, still a solution to seriously conside

[firewood]

The REASON we have spam is because some stupid people are BUYING the CRAP the spammers are selling.

However, there are millions of stupid people and they breed faster. It would cost you far more than email postage to even attempt to educate most of them, and you would probably fail anyway.

sending mail violation of SCO IP

Dear Slashdot readers,

SCO has investigated a feature of Linux that allows you to send electronic email. This feature is violating the Intellectual Property of SCO. Please remove the ability to send and receive email from your operating system immediatly, or puchase a sending mail licensing fee for $500 per half a processor from SCO. More information on this issue can be found at http://www.sco.com/licenses/sendmail

Thank you,
SCO

Another sugestion to fighting spam

How about this: every major ISP pays the FCC (or the equivalent in another country) a tax on the e-mail, this gets passed down to the users in various forms, usually with not much affect (.01/e-mail sent or recipient) thus big ISPs support spammers but the spammers have to foot the bill for the tax. Now to deal with the mailing list problem, one implements a tax free whitelist for the recievers so that legitimate newsletters are not taxed. What about non USA/western country e-mail you ask? well the user is always footing the bill for the e-mail therefore ISPs can give the user the choice of accepting the e-mail (and paying tax for it) or chucking it; I'm sure some enterprising ISP would provide discount services for corresponding with india or wherever to buisnesses. So to recap: ISPs make a little less money, government makes more, and the spam buisness model becomes moot because of costs.

Spam solved

I don't see the problem with limiting the # of emails form any given ip to 10000 an hour. This way, johnny-come-lately with his home brew email server can send email to his 30000 users in a few hours. They could even have a waiver for companies like m$n, yahoo, and dell. Or any other company who is adhering to opt-in ads. It would take a spammer forever to spam at that rate

Re:Yes, there has to be *some* cost for stranger-m

[isdnip]

Those are interesting, thank you for posting them.

Both, however, seem dependent upon having both sides of the conversation join. In the case of Mailbox Reputation Network, it seems to be a voucher-based (as in I vouch for you, a web of trust) system. In the case of sudonames, it seems to be a whitelist system, where non-members can't send mail to you.

If both were universal, they'd probably work, especially sudonames, because that seems to count the credits, making host-hijacking worthless (it would run out of credits, which wouldn't happen right away with MRN, as I see it). But if I joined sudonames today, random people trying to reach my sudonames address would get bounced.

But then any micropostage scheme could have that problem, even mine, though a whitelist would exempt recipients from needing credits (stampettes).

Re:Federal BIll 602p!!

To whomever modd'ed this as Flamebait -- thank you for correct moderation!

Meaningless Spam

[Basehart]

I recently started getting spam that has nothing but random words. The subject lines are stuff like "RE: Lawn Move Over Sense"

The body is stuff like "wall patience gratis sense over never everywhere nixon seaside wallflower table quicksand sky blue..."

As usual it's addressed to fakename@ my domain

What's the point of such mail, other than to clog the web with really useless crap.

Getting v.iagra spam kind of makes sense, in a spammy kind of way, but these new things don't make any kind of sense at all.

Re:Meaningless Spam

[forkboy]

It's those goddam Discordians, I tell ya.

Hail Eris, Ewige Blumenkraft, fnord, and all that nonsense.

Either that or its a coded URL for kiddie porn. Anyone tried some basic codebreaking on gibberish spam yet?

Re:Meaningless Spam

[Ciggy]

What's the point of such mail, other than to clog the web with really useless crap.

Any your filters with crap: you get it, see it as spam, give it to your spam filter to learn and, Robert's your father's brother, your filter starts filtering out proper email as spam as well.

I'm lucky as I can filter on "To:" alone; as in 2003, 8579/8625 (99.47%) and, so far this year, 2961/2969 (99.73%), arrive at one e-addr [all spam has arrived at one "Envelope-to:"] - the rest are message IDs and "postmaster@", "email@", "webmaster@" & "get.real@"

Re:Old news, still a solution to seriously conside

[That's+Unpossible!]

Wrong. The reason we have spam is because spammers have convinced an infinitely large group of slimy/ignorant companies that stupid people are buying crap the spammers are selling.

A subtle difference.

Re:Old news, still a solution to seriously conside

[arothmanmusic]

"If spamming really was effective, there would be a lot more legitimate companies doing it, but there aren't, and there's a reason for it."

Actually, there are plenty of legitimate companies using mass email for advertising... the problem is that they play by the rules and are therefore much more easily filtered out by spam-blockers and less often noticed than their shady counterparts. Furthermore, legit companies tend to target the audience better and can therefore send smaller mailing runs, so you don't notice them as 'spam' as much because they aren't completely off the mark if you happen to receive them.

My company generates a large portion of its sales leads from bulk email that some might call 'spam'. I can guarantee you that if there were a reasonable scheme in place, my bosses would happily pay to continue sending our bulk emails 'cause they bring in business.

The bottom line though is that we need a new, secure email standard that allows the sender to be reliably identified. We can keep it all free if there's a method in place for enforcing the current laws.

Worst idea ever.

[Gadzinka]

It's the worst idea to fight spam ever.

It's almost as bad as the methods of the most hated government body in Poland -- our version of IRS. When dealing with VAT deduction the law states, that you can deduct VAT only if the person that sold you goods really paid it.

The idea is that people will do IRS's job, checking if someone paid their VAT, so they would stay clean. In practice no one can really check and if someone cheats on his taxes, his customers are held liable and fined.

Now do the math and find out how this relates to this story. Only this time ``fining body'' won't be government, so there won't be any simple way to protest those bills.

You just gonna have to ``prove that you're not a horse''. In court.

Robert

Pain

How about we reintroduce flogging? Or, for poetic justice -- the spammer will have to volunteer some time to the post office carrying by hand a fraction of the bandwidth he wasted, without being allowed to used motorized means. Plus, that gives you the possibility to run them over.

Previously posted solution

[splorp!]

I believe I posted a solution to the spam problem a while back...

Re:Postage doen't need to be money, time is better

[JuggleGeek]

[Please exuse me if this is what the article is about, I didn't feel up to sacrificing my first male child to the Times.]

I find it funny that many folks on /. will complain about the NYTimes requiring you to set up a free account, but those same folks who call it "sacrificing my first male child" are willing to set up a free account on SlashDot.

I've had a NYTimes account for a long time. I get emails from them with news summaries every day. The email address I gave them has never been given to anyone else, and it's never received a piece of spam - just like the email address I gave to /. hasn't received any spam.

You're just bitching without any rhyme or reason.

Re:I like the computational challenge solution bet

[JamieF]

This just punishes the relay, not the spammer. There's no guarantee that the owner of the relay box will notice, or do anything, just because their box is sluggish. Plenty of machines are already infected with worms, and nobody is fixing them; what if those worms were (instead of a pointless exercise in chaos) tools to identify available servers for spammers to use? (In fact one of the recent MyDoom worms is suggested to have this purpose.)

Take all the idle capacity of poorly protected servers on the 'net. That's the amount of processing power that spammers potentially have at their disposal to spend on solving little math problems. And note, it costs them nothing because they're somebody else's hardware on somebody else's bandwidth. As long as they don't completely exhaust the usefulness of each infected server, there will be plenty of folks who won't even notice that anything is wrong with their server, so they won't have any idea that they should try and fix it.

Reimbursment

[Hobobo]

Why not reverse the model--you pay the send the mail and then the reciever can choose to reimburse you. I'd much rather bother with that then have to go through Penis Enlargment ads and bill spammers anyways.

Re:Reimbursment

[Ciggy]

Why not reverse the model--you pay the send the mail and then the reciever can choose to reimburse you.

Isn't that the current spam model - Penis enlargement pills, etc supplier PAYS spammer to send mail and then gets reimbursed when moron BUYS his/her product.

That should get rid of that pesky email problem

[bxbaser]

That will almost certainly kill email as we know it.
Email is popular because it is free, charging for it will just cause it to die out.

MyDoom-Viagra

Given how much everyone hates SPAM, why can't the authors of MyDoom do everyone a big favor and create a virus to do a DDoS against the true perpetrators of SPAM - all those Viagra sites that are PAYING the spammers to do their dirtywork?

Like other posters have said, you prevent limp users from clicking SPAM links, but you can prevent the links from working!

I'd gladly connect an unpatched (as if that made any difference) Windoze box directly to my cable modem if a MyDoom-Viagra virus hit the net.

Oh, put a sock in it!

[some+old+guy]

How much do we whine and kvetch about catalogs, sweepstakes, and credit offers in our snailmail boxes? How irate are we at the endless flow of crappola spewing from our televisions and radios? And how incensed are we at a few viagra ads in our inboxes? Advertising of all kinds is here to stay, and there is no avoiding it, short of a Luddite/Amish rejection of all forms of modern communication. With a declining economy, a degraded environment, dangerous Moslem lunatics, and male pattern baldness to worry about, a couple dozen strokes of the [del] key a day doesn't seem like much of a problem, now does it?

Forging IP addresses

[phliar]

... I'm not fond of SPF, because all someone has to do is be able to forge an IP, which isn't particularly difficult.

Really? Are you just saying this because you heard it somewhere, or have you figured out how to predict sequence numbers so you don't have to complete the TCP handshake?

From the SPF FAQ:

There is no question that for a brief time in the early 90's there was some risk of such attacks because switched networks had not replaced large broadcast segments in some significant destination networks (i.e. corporate and retail ISP), ISN prediction was easy, and security was generally so rotten that with skill, an attacker could pretty much guarantee the ability to crack devices in the necessary places to make a spoof work.

It is not that time. A decade of cracking, the complete triumph of switches even in shoestring networks like my home office, and the cleansing influence of y2k have made a TCP session spoof into the sort of trick that requires such significant setup that there is no point in doing the spoof in the classical manner of sequence number prediction.

In the words of Bill Cole, "if someone had figured out a way to do TCP spoofing against an arbitrary target on the Internet without compromising higher-value machines than the target as preparation, that capacity is itself so potentially valuable that using it to send spam would be silly. ...There are some very lucrative and nearly invisible ways one could use that sort of ability."

Re:Forging IP addresses

[ComputerSlicer23]

Hmmm, it's probably hard to do on a large enough scale, without getting caught that it's worth the spammers while. However, breaking into a router isn't terrible difficult. At which point, yes, you could pull this off. Forging an IP, just involves getting a router that is upstream compromised from the receiver, and setting up a tunnel to it. Now, I don't have to guess the sequence number or any of that non-sense. Just start a TCP connection, run it like normal. Since I'm at a major upstream router for that mail server, all I have to do is capture the packets destined for the connections I initiated, and forward the ones that didn't. No sequence number guessing at all. There are enough hacks out there for Cisco routers that don't get upgraded, that I'm willing to bet it could be pulled off at an impressive scale. The biggest problem will be having an IP packet escape and having the real IP send a TCP error that closes the connection.

Finally, it's not merely about forging IP's. You also could forge DNS entries. Which isn't that hard (especially if they served up real answers for the non-SPF/txt requests). As someone who'se been hacked by a DNS poison attack, clearly it's possible. Most DNS transactions are done via UDP, which isn't the most secure way to do transactions.

Again, this all comes down to who do I trust. I don't trust everyone on the internet to do this properly. If nothing else, you'll just cause the spammers to sign up for a one time domain name setup the SPF, spew their spam. Sign up for a new domain name, setup the SPF, spew their spam. They can use register.com to run the DNS, handing out lists of approved zombie computer IP's as approved for sending spam. (They've now handed you a list of computers to black list, but I'm not sure how good an idea that is).

It's a zero sum game. If it is easy for me to do, it's easy for the spammer to do. Thus it will be broken by the spammers. The only way to truely put a hurting on spammers it to change the economics of it significantly. Explain how SPF does that to me. Sending e-mail that is encrypted, changes how much money it takes to send bulk e-mail. Allowing for mailing lists to essentially opt out of that keeps the economics sane for them.

Kirby

Re:Forging IP addresses

[phliar]

In other words, to masquerade as A and talk to B, you have to break into a router that is between them (or you won't see/block replies). I can believe that there's a large number of unpatched/compromised PCs on broadband that can be used for spam. However I have a harder time believing that there's a significant number of backbone routers that are unpatched/compromised. Any numbers?

...you'll just cause the spammers to sign up for a one time domain name setup the SPF, spew their spam....

One of the documents on the SPF site talks about this. There are two things to keep in mind: now you have a sure way of finding out who the spammer is (follow the money to the registrar) so it's easier to enforce any anti-spam laws etc. (and/or permit vigilanteeism!) The other is that you can put in a check for newly registered sites: if a site is newer than X, then it goes through intensive spam checks and perhaps gets shunted off to a "pending" folder. If nothing else, spammers won't be able to use well-known free email places like yahoo, hotmail etc. Since most of my friends use those free services, I won't have to risk their messages being tossed out due to a false positive spam check. (If SPF becomes widely adopted, I will have no problem tossing anything I get from a new domain. But that's just me, the only newly-minted domains I plan to pay attention to are friends' vanity sites.)

I don't believe we'll ever get rid of spam. However SPF seems a decent approach to reducing the amount of spam humans have to see. The FAQ and the objections answered do a good job of treating these issues.

DNS security does remain a problem, of course. That's an independent problem, one we have to fix at some point.

Yahoo And Spam

Yahoo needs to STFU. The first thing they should do to help fight spam is fix their open redirect scripts. Bah. Fools.

Open Source Response to Spam Prevention...

[mok000]

It would be a mistake if the Open Source community sat back and waited for Microsoft and Yahoo to force upon the world their standard for email postage. The idea of email postage is being put forward as a means to put an end to spam, but it is much more than that! The idea opens a floodgate of opportunities for restricting, registering and limiting the use of email as an inexpensive means of communication for ordinary people.

IMHO, the RFC822 standard can easily accomodate an efficient spam-prevention, simply by using some kind of password protection scheme. In the most simple implementation, there would simply be an encrypted password in the header, which has to match for the mail to be categorized as personal.

All it takes is that the addressbook of an email application needs to store passwords as well as the @ddresses of your friends. It would be very simple to implement in existing Open Source email programs, and would be most efficient for preventing spam. When sending an email, the program needs to encrypt the password and put it in the header. On the receiving end, the MUA would have to check the Password: field.

I realize there would be a slight problem sending an email to someone you don't know, you'd have to get hold of the password somehow, but that could be given in a .PNG file on a web page or something.

Incoming mail without a Password: field in the header could be directed into a separate mailbox -- thoroughly filtered for spam, of course!

Such a scheme could be put into motion in a matter of months, and would take the air out of Microsofts recent proclamation... ;-)

Before reading futher comments...

[Pecisk]

It's daydreaming by Microsoft and Yahoo. IT WON'T WORK. NEVER.

Beter get your software fixed, damned. Release secure OS. Forbid 25 port by default from simple box and point to one box of the ISP who can relay then all mail to outside.

IT is possible to stop spam with these tools what we have now. There just must be a admins who do that. Yes, Microsoft, people CAN'T ADMINISTRATE their own boxes if they don't have enough expierence, period. Your dream about non-admin world with Microsoft Windows all over the place is gone. Forever.

*yawn*

[Tom]

Microsoft taking a non-solution to a widely known problem 5 years after everyone else came up with it and turning it into a proprietary product they will no doubt force into their market using every dirty trick they can muster.

Eh, I should add I'm talking about their spam solution, not any of the other 200 things they've done that could be likewise described.

Paying to send e-mails?!

[SlashDotAgent]

Saying that making people pay for e-mail because someones uses e-mail to send SPAM, is like saying that people should pay for pings because someones uses pings for DoS attacks.

The best solutions (but hard to implement due to the stupidity of a major portion of computer users, like those who open attachments and spread MyDoom) is to have verifiable sender and reciever. I.e. have e-mails digitally signed, so that you'll be sure that it's send from that specific someone specifically for you. That would actually also stop e-mails from viruses who fake the "From:" field.

Perhaps if digital signing and verifying will be made seamless in the mail (STMP and POP3/IMAP/HTTP servers) servers, it will actually work!

Hey lets have this feature in slashcode

[RedLaggedTeut]

Lets see everyone who wants me to read his comments on slashdot has to sent me a request first whether I accept his writings.

I'm sure this will reduce the trouble I have scanning slashdot for relevant info to the MINOR TROUBLE OF RECEIVING TONS OF "Please add me to your contact/whitelist" REQUESTS.

Re:Hey lets have this feature in slashcode

[ricochet81]

its a matter of prioritizing aint it?

Paying postage

Y'know, paying real postage with real letters does not stop my real mailbox from getting filled with junk. How is this any different from spam, then?

Yeah this will work...

[gnovos]

This will work just until the day either of these companies discover that they can reduce the postage considerably for "bulk" mail and still make a profit... and at that point you have an automatic list of guaranteed good addresses since people won't be so paranoid about spam.

Karmic - retributive justice

[krusadr]

I'm getting about 800 spams or more each day at the moment across several e-mail accounts. I'd simply love to be able to read them all but there isn't time. Each one politely requests I visit a webpage. I'd love to help those spammers by doing as they ask and visiting those URLs.

What I need is a program that will visit them for me and carefully store their content in my /dev/null directory for my pleasure. Of course it can be tricky to find them afterwards so my program will probably need to revisit each site two or three times. It could even run as a screensaver when I'm away from my PC!

Maybe the spammers that ask the loudest I would revisit the most times.

Now if a few million other people were so dilligently doing the same I reckon that would soon solve the spam problem.

http://karmic.sourceforge.net

Developers wanted.

Actually...

[Moraelin]

The fact still remains, though, that I have _far_ better stuff to do with my time than mess with spam filters and whatnot. It's a real problem. The whole thing is costing the hundreds of millions of end-users both time and money.

So basically:

A) If a small postage fee / whitelist scheme is what it takes to get my time and usable e-mail back... I, for one, welcome our new Microsoft and Yahoo overlords.

Every proposal I've seen so far is basically based on the idea "either pay up _or_ get the end-user to whitelist you". Basically the postage fee is just an incentive to get people to cooperate in setting up the whitelists.

How's that a problem? I'd have my family, co-workers and friends whitelisted, so they don't have to pay a cent. And for the rest of the world, sorry, if what's in that e-mail isn't worth the proverbial 2 cents for you, then it's not worth my time to read it either.

The same goes for mailing lists. If your readers want to read the list, have them whitelist you. There you go.

B) If it does make people get off e-mail and start using some centralized IM service, that's good for me too. I'm still getting the same information, only over a different medium.

Only it's a medium that, unlike SMTP, never was supposed to be an anonymous unregulated network, where everyone can run his/her own open spam relay. When everything goes through a central server (farm), as is the case with IM, it's very easy to notice when someone is spamming.

It also opens a whole new can of possibilities of centrally regulating or filtering it all. E.g., changes like making a whitelist available, can be pushed onto those centralized IM servers without 5 years of debating if we really need to change SMTP.

E.g., you can make mailing lists a centralized service. Now you can tell if 30,000 people actually subscribed to Bob's "H3RB@L V1@gr@" mailing list, or Bob is just trying to spam 30,000 users. And you can probably stop the flood after the first 10 messages sent, if it doesn't go through the centralized mailing list service, instead of letting it pump millions of messages a day. You just made "opt in" mandatory and enforced.

Does that all sound like a disadvantage to me? Nope.

Re:Actually...

And for the rest of the world, sorry, if what's in that e-mail isn't worth the proverbial 2 cents for you, then it's not worth my time to read it either.

Like the charge is ever going to be 2 cents. It's going to be 2 cents (minimum charge $5, special discounts for bulk email).

As for your "valuable" time, fuck you. I sure don't value your views highly enough to be willing to shell out for the inestimable privilege of emailing you.

No, but it limits it

[Moraelin]

As was said already, postage doesn't stop snail mail, but it sure limits it. How often do you get AOL CDs? I bet they're not sending you one per day. I'll also bet that you're not seeing 50 ads a day in your snail mail box. Well, that's the fundamental difference that postage does.

mod parent up

sounds like a good idea to me

You've completedly missed the point

[bratmobile]

The tax is not a monetary tax. It's a MIPS tax. Anyone who wants to send legitimate email will have the opportunity to do, with virtually no impact on how they do it. The sender must run an algorithm - insted of buying a stamp. The only people affected (besides the obviuos spammers) will be those wo run large email redistribution lists. I'm sure that accomodatiosn will be made for em.

A simple way to reduce spam

[DavidHumus]

Why don't e-mail providers adopt a simple and effective way to reduce spam? For instance, even in my own mailbox, I often see multiple instances of the same or similar message - it's not too hard to figure out that this is spam - even a computer could do it.

At the postmaster level, it should be even more evident that a group of similar messages to many users is spam. How hard is it to figure that a bunch of "Subj: hello" from "Ellen deGeneres" messages are bogus if they're going to many people at the same time? Even "Hello, [your name here]" shouldn't be too difficult to catch.

It might be argued that this would cast the net too wide and round up messages from our newbie friends (or moms) who use "hello" as the subject. However, a simple variation on this would be to create phony e-mail addresses and seed spam lists with them. That way an ISP would have a sample of what must be spam because it's addressed to no actual person. Using these messages as templates, it should be easy to round up the look-alikes.

Has something this simple already been tried and found wanting? I'd even upgrade some of my free e-mail accounts to paying ones if that bought me this service. This is something that would have to be done at a higher level than that of an individual user, hence is natural for an e-mail provider.

Dangerous!!!

Seems like they could tax other things also.

FTP connections cost x cents per connection.
HTTP connections cost x cents per connection.
IM connections cost x cents per connection.

Anything they come up with will be the base code for other type of connection oriented billing.

Bad Idea.

When it comes, be looking for a Buddy-net to rise - ie, an internet of friends and organizations connecting with their own technologies and outside the realm of government and commercial use.

Never allow a per email charge for spam!

[vivian]

As soon as there is a charge per email in ANY form (ie. for either sending or recieving email even if only sometimes) , do you seriously think it will stay as a charge on only mail that you deem spam? Pretty soon there would be a charge for every mail you send - once the charging infrastructure is in place it would be a natural extension - at first justified as only being say, 0.1 cents per email.

I expect that pretty soon, that charge would increase like every other tax since the beginning of time has - 0.2 cents, 1 cent, 5 cents, 10 cents. Next thing you know it costs almost as much to send an email as it does to send a snail mail, and we are all left standing around wondering how we let it happen.

Wake up people! allowing there to be any kind of charge per email, either sending or recieving is just opening up the gateway to charges on all email.

The only long term way to stop spam is:
instead of just chasing the spammers, hit the companies/individuals that have their products or services offered for sale via spam.
If they accept payment or orders for a service or product then it should be easy for the FBI etc. to trace who is paying the spammers to send the stuff, and make those guys responsible for (hopefully suitably heavy) legal penalties for getting people to send the stuff to your inbox - just like the guy that hires a hit man is also responsible for murder. If some other country is harboring the original organisation behind the spam, then slap the country with sanctions and/or diplomatic penalties, the same way you would do if the country was actively supporting other illegal activities, or just black hole it.

Filtering is useless - it stops spam at the wrong end - even if it is implemented at your ISP.

Re:Yes, there has to be *some* cost for stranger-m

[vivian]

No! Allowing a charge of any sort simply opens the way for the powers that be (Microsoft, the government, your ISP etc) charge for all emails.

The only real solution is to prosecute the organisations behind the spam - not just the spammer, but the guy that pays the spammer's bills. Make it illegal for companies to advertise in this way, with *really* heavy penalties for spamming, that will do real financial damage to the organisations that are advertising.

Many companies I am sure would be only too happy to be hit with a small charge for the provelidge of spamming your inbox with their latest crap - many companies already pay to send out catalogues and real junk mail, so what makes you think a small charge would stop them?

Re:I like the computational challenge solution bet

[mikeee]

Combine the computational challenge with a whitelist; the spammers will have to run the challenges most of the time, but your poor P166 shouldn't, usually.

Re:Postage doen't need to be money, time is better

[Charles+Dart]

It's a joke dumbass. Everybody knows the Times doesn't accept mere mortal sacrafice, only your eternal soul will do for them.

Have you checked you Snail Mail Box lately????

[heybo]

Charging ANY price would then make any spam sent to you legal as long as the price was paid. It may make the price of spam go up but it would increase the amount sent and then there would be NOTHING you could do to stop it. If you snail mail box is anything like mine 75% of your mail is the useless waste of trees. Go to the Post Office and try to stop it. you can't! Why? ITS PAID FOR!

As a mail server operator. Who get the penny??? Me the guy that has to put of with collecting it? I doubt it!

Open Relays aren't as big as a problem as it used to be. The hardest problem we have is infected home computer that have been turned into spam zombies. Spammer like dartmail.net well you just block them no problem, but with infected home computers what do you do? Reporting the fact the machine is infected to their ISP is useless. Blocking the IP range doesn't work because they don't use the same machine twice.

We block about 60% of our spam just my requireing authication, resolving DNS, and blacklisting.

All it would take to get rid of the last of them is PUT THE BASTARDS IN JAIL!

Ah

[autechre]

You've stated the problem along with your solution in the form of an example. How's that IPv6 deployment coming?

Most sysadmins are as resistant to change as the general population. Windows For Workgroups and BIND 4.x are still in use.

My suggestion is to use a pre-existing standard: PGP. Write good PGP software and push it as a solution to spam. "Tell all your friends to get PGP keys! Keep email safe from prying eyes! Avoid viruses by making sure you know the email really came from where it says!"

I think solving the problem in this way would be much easier. On one hand, you have to come up with standards, write software, and get people to switch. On the other hand, you have to write software and get people to use it.

Re:Ah

[Tokerat]

The problem I see with PGP is that no one wants to copy someone's key to mail them...that and you'd have to post it somehwere public like a web page, forcing people to track it down; that or have an auto-responder...and what happens when spammers start making a list of public keys? Then you get spam from people listed in your graduating high school class (it started happeneing to me, I have no idea how they correlated my name with that e-mail address, but I believe I can thank classmates.com and the like...), encrypted with your public key, and splattered to your inbox from an open relay. Meanwhile, people who want to legitimately mail you wont' be able to as easily, because they'll need the PGP key. This makes spam EASIER.

The reason we need a whole new system is to prevent forging of addresses. It is entirely possible to design an MTA system that only accepts mail with addresses from the domain the delivering connection originated from. Why do we need relay systems for mail anymore? I don't need to bounce between servers to get an http connection. Surely e-mail can be delivered straight and verifiably?

In that way, when abuse occurs, it can be reported and dealt with, because spammers will have a much harder time sending mail that isn't from them, and will break many more laws than anti-spam laws in order to do so.

PS: About IPv6: Yea, it's taking forever. Network hardware is beginning to support it, Mac OS X (as of v10.3) is ready to just hop into IPv6 mode...one day they'll be a service bulletin on RoadRunner about "IPv6 now supported" once they get their act together. It's not happeneing overnight, and it might really take quite a long time actually, and my point was this is exactly the way a change to the e-mail structure would have to happen, especially with millions of people depending on it.

PPS: Yes, Autechre rules! Second Bad Vilbel!

Re:Ah

[autechre]

That's why there are public keyservers. If Mutt sees a message signed with a key that it doesn't recognize, the key can be automatically retrieved from a public keyserver. Whether or not you trust the key depends upon who has signed it; if people whose keys you have signed have signed it with their key, that indicates a degree of trust that the holder of that key is who they say they are.

This already exists now; we just need software that's dead simple to use and an effective "marketing campaign".

So very wrong.

[autechre]

Does it strike anyone as ironic and terrible that in our search for a solution to the commercial exploitation of email, we're considering...the commercialization of email?

Others want to replace SMTP altogether. Let me know when you've managed to force people to upgrade to IPv6 and stop using BIND 4.x.

What I would like to see is easy-to-use, cross-platform software for PGP, along with an effective campaign telling people why they want to use it. My ideas:

1. If you tell your friends and have them get keys too, you can be sure that email saying it's from them is from them.

2. If you convince all your friends, you can tell your mail client (via CoolNewSoftware) to classify signed messages as higher priority. Spammers won't sign messages. If they do, you can hold them to the CAN-SPAM act's promises, or filter their key.

3. Sending email today is like a postcard. With PGP, it's like a private courier with body armor. Got a secret message? Passwords? Phone numbers? Business secrets? Medical data? Don't risk it falling into the wrong hands.

I am a sysadmin/PostgreSQL+PHP weenie, and not qualified to write such software. But I would be willing to coordinate effort, help with "marketing", etc.

No Central Email Authority!

[Jon+Howard]

The problem with email postage, or any like system, is that it would require a central agency to be aware of each and every message's sender and recipient.

How else would it be charged?

I would be tempted to move onto a competitive messaging protocol if this became true, because I value my privacy, though it's possible that the feds are already doing this at the ISP level. Encrypted message contents are great, but if people know who's talking to who, they can strongarm the key out of you in a pinch.

How to fight spam.

[rice_burners_suck]

Email postage is a great idea! I think the rate should be set at 10 times whatever the snailmail postage happens to be, plus 10%.

To make sure that this actually accomplishes what it's meant to accomplish, spammers could file a form 10498-B with Microsoft. This would waive the spammer's postage fees, and instead cause the recipient to be billed for the incoming spam at a rate equal to twice the one in the first paragraph of this post. And all payments would go directly into Bill Gates' personal bank account.

StarManta, it will not work.

You ticked off many, many people. Your posts have been archived and I will ensure that every post you make is countered with a notice of what you did and what opinions you hold on censorship (despite your double-talk in your sig).

Your best bet right now is to abandon your account, get a new one, and never fuck with GNAA again.

Why not Market?

[kentsin]

I just want to ask

Why the general public aginst the solution of Market? Why they aginst the good solution so emotionly?

Re:why? GUI/touchscreen probs, clunkyness...

[mr.+methane]

I suppose I could be wrong, but I really get the impression that it's gotten to be enough of an annoyance that a large enough segment of the public would prefer an authenticated, "postage-like", email system.

That's not to say that regular email will go away overnight (or that it will go away at all - there is something to be said for the "simple" in SMTP)

Both the WSJ and PC magazine have had articles implying that many end users (especially companies) are looking for good ways to move away from traditional email.

Don't get me wrong, I'm "old-school", and I read my email with Pine on a unix box. But nowadays, I don't have time to tinker like I used to. I want a useful communications system that is predictable, reliable, and secure. Traditional email meets perhaps one of those criteria.