Slashdot Mirror
.mail Domain To Eliminate Spam?
steve.m writes "The BBC are reporting on a new batch of top level domain names being submitted to ICANN for approval. By far the most interesting proposal is for a .mail TLD to register legitimate mail servers. Could this eventually be the end of spam ?" *yawn* The same old discussion, with no implementation in sight.
This article advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work.
(One or more of the following may apply to your particular idea, and it may
have other flaws which used to vary from state to state before a bad federal
law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential
employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been
shown practical
( ) Any scheme based on opt-out is unacceptable
(x) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
The Army reading list
that way email users are guaranteed that all spam will be filtered!
-- ladies and gentlemen we are floating in space!
Give me a break, now on top of my .com .net and .org domain, I need to buy a .mail name to send mail??? I don't think so.
I might have missed something, but how would changing the TLD prevent spam?
.mail TLD be able to send mail to each other?
* I could still sign up for bogus accounts with www.hotmail.mail
* I can still have a poorly configured box that relays spam to www.myisp.mail
Changing the name will not fix this unless the roots of the problem are addressed, unless
it was intended that only servers with a
"That which we call a rose by any other name would smell as sweet" - William Shakespeare
Windows in 6 Bytes (IA-32) : 90 90 90 90 CD 19
A huge amount (if not the majority) of spam comes from open relays and compromised machines which this silly idea doesn't address. A ground-up overhaul of the mail system (with authentication) is what's needed, not another level of bureaucratic nonsense.
Trolling is a art,
Uses for the new domains: .asia - Asian pr0n companies .cat - Feline pr0n companies .jobs - Jobs in the pr0n companies .mail - Pr0n spam companies .mobi - Pr0n to your mobile companies .post - Pr0n through your post companies .tel - Sex chatline companies .travel - Sex tourism companies .xxx - Unknown
Mouse powered Chips, Open source Processors and Lego
Since it's impossible and illegal to fake your domain name registration info, there is no way any .mail named mail server would be used for illicit purposes. Anyone mailing you from server.cheapest-viagra-online.mail.cn must clearly be a legitimate mail server of a pharmaceuticals corporation and should be whitelisted.
Dude, where's my packet?
I have not been a fan of new TLDs for some time, as it seems to promote confusion. I consider it to be more inefficient to have companyname.info, companyname.com, companyname.net, companyname.org, companyname.mail, etc.... than to just have a simple single domain name (or the three majors, org net and com), with subdomains to break out the company functions (support, sales, mail, www, ftp). It seems much more confusing to me to have companyname.mail than mail.companyname.com, and besides that, why would we possibly want to justify the cost to register our domain under several TLDs, when .com has always been enough?
If it's such a stupid / boring idea (which it properly is), why the hell is it in the front page of slashdot?
Mother is the best bet and don't let Satan draw you too fast.
*yawn* The same old discussion, with no implementation in site.
Sorta like making an improved moderation system on slashdot instead of ping-ponging votes around?
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Great, now you're forced to own two domain names to be able to host your own email server, one .mail for *gasp* your mail and one .*** for everything else. .ftp, .ssh and so on when you're at it.
Why not create
--- No, english is not my mother tongue.
Where can I sign up for my 100 year .mail domain?
- Quick quick, register hot.mail ASAP!!
- Wait for Microsoft to contact me, tell them I take cash and checks
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
it will take some time, but it will eventually work.
#!/usr/bin/english
Now I have to get mycompany.mail to handle mail and mycompany.com for my other uses, and people will get confused because mycompany.mail and mycompany.com are not necessarily the same mycompany. Moreover, there'll be no way to tell if I am from mycompany.com when I give an address of me@mycompany.mail. Yes, you can MX mycompany.mail to handle for mycompany.com, but you could register hiscompany.mail and people might get confused and send mail to him@hiscompany.mail instead of him@hiscompany.com, totally messing with him.
This is why you're supposed to have a mail.yourcompany.com subdomain to handle mail for yourcompany.com - there's only ambiguity if mail.yourcompany.com gets hijacked or your DNS provider gets bribed into giving it to a friend for a can of Coke (that bastard).
I think the appropriate solution to spam is to hunt down everyone who buys the stuff and kill them off. When people stopped buying pet rocks, they went off the market. Kill the demand, because spammers are lowlife who will risk death to supply it if the demand is there.
well, if you use it to receive mail, your mail server is already identified by an MX record...
#!/usr/bin/english
It's pretty light on details, but it seems that the two most logical applications are problematic:
1) When you register foo.{com,net,biz,org,*} you also got foo.mail as a bonus. But if one person rgisters foo.com and also gets foo.mail, what happens to the person who later registers foo.net.
2) As a possible solution to point 1, when you register foo.com you also get foo.com.mail. This just seems ugly.
Also, will it cost me another $15-$45/year to get the benefit of this new domian? What of people who choose to not porticipate?
I still fail to see what the problem is with just doing a reverse lookup on the domain's MX. It utilizes existing infrastructure and isn't as ugly as throwing in another TLD to the mix.
how about a .stupid for ideas like this? maybe even a .pointlessdiscussions or .useless? i'll be the first to sign up for .stupid and .useless. You'll be able to find my blog on them.
I also reply below your current threshold.
but not selling 30 or more domain names to each company makes much less money for the registrars..
the whole thing is driven by greed, and it is EXACTLY what the creators of the internet said would happen as soon as greedy asshats got their hands on it.
anyone want to start Internet 1.5? create a wrapper protocol to run a real internet on top of the current mess?
After reading this article and the one a few days ago about AOL and spam, I came up with this idea
I despise spam as much as most of you. My company is actually about to start a spam campaign against my recommendations. The day they start I will quit. Slashdot, here is my idea on blocking spam. What am I missing?
We all know what IP addresses belong to which countries. At work, we only deal with customers that carry professional certifications within the US. Of our client base, less than 1% of 1% of these customers and potential customers live outside the US or Canada. Therefore, I have blocked most networks outside of the US and Canada. The only exception is .mil. This has reduced my spam problem considerably. Add to this a Bayesian filter and my spam problem is essentially eliminated. This got me thinking...
ISPs should filter e-mail according to the user's requests. When you sign up for an account, by default, you can only receive e-mail originating/relaying from the US. Now, the user can go to their email configuration and pick which countries they wish to receive e-mail from. Most users only receive email from within the US and one or two other countries. If they only receive email from a few people outside the US, then just whitelist those address. If they want, Mexico, for instance opened, then let the user check the box next to allow e-mail from Mexico. Once this is setup, let the user decide if the e-mail failing to meet these conditions should be blocked or just moved to a separate folder for review. Another possibility is that if an e-mail originates from a blocked country and the spam filter thinks it's legitimate or just doesn't get a high spam score, send an NDR that says "Your e-mail looks like spam, but this could be a false positive. In order to deliver your email, please visit this site....." On that site, put one of the many methods to verify a human is actually visiting that site and then deal with the email accordingly.
For most users, the only noticeable impact would be less spam. This would also force spammers to send and/or relay from within the US. Now if they are operating from within the US, we have an IP address within the US's jurisdiction. Granted these may be zombie machines, so if your e-mail server does a reverse lookup before allowing e-mail, these would be denied. Also, we need to get ISPs to block most ports by default. If you want a port opened, you simply request it from your ISP. Add a clause like "by opening these ports, you are taking responsibility for any traffic on these ports. If we find your computer is sending viruses or spam or DOSing, then your service will be terminated." Again, most users would never notice a difference. Those that do notice can have the ports opened.
So now, for the average user, they would only receive e-mail originating or relaying from the US from a registered e-mail server. Now we can track this back to an ISP and shut down the account, seek legal action against the ISP for supporting spam, or black list that ISP. Since the spammer would have to have an MX record, you can get the registration info. This is probably bogus, so if we force registrars to verify the identity of the person, then we could actually track this back to a person. The spammer could probably falsify this too, but every step you add slows them down.
The spammer is going to now have to purchase an account with an ISP in the US and a registrar. Both of these entities should require a method of traceable payment. This means no cash. Now, we should have a means of finding who wrote the check or who the credit card belongs to. We now either have the spammer, the spammer's company (which should lead back to the spammer), or the spammer has now committed fraud. If he commits fraud, we now have the FBI after him and potential of longer jail sentences.
Not that I have to solicit criticism here on slashdot, but I'll ask anyways. What am I missing and why wouldn't this work?
If I drive fast enough at the red light, it'll appear green.
Ohh! TLDs! Lets see how much useless crap we can come up with!:
.spam - everything thats spam
.sex - all those pr0n sites
.troll - because you know they'll stay in their own domain
.h4x - let them h4x0r to themselves
.blog - now we can exclude these from searches!
.trek - for everything except Enterprise NX-01
.estaog - another great tld for your hosts file
.net - just give it to M$'s marketing team already
. - one step closer to having www./.
Yay! More TLDs! Thats just what we need. I cant wait to exclude all these new TLDs from my Google searches just to find that there's nothing left on the net but www.BringBackThePorn.com
Did I miss any?
Im dreaming ofa big bndwdth, That can resist the
Junk snail mail is not spam. Spam exists, precisely because the marginal cost of one more recipient is zero (or indistinguishable from zero). Whilst it is true that junk mail still exists it is considerably less of an issue than spam, not the least of which is because (a) the centralised server [insert your postal service of choice] will respect a "no junk mail" sign and (b) the services offered in the junk have to have legit contact details within jurisdiction for the cost to be even remotely effective, hence they can be drawn to account for unethical action.
"The first thing to do when you find yourself in a hole is stop digging."
Why not change so that SMTP servers ONLY accept connections over SSL? And then only accept certificates that are signed either by a central authority or by people whose certificates are signed by those people...
Then you could have a distributed revocation authority where people could send copies of spams (still over the SSL network to eliminate fake spam for DDoS purposes). You don't want to get your certificate revoked, so maintain your server!
This makes the system more or less secure, and puts the burden onto mail server admins. You want your regular users to be able to send mail? Then don't let random people send spam.
Individual servers could then implement whatever authentication they liked for their users to be able to send. Maybe a C/R system or authenticated logins. Whatever.
Muerte
ps. i keep posting this idea. ha!
although this might *seem* a good idea its not going to work. Good luck implementing this outside the united states. Most of the spammers forge email headers. would it be impossible to forge the email servers on your "soft whitelist"? Again the only real solution to spam is to stop buying from it. once the morons who support spammers financially stop the cash flow spam will stop. Again we still would have probles with worms sending spoofed emails.
So, even if this does go through and we do get a .mail TLD that is for only registerd mail servers. What happens when both companies/people owning the domains x.com and x.net suddenly want to get their x.mail domain to send mail. Who gets it? Maybe they're assuming people will opt for x.com.mail and x.net.mail. But that seems really annoying.
You want every little mom & pop company running a 10 year old mail server to register a new domain and reconfigure their box overnight???
Exactly when is this supposed to happen???
For right now, the best solution is to...
1) Block IPs that are causing problems...this can acutally be automated...I'm working on a script at our site that passes all spam identified by spamassassin as a level 20 or higher into a blocklist for our MTA.
2) SpamAssassin...run SA as a service for all users and give them info on how to tailor it to their own preferences...
3) ClamAV...this catches some of the really nasty stuff...the ones that use exploits to "phone home" or run code on the user's machine...
These ARE and will be the only way to stop spam into the forseeable future. The only real way to stop it all would be a redesign of the protocol from the ground-up and that is just not going to happen...SMTP is already too entrenched into the backbone of the internet...it just won't happen...
Here's the goddamned standard... Make it ultra-easy so it's simple to hit critical mass where everyone uses it.
For your domain, put out a text file. In that text file, put the IP addresses or range of your server.
Name the file: mailservers.txt
For example... I would have (for DracoSoftware.com) a page called mailservers.txt. It would contain:
206.67.56.202
If I had a range, it could be either individual IPs:
206.67.56.202 206.67.56.203 206.67.56.204
OR, a range delimited by a dash:
206.67.56.202-206.67.56.204
Once we get sites to publish their legit mail servers, the rest is easy... Setting up servers who do DNS-like caching at your local ISP is easy. Your individual e-mail program can then do WHATEVER IT WANTS with the e-mail... Whitelist/blacklist/take into consideration for baysian filtering... whatever. The important thing is to get the legit mail servers published.
If a mail comes from legit mail-server... Easy.
If a mail spoofs a publicized server... easy.
If a mail comes from an unknown server, mark it as suspicious.
If people want, I'll start posting names of domains that were cool enough to create a mailservers.txt file.
Ready??? GO!
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
It's apparent that the knee-jerk rejections of .mail are coming from people who haven't bothered to actually read the .mail proposal, or else who conclude that any anti-spam initiative that will not cause an immediate, total, worldwide cessation of spam is not even worth considering. All the .mail domain proposes is a more reliable locus for distributing whitelist information. It is expressly not intended to be user-visible, but rather to be solely for the purpose of automatic sender validation by mail receivers.
.mail domain can be part of the solution.
Whitelists work. Do they eliminate all spam? No. Are they part of a framework for reducing spam? Yes. Snide remarks about the futility of any possible approach to the spam problem may be amusing, but they obscure the fact that real (not perfect, but real) progress is possible. A
I hope they had the foresight to make it compatible with RFC 3514.
I am not a spammer, but I am trying to keep a small company going, which has multiple domains running on one server. Many of these proposed solutions are very poorly documented and seem to just raise the bar for the little guy and do nothing to reduce spam.
Solutions that expect so called "legitamite" companies to have IT departments and multiple servers and multiple T1s will just end up raising the barriers to entry for small business. Spammers, these days, don't follow the rules.
...and I've been advocating that .org address be used to identify porn sites. That hasn't worked either.
The Kai's Semi-Updated Website Thingy