Attention Bonds Gain Momentum
Thede writes "Hi all - the ABM, a proposed solution to spam first posted to /. back in February, is gaining some momentum and refinement. It has been presented at the Federal Trade Commission, the ACM, the National Bureau of Economic Research (NBER), and at the ITU in Geneva earlier this month. The original post referenced an academic article that is not so accessible. We now have a short FAQ and a very detailed Q and A that covers a lot of the issues raised over the last five months. Next step (barring gaping holes) is to get a standards effort going - and most of the needed standards already exist."
to get the bond, then why can't they use the same technique to simply stop all unauthenticated email. If the sender is forced to use their real name, spam will stop pretty fast.
Hi all - the ABM, a proposed solution to spam first posted to /.
A spam solution that attempts first posts on Slashdot? I think it failed it.
It would be cool if it didn't suck.
Could this stop free mailing lists? If the sender has to pay (even if it is 10cents) to send the email to a whole list of people who have requested it (like, 10000 people on a mailing list for a joke site) will they still send them, at the risk of losing a lot of money? And besides, they won't really want to be putting possibly thousands on the line for a free service.
Short summary: it's an intermediated version of "pay me to read, and I'll pay you back if it's not spam"
Bug summary:
- too many people will keep the money regardless
- the services of escrow agents are not freebies
- nobody will bother to use it when regular email is cheaper, already deployed, and infinitely less fuss
There has to be a working micropayment system and if there isn't one yet, can I be the one who skims 10% of every bond?
DAMMIT! Stop trying to break my email! Spam is not that bad.
Just watch. There will be just one "gaping hole", and a snake will crawl out of it, and sue everyone for patent infringement.
Second, who else will profit from this? The escrow companies. Do we really want bankers in charge of the email system? They will simply see this as an opportunity to print money. Before long, you won't be able to contact your mobile phone provider, electricity company etc. without posting a bond - and they will own the escrow companies, and you will be paying them an annual subscription to use their escrow account. It's as good a scam as having special rate phone lines, which means when you call them they get part of the cost of the call.
Third, increased email traffic around the system due to the challenge/response cycle will partly compensate for any reduction in spam.
The only way to fix spam is to make it unprofitable for the people who pay the spammers. Given that Joe Sixpack is the idiot who buys from spam and so makes the system possible, and that he will no more be able to set up an escrow account than he is able to understand to install Firefox to remove annoying popups, and Thunderbird for the junk mail filter, the system won't work - the majority of users will be unaffected, the ones who are affected are probably corporate users with spam blocking tools in place already.
Panurge has posted for the last time. Thanks for the positive moderations.
I can see the marketing tag line now... "To get rid of spam, take 'a B.M.' "
From the FAQ:
Q: What prevents the recipient from claiming the bond, regardless of the message value?
A: Nothing, other than perhaps etiquette and good judgment, prevents claiming a bond.
<sarcasm>Yeah, etiquette and good judgment worked so well with the old e-mail system.</sarcasm>
They propose an automatic bond posting system where for example if the bond is less than $0.50 (by the way what happens if I don't use dollars, who determines the rate of exchange?) the bond is automatically posted. So:
1. Set bond to $ 0.01 to ensure automatic bond posting.
2. Subscribe to 10,000 different mailing lists.
3. Profit!
Frankly I think it would be simpler to just use "pay per email". Something could probably be rigged up with paypal in short order, and if your time/attention is important enough that all this fuss is worth people's bother, they'd find it simpler to just pay you up front and no messing.
For example, I can easily imagine major CEOs having publicly accessible emails with a $1000 reading charge. Those who ought to contact them, or who really care to be heard, could afford to pay.
The biggest problem IMHO seems to be security. Viruses sending out email from one's mailbox will cause many dollars worth of loss to millions of people. The only people benefiting in such a scenario are the escrow companies. See their extended Q&A below. It does not rule this out, at all:
6.1 Q: What about possibility of fraud or a virus triggering bond payments?
A: There are several types of possible fraud. For example, it might be possible for someone to write a malicious virus that causes a mail program to send messages to addresses owned by the virus writers. The virus writers could attempt to claim and keep the value of the bond. Proper safeguards will be important, but as with any financial network, it may be impossible to completely eliminate the risks. A depleted escrow account would certainly serve as an indicator that something is wrong and the machine or account has been compromised. However, liability, at maximum, would be limited to the current balance in the compromised person's escrow account.
To just put a bounty out on spammers and shoot them in the streets?
The cost of the legal fees would be far less than implementing something like this and getting the whole world to buy into it.
Who run Barter Town?
(As a side note, what happens if you receive mail without an associated bond? 12.2Q in the Q&A says "Well, you could still read it", which OBVIATES THE ENTIRE FUCKING POINT!!! Yet another idiotic spam "solution", in other words. Oh well. Here's where it scores on the Spam Solution Checklist:)
Your post advocates a
( ) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
( ) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
I am Chaos. I am alive, and I tell you that you are Free. -Eris
The system also has built in safety to prevent someone from charging an exorbitant amount of money to your account. Your e-mail set-up rules/account can be set to not deliver to anyone who charges over a certain amount (again this could be as low as a fraction of a cent)
In order to stop spam the fee would only have to be a nominal amount, like 1/100 of a cent, to ruin their profit margins. Some sort of group standard will come about - like everyone's fee will be 1 cent. *ssholes who try to "profit" by charging $100 for "spam" e-mails, just won't get any mail. I like this solution a lot.
..........FULL STOP.
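The sender-side limit described in the comment above, sketched as an added example (not part of the original thread and not code from the ABM proposal). The class name, the three limits and all addresses are hypothetical; amounts are whole cents. It runs a constructed batch of challenges (one ordinary 10-cent bond, one $1000 demand, and 1000 one-cent challenges of the kind a compromised mail client would trigger) against a per-bond ceiling alone and against a ceiling combined with per-recipient and per-window budgets.

```python
"""Added example: sender-side limits on automatic bond posting (hypothetical names)."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class SenderEscrowGuard:
    """Decides whether a bond challenge may be answered automatically.

    The per-bond ceiling is the rule mentioned in the thread; the
    per-recipient and per-window budgets are assumptions added for this sketch.
    """
    max_bond_cents: int        # ceiling for any single bond
    per_recipient_cents: int   # most one address may hold per window
    window_budget_cents: int   # most that may be at risk per window
    at_risk: int = 0
    by_recipient: dict = field(default_factory=dict)

    def decide(self, recipient: str, bond_cents: int) -> str:
        """Return 'post', 'hold' (needs the user's approval) or 'refuse'."""
        if bond_cents <= 0 or bond_cents > self.max_bond_cents:
            return "refuse"
        held = self.by_recipient.get(recipient, 0)
        if held + bond_cents > self.per_recipient_cents:
            return "hold"
        if self.at_risk + bond_cents > self.window_budget_cents:
            return "hold"
        self.by_recipient[recipient] = held + bond_cents
        self.at_risk += bond_cents
        return "post"

    def reset_window(self) -> None:
        """Start a new budget window, e.g. once a day."""
        self.at_risk = 0
        self.by_recipient.clear()


def constructed_challenges():
    """Constructed sample input: (challenging address, requested bond in cents)."""
    batch = [
        ("alice@example.org", 10),        # ordinary correspondent
        ("sales@example.com", 100_000),   # the $1000 demand from the thread
    ]
    # Many tiny challenges from distinct addresses: each one passes a
    # per-bond ceiling, so only an aggregate budget limits the loss.
    batch += [(f"collector{i}@example.net", 1) for i in range(1000)]
    return batch


def simulate(guard, challenges):
    """Run all challenges through the guard; return (decision counts, cents at risk)."""
    counts = Counter(guard.decide(addr, cents) for addr, cents in challenges)
    return counts, guard.at_risk


if __name__ == "__main__":
    unlimited = 10**9
    ceiling_only = SenderEscrowGuard(50, unlimited, unlimited)
    budgeted = SenderEscrowGuard(50, 100, 200)
    for name, guard in (("ceiling only", ceiling_only), ("with budgets", budgeted)):
        counts, at_risk = simulate(guard, constructed_challenges())
        print(f"{name}: {dict(counts)} at risk: {at_risk} cents")
```

With only the ceiling, every one-cent challenge is answered and the exposure grows with the number of challenges; with a window budget, the exposure stops at the budget and the rest wait for a human decision.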
From TFA:
At the mailbox owner's option, the challenge message could include reference to means other than the posting of a bond as a way to get the original message delivered. The sender could be required to take a CAPTCHA (like a Turing Test - a simple test that is designed to allow the sender to prove they are human), which removes the requirement of having an account with an escrow agency. During early days of adoption, this alternative can make things a little easier for the typical sender until the infrastructure becomes widespread. Individuals will generally be able to take the CAPTCHA, while legitimate senders of bulk email will be able to build or buy the systems required to respond to challenges automatically.
And spammers won't?
Best reply ever.
Here's 10 off the top of my head...
1) who pays for bounce messages ?
2) who pays for bandwidth needed for billions of bond requests?
3) adds a number of new points of failure to already flaky e-mail system
4) relies on everyone knowing the 'reputation' of every possibility in the whole of the possible address-space
5) bombarding everyone outside the scheme with bond request messages will make this the most hated thing since spam itself
6) spammers will ddos the hell out of the infrastructure, giving it a reputation for flakiness
7) 'exposure is limited to the amount in your escrow account' ie it cuts you off from mail every now & then unless you top it up - people are going to LOVE having to do that
8) Faked from fields
9) Introduces ability to 'escrow-ddos' a company by signing up random valid names to lists who then collect on unwanted mail.
10) 'reputation' system will quickly devolve into ebay feedback style AAAAAAAAAAA++++++++++++ garbage.
I could go on for another page or two. Their 'Extended FAQ' says 'yes but we don't care' to half the above btw.
A pizza of radius z and thickness a has a volume of pi z z a
2: Who e-mails porn sites? Most web-sites that charge for service like Transgaming, have you fill out a web form, which you then supply your e-mail address. People will wise up very soon (like one messg and 1 cent) and not e-mail dubious sites.
3: It's not designed to be a profit system, but your ISP could hold your money, say as a small deposit with your account.
4: From the concerns you raise, I'm not so sure that you read the article
..........FULL STOP.
...but wouldn't similar results apply if both parties used digital signatures in their mail?
How is this any different? Or am I missing something?
The Penguin Producer
Wow, talk about sledgehammer and fly. This solution to the problem of spam is far more complex than necessary. Micropayments? Escrow accounts? Easy there poindexter, put down the slide rule and back away slowly.
There is a simple solution to the problem of spam. Users simply set up whitelists, and set email programs to reject any messages originating from addresses (or subnets, or domains) not on the list. Quick and easy. This would of course make it impossible to email someone you are not already acquainted with, but so what? When was the last time anyone received an unsolicited email that was worth reading? It's a small price to pay to put a stop to the scourge of spam.
Does this mean we all need a credit card to sign up for gmail and other similar "free" email accounts?
This Sig is removed due to factual inaccuracy
This is an interesting theoretical design. I don't see why to put it into practice, though. "Hash Cash" accomplishes the same thing without using real money, and real money is dangerous because it's a lot more desirable than CPU time (what about iloveyou.vbs sending out high-bond e-mails to a special collection account? This is not a feature we can trust the average user to have enabled.) It also requires much more sophisticated machinery in place, like certificate authorities. (Of course, if we wanted to, we could also use certificate authorities to do post-hoc hash cash bonds. But if the algorithms can avoid certificate authorities, that is much better!)
It's another special case of the same general scheme which I call "tokens". Examples of token-based schemes include whitelists, challenge-response with automatic whitelists, digital signatures, micropayments: the common factor is that the recipient chooses a token that all mail they receive needs to contain. The token can start out simple (just requiring a special word in the subject line works wonderfully right now) and can be made more complex and expensive as the spammers adapt to it.
The mistake these people make is the same one most "perfect token based schemes" make: they assume that they have to start with the most complex and difficult token that they "know" spammers will never adapt to right from the first day. You don't. You can start out with a simple easily forgeable token and worry about switching to one of the cryptographically secure or money-based tokens later... in my case my family has been using simple tokens for a couple of years now and a grand total of two spammers... 419-ers, as it turns out... have bothered to jump through even that simple a hoop.
http://www.boydgraves.com/order/order.html
Ha! A fucking scumbag preying on gullible morons.
If companies have to put up a bond for every outgoing email, and lose that bond when recipients don't want to read it, it might even cut down on the number of clueless twits who forward the same tired old jokes, etc., from their work account.
When someone from IT appears at their desk with a log printout and a total cost, and demands repayment on the spot, the idiot user might get the message. First offence, maybe the money gets donated to the corporate charity; second offence, the user in question gets suspended by their underwear from a 40th-floor window and left to rot.
On the other hand, if IT weren't smart enough to figure out who was doing it (or if the user were smart enough to foil them), what would stop some disgruntled employee sending thousands of stupid jokes just to cost the company money?
Several problems with this:
- Banks will possibly want to make money with every transaction, not just with bonds that get collected, especially if you take into account that bonds will rarely be collected. That means that banks will make a sh*tload of money just in order to prevent criminal or annoying behavior of a few spammers.
- It's not clear how the "challenge" step involving the whitelist is supposed to be implemented. Right now, we have mail servers receive mail and store it until the final recipient (client) polls it, e.g. via IMAP/POP3/Exchange. Would this mail server have to store the whitelist and bond info? Probably yes. Privacy issues?
- How does it integrate with the current e-mail world? Not very well. Sure, you can still accept e-mails without a bond and rank them low (i.e. mark them as potential junk). But for quite a while, people will not be able to discard these e-mails automatically. Therefore, there will be no incentive for senders to move to the bond mechanism.
- There are many parties involved: Right now, we're talking about sender-SMTPrelay-mailserver-client. In addition to these four parties we need two escrow agencies: one for the sender, one for the recipient. These will need to be organized, so they can talk to each other - which means there is some kind of additional club involved. (We can get rid of the SMTP relay entity mentioned above - this can be done by the client directly.)
The problem is that with the new entities, things can go wrong. They can simply be down (keeping me from sending or receiving e-mail!). Or their security can be compromised.
The bottom line is: this is too complicated.
I wonder what is better about the bond scheme, compared to the challenge-response idea that circulated a while ago, where sending e-mail is simply computationally expensive enough (unless you're on the recipient's whitelist).
2: Spam is by far the largest user of bandwidth in e-mail. I've seen estimates of up to 80% e-mail is spam, and 15% of TOTAL internet traffic is spam. It's basically a check that can be performed with very little data sent, on probably the ISP's machine.
3: This should make e-mail more trusted and less flaky.
4: You already trust the people from work and your family/friends. Who else do you need to "trust" - if it's a real e-mail mesg, then it's no prob. If it's fake - you make 10 cents.
5: People will probably never see this, if they are not in the "scheme".
6: Spammers essentially do this now with their millions of e-mail mesgs sent. This tactic would be unsuccessful, since it would prevent them from sending out any of their own e-mails.
7: The fee per mesg will probably be so small, so that 50 cents can last a long time. If it's getting depleted, then your e-mail habits are somewhat suspicious. Why would your friends charge you to read your e-mail?
8: Mesgs need to be verified back to origin. Unverifiable ones are highly suspicious for being spam and are either not sent, or never read.
9: Escrow DDOS will not work, since the fee per account will make it expensive. ISPs will probably handle this and it should never happen anyway.
10: Again a "reputation system" will never develop. Once your trusted friends are verified, they make it onto your whitelist and you never worry about it again. There is no need for a rep system - you never need to know it.
..........FULL STOP.
I'm gonna say something very ugly here: I find spam not to be a really serious problem. I get approx 50 spams per day, and 45 of these go straight to my MacOSX Junk folder. I hardly notice them at all. At the end of the day I quickly glance through the folder. Never found a false positive in 1,5 years. The 5 spams that do wind up in my inbox are no problem either, since all known correspondents in my addressbook have their own sub-box. So only new peeps end up in my inbox, which is quick to scan.
I sure as hell ain't gonna pay for something that I don't need.
When will I end this grieving ? When will my future begin ?
This is a horrible idea. People won't want to pay for something they used to get for free. If implemented people will avoid this system like the plague. Why would you put at risk your money to use a service that used to be almost free?
I have TWO alternatives for people who might consider using this system. If you want spam free communication, set up a web page using PHP and get people to communicate with you through that after recognizing a word or a Yahoo-style muffled image. If you feel you have too much money, donate it to the United Nations Children Fund. But don't be an idiot and burden the community by supporting a system that intentionally jacks up the price of communicating via e-mail beyond its true cost.
People who would waste money on a system like this aren't socialists because they would be supporting the higher cost of e-mail for everyone, they aren't capitalists because they would be fostering overpriced services, they're just idiots.
...sucks more than spam itself. Who cares? Popfile & Spamassassin are working just fine for me.
I may have been drunk when I wrote this.
YHBT. YHL. HAND.
initiatives, are already wwwildly popular, unbreakable, & work on several (more than 3) dimensions.
whois it that needs yet another phonIE corepirate nazi execrable glowbull warmongering 'committee'?
consult with/trust in yOUR creators.... increasing the efficiency of existence (in spite of us?) since/until forever. see you there?
devise: how whoreabully infactdead it remains.
even if one assumes that all the prior "there's a hole" posts are wrong . . .
Reason #3: SPF. I didn't even need to read beyond the ABM FAQ's TOC. Just look at the length of the TOC itself. Although there's a TOC item "Will the ABM be complicated to use?", the answer is obvious without reading it. Now contrast this with SPF: how long does it take you to understand SPF, or to explain its BASIC CONCEPTS to someone else?
Reason #2: ABM doesn't itself kill anonymity, but it makes it easier for government to do so. As one poster has already said:
"There isn't a central database from which funds are collected that has everyone's name and bank information. The only requirement is that you have funds available to back up your email, and like it says, this can be accomplished by paying in person with cash for an anonymous e-mail account."
It's a bitter lesson of the past three years -- or it should be, if you haven't already realized it -- that there are few limits to the extent to which government will regulate (read "criminalize") financial transactions in order to control individuals, in the guise of "fighting terrorism".
If you don't believe this, then go to the service desk in any large grocery chain where they sell money orders, and look on the wall for the sign which describes the maximum anonymous cash transaction which can be performed without triggering a report to the government. (I'll provide additional detail and examples if anyone chooses to dispute this.)
Implement ABM, and just how long do you think it will take for some publicity-hungry politicians to propose that all ABM payments require identification?
Reason #1: The ITU supports it. I have no problem with organizations like IETF. But in view of recent trends of trans-national political authorities (like the EU) taking action contrary to human rights, I'm immediately suspicious of a proposal supported by an organ of the UN ("tin-foil-hat" insults notwithstanding).
I think this would qualify as propaganda spam. I also get spam telling me about how great Jesus was and how I should seek him, blah blah blah. I always forward stuff like this to abuse@.
Whether or not there is any truth in the email (I have no idea) doesn't matter. It's still spam with the intent to influence opinions. Everyone has the right to protest, but they don't have the right to FORCE me to listen to it. Sending this (or the religious or viagra variety) is forcing me to read their message. I don't differentiate spam by the content. If it's designed to make me do something (spend money, click on a banner ad, accept a deity, etc) and I did not sign up to receive it, then it is spam.
Tequila: It's not just for breakfast anymore!
Correct, however, it would cut down on Spam traffic which is a tremendous drain on the internet backbone. Spam blocking tools do nothing to alleviate that.
That said, I don't like this ABM thing at all. Spammers will always find a way around restrictions.
Not everyone in the world does have access to universal currency. In some countries, you need special permission by the government to buy exchangeable currencies (like, say, USD or EUR). They even put a stamp in your passport if you did, so you don't buy too much! Oh, and btw., most spam doesn't come from there, but from countries with free valuta.
Would you really want to erect yet another economic wall between "us" and "them"?
cpghost at Cordula's Web.
Too complicated, will never work. Besides - it's being considered by governments which means it's obviously never going to work as let's face it, with regard to IT, governments don't have a clue as they are fed constant lies from people who stand to make a lot of taxpayer money.
Would it be possible for me to own my own escrow service and make counterfeit escrows?
Honestly, I think the writer of this news article is just advertising this silly antispam idea.
I'll save my breath and just say that it's easy to see from all the replies on this thread how -stupid- idea this ABM thing really is. There's no way this would EVER be accepted as a "standard" solution for fighting spam.
I have no intention of giving my white list over to an ISP. Yes, I know they could determine who I receive email from by monitoring logs, but it just bothers me to go the extra step of doing the work for them. Step 2 is the government requiring all ISPs to have an interface that allows them to read all white lists. Mining of such a complete social map could crack through a lot of privacy.
Systems like this will never catch on with common consumers, they're simply too complicated.
The simplest and most effective solution would be to have a mail server authority, much like the DNS authority is run, and then have everyone register their servers. If the server is abused, they're investigated/deleted from the registry. Users configure their mail clients not to receive mail from unregistered servers, and voila, no more spam.
It won't catch on overnight, but it will be necessary. Such a service might cost a $5 one-time fee or small yearly fee, whatever. Any server that's worth running will pay for this. The real-world analogy is you can't have unlicensed drivers on the road.
On your reason #1: there is no claim that the ITU supports the scheme.
The submitter (also the author of the protocol, as he makes clear) notes only that it was 'presented' at the ITU. That's got nothing to do with being supported by it (save that they generally request presentations on things they support. They also get a lot of presentations on research they don't support).
In fact, the inclusion of the names FTC, ACM, NBER and ITU in the summary is, in point of fact, nearly meaningless. All it claims is that he's told them about it. Well, yeah, but how did they respond? That's the question. Unless that's answered the only reason I can see to list all those names is for an inappropriate air of legitimacy.
So, your real reason #1 ought to be: The creator is making claims the weasel an air of respectability, but in fact have no meaning. Unless someone wants to show a positive response from those bodies [0], I take that as an attempt _not_ to stand on the merits of the proposal
Interesting, if you read the proceedings of the conference, the overview papers agree that there will be no single technological solution, and don't mention ABM. This says, to me, that there is no particular acceptance of this particular implementation of postage stamps for email.
[0] And I can't find mention of one on the proposal site.
First problem from the point of a view of an ordinary user.
how do you pay your bond?
without a credit card or debit card any kind of payment across the internet is near impossible. so even a 1 cent bond becomes difficult to pay the result being you just closed down the ability to send and receive email for a sizable body of users.
how do you collect on a small size bond?
if it's a 10p bond surely mailing it will cost a 45p stamp. international money transfer costs sizable amounts no matter what the amount.
Who is holding the money?
even if all users were to have small bonds it is a sizeable sum overall
If every internet user sent me a penny would i need to work again?
how about I am totally careless with my email address, can i then send repeated claims for bond money from all these companies that want to sell me something.
This system sucks and white listing sucks too, unless you never lost contact with old friends or changed your isp or got in touch with a company.
heck thinking about it somebody makes a product gets a lot of customer complaints then claims their repeated emails from dissatisfied customers is spam and claims the bonds.
seems like another get rich quick scheme to me but not one i want to pay for
Blarney Quality Restaurant, Plants
simply put they want to make a profit
FAIL - you have to get consumers to sign up to a service that their friends do not use
(transition will just be a nightmare )
sorry but why not provide companies with something they want...
like emails that are encrypted
(and maybe for bonus points self destruct)
companies don't like their communications flying around for all to see
companies don't like the idea that those msg's could go to court
in the end it comes down to what you can sell !
regards
John Jones
What the heck are attention bonds? Sounds kinky to me.
So the idea has been presented to the FTC, the ACM, the NBER and the ITU. Big deal. What about the Internet Engineering Task Force, guys? They have more than a little to do with setting standards for the Internet. Technical flaws aside, any effort to change the way email gets handled that tries to end-run the IETF is doomed to failure anyway.
I would add to this that, in general, good guys would not require keeping
a very high balance in their escrow account. If a typical bond cost $0.10 as
suggested, you would not need to risk more than one or two dollars in your
escrow account unless you habitually send e-mail to unscrupulous recipients
who claim your bond without justification.
Yes, a successful virus writer could get rich by stealing one dollar from each of a million targets, but would you not want to take part in a system that could hugely improve that quality and value of communications you receive, merely by risking a dollar or two in escrow?
Also, if your escrow account gets raided, it would not mean that you can't send email anymore. All of your friends would presumably have whitelisted you and would allow your messages through without invoking the bond mechanism.
This is crazy. Where there is EFT involved with fraud, there is going to be:
Then, we're going to have to set up rules for EFT regarding which banks are "good" banks in "good" countries... and which banks are "bad" in "bad" countries. And, of course, the "rogue" nations will provide EFT accounts to spammers for the appropriate amount of cash.
Spammers will thus get into the game of money laundering and organized crime... at least more so than they actually are right now. There has to be an intelligent solution without using money and EFT.
This is not true!! General Mbuabua and Ambassador Ngibu continue asking me for more money to help them release their funds. Once you send them that first check they just don't stop.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
The fact that you can still send emails anonymously is an important advantage of this scheme as compared to authentication-based schemes.
"Hi all - the ABM, a proposed solution to spam first posted to /."
Dang, don't we have enough people spamming first posted as it is? Now they are going for FTC backing and a fancy acronym!
>Next step (barring gaping holes) is to get a
>standards effort going - and most of the needed
>standards already exist
You do, of course, realize that IBM has already patented this same idea.
They define this as an interrupt cost, but the basic principles are pretty much identical...
Check out http://www.findarticles.com/p/articles/mi_m0ISJ/is_4_41/ai_94668338
Sorry to mention, but...
phantasma6: "Could this stop free mailing lists? If the sender has to pay..."
>> It does not have to pay. However, if it mails to someone with ABM, it gets an automated response which can be ignored. After all, anyone subscribing to a mailing list can add that address to the whitelist, and therefore receive the letters.
For those who say a properly configured SA (or any other tool) can solve their problem, let me mention that it took only 6 months for my favourite free web-based e-mail service to become unusable due to the amount of spam: I received about 500 messages a day, and even with a simple rule that every message not coming from .hu domain goes straight to waste bin (which solved MY problem of the spam) didn't solve THEIR problem of getting more million spam messages daily, and their servers were overloaded. And if you don't pay anything you can't demand HW upgrades, can you?
So sorting mail with 100% accuracy, and 0% false positives can only solve YOUR problem of the spam.
cheesybagel:"Yeah, this is full of holes. And the worst thing is that it can mess with my wallet."
>> You mean your $5 initial deposit? Or you send more unsolicited mails than receive?
lachlan76:"I should be able to send email WITHOUT giving someone my BANKING DETAILS, and without losing money because someone doesn't like me."
>> So long live the spam? And anyway ABM does not require you to send banking details...
panurge:
First, look at the opportunities for fraud. Say I set up a porn site with an email address. You email me and the system asks you to post a huge bond to get the message through, say $1000. Somewhere out there will be id10ts who haven't configured their systems properly.
>> And they paid $1000 to their escrow service. In advance. Just for sending emails. Yeah, very likely. But clearly there are fraud opportunities...
router:
Virus writer releases virus that causes your Windows 2k/XP/LongHorn desktop to send spam. (done)
Spam gets sent to address that auto claims bond.
Your escrow account gets raided. (0.50$)
You can't send email anymore.
Virus writer gets paid and retires. (100M x 0.50$)
>> This is a very valid and likely type of fraud, for instance.
azaris:
1. Set bond to $ 0.01 to ensure automatic bond posting.
2. Subscribe to 10,000 different mailing lists.
3. Profit!
Aye, this would be... erm... let me calculate... 0 times $0.01 equals... khm... 0. No mailing list ever would configure their servers to reply to bond claims.
IMHO the main problems of this system are:
- if whitelists are not located in the servers, you will have to download "bondless" messages too.
- high possibility of frauds
- after sending a mail (if you don't send bond automatically), you have to wait (sometimes minutes) and you will not be sure that even after that your mail has arrived. Think of a modem user connecting, downloading his mail, replying offline, connecting again to send answers and new mails, and WAITING for bouncing bond claims. Not comfortable.
Think of a broadband user wanting to send an urgent mail just before he leaves home.
Unless he is on the recipient's whitelist, if they use ABM, the sender of the mail HAS to wait.
This could be eliminated only if the automatic bonds processing is done on the servers, which I feel is insecure. (Think of someone SMTPing into my mailserver and sending a mail (with my address in the From field) to himself. Since SMTP does not have any kind of security check in it, all he has to know is my email address.)
So without changing SMTP or implementing some sort of sender identification (which they say to be important because of the whitelist) it wouldn't be hard to fake-send messages in my name (trying to use my automatic bond sending and reclaiming the bond on arrival [and quite possibly immediately "forwarding" the bond to another account])
Interesting part in the document is
Yeah, free Ipod! He is innocent!
claiming that the HIV virus, the virus that causes AIDS, is a virus that was manufactured in American laboratories between 1962 and 1978.
The US government's claim to invention may be invalidated by prior art. HIV was around before 1959 (though there is some dispute).
If you look up the patent that supposedly proves that Gallo invented HIV, you will see that it is NOT a patent on HIV, it is a patent on a method of reproducing HIV extracted from humans and it was filed after public research on HIV. Reproducing a pathogen is an important part of conducting research, both as an amplifier for presence tests, to make large numbers of identical samples to experiment on, to allow the American Type Culture Collection to archive the virus and make copies of it, and to allow others to reproduce research. It is much better to copy one virus particle than try to extract lots of HIV, and only HIV, from blood. Now, whether patenting such a process rather than placing it in the public domain is asinine is another discussion.
All the Copyright notices by Zygote Media on many of the web sites that report this do not inspire confidence, either. "Media" in the name sure sounds more like a for-profit venture than an activist to me.
For a total of something like $1000, Boyd Graves will sell you copies of public domain government documents that supposedly support his claim. But given that he misrepresents a patent for reproducing HIV as a patent on HIV itself, your money will not be well spent. And if he sent the spams, you would be supporting a spammer.
There are many urban legends about man made HIV.
This is another attempt to sell micropayments.
It has the same problem as the previous: the cost of deciding if you want to pay.
Also, if you mail someone and then get a reply that says "You have mailed who has decided he requires you to post a bond of 2 cents for him to pay attention to your mail. Please use one of the bond posting services listed at ." you are likely to decide it is not worth bothering.
Even if joe-sixpack only makes $5 available, he is going to be pissed if it keeps disappearing.
Right... he should patch his machine to prevent worms, but we are talking about joe-sixpack here...
"When the going gets weird, the weird turn pro" -- HST
The society for a thought-free internet welcomes you.
Or the escrow can become the new VeriSign, charging a truckload of money for a service that costs nothing to provide.
/greger
This might be better.
It is spam filtering that uses the existing SMTP/POP3 infrastructure and is low cost shareware/freeware.
SpamByte: Game Over, Spammers/Computer Crackers.
Sure, there are things wrong with this scheme, but the problems aren't the ones most of you are talking about. Here are some I posted on my Web log:
#1: It creates a great opportunity for traffic analysis by the government, marketers, etc., because the escrow agents can collect data on who's emailing whom. The recipient gets to choose their escrow agent, so an individual participant doesn't have the option of only dealing with reputable or privacy-respecting escrow agents.
#2: It creates a money trail alongside the email trail, making anonymity almost impossible (especially because the recipient can choose the escrow agent, see above). This issue actually could be turned to an advantage because remailers could use the bond system to collect "postage", clear postage between themselves while obfuscating the money trail, and reduce their own spam problem into the bargain, but it'll be a big headache for them, and the anonymity of the remailers to the escrow agencies is hard to maintain.
#3: Trolling can become financially profitable. The business plan goes something like this: 1. Post something to Slashdot or Usenet that lots of people will want to respond to by email. 2. Collect a small enough bond from each responder that they'll be willing to pay it. 3. Profit! One could argue that that's an acceptable business (because you're only collecting money from the people who decide they're willing to give it to you) but I'd argue that it's a bad thing to encourage this business, because it also imposes on many people who do not want to respond to you, and damages the infrastructure for everyone. It's like saying "Selling SUVs is morally okay because I'm only selling them to people who are willing to accept the environmental impact" - hello, it's not just your customers who bear the brunt of the environmental impact!
#4: Participants who are poor, or penniless, just can't have email anymore. That includes children, the homeless, and many people in developing countries. Moreover, even among people with nonzero disposable income, it stratifies email along economic lines: I will demand attention bonds roughly proportional to my income (because otherwise they won't have the intended effect of compensating me for time lost) and then someone with less income than me has to make a disproportionate sacrifice to talk to me, and someone with more income than me can spam me with no hardship. I have received legitimate, important email from a scholarship student in Uganda, and in an official capacity from the legal department of a multi-billion-dollar US corporation; the value of a dollar to those two parties is totally different. Note that it's not good enough to say "Oh, we just won't collect the bond from people who are poor" because they still have to have the money in order to promise it in the first place. Children have no money, not just a small amount - especially if, as would necessarily be the case, enforcement of the bonds is tied to legally binding contracts in jurisdictions where children's right to make commitments is not recognized, so the children wouldn't even be allowed to spend money this way if they got some.
#5: If only applied to email, it'll encourage spammers to move to other media - Usenet, Web BBSes, and referrer logs, for instance. Attention bonds can't be easily applied to some of these.
#6: If you offer to sell your time to all comers for $0.50, then you have to actually do that, and at least glance at all the messages sent to you by people who are willing to put up the $0.50. If it were actually the case that there were lots of evil perverts out there sending pornography more or less at random to innocent children out of sheer perversity (I don't believe that, but many people do), then this kind of arrangement would make it harder to block them. Even under a more realistic threat model for pornography in particular (people only sell that stuff to make money, and so will only send it to you if they think
how long does it take you to understand SPF, or to explain its BASIC CONCEPTS to someone else?
"If this is spam, you get $0.50."
I don't think ABM is hard to explain at all.
I do think it's harder to articulate the anti-spam benefits of SPF, since SPF doesn't stop spam, it just enables better blacklisting, and blacklists are a much more unwieldy and blunt tool than whitelists. (If someone hacks your server and spams with it, for example, it can be notoriously difficult to get yourself off a blacklist even if you've fixed the problem.)
And that's why I really don't understand your Reason #2. I think you've got it backwards. It's SPF that eliminates anonymity, not ABM.
The way SPF works, IIUC, is by eliminating spoofing and tying each mail to a specific ISP. On the SPF front page, they state outright: "If you do get spam that passed an SPF check, then you know you should hold the sending domain responsible for the message." Once you can tie a message to a specific domain or ISP, you can tie it to a specific sender. That's the whole point of SPF. There's no anonymity preserved there.
ABM, on the other hand, doesn't have to change a thing. You can set your policy to accept all e-mails without any bond, and you'll get every e-mail sent to you. You can refuse to send to people who require an ABM bond, as well, if you prefer. ABM is an option, not a requirement.
I'm not totally sold on ABM just yet, but it shouldn't be dismissed for the reasons you give. It's worth exploring.
He who refuses to do arithmetic is doomed to talk nonsense.
point by point on your replies....
1. If bounces never incur a fee, then spammers will use that as a loophole, faking their target as the 'from', and mailing to a known bad address.
2. The benefit of spam reduction only happens when the system is in place. The problem is during the (long) time it would take the whole world to adopt the new system.
3. The new system fails if either the sender or recipient's escrow server is down or unreachable, or if any of the challenges and responses are lost. How can adding all these additional points of failure possibly make things MORE reliable?
4. You need to trust everyone you want to send a legitimate mail to... examples include ebay bidders, every customer of your business, that person who got someone else's address wrong and mistakenly mailed you something, the listserv that claims to run a list that you might want to sign up to, etc. etc. Do you really want to worry that all of these might be ripping you off?
5. People not in the scheme either get told their mail is being ignored because it doesn't have a bond (which will annoy them), or they don't get told and their mail is binned (which will also annoy them), or it gets delivered anyway in which case the whole scheme is pointless.
6. Your point seems to bear no relation to mine. It's in spammers' interests to kill off the new system. They will do whatever it takes to kill the escrow servers, in order to stop the scheme being adopted. This is nothing to do with the normal spam traffic over the old system.
7. It only takes one 51 cent fee to kill a 50 cent balance. Once it becomes known that people can make 51 cents (or any other number) from you by tricking you into sending them a mail, every scumbag in the world will be trying to scam you/hack the fee network/ask for $0.0000001 then change their rate to $10000 between you saying yes and them claiming from you.
8. If you can do this, you've solved the spam problem! There would be no need for all this escrow stuff at all.
9. You are right... providing of course that the system is infallible, all ISPs in the world are competent and honest, there are no non-isp owned mailservers in the world, and everyone is honest, and no-one anywhere, no matter how dumb they are, ever gets scammed. If these conditions are not met, the media will whip up a frenzy about the risks, killing it stone dead.
10. You'd better tell the maintainer of the FAQ that it's not needed then. The FAQ says "With email between individuals, reputation can be established over time, entirely within the context of the medium."
A pizza of radius z and thickness a has a volume of pi z z a
Here's a better design. Incoming email. Whitelisted? Y/N Y - deliver. N - check monetary amount attached. Greater than monetary amount for anon email? Y/N. Y - deliver, keep money. N - bounce mail, money.
No need to pay anyone back. If you want to send me email, and you're not on my list, send me 15 cents with your email. For normal people, that's too cheap and too easy. For a spammer, that suddenly makes their 2 million email address spam run cost 300,000$ if they actually want people to see it.
It adds a cost to email that normal people won't care about, but will destroy spammers because their margins won't exist anymore.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
2. Computers infected with the worm spam random addresses.
3. Sit back and enjoy the chaos.
Or, even better: If authentication is weak, then have the worm email you and collect the bonds.
I read the article and they basically say that this is possible. Their defense is that you can only lose at most the (small) amount that you keep in your ABM account. However, when your account is depleted what happens next? You can't send email anymore? How do you get your money back? Some kind of insurance claims type procedure? No thanks.
I give ABM two thumbs down.
Good short summary.
Here's my thoughts on your bug summary.
1. Too many people will keep the money regardless. The only time a bond is posted is when you get an e-mail from someone you don't know or don't like. If an old, forgotten friend e-mails you, you'll refund their money; if a marketer e-mails you, you'll keep it. What's the problem here again?
2. The services of escrow agents are not freebies. Preventing spam isn't free either, and major ISPs and businesses already spend millions of dollars a year on it. Presumably this would decrease the amount they spend, not increase it.
3. Nobody will bother to use it when regular e-mail is cheaper, already deployed, and infinitely less fuss. Infinitely less fuss? Maybe for you. Personally, I like the idea of setting an attention bond and knowing that every single e-mail I get is one I'm going to be happy about, one way or another.
This isn't to say that there aren't any problems with ABM, I just don't think the ones you mentioned are dealbreakers.
He who refuses to do arithmetic is doomed to talk nonsense.
Sounds to me like you're an idiot, buddy. What you should have done before you delved into such an operation was read your beloved books *before* you attempted to install linux. At least check the Mandrake manual to see what is really going to happen before you mess with your partition containing your Windows system files! You should be able to find the manual on the web in only about one million places, so you have no excuse.
And about your "helpful" chat with those knowledgeable about linux? Wow. Maybe you should have really paid attention to what those guys or gals were saying, because IT WAS TRUE, and if you give it some time to sink in, IT MAKES SENSE. Perhaps you should print out the conversation, hop on down to Kinko's and have it bound so it feels more like a "book" to you....
And what is this "I don't know anybody who knows a fucking thing about computers (the reason for this is that I am not working class)."? Is that supposed to be a stab at anyone who works on computers? Are techs somehow "lower" than you? From what you have exhibited here, the class may be lower, but the intelligence level is a different story.
So, let's recap. What we have here is 1)someone who doesn't know anything about linux trying to install Mandrake without any proper preparation or forethought. Then 2)when prompted with a choice of whether the Windows partition should be changed, he still does no research whatsoever and plows right into system-destruction (a warning should pop up in your head when the OS you are installing asks about CHANGING another OS!). When this completely nukes the Windows system, he freaks out because 3)he was stupid enough to THROW AWAY your warranty information. And finally 4)when attempts to seek help from the incredibly intelligent (albeit misunderstood due to a common lack of people skills), linux community fail due to his lack of patience, he immediately tries to chew the helpers' ears off with a barrage of curses.
Well, sir, if this is how you treat the linux community that tries to help you, good riddance. We are glad to not welcome you as a new member. Go back to Windows with your "upper class" and continue to throw money at Microsoft. But remember: Microsoft charges at least $35 to LOOK at your problem. So get a book out next time.
...you'd report it to quality control, or whatever level of management is responsible. You almost certainly have no need to circumvent normal procedures and talk straight to Mr Big. If you do have a need that's pressing enough, chances are $1000 to catch his attention is cheap at the price.
When was the last time anyone received an unsolicited email that was worth reading?
Yesterday.
I get several unsolicited emails per month which I actually wish to read. Granted, this is a minority of all unsolicited emails I receive, but I do occasionally get interesting personal emails from total strangers which I'm glad I got.
-kgj
The first generation of these schemes included DigiCash, CyberCash, and CyberCoin. Remember?
And I haven't even STARTED on the horrors of trying to run a free mailing list (with or without a confirmation email at signup).
How about this: a legitimate email list would have its own bond, which is a bit larger than normal email bonds. To sign up, you have to send an email to the list subscription address, and when you do, your bond is collected (which you are warned of in advance), even though you are whitelisted.
When the mailing list then sends you messages, if you ever confiscate the mailing list's bond, they cut you off the list. The money the list loses is paid from the money you "lost" when you signed up. (If your bond is bigger than the sign-up bond of the list, it won't send any messages to you, which you are informed of when you sign up.)
Of course, adding this logic will take extra work, but that's no big deal. It's just another protocol to support. It could provide a simple way to charge a subscription to offset costs of running the list, it would tend to keep spam off your mailing list (you both collect someone's bond and blacklist them if they spam), and the above technique would keep people from signing up just to collect a bond from the list owner.
It would be a nice feature for mailing list management software to have.
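The sign-up bond idea from the comment above, as an added Python sketch (not part of the original comment and not code from any mailing list software). The class and method names, the integer-cent amounts and the example.test addresses are all assumptions; refusing to post a bond larger than the one agreed at sign-up is an extra safeguard added here against a subscriber raising their rate later.

```python
class BondedList:
    """Mailing list that collects a sign-up bond and drops bond claimers."""

    def __init__(self, signup_bond_cents):
        self.signup_bond = signup_bond_cents
        self.agreed_bond = {}   # subscriber -> per-message bond agreed at sign-up
        self.net_cents = {}     # address -> what the list has gained or lost on it

    def subscribe(self, address, demanded_bond_cents):
        """Collect the sign-up bond unless the subscriber's own bond is larger."""
        if demanded_bond_cents > self.signup_bond:
            # The list could never recover a claim, so it refuses up front.
            return False
        self.agreed_bond[address] = demanded_bond_cents
        self.net_cents[address] = self.net_cents.get(address, 0) + self.signup_bond
        return True

    def deliver(self, address, demanded_now_cents, recipient_claims):
        """Send one list message and settle the bond the recipient demands."""
        agreed = self.agreed_bond.get(address)
        if agreed is None:
            return "not-subscribed"
        if demanded_now_cents > agreed:
            # Rate was raised after sign-up: post nothing, send nothing.
            return "skipped"
        if recipient_claims:
            # The claim is paid out of the bond collected at sign-up,
            # and the subscriber is cut off the list.
            self.net_cents[address] -= demanded_now_cents
            del self.agreed_bond[address]
            return "cut-off"
        return "delivered"


def demo():
    """Constructed scenario: one honest subscriber, one who claims the bond."""
    lst = BondedList(signup_bond_cents=50)
    lst.subscribe("honest@example.test", 10)
    lst.subscribe("claimer@example.test", 50)
    results = [
        lst.deliver("honest@example.test", 10, recipient_claims=False),
        lst.deliver("claimer@example.test", 50, recipient_claims=True),
        lst.deliver("claimer@example.test", 50, recipient_claims=True),
    ]
    return results, dict(lst.net_cents)
```

Because a subscriber's bond can never exceed the sign-up bond, the list's balance for any address stays at or above zero even if the same person re-subscribes and claims again.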
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
SPAM is a social problem. You can't use market, technical or legislative processes to solve a social problem. Attempts to do so lead to more problems and don't solve the original problem ie: crime, poverty, drugs, all are social problems and none have been eliminated by any of the above means despite decades of trying.
You need a social solution to the social problem of email spam, though some may call this a technical solution.
numerous aliases, one account.
You have one base email account the address/name of which you never reveal to anyone. No, not even people you trust. Too many worms harvest addresses from messages stored on infected systems.
You then have a web and/or email interface to the mail server with which you can create email addresses on the fly which all dump their mail in the one mail account. These are not "temporary" or "one-time-use" accounts, they are however mutable at will.
You make up an alias for your close family to use, one for your friends, one for each major company you receive email from, one for mailing lists, etc. Despite having many email addresses, all of your mail is delivered in to one mailbox and only one account needs to be checked for mail.
If you should ever start receiving spam on a particular alias, you simply change it alerting the one or few entities that use that address. The remainder of your addresses remain unaffected.
It's also really fun to tell the phone company that your email address is mci@my-domain.com. The look on the librarian's face was priceless when I told her my email address was library@emiaildomain.com.
Does this require work on the part of the email user? Yes. One time for initial setup of the account(s), and then again if spam is received on an address.
The up-side... you only receive spam once on an address, then you change the address. Spam is then stopped before the message is sent from the remote server. Anyone with their own mail server, or an ISP who supports this can start using it right now, it doesn't require any new protocols or changing of any existing ones. It doesn't place any additional burden on the network, and in fact alleviates server loads because sending back a "550 user unknown" after the "rcpt to:" takes up a lot less resources than receiving the entire message and then trying to filter it based on content.
Is it a perfect solution? No.
What are the flaws:
1. Setting up, remembering and maintaining the list of aliases. This is a problem with laziness of users, not with the idea itself. In the end it will require no more work than installing and training a learning filter.
2. Setting up your mail client to operate with multiple outgoing addresses and only one incoming address. Some mail clients (OS X Mail.app for one) require incoming mail server info for an account (even if it will never receive mail) and require that there be a unique server/username combo for each "account". But there are workarounds.
3. Still susceptible to brute force guessing of the main account or the aliases (which requires changing one or both). Most mail servers today have hardening against brute force attacks though. Even if your main email address (the one you never give out) is guessed, you can have it changed and all of the aliases re-directed to the new address without having to tell anyone about it. All the aliases stay intact.
Article X: The powers not delegated... by the Constitution...are reserved...to the people
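The alias scheme from the comment above, as an added Python sketch (not part of the original comment and not any mail server's own code). It models the decision made at `RCPT TO`, rotation of an alias that started receiving spam, and moving the hidden base address without touching the aliases; the class name, method names, the random suffix on new aliases and the example.test values are assumptions.

```python
import secrets


class AliasRegistry:
    """Many revocable aliases in front of one base mailbox."""

    def __init__(self, domain, base_local_part):
        self.domain = domain.lower()
        self.base = base_local_part.lower()  # the address that is never given out
        self.active = {}    # alias local part -> who it was given to
        self.retired = {}   # revoked alias local part -> who it had been given to

    def _local(self, address):
        """Return the local part if the address is in our domain, else None."""
        local, _, domain = address.strip().strip("<>").lower().rpartition("@")
        return local if domain == self.domain and local else None

    def create(self, label, local_part=None):
        """Issue an alias for one correspondent; retired names are never reused."""
        if local_part is None:
            # A random suffix makes the alias harder to guess (flaw 3 above).
            local_part = f"{label}-{secrets.token_hex(4)}"
        local_part = local_part.lower()
        if (local_part in self.active or local_part in self.retired
                or local_part == self.base):
            raise ValueError(f"{local_part!r} is in use or was retired")
        self.active[local_part] = label
        return f"{local_part}@{self.domain}"

    def rcpt_to(self, address):
        """Answer RCPT TO before any message data is accepted.

        Returns (reply code, reply text, mailbox to deliver into).
        """
        local = self._local(address)
        if local is not None and (local in self.active or local == self.base):
            return 250, "OK", self.base
        # A retired alias looks the same as an address that never existed.
        return 550, "user unknown", None

    def given_to(self, address):
        """Which correspondent held this alias, i.e. where a leak came from."""
        local = self._local(address)
        return self.active.get(local) or self.retired.get(local)

    def rotate(self, address):
        """Retire an alias that receives spam and issue its replacement."""
        local = self._local(address)
        if local not in self.active:
            raise KeyError(f"{address!r} is not an active alias")
        label = self.active.pop(local)
        self.retired[local] = label
        return self.create(label)

    def rehome(self, new_base_local_part):
        """Change a guessed base address; every alias keeps working."""
        new_base = new_base_local_part.lower()
        if new_base in self.active or new_base in self.retired:
            raise ValueError("base address collides with an alias")
        self.base = new_base


def demo():
    """Constructed walk-through: issue, leak, rotate."""
    reg = AliasRegistry("example.test", "k3x9q7")
    library = reg.create("library", "library")
    before = reg.rcpt_to(f"<{library}>")
    replacement = reg.rotate(library)
    return before, reg.rcpt_to(library), reg.given_to(library), reg.rcpt_to(replacement)
```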
While the idea is interesting, it's not exactly new. I wrote about some similar capabilities in 2000 when describing Chronofile® (advanced communications technology, including permanent archival). And, the Chronofile® 1-pager refers to the 1999 book by Marc Stiegler, EarthWeb.
(From the article on Gregor's World)
perl -e 'srand(-2091643526); print chr rand 90 for (0..4)'
Now, dealing with challenges to this:
Mailing lists : simply don't send back acceptance of charges. Any good mailing list requires authorization anyway, so part of that authorization would be adding said list to your whitelist.
Family/Friends : Um, duh. If you are charging your family/friends for sending you an email.... something else is up
Financial (Banks, Retail Stores, etc.) : Again, remember *you* have the whitelist, *you* are in control. If a bank *really* wants you to read their message, they are willing to put up the cash to have you read their message. That is a Good Thing! If you are worried that banks will do that same to you, why? What information would a bank send you via email that you could not find out by going to a teller or calling them?
I think this system could be very workable. No one needs to track information that is *in* the message. It's much better than a standard whitelist. It doesn't require everyone to do it at the same time. I think a well-written RFP could achieve this not too long in the future.
I'm interested in any reasonable arguments to this.
The horror!
Most of your critiques are based in similarly fast and sloppy thinking. (Like your 'bond systems' syllogism. I'll leave the errors in that one to you.)
Linking to a snarky list of bullet points does not an argument make. ABM is an interesting solution that deserves more rigorous thought than you have apparently given it.
This is a complex technical solution for a simple social problem.
These are the simple facts:
A. Spam is advertisement.
B. The Advertiser paid for it.
C. The Advertiser's contact info is in the spam.
Since:
D. It doesn't matter who sent the spam.
E. It does matter who the Advertiser is.
So:
G. Go after the advertiser, not the spammer
Then:
H. Advertisers will stop paying for Spam
I. Spam will stop.
And Finally:
G. Added complications like ABM will be unnecessary.
What's the problem?
If a dog poops on your lawn:
Get the Master, not the Dog.
How can one verify that the Sender's Escrow Service is trustworthy and is not posting/reporting a false bond ?
What needs to be put aside for good is the belief that any so-called "momentum" behind ABM and similar schemes comes in some way from an altruistic "industry" intent to free email users from spam when in fact it is one of several attempts to get a "piece of the action" from the most successful uses of the Internet based (until when?) on open protocols. Such "altruistic" industry/government moves are usually accompanied by fallacious hand-waving about some impending "tragedy of the commons".
Spam reduction is just one of the baits here; another one is the promise of sharing bits of the money with several players including the end-users, those ultimately affected by the inevitable (but pseudo-authoritatively FAQ-downplayed) security disasters waiting to happen with ABM.
In fact, what this is about is yet another partial privatization of the commons; as your FAQ gently puts it, with this new Internet toll,
In fact, what the ABM toll builders hope for is not a quasi-extinction of spam. Survival of at least some spam is part of the business model, with spammers playing by ABM rules being rewarded with the ABM newspeak label of "legitimate marketers".
Another business opportunity for the toll-masters, helping the targetting of spam (sorry, I meant "legitimate marketing"), is suggested by
Indeed, one would expect "those skilled in database marketing" to be strong supporters of the ABM strategy.
Even your argument on effects on competition is revealing:
Here and elsewhere you seem to presume that all SMTP traffic happens between ISP-owned machines, conveniently forgetting private email servers and even small email providers which are not ISPs, suggesting, on the email services side, that this would be just some
I fell asleep after the 4th or 5th diagram. Any anti-spam protocol has to be simple enough so that coders can code it without ... oh shiney.
Death to America! Death to Israel!