Slashdot Mirror


Beat Spam By Not Using Email

judgecorp writes "We had a press release - by post of course - about a scheme that eradicates spam and viruses. It's not email, oh no. It's digital mail or dmail, a private system that no one else can send messages to. Assuming it's genuine (and the PR person is called Mike Hardware) it uses XML and SQL to build a 1980s bulletin board, to sell to niche markets (such as very close-knit families). Our story is here, and if you don't hear from us again, it's because we are busy emailing ourselves with our two free dmail addresses. Peter Judge, Techworld"

10 of 314 comments

  1. New concept same stuff... by HackHackBoom · · Score: 4, Insightful

    I'm all for trying new concepts, but pardon my disgust. I'm an entrepreneur myself and I understand money makes the world go-round, but I shudder to think where we'd all be if the guys who came up with Apache were trying to start it now.

    D-Mail, G-Mail, PurplePokaDotMail are just more examples of someone trying to create, patent, exploit, etcetera when there are far more ethical and lucrative methods of making money. Of course this relies on people getting their heads out of their proverbial asses, but what can you do?

    --


    "It's not stealing if you don't get caught!"

    1. Re:New concept same stuff... by Anonymous Coward · · Score: 4, Insightful

      Any mail exchange system could be made private by simply blocking port 25 on the external firewall. It's like magic.

  2. eMail replacement. by Amiga Lover · · Score: 3, Insightful

    IMHO completely dropping email as we have it now is the only way against spam. No matter what's been done so far has kept existing email infrastructure as legacy. A new extension on top of email might get some play, but it's all irrelevant while the same system is still able to be used for spam.

    Drop email. Drop SMTP. Change the ports it uses. Change the entire system, and scrap what's gone before and start again. Make it PURPOSELY incompatible.

    Unless of course you want to keep getting spam. If so, keep using email as it is.

    1. Re:eMail replacement. by bobintetley · · Score: 5, Insightful

      IMHO completely dropping email as we have it now is the only way against spam. No matter what's been done so far has kept existing email infrastructure as legacy. A new extension on top of email might get some play, but it's all irrelevant while the same system is still able to be used for spam.

      This comes up every time someone mentions spam. You simply cannot have a decentralised, free, messaging system without a small minority of people abusing it.

      Think of it as the price you pay for having a decentralised, free line of communication. This is a social rather than technological problem and I'd rather have spam than a tightly controlled mail solution that could be taken away from me or cost me more money.

    2. Re:eMail replacement. by Christopher Thomas · · Score: 3, Insightful

      IMHO completely dropping email as we have it now is the only way against spam.

      The problem is that any system with the features we demand of email has the faults of email.

      The crux of it is - do you want someone you haven't heard of before to be able to email you?

      If the answer is "yes", then you get spam.

      If the answer is "no", you get something fundamentally different from email. You can also already implement this, by using a whitelist for both email addresses and originating mail servers (to filter forged friends' addresses).

      Authenticating users and rubber-stamping their mail at mailservers doesn't help, because there are always untrustworthy mailservers run by ISPs who don't know enough or don't care enough to fix them. This is half of the source of the _current_ spamming problem. So, any decentralized email-like system is vulnerable to having spamming users and compromised mail servers exist. Compromised mail servers bring back forging, and you're pretty much back to square one. It gets a little harder to convincingly forge a sender address from a different mail server, but you can _already_ filter for that by using a server whitelist or using a DNS lookup (forward or reverse) for server lines in inbound mail.

      Having a centralized mail server makes it harder to insert bogus traffic, but creates a huge bandwidth bottleneck, and concentrates power over mail in a way that's unlikely to be acceptable.

      In just about any scheme, you can also get compromised user machines spewing mail from their own accounts with legitimate sign-in to any type of mail system at all.

      In summary, the spam problem isn't going away under any system that serves the same purpose as email. You can also modify a standard email system to get most of the benefits of the different types of system that _would_ be more spam-resistant. So, there doesn't seem to be much point in proposing a system-wide overhaul.
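
The combined address-and-server whitelist with a DNS check that the comment above describes, as an added example that is not part of the original thread. It assumes Postfix-style `Received` lines and that the receiving server is the final hop; the addresses, hostnames, IPs and the `FORWARD_DNS` table are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed whitelist: sender address -> relay hostnames trusted to carry that sender's mail.
WHITELIST = {"alice@example.org": {"mail.example.org"}}
# Constructed forward-DNS table standing in for real A/AAAA lookups, so the example runs offline.
FORWARD_DNS = {"mail.example.org": {"192.0.2.10"}}

# Postfix-style trace line: "from <helo> (<reverse-dns-name> [<ip>])".
RELAY_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def classify(raw, resolve=lambda host: FORWARD_DNS.get(host, set())):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    relays = WHITELIST.get(sender)
    if relays is None:
        return "reject: sender not whitelisted"
    # Only the topmost Received header was added by our own server;
    # everything below it arrived with the message and can be forged.
    trace = msg.get_all("Received") or []
    m = RELAY_RE.search(trace[0]) if trace else None
    if m is None:
        return "reject: no usable relay information"
    rdns, ip = m.group(1).lower(), m.group(2)
    if rdns not in relays:
        return "reject: relay not whitelisted for this sender"
    # Forward-confirm the reverse name: whoever owns the IP controls its PTR record.
    if ip not in resolve(rdns):
        return "reject: reverse name does not resolve back to the relay IP"
    return "accept"

def sample(sender, *received):
    """Build a constructed test message with the given Received lines, topmost first."""
    trace = "".join(f"Received: {r}\n" for r in received)
    return f"{trace}From: {sender}\nSubject: hi\n\nbody\n"

OURS = "by mx.home.example with ESMTP"
GENUINE = sample("Alice <alice@example.org>", f"from mail.example.org (mail.example.org [192.0.2.10]) {OURS}")
FORGED = sample("alice@example.org",
                f"from mail.example.org (relay.example.com [203.0.113.7]) {OURS}",
                "from alice-pc (mail.example.org [192.0.2.10]) by mail.example.org")
FAKE_PTR = sample("alice@example.org", f"from mail.example.org (mail.example.org [198.51.100.99]) {OURS}")
STRANGER = sample("someone@example.net", f"from mx.example.net (mx.example.net [198.51.100.5]) {OURS}")

if __name__ == "__main__":
    for name in ("GENUINE", "FORGED", "FAKE_PTR", "STRANGER"):
        print(name, "->", classify(globals()[name]))
```

The `From` header is checked here because that is what the recipient sees; a compromised whitelisted relay or a compromised sender machine still passes, which is the limit the comment itself points out.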

    3. Re:eMail replacement. by gl4ss · · Score: 4, Insightful

      ***. If *everyone* would just get valid, signed certificates to authenticate themselves as a given entity with a given email address, then *everyone* could turn on a switch in their mail client that says "reject all mail that isn't signed with a cert which matches the sender's address and that's signed by an authority I trust".***

      that wouldn't be free & decentralised anymore.
      if you want to have the ability to receive messages from total strangers, you have the ability to receive totally useless messages(spam) from them as well.

      --
      world was created 5 seconds before this post as it is.

    4. Re:eMail replacement. by MemRaven · · Score: 4, Insightful

      I used to agree with this, except that there are three big issues with it given the current infrastructure:

      • You have to trust that the certificate providers that you're going to "trust" are properly dealing with spamming customers. Because otherwise, it would be relatively easy to send spam, it's just that you guarantee that you can know the email address of the person who's spamming you. Or, rather, you can guarantee that the email address which was on the outbound message matches the one that the provider issued. This means that you can still get spam, it's just that you know an email address was successfully provided at one point for that spam.
      • What about phishing scams where they take your password? You think they won't find a way to get the private key for your certificate store, and then use your certificate to run joe jobs against you? Think again. As long as you have clueless users out on the internet, they'll be able to do crappy things with anything which relies on user-level security.
      • What do you do with webmail systems? There's no way outside of something like ActiveX for me to client-side sign my outbound email, and even if there was, there wouldn't be a way to deal with the whole kiosk problem (I want to walk up to an internet browser and be able to check my email). I could offload the signing onto the webmail system, but then that's not terribly secure, because the people I send email to can't necessarily trust that it was me (and not Yahoo Mail) who actually drafted the email. Also, if I have a simple password, again, that could be cracked, and anybody could send email as me. While this one might seem a unique problem with things like Hotmail and the like (which you might not want to allow mail from anyway), think of the number of corporate users who rely on things like Outlook Web Access (which will soon support client-side signing, but only if you're running MSIE on Windows and are at a machine where you can control the hardware to get your private key pair installed correctly).

      So while S/MIME and equivalent systems are useful in the fight against spam, they aren't panaceas because the rest of the infrastructure (particularly webmail systems) can't deal with them.

  3. Um, isn't this just a webpage? by Clinoti · · Score: 4, Insightful

    A proprietary system that no one can post to coupled with a password needed to view said content sounds suspiciously like a static second level webpage or an SSL private network. Just...like...a...private forum. We do the same thing here at work for vendors who buy our products, a static page updated weekly by the sales department that only x amount of vendors have access to, they can read their mail "posted specials" and later send updates to the dmail admin "webmaster" or "sales". Let's just face it. Spam, as much as I hate it, is here to stay. Yes, we can all agree that eventually the systems will get better at defeating spam and bulk mailings, but the brilliant minds that are developing the stopping systems have the brilliant minds that are bent on defeating those other brilliant minds. But removing the system from the culprits is a novel approach, let's just not herald it as the end or even a stepping stone to stopping spam.

    --

    Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep

  4. Which replacement? by jfengel · · Score: 3, Insightful

    The trick is, what do you replace it with? There are a lot of design constraints on email, among them:

    * Sending a message should be free or extremely cheap
    * It should not be required to receive an invitation to talk to somebody

    You can quibble with those requirements if you want to design a new system, but if you follow them any system you propose risks being spam-ridden. The spammers will not say, "Oh, gee, they've all moved to a different port and protocol, let's forget it then." They'll adopt any new protocol, faster than users will.

    So what about present email are you willing to give up? Converting from "free" to "extremely cheap" sounds promising, but it's still prone to the army of zombies, and exchanging trivial amounts of cash is still difficult and expensive.

    There are various ways to introduce blocks in the "anybody can talk to anybody" system. Some systems email you back when you send me a message for the first time, which at least proves the existence of a back path and to a small degree a real human (not a zombie) on the other end. Bayesian filters provide extra points to people who have emailed you before without excluding people you've never heard of.

    Or maybe we weaken the second requirement by distinguishing between promiscuous and non-promiscuous addresses. My friends email me at one account, and if I could I'd give each of them a separate address. People I trust less get different accounts. People who break the trust find that the address disappears, and because those addresses aren't promiscuous, relatively few other people are inconvenienced by that. I've effectively whitelisted those addresses.

    But I also monitor info@foo.com email addresses, which really do want to take email from anybody in the world. I can't drop those when they get spammed, because many people are expecting to get to me through them. But if we made promiscuous addresses rare, we could use more whitelists and perhaps change the balance.

    Perhaps if your average spam-buying-jackass@comcast.net were able to receive mail only from people he'd whitelisted, he'd get less spam and the spammers would give up. But that would be wildly inconvenient for him.

    The point is, most of these could be built on top of SMTP, and any SMTP alternative you propose is going to have either promiscuity or convenience problems. Just dropping SMTP just moves the problem to a new protocol but with massive infrastructure pain.

  5. New Section by zik0 · · Score: 3, Insightful

    Time for a new /. Section:

    Lame Product Announcements