Beat Spam By Not Using Email

judgecorp writes "We had a press release - by post of course - about a scheme that eradicates spam and viruses. It's not email, oh no. It's digital mail or dmail, a private system that no one else can send messages to. Assuming it's genuine (and the PR person is called Mike Hardware) it uses XML and SQL to build a 1980s bulletin board, to sell to niche markets (such as very close-knit families). Our story is here, and if you don't hear from us again, it's because we are busy emailing ourselves with our two free dmail addresses. Peter Judge, Techworld"

New concept same stuff...

[HackHackBoom]

I'm all for trying new concepts, but pardon my disgust. I'm an entrepreneur myself and I understand money makes the world go-round, but I shudder to think where we'd all be if the guys who came up with Apache were trying to start it now.

D-Mail, G-Mail, PurplePokaDotMail are just more examples of someone trying to create, patent, exploit, etcetera when there are far more ethical and lucrative methods of making money. Of course this relies on people getting thier heads out of thier proverbial asses, but what can you do?

Re:New concept same stuff...

[l4m3z0r]

A private mail exchange system is an awesome Idea, I'm sure tons of companies have home grown solutions already using email systems configured to not receive/send mail to people outside the company. This looks very intriguing to companys whose individual employees need to send lots of mail to eachother but not outside the company. Not only does it fight spam/viruses, but it helps keep documents confidential by not allowing employees to mail sensitive data around the net, it helps curb use of company resources for personal interests, and it decreases the amount of intervention IT staff will have in the daily operations of its employees. Less viruses mean less visits from IT staff which means more productivity accross the board. What can you be disgusted about when there is already a demand for the product? They arent trying to force something unwanted to anyone, they are recognizing legitimate need and demand and catering to it. Bravo.

Re:New concept same stuff...

[SkyWalk423]

There is nothing unethical about parting morons from their money. And I might also add, it's a quite lucrative endeavor!

Re:New concept same stuff...

Any mail exchange system could be made private by simply blocking port 25 on the external firewall. It's like magic.

Re:New concept same stuff...

[JAgostoni]

Even more so than that most email systems have a configuration option (sometimes even per-user) that can disable public/internet email exchange. Even Microsoft Exchange has that! At my company, internet email is actually turned off by default until the user takes a "training" course on how to use the Internet properly. Interestingly enough, the words "spam" appear nowhere in that training.

And avoid viruses

By not using computers.

Now where did I put that abacus?

Re:And avoid viruses

[blibloblu]

Ink and paper: tried that also. Unfortunately, people wouldn't appreciate my sending HTML letters (which took so much time to write down).

Re:And avoid viruses

[Feanturi]

Now where did I put that abacus?

I'm sorry, I coughed on it, better make sure to scan it for infection first.

Beat seasonal allergies too!

[JohnGrahamCumming]

I recently beat seasonal allergies without relying on any medicine at all. I simply decapitated myself with a steak knife. It was so easy, no more running nose, or red, watery eyes!

John.

PS And there's an added benefit: I can't see the hideous /. IT color scheme any more!

Waiting for dmail rev 2...

[DamienMcKenna]

I'm waiting for dmail rev 2 that adds on network-to-network communication, so you can dmail your friends without having to have an account on every single different network. Oh, wait..

Damien

Slashdotted

[Nos.]

So I can't read the articles, but I don't see anything here that setting up a whitelist only mail server doesn't do

eMail replacement.

[Amiga+Lover]

IMHO completely dropping email as we have it now is the only way against spam. No matter what's been done so far has kept existing email infrastructure as legacy. A new extension on top of email might get some play, but it's all irrelevant while the same system is still able to be used for spam.

Drop email. Drop SMTP. Change the ports it uses. Change the entire system, and scrap what's gone before and start again. Make it PURPOSELY incompatible.

Unless of course you want to keep getting spam. If so, keep using email as it is.

Re:eMail replacement.

[bobintetley]

IMHO completely dropping email as we have it now is the only way against spam. No matter what's been done so far has kept existing email infrastructure as legacy. A new extension on top of email might get some play, but it's all irrelevant while the same system is still able to be used for spam.

This comes up every time someone mentions spam. You simply cannot have a decentralised, free, messaging system without a small minority of people abusing it.

Think of it as the price you pay for having a decentralised, free line of communication. This is a social rather than technological problem and I'd rather have spam than a tightly controlled mail solution that could be taken away from me or cost me more money.

Re:eMail replacement.

[photon317]

Actually, you can have a decentralised free messaging system that's immune to the types of abuses we see today (spam). We already have the smtp email foundation to build it on top of, and it's pretty damn simple to do. If *everyone* would just get valid, signed certificates to authenticate themselves as a given entity with a given email address, then *everyone* could turn on a switch in their mail client that says "reject all mail that isn't signed with a cert which matches the sender's address and that's signed by an authority I trust". If you make spam completely accountable to a real-world entity via cryptography, it largely solves the problem, because the problem is so easy to solve at that point.

There's already some competing standards for this stuff, and Enigmail (in moz and thunderbird) supports at least two of them. I'm pretty sure you can get an email cert from one of a few authorities pretty cheaply.

So, it really comes down to convincing the users, which is largely the job of email client vendors. When you first set up your account in Outlook, Thunderbird, or whatever, there should be a dialog box to the effect of:

Please click "Use Existing" to use an existing email certificate for this account, or click "Create" to create a new certificate....

With pointers to signing authorities and an explanation that the user would be doing their part to prevent spam if they would just take this simple measure.

Eventually everyone notices that all their legit email is signed, and starts turning on that "kill all unsigned mail" option in their mail client, and poof goes the spam problem.

Re:eMail replacement.

[Christopher+Thomas]

IMHO completely dropping email as we have it now is the only way against spam.

The problems is that any system with the features we demand of email has the faults of email.

The crux of it is - do you want someone you haven't heard of before to be able to email you?

If the answer is "yes", then you get spam.

If the answer is "no", you get something fundamentally different from email. You can also already implement this, by using a whitelist for both email addresses and originating mail servers (to filter forged friends' addresses).

Authenticating users and rubber-stamping their mail at mailservers doesn't help, because there are always untrustworthy mailservers run by ISPs who don't know enough or don't care enough to fix them. This is half of the source of the _current_ spamming problem. So, any decentralized email-like system is vulnerable to having spamming users and compromised mail servers exist. Compromised mail servers bring back forging, and you're pretty much back to square one. It gets a little harder to convincingly forge a sender address from a different mail server, but you can _already_ filter for that by using a server whitelist or using a DNS lookup (forward or reverse) for server lines in inbound mail.

Having a centralized mail server makes it harder to insert bogus traffic, but creates a huge bandwidth bottleneck, and concentrates power over mail in a way that's unlikely to be acceptable.

In just about any scheme, you can also get compromised user machines spewing mail from their own accounts with legitimate sign-in to any type of mail system at all.

In summary, the spam problem isn't going away under any system that serves the same purpose as email. You can also modify a standard email system to get most of the benefits of the different types of system that _would_ be more spam-resistant. So, there doesn't seem to be much point in proposing a system-wide overhaul.

Re:eMail replacement.

[gl4ss]

***. If *everyone* would just get valid, signed certificates to authenticate themselves as a given entity with a given email address, then *everyone* could turn on a switch in their mail client that says "reject all mail that isn't signed with a cert which matches the sender's address and that's signed by an authority I trust".***

that wouldn't be free & decentralised anymore.
if you want to have the ability to receive messages from total strangers, you have the ability to receive totally useless messages(spam) from them as well.

Re:eMail replacement.

[MemRaven]

I used to agree with this, except that there are three big issues with it given the current infrastructure:

• You have to trust that the certificate providers that you're going to "trust" are properly dealing with spamming customers. Because otherwise, it would be relatively easy to send spam, it's just that you guarantee that you can know the email address of the person who's spamming you. Or, rather, you can guarantee that the email address which was on the outbound message matches the one that the provider issued. This means that you can still get spam, it's just that you know an email address was successfully provided at oen point for that spam.
• What about phishing scams where they take your password? You think they won't find a way to get the private key for your certificate store, and then use your certificate to run joe jobs against you? Think again. As long as you have clueless users out on the internet, they'll be able to do crappy things with anything which relies on user-level security.
• What do you do with webmail systems? There's no way outside of something like ActiveX for me to client-side sign my outbound email, and even if there was, there wouldn't be a way to deal with the whole kiosk problem (I want to walk up to an internet browser and be able to check my email). I could offload the signing onto the webmail system, but then that's not terribly secure, because the people I send email to can't necessarily trust that it was me (and not Yahoo Mail) who actually drafted the email. Also, if I have a simple password, again, that could be cracked, and anybody could send email as me. While this one might seem a unique problem with things like Hotmail and the like (which you might not want to allow mail from anyway), think of the number of corporate users who rely on things like Outlook Web Access (which will soon support client-side signing, but only if you're running MSIE on Windows and are at a machine where you can control the hardware to get your private key pair installed correctly).

So while S/MIME and equivalent systems are useful in the fight against spam, they aren't panaceas because the rest of the infrastructure (particularly webmail systems) can't deal with them.

Um, isn't this just a webpage?

[Clinoti]

A proprietary system that no one can post to coupled with a password needed to view said content sounds suspiciously like a static second level webpage or a ssl private network. Just...like...a...private forum. We do the same thing here at work for vendors who buy our products, a static page updated weekly by the sales department that only x amount of vendors have access to, they can read their mail "posted specials" and later send updates to the dmail admin "webmaster" or "sales". Let's just face it. Spam as much as I hate it is here to stay. Yes we can all agree that eventually the systems will get better at defeating spam and bulk mailings, but the brilliant minds that are developing the stopping systems have the brilliant minds that are bent on defeating those other brilliant minds. But removing the system from the culprits is a novel approach, lets just not herald it as the end or even a stepping stone to stopping spam.

multiple Emails...

[Moonlapse]

Just do what i do. One email address for pr0n. One for serious stuff. One for each girlfriend. Then another one for some more pr0n.

Re:multiple Emails...

so you have 2 emails then?

What a stupid idea

[hoggoth]

This is functionally equivelant to using a whitelist-only filter on your email, only worse in every way.

Re:What a stupid idea

[alexjohns]

Dammit, I finally had an insightful comment to something and you beat me to it. Hope you're happy.

You could have at least spelled equivalent right. I would have. :p

At least it's got a limit...

[Tony+Hoyle]

On current trends there are only 25 possible names of mail services (given that E is already taken).

google got G, and these guys have claimed D.

That leaves only 23 more slashdot headlines before people have to start being original! Heck, maybe they'll actually invent someting new (or maybe that's too optimistic)...

Re:At least it's got a limit...

[FooAtWFU]

Bah. I'm waiting for services like Èmail, Émail, Êmail, Ëmail, and Æmail myself.

Re:At least it's got a limit...

[Plutor]

Amail, Bmail, Cmail, Dmail, Email, Fmail, Gmail, Hmail, Imail, Jmail, Kmail, Lmail, Mmail, Nmail, Omail, Pmail, Qmail, Rmail, Smail, Tmail, Umail, Vmail, Wmail, Xmail, Ymail, and Zmail

Sorry.

reminds me of one of our clients

[theMerovingian]

Beat Spam By Not Using Email

To avoid viruses and hackers and such, they used to turn off their servers every night when no one was in the office to monitor them...

It wasn't too hard to get an offsite hosting contract though :)

How is this a solution?

[artemis67]

This is nothing more than a fancy white-list, from what I can tell (the TechWorld article is slashdotted.)

Yes, a closed system that has user authentication built-in from the start has been proposed many, many times. The problem is getting the rest of the world to adopt such a system.

Just like the idea of charging a fractional penny to send an email and collecting a fractional penny when you receive one, so that email costs and revenues are balanced for the average person, but costs are astronomical for the spammer. Interesting idea, now how do you convert the planet over?

The solution to spam seems easy enough; it's the implementation that's the problem.

Different requrements, different solution

This is great because email was really trying to meet two differing and conflicting sets of requirements for two different problems.

1. The 'old-style' email where anyone could send a message to everyone, that all the traditional MTAs (mail transfer agents) supported. Anonymous messaging is desirable in this system.
2. The 'new-style' email where everyone wants to silently drop messages from spammers they don't like; and corporationos want to silently drop messages they don't want employees to get, etc. Anonymous messaging is scary in this system (corporations don't like it); and in contrast, control is a key feature.

The first requirement's needs were very well met by sendmail, etc; and really don't need to be forced in a corporate environment.

Nothing really met the second (intentionally lossy (some would say broken)) requirements for corporations who wanted to make sure that many mails did not get delivered.

I welcome the day that all the guys with different requirements from sendmail simply move on to some other messaging system rather than try to screw with something that's worked well for decades (SPF, etc).

Which replacement?

[jfengel]

The trick is, what do you replace it with? There are a lot of design constraints on email, among them:

* Sending message should be free or extremely cheap
* It should not be required to receive an invitation to talk to somebody

You can quibble with those requirements if you want to design a new system, but if you follow them any system you propose risks being spam-ridden. The spammers will not say, "Oh, gee, they've all moved to a different port and protocol, let's forget it then." They'll adopt any new protocol, faster than users will.

So what about present email are you willing to give up? Converting from "free" to "extremely cheap" sounds promising, but it's still prone to the army of zombies, and exchanging trivial amounts of cash is still difficult and expensive.

There are various ways to introduce blocks in the "anybody can talk to anybody" system. Some systems email you back when you send me a message for the first time, which at least proves the existence of a back path and to a small degree a real human (not a zombie) on the other end. Bayesian filters provide extra points to people who have emailed you before without excluding people you've never heard of.

Or maybe we weaken the second requirement by distinguishing between promiscuous and non-promiscuous addresses. My friends email me at one account, and if I could I'd give each of them a separate address. People I trust less get different accounts. People who break the trust find that the address disappears, and because those addresses aren't promiscuous, relatively few other people are inconvenienced by that. I've effectively whitelisted those addresses.

But I also monitor info@foo.com email addresses, which really do want to take email from anybody in the world. I can't drop those when they get spammed, because many people are expecting to get to me through them. But if we made promiscuous addresses rare, we could use more whitelists and perhaps change the balance.

Perhaps if your average spam-buying-jackass@comcast.net were able to receive mail only from people he'd whitelisted, he'd get less spam and the spammers would give up. But that would be wildly inconvenient for him.

The point is, most of these could be built on top of SMTP, and any SMTP alternative you propose is going to have either promiscuity or conveninence problems. Just dropping SMTP just moves the problem to a new protocol but with massive infrastructure pain.

New Section

[zik0]

Time for a new /. Section:

Lame Product Announcements

obChecklist

[spoonyfork]

Your post advocates a

(*) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(*) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
(*) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(*) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(*) Huge existing software investment in SMTP
(*) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(*) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(*) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
(*) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

It's for file swapping...

[1u3hr]

From dmails's "background information", page:

"secure messaging system which was instantaneous and able to transfer large files rapidly...a safe and secure platform which can not be penetrated by unwanted visitors or observers...exceptionally fast medium for accessing and exchanging large files such as music, images and film, with huge capacity. For starters, each dmail address will have one gigabyte of space... argeted at several niche sectors where its properties are particularly relevant. These include education, friends/family, teenage and corporate markets"

The *IAAs are going to love this if it takes off. But it has the same vulnerability as any "closed" system, it's brilliant at the beginning but if it grows beyond a certain number you get trolls and spammers.

Re:Dmail already taken... try again

From Email to Dmail sounds like a step backwards. Where's Fmail(TM)?

Of course, Gmail has them all beat.