Slashdot Mirror


Certified Email Not Here to Reduce Spam

An anonymous reader writes "Goodmail CEO Richard Gingras surprised legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam. Rather than helping to reduce spam, Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company."

197 comments

  1. One word. by dgatwood · · Score: 0, Offtopic

    Duh.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Also by MankyD · · Score: 4, Interesting

    Perhaps also to work as an effective, if limited, white list. Not only will it tell you what emails are "important" but it would certainly be an easy way to keep a small-sized good-guy mailing list.

    --
    -dave
    http://millionnumbers.com/ - own the number of your dreams
    1. Re:Also by mnmn · · Score: 2

      Been there. Tried it for 50-odd users. Impossible.

      --
      "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    2. Re:Also by wish+bot · · Score: 2, Insightful
      However, I wouldn't want to be getting email from my credit card company or bank, and I certainly don't want to encourage them to start sending important info by email.

      Besides the obvious problem of everything being intercepted by NSA+AT&T in the first place, it will only make it more difficult to tell phishing from the real thing, mainly because you'll be expecting it to be trustworthy. Old phishing techniques may have used mass mailings which could be blocked by spam filters, but that's not necessarily the case any more.

      --
      lemonade was a popular drink and it still is
    3. Re:Also by tsm_sf · · Score: 4, Interesting

      Maybe we need an anti-phishing motto along the lines of publishing's "money flows towards the writer" (aka Yog's Law). Something like "you travel to the bank, the bank doesn't travel to you" to discourage unsuspecting email link clickers.

      --
      Literalism isn't a form of humor, it's you being irritating.
    4. Re:Also by Poltras · · Score: 1

      Been there.
      bah you didn't get the t-shirt, stop bragging

    5. Re:Also by TheSpoom · · Score: 1

      Wow! Where can I pay AOL to get my spam company on that list?

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    6. Re:Also by Anonymous Coward · · Score: 0

      He would've, but they didn't have it in his size.

    7. Re:Also by Anonymous Coward · · Score: 0
      Nice idea, but banks and others unintentionally work against this idea by (a) sending emails from domain names other than the bank's domain name, and (b) not PGP-signing the emails they do send.

      The bank wants you to trust the email they send you. But they don't make any effort to make it possible for you to verify the email. Just PGP-sign the goddamn email, banks.

    8. Re:Also by stunt_penguin · · Score: 2, Informative

      That's as succinct a way as I've seen anyone put advice on phishing, I'll file that one away for the next time I'm lecturing someone on spam, viruses and phishing :o]

      Another way of explaining it person-to-person would be to ask them if they got a phone call on their mobile phone by someone saying they were from their bank, would they actually give out their details? Sure as hell they wouldn't.

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    9. Re:Also by Anonymous Coward · · Score: 0

      ask them if they got a phone call on their mobile phone by someone saying they were from their bank, would they actually give out their details? Sure as hell they wouldn't.

      There is probably a large number of people that would.

    10. Re:Also by theparag0n · · Score: 1

      In soviet russia, ban... naah, too obvious

    11. Re:Also by LordSnooty · · Score: 1

      if they got a phone call on their mobile phone by someone saying they were from their bank, would they actually give out their details? Sure as hell they wouldn't.

      Interestingly, in the UK at least this is becoming a common way for banks to contact you. Usually when they are seeking money, but still. You are correct, given that the callers generally have difficult-to-understand foreign accents (not that it's a real issue, but it increases doubt in your mind), should I automatically assume that they are genuine? The first thing they ask is for ME to confirm MY postcode. Stop right there! I've taken to not proceeding with the call until they can prove to me that they are really my bank. I shouldn't have to give away personal info without being sure of their identity. On some occasions they are able to tell me a detail about my account, but sometimes they become confused, telling me that they cannot give away that info unless they are sure I am really me - well, same here, you prove that you are the bank! At this point they say, "we'll call back later", or "please go to your branch". I'm sure many people give up this info without a thought. It's the phishing vector of the future.

    12. Re:Also by stunt_penguin · · Score: 1

      Yeah, I'm Irish but there's not much of that stuff over here as yet, by which I mean people ringing you from your bank about stuff (unless they want money, of course). As with most things, the best way to respond to your bank seems to be 'don't call us, we'll call you.'

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    13. Re:Also by MankyD · · Score: 1

      That's just it. Because it's pay-per-email, trying to spam using this service will, in theory, be cost-prohibitive.

      --
      -dave
      http://millionnumbers.com/ - own the number of your dreams
    14. Re:Also by Anonymous Coward · · Score: 0

      Hasn't this technology been around a long time -- simply signing the email from a registered certificate authority????
      Has anyone else noticed this?

  3. That's my motto. by Bill,+Shooter+of+Bul · · Score: 5, Insightful

    It's much easier to succeed if you never try anything difficult.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
    1. Re:That's my motto. by tktk · · Score: 1

      The first step toward failure is trying. So don't try.

    2. Re:That's my motto. by Anonymous Coward · · Score: 0

      It's much easier to succeed if you never try anything difficult.

      I assume that you work for the government? You get promoted faster if you're doing simple jobs and announce it as if it required a lot of hard work to achieve it.

    3. Re:That's my motto. by DocLandolt · · Score: 1

      It's much easier to succeed if you never try anything difficult.

      True brilliance isn't trying something obviously difficult, it's succeeding at something that's not as obviously easy.

  4. As predicted by Anonymous Coward · · Score: 1, Insightful

    As predicted... sell the government one thing and change it in post-production.

    1. Re:As predicted by Kelson · · Score: 2, Informative

      Are you kidding? This is what they've been saying all along. The media frenzy has been... inconsistent with what AOL, Goodmail, and Yahoo! have actually been saying in their press releases.

      Of course, AOL wasn't terribly consistent even with themselves early on, but if you think Goodmail billed this as an anti-spam solution, you've clearly only been paying cursory attention to the story.

  5. Secondary Effects by Kuukai · · Score: 2, Insightful

    Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company

    ...leading to more efficient prevention of phishing, and ultimately... reducing.. spam... D'oh!

    --
    Sendou Wave Kick!!
    1. Re:Secondary Effects by dgatwood · · Score: 4, Insightful
      Only if all of the banks and credit card companies use it, only if it is sufficiently standardized, and only if users are smart enough to notice that the message isn't "verified".

      The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php isn't a valid BOA website. If they can't figure that out, why do you think this will be any different?

      *sigh*

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Secondary Effects by Tackhead · · Score: 2
      > Only if all of the banks and credit card companies use it, only if it is sufficiently standardized, and only if users are smart enough to notice that the message isn't "verified".
      >
      > The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php isn't a valid BOA website. If they can't figure that out, why do you think this will be any different?

      Exactly. This email is (img src=http://myphishingsite.com/yourbank/verified.gif)Verified!(/img).

      And if you require any sort of verification that's stronger than a .gif, well, it's going to involve the email client executing something with the form of (script language = "exploit.js")

      And if you go to two-factor authentication (like Bank of America did with "Sitekey"), you'll just further inconvenience the users on secure systems.

      My box: lives behind NAT, and my web browser drops cookies after every session. User experience? Go to bank site, enter ID/pass. Because the cookie no longer exists, it doesn't "recognize" my box. So I have to enter a challenge question (one of 3 variations of "What's your mother's middle name", which means I have to remember three more passwords), and then enter my regular password a second time. I know I'm not being phished, because I see my "SiteKey" challenge image - but if I had been phished, I'd have already given up the keys to the kingdom.

      Some Insecure Luser's Box: Is already compromised and is running any one of a zillion keyloggers. Cookie is present, so luser is prompted only for ID, not ID/pass. Luser enters ID, which is picked up by keylogger. Luser is shown their "SiteKey" challenge image - but the author of the keylogger doesn't give a rat's ass if it's correct or not. He logs the password. Luser is pwn3d.

      The weakest link in this case isn't the end user, so much as it's the dumbfuck management at BofA who got sold a gallon of snake oil.

    3. Re:Secondary Effects by slashname3 · · Score: 2, Insightful

      Actually none of the ISPs have any interest in reducing spam. They make too much money off of the spam operators and the sites that host the products provided by the spammers. Taking actual measures to reduce spam would cost the ISPs too much money.

      Instead, they want to make money from legitimate companies that want to get their messages to end users. This is a win-win for the ISPs, but does nothing for end users.

      As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective. Second way is to go after the idiots that actually buy stuff from spammers. This should be relatively easy. Send out spam and when the idiots bite you get their IP addresses and their names and probably their credit card info. Then send the police around to their homes to confiscate their computers, cancel their ISP connections, and ban them from using computers or the Internet forever. It will take about a year or two to track all the idiots down, but once the flow of money has been stopped the spam will stop.

    4. Re:Secondary Effects by xsarpedonx · · Score: 4, Interesting

      There are some users who might not notice that, but some aren't as obviously bad as that. What if they used http://bankofamerica.secure.com/, do you expect everyone to realize that there is a huge difference between http://secure.bankofamerica.com/ and http://bankofamerica.secure.com/ ?

    5. Re:Secondary Effects by Anonymous Coward · · Score: 0

      not really.

      what Gingergras does not tell you is that the system is meant to provide a guaranteed delivery of spam, to 100% verified emails, targeted audience... If they are central in handling mailings, think of all the stats they would be able to collect: what mailing lists are you on, what kind of spam do you tolerate, and what kind you unsubscribe from, where do you live (ZIP addy of your university/employer's mail server), etc. etc.

      If you think the marketing depts would not pay $0.01 per mailing to such verified and datamined addies, you must be in denial.
      After all, the US Post charges $0.37 per letter, but those of us in the US will tell you just how much junk/crap we get in our (postal)mailboxes.

      Once again, any advertiser would pay $0.01 for a guaranteed delivery of their SPAM to an authentic address, esp. if they know your location and general interests.

      All Goodmail is meant to do is to provide a stigma-free way to spam the hell out of you... What is stopping spammers now is the low success probability of their spam actually getting read by a person (considering the amount of expired hotmail.com et al. and fake johnny@REMOVETHISTOREPLYmailserver.com. They literally have to send out many millions of emails to make any kind of profit, meaning it is that much easier to pick out and blacklist them). Goodmail is about to change all that...

      Well, what is the upside of using Goodmail, you ask? What would one get in exchange for receiving a flood of "certified" via Goodmail?

      Hell, they even paid off some brownnoser at the NYT to push their crap on the editorial page. What a bunch of aceholes.

    6. Re:Secondary Effects by tsm_sf · · Score: 1

      I know I'm not being phished, because I see my "SiteKey" challenge image - but if I had been phished, I'd have already given up the keys to the kingdom.

      So... You're saying that SiteKey works in that scenario?

      Luser enters ID, which is picked up by keylogger. Luser is shown their "SiteKey" challenge image - but the author of the keylogger doesn't give a rat's ass if it's correct or not. He logs the password. Luser is pwn3d.

      How the hell is a website supposed to prevent keylogging?

      The weakest link in this case isn't the end user, so much as it's the dumbfuck management at BofA who got sold a gallon of snake oil

      The article you linked to barely mentions SiteKey, with no criticism. Was that the right article?

      --
      Literalism isn't a form of humor, it's you being irritating.
    7. Re:Secondary Effects by brass1 · · Score: 4, Interesting

      Actually none of the ISPs have any interest in reducing spam. They make too much money off of the spam operators and the sites that host the products provided by the spammers. Taking actual measures to reduce spam would cost the ISPs too much money.

      Spammers steal to advertise a "product." They steal resources from anyone they need to advertise their product. You don't suppose these people run the other parts of their business the same way? Legitimate ISPs don't enjoy hosting spammers in any fashion. This is why nearly all spamming is done using cracked botnet zombies (barring a sizable chunk of mainsleaze spam). A quick check of the spam in my Junk folder indicates that most spammers host their websites on non-US systems, or are broken. On a nearly weekly basis I watch a small shared webhosting provider get hosed when his spamming customer lies to him, then screws him out of payment when the webhoster's provider gets involved. The vast majority of the ISPs in the civilized universe want spammers to lose IP connectivity. The largest of sites spend *millions* blocking spam both inbound and outbound.

      Instead, they want to make money from legitimate companies that want to get their messages to end users. This is a win-win for the ISPs, but does nothing for end users.

      It's a win for the users as well. The AOL mail client will be able to tell the user that the mail they're reading is indeed from Bank of America, and that other piece of mail is not from BoA. If AOL and Yahoo! know that BoA's mail all has goodmail tokens, and BoA mail shows up that doesn't have mail, it must therefore be a phish (seriously, go look at Goodmail's website complete with the AOL mail client screen shots). AOL's goodmail implementation is ONLY for transactional mail. That was the basis of Gingras' statement.

      The handwaving about AOL charging to deliver mail is, of course, interesting. One would think that AOL is going to make out like bandits on all of the spam they'll be delivering now. That's simply not the case. The goodmail system is designed to support itself, not AOL or Yahoo!. Goodmail will be charging enough to keep themselves in business and keep the accreditation program working. I somehow doubt there's much left in the cost structure to kickback to AOL in any amount they can measure.

      As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective.

      Is the strategy ineffective or is our execution of the strategy ineffective? We have weak anti-spam laws that do more to enable the practice than to actually put a stop to it. We have standards bodies that can't come up with effective reputation and sender authorization systems, leaving ISPs to invent their own solution (see goodmail). We have transit providers who don't have the guts to de-peer a rogue network who won't clean up what they're transiting.

      Second way is to go after the idiots that actually buy stuff from spammers.

      Wow. You don't actually think people *buy* real stuff from spammers? And that the spammers are really selling the stuff they're advertising? Ok, maybe the pharma spammers, but the rest of them? Not so much. These people are thieves. They steal for a living.

      Going back a week in my Junk box, I see pharma spam, penis pill spam, p0rn spam, mortgage spam, 419 spam, and pump-n-dump spam. Exactly what products are being sold in the spam I've gotten in the last week? Of the things in my list that even sound like products (drugs, penis pills, p0rn, and mortgages) none of those are products that need to be sold by cost shifted advertising. If you have to resort to these tactics to see these products, there's something wrong with the products. That's assuming

    8. Re:Secondary Effects by slashname3 · · Score: 1

      Wow. You don't actually think people *buy* real stuff from spammers? And that the spammers are really selling the stuff they're advertising? Ok, maybe the pharma spammers, but the rest of them? Not so much. These people are thieves. They steal for a living.

      These people are paying money for something; if no one was responding and giving money to these people, why would they keep spamming like they do? True, the idiots may not get anything for the money, but if they respond then they should be stopped from ever doing it again; banning them from the Internet and use of computers would fix that problem.

      Someone somewhere is making money at spamming, if you interrupt the flow of money the spammers will move on to other schemes to defraud people of money.

    9. Re:Secondary Effects by TheOldSchooler · · Score: 1

      Thanks for posting that link! I needed to check my account balance.

    10. Re:Secondary Effects by Anonymous Coward · · Score: 0
      > > I know I'm not being phished, because I see my "SiteKey" challenge image - but if I had been phished, I'd have already given up the keys to the kingdom.
      >
      >So... You're saying that SiteKey works in that scenario?

      He's saying that, under SiteKey, by the time he gets to find out if he's being phished, he's already punched in both a valid userID and password into the phisher's site.

      His explanation's a little convoluted for someone who hasn't used it. (So's SiteKey - try to figure out "how it works" or "what the user should see" if you don't already have a valid BofA login/password/sitekey/challengepassword combination.) I guess you have to bank at Bank of America to grok just how simultaneously annoying and useless SiteKey is.

    11. Re:Secondary Effects by castoridae · · Score: 1

      Dunno if this will reduce spam at all - but if this provides a more effective way to filter the good stuff from the spam, then we don't *have* to reduce spam. The whole point in reducing spam (from the user's perspective - not the ISP's) isn't to reduce spam, per se, but to more easily find and read the good email.

    12. Re:Secondary Effects by miley · · Score: 1

      > AOL's goodmail implementation is ONLY for transactional mail.

      s/AOL/Yahoo/ AOL is accepting Goodmail messages for any kind of mail, while Yahoo is only doing transactional.

    13. Re:Secondary Effects by miley · · Score: 1

      >After all, the US Post charges $0.37 per letter, but those of us in the US will tell you just how much junk/crap we get in our (postal)mailboxes.

      In fact, there are more bulk mail stamps sold in the US than first class stamps (even with a lot of companies buying first class stamps for their, er, valued marketing material :)

    14. Re:Secondary Effects by BillyBlaze · · Score: 1

      That's like asking if we expect drivers to know whether the posted speed limits are minimums or maximums. They damn well should know. Not saying they do...

    15. Re:Secondary Effects by dodobh · · Score: 1

      It costs us a quarter of a million dollars a month to handle spam. You want to reduce spam? Get those Windows boxes off the Internet. If the majority of people don't need anything more than webtv, let them stick with that. Block port 25 outbound for consumer grade connections.

      Oh, and bill people if their PCs get compromised regularly. Real money will drive security.

      --
      I can throw myself at the ground, and miss.
    16. Re:Secondary Effects by Anonymous Coward · · Score: 0
      Because the valid bank email has few if any credentials that can't be faked by scammers.

      1. Domain name easily spoofed
      2. Look and Feel easily spoofed
      3. Banks often use various domain names for different purposes (e.g. 3rd party mailing house)
      4. Message is not PGP-signed.

      And on the website:

      • Username and Password must be entered before the bank authenticates itself
      • It is very hard to protect against man-in-the-middle attacks.
    17. Re:Secondary Effects by minuszero · · Score: 1

      Actually, they can get a little smarter than that. A recent study at Harvard:
      http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
      showed that even seasoned users that should know better can fall for it.
      Would you recognise http://www.bankofthevvest.com/ as false?
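
The two traps raised in this thread (a real brand name parked under someone else's domain, as in bankofamerica.secure.com, and a look-alike spelling such as bankofthevvest.com) are exactly what a mail client or proxy could flag before the user ever clicks. The following is an added example, not code from any poster or from Goodmail, showing one way to classify a URL against a small list of domains the user actually banks with. The trusted list, the homoglyph table and the "last two labels" rule for the registered domain are all assumptions made for the example; real code would use the Public Suffix List so that names such as example.co.uk are handled correctly.

```python
"""Classify a URL as trusted, an IP-literal host, a look-alike, or a brand parked
under an untrusted domain. Added example; the lists below are constructed."""
import re
from urllib.parse import urlparse

# Constructed: the registered domains this user actually does business with.
TRUSTED_DOMAINS = {"bankofamerica.com", "bankofthewest.com"}

# Character sequences that visually imitate another letter in a domain name.
# This is a heuristic: "0" -> "o" will also rewrite genuine digits, so a hit is
# a reason to warn, not proof of fraud.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def host_of(url: str) -> str:
    """Lower-cased host part of the URL, without a trailing dot."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Simplified registered-domain extraction: the last two labels.
    Assumption for the example; consult the Public Suffix List in real code."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise(domain: str) -> str:
    """Fold common look-alike sequences so bankofthevvest -> bankofthewest."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    host = host_of(url)
    if IP_LITERAL.match(host):
        return "ip-literal host"          # no bank sends you to a bare IP
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    folded = normalise(reg)
    if folded in trusted:
        return f"lookalike of {folded}"
    for t in trusted:
        brand = t.split(".")[0]
        if brand in host:                 # brand appears only as a subdomain
            return f"brand in non-trusted domain ({reg})"
    return "untrusted"


if __name__ == "__main__":
    for u in ("http://secure.bankofamerica.com/",
              "http://bankofamerica.secure.com/",
              "http://www.bankofthevvest.com/",
              "http://666.43.123.666/bankofamerica/mylogin.php"):
        print(f"{u:55} -> {classify(u)}")
```

The registered-domain step is the one that matters most: everything to the left of it is chosen by whoever controls the registered domain, so a brand name there is worthless as evidence.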

    18. Re:Secondary Effects by grimwell · · Score: 1

      Username and Password must be entered before the bank authenticates itself

      If the login page or better yet entire website is in https, then the site authenticates itself first. If there is a doubt, double check the SSL cert. Of course only the paranoid(sane) folk are going to double check the SSL cert when banking online.

      --
      If the govt becomes a lawbreaker, it breeds contempt for law, it invites man to become his own law, it invites anarchy
    19. Re:Secondary Effects by Anonymous Coward · · Score: 0
      It's a win for the users as well. The AOL mail client will be able to tell the user that the mail they're reading is indeed from Bank of America, and that other piece of mail is not from BoA.

      They could PGP-sign the goddamn email.

    20. Re:Secondary Effects by Sandman1971 · · Score: 1

      Actually none of the ISPs have any interest in reducing spam. They make to much money off of the spam operators and the sites that host the products provided by the spammers. Taking actual measures to reduce spam would cost the ISPs to much money.

      This got moderated as insightful? As a sysadmin for a big ISP, I've seen millions upon millions spent to fight spam in just hardware/software solutions, let alone the man hours spent fighting it, keeping the mail platform up, fully manned abuse helpdesk, etc.... Please do some homework instead of just making an off the cuff remark which has no validity.

      --
      It's better to burn out than to fade away
    21. Re:Secondary Effects by slashname3 · · Score: 1

      If ISPs were really interested in fighting spam then they would take the following measures:

      Block port 25 in and out to end users (provide a registration process for the few power users that want to run their own MTA)

      Implement greylisting on the ISPs' MTAs (will block the vast majority of spam bots)

      Run SpamAssassin or similar tools on the ISPs' MTAs

      Monitor outgoing message counts and investigate those above a critical threshold (can't be that many legitimate users sending more than a few hundred messages a day, all the rest are probably spammers)

      If ISPs were really serious about reducing or eliminating spam there are relatively simple ways to do it. But they make money off of the spammers by hosting their web sites and providing bandwidth. And if you are spending millions on apparently ineffective solutions to fight spam you have obviously selected the wrong solution.
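
Two of the measures in that list, greylisting and outbound-volume monitoring, are simple enough to show in full. The block below is an added example written for this page, not code from the poster or from any MTA; it implements the classic greylisting rule (temporarily refuse the first delivery attempt for a new client-IP/sender/recipient triplet, accept a retry that arrives after a minimum delay) and a per-sender counter over constructed outbound log lines. The timing constants, the log format and the sample senders are assumptions for the example.

```python
"""Greylisting decision logic and an outbound-volume check for an ISP MTA.
Added example; timing constants and log lines are constructed."""
import re
from dataclasses import dataclass, field

RETRY_MIN = 300        # seconds a sender must wait before its retry is accepted
RECORD_TTL = 4 * 3600  # seconds an unconfirmed triplet is remembered


@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time first seen
    confirmed: set = field(default_factory=set)     # triplets that retried properly

    def decide(self, client_ip, sender, recipient, now):
        """Return 'accept' or 'defer' (a 4xx temporary failure on the wire)."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.confirmed:
            return "accept"
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > RECORD_TTL:
            self.first_seen[triplet] = now
            return "defer"             # first contact: a real MTA will queue and retry
        if now - seen < RETRY_MIN:
            return "defer"             # retried too soon: hammering, not queueing
        self.confirmed.add(triplet)
        del self.first_seen[triplet]
        return "accept"


def simulate(attempts, greylist=None):
    """attempts: iterable of (time, client_ip, sender, recipient); returns decisions."""
    greylist = greylist or Greylist()
    return [greylist.decide(ip, s, r, t) for t, ip, s, r in attempts]


# Constructed outbound-MTA log lines in a Postfix-like style (not real ISP logs).
FROM_RE = re.compile(r"from=<([^>]*)>")
SAMPLE_LOG = ["Feb 21 10:00:01 mta postfix/qmgr: A1: from=<alice@isp.test>, size=912"] + [
    f"Feb 21 10:00:{i:02d} mta postfix/qmgr: B{i}: from=<bot@isp.test>, size=301"
    for i in range(2, 7)
]


def outbound_offenders(lines, threshold):
    """Senders whose message count in `lines` exceeds `threshold`, sorted."""
    counts = {}
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return sorted(s for s, n in counts.items() if n > threshold)


if __name__ == "__main__":
    # A spam bot fires once and never retries; a real MTA retries after 15 minutes.
    print(simulate([(0, "198.51.100.7", "bot@x.test", "u@isp.test")]))
    print(simulate([(0, "203.0.113.4", "a@b.test", "u@isp.test"),
                    (900, "203.0.113.4", "a@b.test", "u@isp.test")]))
    print(outbound_offenders(SAMPLE_LOG, threshold=3))
```

Greylisting works because queueing and retrying costs a real MTA nothing, while a bot that blasts one attempt per address never comes back; the `RETRY_MIN` check additionally refuses senders that retry immediately in a tight loop. The outbound counter is the other half of the poster's list: it does not decide anything by itself, it produces the short list an abuse desk should look at.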

    22. Re:Secondary Effects by dgatwood · · Score: 1
      Sorry, but https is only slightly better than nothing at all. There have been phishing sites reported recently with valid SSL certs. The burden of proof is still on VeriSign and similar to determine that the person requesting the cert probably isn't legit before they start using the domain, which is really hard....

      The paranoid (sane) are going to keep a bookmark to their bank's site, or at the very least will know the domain name of that site, and will not trust any outside links to their bank's pages. As of the last count, there haven't been any phishing attacks on any company of significant size that involve stealing control of the company's DNS servers. The reason why is that if they get that far, they might as well take over the company's web servers, which would make the phishing undetectable to the end user. And, of course, such an attack is no longer called phishing, but rather, a data security compromise.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    23. Re:Secondary Effects by amling · · Score: 1

      Oh come on, I think most people could tell that apart from the actual BoA website

      --
      70e808a22cb027cde4a6abddf6435d55
  6. CAKE! by Omnifarious · · Score: 3, Informative

    CAKE

    But, I've not had much time to work on it since I've been employed. :-( And it's a much nicer, decentralized solution to this problem that has potentially much less weight and wider applicability than PGP.

  7. Users won't know that by Phantombrain · · Score: 0

    My bet is that when this comes out, AOL users WILL think anything without the symbol is spam. I'm sure AOL isn't going to try to stop the idea either.

    --
    echo YOUR_OPINION > /dev/null
    1. Re:Users won't know that by wile_e_wonka · · Score: 3, Interesting
      It won't take long to realize that in reality anything WITH a symbol is spam. This will be even more true than it initially seems, I think. See, I highly doubt Chase wants to pay money to send me a plain text notice that my CC statement is available online. So I am imagining that when a company asks for an email address to send estatements or notices, a lot of them will reject AOL or Yahoo and request a different email address.

      If many companies do this, then the only "certified" mail in the box really will be spam. And then I really will know--little blue ribbon=spam.

      Phew, I thought I wasn't going to be able to tell it apart from my legitimate mail!

    2. Re:Users won't know that by muindaur · · Score: 1

      I didn't get the impression that they would have to pay to send their e-mails. They would only pay to ensure they weren't sent to the junk mail filter. If that isn't the case then it is a sad, sad day for e-mail. Yahoo Plus would lose too much business if that was the case since its paying users would not be able to use their e-mail addresses with companies that they want to deal with, and therefore complain and just not re-subscribe. Personally I would switch to a new email provider.

    3. Re:Users won't know that by wile_e_wonka · · Score: 1

      That's a good point--the emails will still go out, they just might get blocked by the spam filter. I really do doubt that any banks will spend the money to get their emails through (I hope they don't, anyway--us customers end up paying for these extra costs). I think the only companies that will actually spend money to get their emails through will be companies that see that cost as an investment; or, in other words, advertisers.

  8. Won't help a bit by Opportunist · · Score: 5, Insightful

    Remember the paper from Harvard dealing with phishing and why it works?

    People don't even notice security features. They don't notice HTTPS, they don't notice certificates, they don't even notice bogus URLs. Why should they notice a "verified" mail (or lack of this verification)?

    And those who do already know how to deal with phishing mails, they are already capable of discriminating between fraudulent and legit mails.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Won't help a bit by teutonic_leech · · Score: 2, Insightful

      This is a big waste of time and will easily be circumvented by spammers/fishers by 'faking' to be an authorized message. They'll just make it look very similar and the average senior citizen will happily give their personal data away.
      May I point out that by combating spam one would 'implicitly' combat messages from data fishers? ;-)

    2. Re:Won't help a bit by Itninja · · Score: 1

      I agree.

      I've got my users so spooked about phishing they are asking permission to even check their mail (not really, but pretty close).

      "Fear will keep the local systems in line. Fear of this battle station."

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    3. Re:Won't help a bit by Opportunist · · Score: 1

      Keep up the good work. A user too scared to click on a good attachment is by far better than one clicking any bad one coming his way.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Won't help a bit by mnmn · · Score: 1

      Imagine a color flag. It's encrypted by an organization. When that flag arrives in the email, your user agent puts up a color flag or icon or whatever, big enough to be noticed, next to the email.

      Now the organization is affiliated with the user agent makers like Mozilla and Microsoft, so only encrypted emails from that organization are read and used. Companies etc. pay a small fee to the organization, and give them a string (name) and IP (from and reply-to servers, the DNS domain name). Their SMTP gateway is this special organization which checks the DNS claimed name, IP, name string etc. to make sure the company is not fooling anyone, and adds the flag before sending it off. Companies can pay more for a 'higher' flag, so that emails from banks etc. are more expensive to (attempt to) fake.

      Doesn't work? Or how about this?

      The company uses the special 'organization' as the smtp gateway. The organization checks the source IP against its member database (maybe the smtp requires auth) and strips the header of EVERYTHING except the subject, quoted name, and the user part of the from email address. It then rebuilds the whole header clean with the provided info and fires the email off. User agent checks if the email is from that special organization (can be just an IP check or smtp auth), and gives the email a different color in the list. Now each member company to the organization pays a minimal sum per email (1 cent?) to discourage mass mailers.

      Where does the money go? If it's a nonprofit, then a list of charities or telecom standards organizations etc.

      --
      "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    5. Re:Won't help a bit by NoMercy · · Score: 2, Interesting

      With things like SPF at least, if someone receives an email which comes from an unauthorised source, and my DNS records say that all my emails come from authorised sources, the email should get bounced before the user even sees it.

      Though, I'll admit despite having an SPF record in my DNS records, I don't have any filters set up on my email server to bounce unwanted emails, but hopefully if one scheme takes off over the others, it'll become included in the examples and default configuration options of many email servers.

    6. Re:Won't help a bit by Tackhead · · Score: 1
      > Imagine a color flag. Its encrypted by an organization. When that flag arrives in the email, your user agent puts up a color flag or icon or whatever, big enough to be noticed, next to the email.

      Imagine a compromised machine. When the user runs the email client and a (legitimate) "special" Subject: line has been fetched recently, the rootkit takes a screen grab and crops out the pixels where the flag is supposed to be (we go the extra mile because the user might have selected the color of the flag as part of a two-factor authentication scheme).

      If, on the other hand, the rootkit recognizes the client has fetched a (phishy) "special" Subject: recently, the rootkit doesn't take a screen grab where a flag's supposed to be - it displays the previously-snagged flag.

      Heck, if you're gonna write a man-in-the-middle attack like this, why not go the rest of the way -- and instead of mucking about with screen grabs and looking at recent SMTP traffic, just include a proxy server with the rootkit :)

    7. Re:Won't help a bit by Kelson · · Score: 1

      They'll just make it look very similar

      Well, assuming the encryption scheme is good enough, it should be hard to spoof the header tokens. And the graphic that indicates "certified" mail is supposed to appear in the mail client UI (yes, it requires client support), not in the viewing area. So they'd have to spoof the UI, which is trickier than spoofing the layout or sticking a logo in the message body.

      All of which, of course, doesn't mean that people will actually pay any attention to it.

    8. Re:Won't help a bit by MindStalker · · Score: 2, Insightful

      Yea, a rootkit could just interrupt your going to a website like your bank and display false SSL info even. There is really nothing a rootkit can't do; why would you use it to interrupt emails?

    9. Re:Won't help a bit by Kelson · · Score: 1

      Imagine a compromised machine.

      At that point they're screwed anyway. I think phishing someone whose box is already rootkitted falls under the category of Overkill.

    10. Re:Won't help a bit by dslbrian · · Score: 1

      I've got my users so spooked about phishing they are asking permission to even check their mail (not really, but pretty close).

      I would think one could easily wipe out phishing problems if the email client to browser connection was disabled (which really exists for no other reason than convenience). There is no reason a web link in an email HAS to open the link in a browser. If you force people to type the URL of their bank into a browser window instead of simply clicking on the link in an email they would always end up at the right site, not some man-in-the-middle portal.

      Of course keylogging trojans and viruses are a different problem...

    11. Re:Won't help a bit by zcat_NZ · · Score: 1

      This is what really bugs me about all the 'anti-keylogger' measures banks seem to be taking lately. It's ultimately pointless. At some point after the two-factor authentication or fancy ActiveX keypad where the buttons swap around randomly, or whatever other asinine steps you take (which are invariably hostile to visually impaired users, btw) you actually get to the point of doing a transaction.

      At this point some rootkit swaps the actual amount for $500,000 or your available balance which you probably just looked up, and the actual payee for their own account number. When the confirmation page comes back they swap in the original details and wait for you to confirm it.

      Amount of work required; slightly more than a keylogger, but not excessive. Slightly trickier to launder the money. In theory the software could look for signed updates on p2p, but otherwise you need to know an account number in advance and have a limited window before it gets closed.

      Advantages; less of a trail, login details don't have to be sent anywhere and the bank never gets a chance to log the attacker's IP.

      --
      455fe10422ca29c4933f95052b792ab2
    12. Re:Won't help a bit by RaNdOm+OuTpUt · · Score: 0
      If you force people to type the URL of their bank into a browser window instead of simply clicking on the link in an email they would always end up at the right site, not some man-in-the-middle portal.

      Or the message would be something like:

      BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH
      Go to: bankname.phishingsite.com/infograbber.html
      BLAH BLAH BLAH


      The user will just ^C ^V the URL.
      --
      13. Any legal action is absolutely excluded. (Pi World Ranking List rules)
    13. Re:Won't help a bit by NichG · · Score: 1

      Spoofing the UI has been done in other cases before, so I don't think it'll provide much of an obstacle. I've seen tons of banner ads that are made to look like a Windows error message. I'm not sure how effective that sort of thing is, but I imagine it gets the same sorts of people who wouldn't notice strange URLs or who don't look to see whether the site they're interacting with is using encryption (that's a UI icon too, but most people probably don't even know what it means).

    14. Re:Won't help a bit by miley · · Score: 1

      Rational senders can't publish SPF records that say, 'only mail from these servers is allowed,' since they don't know if their recipients will forward mail, and they want as high deliverability as possible.

    15. Re:Won't help a bit by dodobh · · Score: 1

      The point of Goodmail is that the message can be cryptographically verified to be genuine. Faked signatures won't work (beyond what they do today).

      --
      I can throw myself at the ground, and miss.
    16. Re:Won't help a bit by dodobh · · Score: 1

      .forward

      --
      I can throw myself at the ground, and miss.
    17. Re:Won't help a bit by ArsenneLupin · · Score: 2, Insightful
      Faked signatures won't work

      So instead of faking the signatures, you fake the most-used mail client's "signature-verified" icon instead.

      True, a faked icon will appear in the mail rather than in the GUI's "chrome", as it should, but the problem is that most non-technical users don't notice such "subtle" distinctions.

    18. Re:Won't help a bit by ArsenneLupin · · Score: 1
      the bank never gets a chance to log the attacker's IP.

      Why do they need the attacker's IP when they have the attacker's account number (you know, the account where the money is being transferred to...)?

      That's one thing I never understood about phishing. In order for it to work, one bank (the crook's...) either must be incredibly sloppy, or in on the scam.

    19. Re:Won't help a bit by zcat_NZ · · Score: 1

      It would seem that some banks require very little identification to open an account. If the bank's not giving them any credit, there's very little risk to the bank in not identifying the customer.

      Or money can be laundered through any number of online payment systems who mostly only need an email address. And I suppose well-funded criminals could find sufficiently good fake ID if required.

      --
      455fe10422ca29c4933f95052b792ab2
    20. Re:Won't help a bit by Krow10 · · Score: 1

      .forward and bouncing are why SMTP needs to be updated to include SPF as a requirement and a Forwarded-by header which is used by SPF at each step. Additionally, home routers should throttle outgoing port 25 connections by default (configurable, originally set to allow at most 1 connection per minute.) That would go a ways towards reducing spam.

      --
      Corollary to Clarke's Third Law: Any technology distinguishable from magic is insufficiently advanced.
    21. Re:Won't help a bit by slashname3 · · Score: 1

      Which is why you need to go after the source of the money. Send out a phish and/or spam email to everyone; those that respond or click on the links are traced and have their computers confiscated and are banned from the Internet. Remove the source of the money and the problem will fix itself.

    22. Re:Won't help a bit by pjt33 · · Score: 1

      The simple solution to this is for the mail client to turn all HTML messages into plain text, but that wouldn't sell well, alas.

    23. Re:Won't help a bit by dodobh · · Score: 1

      .forward isn't going away. See the number of people who don't use a -all in SPF. Hell, a _lot_ of people would be pissed if their spam filters were to reject legit mail because someone else chose to implement SPF.
      SPF isn't a well thought out solution to the spoofing problem, and it isn't a component of the spam solution.

      Domain keys are a good idea, though.

      Accept then bounce is evil and has been for quite a few years.

      --
      I can throw myself at the ground, and miss.
  9. Duh... by Anonymous Coward · · Score: 0

    It's just a method for a company to profit from spam.

  10. Money by Dorion+caun+Morgul · · Score: 4, Insightful

    It's all about money. I just can't wait until I get to pay 33 cents to send my Parents an email.

    1. Re:Money by joezakoor · · Score: 1

      True, very true.. You do make an interesting point, wonder if there will be a charge for a file attachment though? Like with the USPS.

  11. In other words, we'll still get spam by GrumblyStuff · · Score: 5, Insightful

    So this is just a paid for whitelist?

    Hello, McFly?! If I'm expecting emails from my bank, I'll be putting them on my safelist anyway! Them and everyone in contacts, emails for forum notifications, newsletters that I want.

    This doesn't seem to be doing anything other than making money for someone else.

    1. Re:In other words, we'll still get spam by Kelson · · Score: 1

      If I'm expecting emails from my bank, I'll be putting them on my safelist anyway!

      And when the cleverly-crafted phish comes in, the one that uses the right layout, the right wording, the right logos, a browser vulnerability to disguise the fact that it's going to the wrong website?

      Most people here will probably recognize it by the fact that your bank wouldn't be asking for your SSN online, or you'll use your bookmark to visit the site instead of the fiendish link. But for the average Joe, this could help him tell the difference between the real mail from his bank and the phish that claims to be.

    2. Re:In other words, we'll still get spam by Nahor · · Score: 1
      If I'm expecting emails from my bank, I'll be putting them on my safelist anyway!
      When someone registers an account for Orb, we send him an automatic email to welcome him. The "from" field contains a valid email address. I am one of the recipients of that email.

      And I can tell you that everyday we receive dozens of automated emails asking us to click a link to verify that we are human beings and not a spam bot.
      So good for you if you manually manage your safelist, but other people don't bother with it.

      That said, the idea of certified email to fight spam to some level is not a bad idea; after all, that's what other people have been trying to do and they were welcomed (SPF). However, I'm not too hot on them charging for it because those who can't afford to pay may become second class citizens.

    3. Re:In other words, we'll still get spam by GrumblyStuff · · Score: 1

      It's a trick. I don't get email from my bank.

    4. Re:In other words, we'll still get spam by Anonymous Coward · · Score: 1, Informative

      There's a far more effective, far more efficient scheme against phishing and joe-jobs already in place: it's called SPF, it doesn't cost a cent, and it allows domains to list those hosts or domains allowed to send email allegedly from that domain. It helps cut worm traffic incredibly by catching forged email from your own domain sent from non-domain members, and by simply assuming that all mail from a domain should use the basic "only from A records or MX records" SPF rules, it provides a very powerful and cheap to implement filter rule.

      Better yet, it acts on the first connection from the spammer and blocks the email before it wastes your time and bandwidth loading up the message. It was polluted by Microsoft trying to staple their own special form of "allow me to spam" signature, but SPF version 1 is still alive and kicking at http://www.openspf.org/

    5. Re:In other words, we'll still get spam by That's+Unpossible! · · Score: 1

      If I'm expecting emails from my bank, I'll be putting them on my safelist anyway!

      Typical reply heard from someone that has given this 2 seconds of thought, and doesn't have to deal with sending legitimate email to real people on a day-to-day basis.

      So you're just going to whitelist everyone you "want" to get email from, like your bank. Uh huh. And which of their thousand email addresses and dozen domains will you know to put in your whitelist? What if they out-source their email sending to a different company? (After all they are supposed to be your bank, not a super email sending service.)

      I hope you have a damn smart whitelisting service and you remember to check your "suspect" queue frequently and weed out the legit attempts from unmanned addresses which are common for transactional emails, because most of our users can't.

      --
      Ironically, the word ironically is often used incorrectly.
    6. Re:In other words, we'll still get spam by GrumblyStuff · · Score: 1

      I don't see what's so hard about this. Stupid, lazy people will be fooled one way or another no matter what.

      Me? If I get some email out of the blue asking for my SSN, bank account number, or anything sort of information about me that that individual or business should already have, I just mark it spam and delete. If I'm expecting an email because I just signed up, changed some important details, whatever, I'll keep an eye out for it in case it gets sent to my spam folder.

    7. Re:In other words, we'll still get spam by typical · · Score: 1

      SPF sucks, for the many reasons that have already been debated on Slashdot.

      I haven't looked at how Goodmail works -- the idea of commercializing mail simply brings too many problems with it to the table.

      If you want something that works well, but isn't used by everyone, use PGP. Anything signed by anyone you trust can go right past your spam filter.

      It might be possible to do a signing system akin to PGP (or even PGP itself, though it would be expensive) server-side on outgoing mail, if it's too much of a pain to deploy PGP.

      But SPF is not a fix for spam. Sorry.

      --
      Any program relying on (nontrivial) preemptive multithreading will be buggy.
    8. Re:In other words, we'll still get spam by Achromatic1978 · · Score: 1
      Most of the reasons debated on Slashdot are along the lines of "it relies on all legit mailservers having it enabled".

      Yeah, it does. And solving the virus/trojan problem relies on all legit computers having antivirus measures in place. I don't hear people saying "AV programs are worthless, because to get rid of viruses, everyone will have to use them."

      Implement SPF. Implement SMTP auth. Then reduce restrictions on who can access port 25 of what machine, so when you travel you can still use smtp.isp.com. You won't 'fix' the problem (but neither will PGP-signing mail - actually that does nothing, it's a glorified whitelist), but you'll slash a very large majority of it, off the bat.

      But what do I know, I've only been dealing with the management of a public email service with ~100,000 active users.

    9. Re:In other words, we'll still get spam by swillden · · Score: 1

      If I'm expecting emails from my bank, I'll be putting them on my safelist anyway!

      And when it arrives, and the source address matches an entry on your safelist, how will you know who sent the e-mail? You don't believe the From: header, do you?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re:In other words, we'll still get spam by patio11 · · Score: 1
      Hello, McFly?! If I'm expecting emails from my bank, I'll be putting them on my safelist anyway!

      And then you have customers like my mother, who a) is sufficiently behind the times to think "Hello, McFly?!" is an edgy reference from a hip new movie, b) uses email and keeps bugging me to show her how to do banking online since I rave about the convenience, and c) will learn what a "safelist" is the day I sprout wings and fly. Do you want to take a bet at how many AOL customers resemble my mother versus how many resemble you?

    11. Re:In other words, we'll still get spam by dodobh · · Score: 1

      The point is that confirmation messages for transactions often come from addresses you don't know in advance. This allows the server to verify those messages.

      --
      I can throw myself at the ground, and miss.
    12. Re:In other words, we'll still get spam by amorsen · · Score: 1
      Then reduce restrictions on who can access port 25 of what machine, so when you travel you can still use smtp.isp.com.

      ISPs you happen to use when travelling tend to block TCP/25 outbound. Better switch to a different port, perhaps 587 or 465.

      --
      Finally! A year of moderation! Ready for 2019?
    13. Re:In other words, we'll still get spam by ArsenneLupin · · Score: 1
      Most of the reasons debated on Slashdot are along the lines of "it relies on all legit mailservers having it enabled".

      Yeah, it does.

      Technically, it does. Practically, it doesn't. We use fallback SPF records for domains that don't publish theirs (a/16 mx/16 ptr -all).

      This works surprisingly well, because:

      • it's accurate for small-time ISPs whose entire network fits in a class /16
      • for large ISPs, it may reject legitimate mail, but most large ISPs do have SPF enabled
      • for those that fall between the cracks (too large to fit in a /16, but too small to have heard of SPF), it provides an excellent incentive to go and enable SPF ;-)

      Ok, so we don't really default to -all. We default to ~all. And at our site ~all (softfail) is interpreted as "greylist and set SpamAssassin on hair-trigger". So a mail which just fails our fallback SPF and whose contents lack any other tell-tale signs of spam is accepted anyway, after the small delay for greylisting.
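      An added example, not code from this thread or from any real SPF implementation: a small SPF evaluator over a constructed DNS table that applies the fallback record described above when a domain publishes none, and maps softfail to the greylist-and-score policy. It also covers the earlier "only from A records or MX records" rule; all domains, addresses and records are constructed.

```python
import ipaddress

# Constructed DNS data for the example (documentation ranges, not real hosts).
# smallisp.example publishes no SPF record; bank.example publishes one.
DNS = {
    "smallisp.example": {"A": ["198.51.100.10"], "MX": ["mail.smallisp.example"], "TXT": []},
    "mail.smallisp.example": {"A": ["198.51.100.25"], "MX": [], "TXT": []},
    "relay.smallisp.example": {"A": ["192.0.2.9"], "MX": [], "TXT": []},
    "bank.example": {"A": ["203.0.113.5"], "MX": ["mx.bank.example"],
                     "TXT": ["v=spf1 ip4:203.0.113.0/24 mx -all"]},
    "mx.bank.example": {"A": ["203.0.113.20"], "MX": [], "TXT": []},
}
# Constructed reverse (PTR) data: sender IP -> hostnames.
PTR = {"192.0.2.9": ["relay.smallisp.example"]}

# The fallback records from the post: the strict one and the softfail one actually used.
FALLBACK_STRICT = "v=spf1 a/16 mx/16 ptr -all"
FALLBACK_SOFT = "v=spf1 a/16 mx/16 ptr ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline stand-in for a DNS query against the constructed table."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def published_spf(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def in_net(ip, addr, prefix):
    """True if ip falls inside addr/prefix (strict=False tolerates host bits in addr)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def mechanism_matches(mech, ip, domain):
    """Evaluate one SPF mechanism (all, ip4, a, mx, ptr) for the sending ip."""
    name, _, arg = mech.partition(":")      # "ip4:203.0.113.0/24" -> ("ip4", "203.0.113.0/24")
    name, _, plen = name.partition("/")     # "a/16" -> ("a", "16")
    prefix = int(plen) if plen else 32
    if name == "all":
        return True
    if name == "ip4":
        addr, _, p = arg.partition("/")
        return in_net(ip, addr, int(p) if p else 32)
    if name == "a":
        return any(in_net(ip, a, prefix) for a in lookup(domain, "A"))
    if name == "mx":
        return any(in_net(ip, a, prefix)
                   for mx in lookup(domain, "MX") for a in lookup(mx, "A"))
    if name == "ptr":
        # A PTR name counts only if it lies within the domain and forward-resolves back to ip.
        return any((host == domain or host.endswith("." + domain)) and ip in lookup(host, "A")
                   for host in PTR.get(ip, []))
    raise ValueError(f"unsupported mechanism: {mech}")


def check_spf(ip, domain, fallback=FALLBACK_SOFT):
    """Return (result, used_fallback) for mail from ip claiming the given domain."""
    record = published_spf(domain)
    used_fallback = record is None          # no published record: apply the site fallback
    for term in (record or fallback).split()[1:]:   # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if mechanism_matches(term.lstrip("+-~?"), ip, domain):
            return QUALIFIERS[qualifier], used_fallback
    return "neutral", used_fallback


def mail_action(result):
    """Map the SPF result to the receiving policy described in the post."""
    return {
        "pass": "accept",
        "fail": "reject",
        "softfail": "greylist and score with SpamAssassin on a hair trigger",
        "neutral": "accept",
    }[result]


if __name__ == "__main__":
    for ip, dom in [("203.0.113.77", "bank.example"), ("198.51.100.10", "bank.example"),
                    ("192.0.2.9", "smallisp.example"), ("192.0.2.200", "smallisp.example")]:
        result, fb = check_spf(ip, dom)
        print(f"{ip} claiming {dom}: {result}{' (fallback)' if fb else ''} -> {mail_action(result)}")
```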

  12. Blue Frog by Spy+der+Mann · · Score: 4, Interesting

    Why not join bluesecurity.com and report SPAM automatically? At 370K members, it's guaranteed to slow down the spammer's website (spam victims' slashdotting!) until they opt the complainers out of their lists.

    They even have a Firefox extension for reporting spam with Yahoo, Hotmail and GMail.

    1. Re:Blue Frog by GrumblyStuff · · Score: 1

      And you didn't post [url=https://addons.mozilla.org/extensions/moreinfo.php?id=1863&application=firefox]the link[/url]?! For shame!

    2. Re:Blue Frog by Anonymous Coward · · Score: 1, Funny
    3. Re:Blue Frog by MyTwoCentsWorth · · Score: 1
      Because it crashes Firefox when accessing GMail for a large percentage of users...

      Happy Posting...

    4. Re:Blue Frog by jftitan · · Score: 1

      I have noticed this as well. My firefox crashes at random, whenever I access my gmail account.

      The note I take with the issue is, if I open a clean (new window) and go right into gmail, the blue frog will crash my firefox.

      But if I have 2 or more tabs running, and I've had the window open for some time, then I never encounter an issue. I have been using blue frog for about a month now, and I seriously like it. Either it just makes me feel like I'm doing something (same feeling I get when (if) I recycle), or it is effectively reducing my spam. On a daily basis I used to receive around 150 spam emails in my gmail account; now I'm lucky if I receive 80. Whether or not this is due to bluefrog, I dunno. But I feel better! And that's the whole point.

      --
      "Don't Forget to Salt the Fries"
    5. Re:Blue Frog by Anonymous Coward · · Score: 0

      Why not join bluesecurity.com and report SPAM automatically?

      Automatically? Surely if there existed a way of reporting spam automatically, then it would be trivial to apply the same technique to filter out spam automatically.

      I can only imagine that bluesecurity.com is either not automatic, or reinforces flaws in existing algorithms, making false positives even more harmful.

    6. Re:Blue Frog by Stan92057 · · Score: 1

      It doesn't work most of the time; it crashes Firefox on gmail and yahoo for the automatic reporting add-on and I never see the blue frog working. I am just going to report like I did before; at least I know that works. On a side note I have over 250 messages waiting to be checked; by the time they do check them the web site has more than likely been removed. BF sounds like a good idea but it's wayyyyyyyyyy too slow to do anything, that's MO.

      --
      Jack of all trades,master of none
    7. Re:Blue Frog by senatorpjt · · Score: 1

      From what I see, this only helps the spammer. They have an "encrypted list of email addresses" and a program to remove the addresses from a list. The spammer only needs to run this program on his list, see which addresses disappear, and know that these are valid email addresses.

  13. Oh Really! by protich · · Score: 2, Insightful

    Nothing to see here...we already knew it.

  14. half right.. we knew that though by joshetc · · Score: 0

    Everyone already knew this wasn't designed to reduce spam. I've got a hunch it isn't to give us something we already have though (whitelists). Maybe they are looking to maximize profits? That sounds about right. I guess most of you already knew that one too though..

  15. Certified delivery of spam by kitzilla · · Score: 4, Insightful

    In other words, CertifiedMail is here to certify the delivery of spam by the "important" spammers who have the resources to pay for it.

    --
    This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
    1. Re:Certified delivery of spam by caffeinemessiah · · Score: 1

      Exactly. Except if they're big and have the money for it, they're called "bulk advertisers", "certified targeted marketing" or a whole lot of other jargon that might lead you to believe they really are in fact something other than spam.

      --
      An old-timer with old-timey ideas.
    2. Re:Certified delivery of spam by Kelson · · Score: 1

      CertifiedMail is here to certify the delivery of spam by the "important" spammers who have the resources to pay for it.

      Those who can pay, yes, and also agree to abide by responsible mailing list practices, use only opt-in lists (it doesn't require confirmed opt-in, unfortunately) with working unsubscribe procedures, eschew email harvesting and list sharing, use accurate headers, maintain a low level of complaints... and submit to a background check to show that they aren't spammers.

      If they enforce their TOS, it'll be really difficult for spammers to get on their list, and harder for them to stay.

      But it's OK to ignore all that, 'cause it doesn't make good copy. It's so much more satisfying to claim that this will only legitimize spam, because, y'know, it's being used by AOL, and AOL is evil.

    3. Re:Certified delivery of spam by Anonymous Coward · · Score: 0

      If you buy what is advertised, is it still spam?

    4. Re:Certified delivery of spam by Tony+Hoyle · · Score: 1

      Precisely. Most spammers call their lists 'opt-in'. Most lists of scraped email addresses sold by spammers are 'opt-in'. Their responsible practices mean nothing unless they mandate proper confirmed opt in.

    5. Re:Certified delivery of spam by Jugalator · · Score: 1

      And then it gets a whole lot harder to profit, given the little (but still existing) profitability from spam. I have to wonder if it's still possible.

      --
      Beware: In C++, your friends can see your privates!
    6. Re:Certified delivery of spam by geminidomino · · Score: 1

      If you buy what is advertised, is it still spam?

      Yes. The only difference is that now you're a fucking moron.

    7. Re:Certified delivery of spam by PMuse · · Score: 1

      . . . CertifiedMail is here to certify the delivery of spam by the "important" spammers who have the resources to pay for it.

      Not that I'm a fan of CertifiedMail, but like any whitelist, it will block a lot of spam. Lots of the spam (a) only exists because sending it costs ~zero and (b) comes from temporary addresses that wouldn't register. Getting a better class of spam (i.e. from people who think they have a chance of persuading me to buy something) would be an improvement.

      It would reduce the workload on my filters, for one thing.

      --
      "We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
  16. There Will Be Spam by Gamzarme · · Score: 3, Insightful

    Oh yes, there will be spam..it seems to be here to stay.
    Just like every other problem the 'bad guys' face when exploiting the rest of the population, they will find a way around this too.

    The news will be that if this practice does go into wide usage, spammers will turn toward draining large, anonymous bank accounts to fund their e-mail influxes.
    This 'tax' will only create more problems than necessary.

    My advice: leave what isn't broken alone and if you do have problems, then I suggest you install a good e-mail filter to pick out the spam that does get through.

    --
    Pat
    1. Re:There Will Be Spam by screaser · · Score: 1

      > The news will be that if this practice does go into wide usage, spammers
      > will turn toward draining large, anonymous bank accounts to fund their e-mail
      > influxes.


      Um... if they are able to drain (other peoples') large bank accounts, why would they waste that money for paid spamming?
      Seems that if they can get away with stealing money directly, they'd just stop at that.

      So spam goes down, and then when they get caught it's for a more serious crime -- all in all this sounds like a good plan!

  17. My bank ?.... by i.r.id10t · · Score: 2, Interesting

    My bank or CC company, or just *any* bank/cc company ?

    --
    Don't blame me, I voted for Kodos
    1. Re:My bank ?.... by Spy+der+Mann · · Score: 1

      My bank or CC company, or just *any* bank/cc company ?

      Hell if I know! I'm still wondering why Citibank mailed me several times to tell me that they were going to cancel an account that I didn't open in the first place :P

    2. Re:My bank ?.... by Anonymous Coward · · Score: 0

      privacy concerns will keep them from identifying your specific bank, of course. so all banks will be able to mail you. wheee.

    3. Re:My bank ?.... by Anonymous Coward · · Score: 0

      Mr Kantanga of the 'Nigeria world bank' wishes to inform you that he has a $4 billion transfer needing to be moved to your account.

      Well I'm glad that's genuine - a bank phisher phishing from a Chinese bank computer, I mean it's a deal, no? - and it's genuine email too, whoopie.

  18. Nothing to see here. by rholliday · · Score: 2, Insightful

    We all knew this wouldn't reduce spam. This is just a launching point for email blackmail, along the lines of BellSouth's bandwidth threats. The legal people at AOL are just trying to cover their butts so people don't have a leg to stand on when they complain that they don't get less spam. Totally stupid program.

    --
    Xbox reviews.. We think they're funny.
  19. Anyone detect hypocrisy? by suv4x4 · · Score: 5, Interesting

    Goodmail's service is built around one single idea: easy to pitch to CEOs of large mail providers.

    The providers get paid, and they get a good excuse for charging those fees. End of story.

    If Goodmail's intentions were genuine, they wouldn't charge the "businesses" for every separate mail provider, but create globally valid certificates and then discuss with mail providers of accepting them.

    However, who would care to accept the certificates if he doesn't get the dough (the fees)? So there, we arrive at what Goodmail did.

    Can you imagine paying up completely independently to every single ISP in the world so it can accept your SSL certificate? Yea, it's THAT bad...

    1. Re:Anyone detect hypocrisy? by ruiner13 · · Score: 1
      You can also look at it this way. Legitimate companies would not tarnish their name by mercilessly spamming people. They have working opt-in/opt-out mechanics and play by all the rules. By having these people pay a fee to stay in the rules, you can bet that gives you an incentive to ensure you have on your list only people who really want to get your messages. Sending to people who don't want it will cost them money, so they keep their lists clean.

      Also, right now there is sure to be a good deal of media attention about it, and companies might hitch a ride on the PR wagon by saying they are "Goodmail Certified". If it does catch on, they can further bask in being "the first".

      I do think there is a good chance this will fail miserably, either by low adoption or greed by upping rates, etc.

      --
      today is spelling optional day.

  20. We've heard this before... by CFrankBernard · · Score: 2, Insightful

    Not meant to reduce spam but to verify sender...SPF/Sender-ID/DomainKeys anyone?

    1. Re:We've heard this before... by Anonymous Coward · · Score: 0

      Too bad no one in the legit email marketing community uses any of this stuff yet. Goodmail's solution is the first solution that is beginning to be adopted by legit email marketers.

    2. Re:We've heard this before... by miley · · Score: 1

      Huh? Goodmail always talks about exactly 2 customers: Red Cross and New York Times. In contrast, SPF and DomainKeys are used by hundreds of thousands if not millions of domains, including all of the Email Service Provider Coalition.

  21. Can't login by Anonymous Coward · · Score: 5, Funny

    It appears that site you posted, http://666.43.123.666/bankofamerica/mylogin.php, has already been slashdotted. Anyone know a mirror where I can login to my account?

    1. Re:Can't login by deep44 · · Score: 2, Funny

      I usually hop on one of the bankofamerica.com.geocities.com mirrors, but they also seem to be down right now (or somebody forgot to pay their hosting bill). When this has happened in the past, I usually just open my windows and start shouting my SSN and major credit card numbers until somebody steals my identity.

  22. "Certified" by oGMo · · Score: 2, Funny
    Certified, v.tr.
    4. To declare to be in need of psychiatric treatment or confinement.

    Yeah someone's certifiable here.

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    1. Re:"Certified" by gooman · · Score: 1

      That goes without saying, after all, we're discussing AOL users.

      --
      "Kittens give Morbo gas!"
  23. Firefox extension requires bluefrog anyway... by Spy+der+Mann · · Score: 1

    Little problem with the extension. It needs the bluefrog software downloaded to work. (All the extension does is report the mails to bluefrog for analysis.) The massive opt-out (slashdotting) is done with your computer via the bluefrog exe.

    1. Re:Firefox extension requires bluefrog anyway... by GrumblyStuff · · Score: 1

      So what all is needed (assuming it's free, of course)?

    2. Re:Firefox extension requires bluefrog anyway... by jftitan · · Score: 1

      Simple actually. Just go download the bluefrog application from bluesecurity.com, install it, set up a new account, and then open your mozilla browser. It will add the plugin automatically, but you'll have to register your email accounts one by one.

      The members control panel at bluefrog is simple to use; adding your hotmail, yahoo (non beta), and gmail is a cakewalk.

      Other than that, that's the same procedure I did to get my bluefrog working for me. (woopie!)

      --
      "Don't Forget to Salt the Fries"
  24. Yeah, this is what we've been saying all along by wile_e_wonka · · Score: 4, Interesting

    This really isn't news. This is just an acknowledgment of the deceit behind their earlier statements. They did a real crappy job of deceit though, as everyone saw this as something that wouldn't block spam. Instead I'll have spam with little blue ribbons that was paid for. And then I'll have spam that I can't tell apart from my normal mail because it wasn't paid for, but it made it through the spam filter (except really we all cann t311 1t apart fr0m 0ur normal mail for the 0b>i0us reasons).

  25. Trust but verify. That it's crap. by DysenteryInTheRanks · · Score: 5, Funny
    The only real solution to stop from being misled by online con artists is to examine each link in a chain of Internet communication to ensure it is from a trustworthy, reliable source.

    Email address, Web URL, referring party -- each should be bulletproof BEFORE you extend your trust. Otherwise, you might get scammed.

    Take this article. We know it's reliable and trustworthy. How?

    Well it was submitted by "anonymous reader," who has posted many a fine gem on this here site.

    Then it was filtered by an "editor" named "ScuttleMonkey." How can you not trust a monkey? Monkeys rock!

    Then, when you click on the link, you see you have been taken to "Spam Daily News," a bastion of journalistic integrity that makes the New York Times look like the New York Times before Judy Miller got fired.

    Finally, the whole thing originated from a little place we like to call "Slashdot." I think the quality of this brand needs no elaboration.

    So as you can see, it is not hard to recognize a secure, reliable, not-at-all-misleading-or-shady chain of Internet links. Happy surfing!

  26. Only one thing will work... by DigitalRaptor · · Score: 1, Funny

    Capital punishment.

    --
    Lose Weight and Feel Great with Isagenix
    1. Re:Only one thing will work... by mrball_cb · · Score: 1
      Capital punishment.

      At first I thought you said Capitol Punishment...
      You could blindside a few politicians whose districts the bulk email corporations are registered in.
      But no, regulation is not the answer. Government has screwed up so many things that they stuck their fingers in, I don't want them touching this.
    2. Re:Only one thing will work... by DigitalRaptor · · Score: 1

      Ahh, come on.

      A few dead spammers never hurt anyone...

      --
      Lose Weight and Feel Great with Isagenix
  27. Can't we already do this... by dteichman2 · · Score: 2, Insightful

    Is this just going to be RSA message-signing in a shiny package?

    --


    Silence is golden... and duct tape is silver.
  28. They presented to my organization by StanSmith · · Score: 5, Interesting

    I spent an hour beating them up on a number of issues, much to the embarrassment of my 'far too ready to sign anything' CTO.

    Their VP kept harping on how "it will tell users they can trust your mail". My point that the real challenge was getting users NOT to trust things was not well received, to say the least. I also mercilessly attacked their constant assertion that their widget is "unspoofable", on the simple grounds that a similar widget in a similar location would be sufficient to fool many users.

    My CTO has been asking me when we're going to implement Goodmail ever since. Khaaan!

    1. Re:They presented to my organization by Coniptor · · Score: 1

      Care to tell us all who your employer is?
      Those in the know should set themselves apart from all of this.
      Blacklists of companies not to do business with as well as their partners (out to the edge)
      should be maintained. Whiny friends and family members should be left to "burn" themselves
      until such time that they are willing to take direction and actually "listen" (and ask questions over what they don't understand).
      Ensure there is no gray area to allow them to pander to those not in the know.

    2. Re:They presented to my organization by miley · · Score: 1

      Blacklist is way too strong. The best penalty is just to ignore. The market will take care of this one on its own without screwing up your own delivery.

    3. Re:They presented to my organization by StanSmith · · Score: 1

      I'd rather not. Info I'm comfortable with: we're a non-profit that would be a recognizable selling point for Goodmail, and the meeting took place about a week before they announced their deal with AOL and Yahoo (so before AOL announced that they'd pay the fees for non-profits). The deal they were offering at the time was essentially giving it away (including hardware), so I know they hope to plaster our name all over their marketing.

      As of yet, I've been able to fend off any further steps towards adoption.

      My argument that Goodmail is harmful to the community, with examples such as mysql, apache, and horde mailing lists which we use to do things we could never afford from a commercial vendor, has fallen completely on deaf ears with management.

      Fortunately, they accept for now that we don't want to tell anyone that they can unequivocally trust an email that purports to be from us, which is how Goodmail tried to sell their service. My main weapon here was being able to refer to previous conversations where I successfully shot down antivirus footers of the type "This email certified virus-free".

  29. The way to end phishing is to not use email. by khasim · · Score: 1

    Nothing you do on the receiving end will ever end phishing.

    Yet it is very easy to kill 100% for almost every financial organization out there.

    Just do not use email to communicate with your customers. That's it. Unless you're PayPal, the problem is solved.

    The only reasons that banks continue to use email is because:
    #1. It provides a cheap way for them to send ads to their customers.
    #2. They don't bear the financial loss when customers lose money.

    The only way to change #1 is to change the law on #2.

    Today I received an email from Chase. I checked it. It was from Chase. It was for an employee who isn't here anymore. NOTHING I did seemed to unsubscribe him. I just kept getting messages back saying that that address did not receive email. Even clicking on the "unsubscribe" link resulted in that email. Every link pointed back to Chase.

    The phishers are SMARTER than the people the banks hire to send email ads.

    Until the law changes, the best you can do is try to individually educate every user out there NOT to click on any links or call any 800 numbers that claim they come from their bank via email. And educating millions of people just isn't cost effective.

    1. Re:The way to end phishing is to not use email. by fimbulvetr · · Score: 1

      Are you 100% sure it was from chase? There has been a _tremendous_ amount of chase spam/phishing/spoofing going on lately. By lately I mean within the past 14 days.

  30. Not to curb spam? Then this is BS by moochfish · · Score: 3, Interesting

    Wait. I don't get it. If the purpose is to ensure the sender really IS the sender, why do I have to pay up again?? If I'm the BankofSlashdot and I send emails to my customers from the email accountdetails@bankofslashdot.org, why is it they can't just add me to a registered senders list with my server's IP recorded? Why's that suddenly cost money?

    If the purpose isn't to reduce spam, what does this new pay-for-being-recognized service offer that current ISPs don't already? Most ISPs will begin taking actions against your spam if you start spamming without contacting them anyway, and you are looking at legal trouble if you spam with forged headers or people who have opted out. Through whitelists and regulations, the framework is already in place for the legit spammers to spam. AOL already has whitelists. AOL already negotiates and limits email volume with mass email marketers. AOL already uses blacklists. And this whole thing isn't even mandatory!

    So I'm really not sure what this pay system is supposed to do except earn AOL an extra dime at no added cost.

    1. Re:Not to curb spam? Then this is BS by BCW2 · · Score: 1

      "So I'm really not sure what this pay system is supposed to do except earn AOL an extra dime at no added cost."

      That is the whole point, to add cash to AOhell's sagging profits. Why do you think the boardroom is talking about splitting the company and sending AOhell back out on its own?

      As a tech I only remove more problems from Norton-infected machines than I do AOL.

      --
      Professional Politicians are not the solution, they ARE the problem.
  31. broken way to fix phishing too by Anonymous Coward · · Score: 3, Insightful

    say you're the bank of america, and you send your "transactional" mail with this GoodMail thing turned on and the little flag set. what about your other emails that you don't pay for? if any of your mail is sent uncertified, then phishers can just impersonate that "oh this is just one of those uncertified emails we the bank of america send you occasionally - click here to see our latest offers (requires SSN)".

    so suddenly you have to pay for _all_ your mail just to maintain your credibility. and then what if you cross the spam-complaint level goodmail sets accidentally and they throw you off their system (as they are contractually obliged to do)? does that mean that nobody will ever trust your mails again? do you get to send out one last certified mail saying "okay from now on pay no attention to that little flag?"

    it seems a really bad idea for a big company to place their credentials in trust with a third party and then let them charge them for every mail they send

  32. Mod Parent UP by wish+bot · · Score: 1
    I think that's actually a really sensible idea. In fact I think I'd go as far as saying that it's the best idea for combating phishing that I've ever heard.

    The big problem is - of course - convincing the banks to promote the idea in a consistent way.

    --
    lemonade was a popular drink and it still is
  33. I'll sort my own mail, thank you... by Ossifer · · Score: 2, Insightful

    I already sort my incoming email, by many categories. What purpose is there to having two classifications: "important" and "other"?

  34. Banks? Financial institutions? by russ1337 · · Score: 1

    I sent a friend of mine an e-mail, and I got an automated response saying that I have to reply to it for the e-mail to get through; it would then add me to his trusted list, or otherwise it would be marked as spam.

    So how will the 'genuine' banks and other financial institutions / ebay / paypal, react to that e-mail? Most automated emails, have a 'do_not_reply@provider.com' as their reply address...?

    1. Re:Banks? Financial institutions? by Anonymous Coward · · Score: 0

      Your friend's bank is out of luck. But, that's because your friend didn't give their trusted e-mail address to the bank. Most of these whitelist sites allow you to create a trusted e-mail for each entity. So, they would create a mybank-user@spamblockyopunkass.com address. Then, if the user ever gets spam on that address, their blocker reports the bank for selling the address, and people get pissed.

  35. So it is to stop phishing by fermion · · Score: 2, Interesting
    If it is about verifying the sender, then it is a noble goal. Even though banks do not do the sort of stupid things they used to do, the ability to spoof the URL location bar and universal font sets still allow the motivated phisher to fool the unwary customer.

    So there is clearly a need for someone to help the average user discriminate between legitimate and nefarious email. The need could result in a significant market opportunity if an ISP developed appropriate technology and backed up the technology with a meaningful guarantee. People will pay for security, even shallow security.

    I also believe this will reduce email that might be strictly categorized as spam. Not the broad definition of unsolicited email that has resulted in no meaningful agreement on how to deal with the problem, but email that has a misleading subject, spoofed headers, clearly obtuse text content meant to disguise the HTML rendered message, and links to shady websites. If the ISP allowed users to set up a list of safe addresses, provided the level of protection that the USPS service does for unsolicited mail, and provided a good customer crisis line, that would provide a big competitive advantage. If, however, it is just charging spammers for email while the user dangles on the vine, then it is quite useless.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  36. The USPS was supposed to do that! by netringer · · Score: 3, Informative

    The US Postal Service demoed just such a thing many, many years ago. They had an email encryption and delivery service to verify that the message was not altered. I suppose the problem in certifying the sender and receiver and proving delivery (to a person - not a mail spool) were technical issues they couldn't handle.

    The difference of the USPS vs. Goodmail is that the USPS has official legal authority for such things as mail tampering and proof of delivery.

    I suppose if they were to offer the service now, Goodmail would buy a law to prohibit the USPS from competing against a private business as Sen. Santorum is trying to do with the weather service.

    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
    1. Re:The USPS was supposed to do that! by jbolden · · Score: 1

      The USPS has internal people that know lots about encryption and servers. Generally though they like to partner with companies for their services (i.e. company A buys from company B who buys from the post office) so no worry there. My guess is that people won't pay for verified email.

  37. uh, GPG by Anonymous Coward · · Score: 2, Insightful

    uh, isn't this what PGP/GPG are for?

    1. Re:uh, GPG by Anonymous Coward · · Score: 0

      Or even S/MIME. All we need is the banks to use it and people to understand it.

      I had a financial company offer to contact me about my financial details by email. I wrote on the form "Only if you use PGP. Please phone for key details". Will have to see what they make of that.

      If everyone used encryption routinely it would be a lot better.

  38. Pretty damn sure. by khasim · · Score: 2, Interesting
    The unsubscribe link did go to chase.com and I confirmed that that site does belong to Chase.

    The email is being sent from "bigfootinteractive.com".

    I use the raw ASCII message to get the link and when I paste it in the browser, I get that reject message.

    So, we have more examples of the bank making phishing EASIER by going through a 3rd party and linking chase.com to that 3rd party's email.

    It's funny that Chase includes this bit on their email.

    The Chase OnlineSM services mentioned above can be accessed through our site directly. The links here are included for your convenience. If you are suspicious of an e-mail, please feel free to use the URL that appears on the back of your credit card, or type chase.com directly into your browser.

    Again, all the links go to chase.com and I've verified that in the raw ASCII text of the message, but the response emails come from bigfootinteractive.com......

    Seriously, how easy does Chase want to make a phisher's life?

    Hey, Chase! Use your own fucking email servers you morons!

    If you're still wondering, let me know and I can post their response email for you to check yourself. I've replaced my domain with "DomainReplaced.com" and fucked up the id string, but other than that it is pure.
    1. Re:Pretty damn sure. by dnoyeb · · Score: 1

      I could not agree more. I signed up with Vonage and I had to send them a nasty letter about how they send their users to a 3rd party to complete the registration. This is totally stupid. The 3rd party is not even referenced on Vonage's website and you have absolutely no way to know they are legitimate. It's mind-boggling.

    2. Re:Pretty damn sure. by DSP_Geek · · Score: 1

      Bigfoot. Ew. News.admin.net-abuse.email is rife with stories about addresses "leaking" from BFI onto spam lists.

  39. So now all the bad guys have to do... by EdMcMan · · Score: 1

    is to fork over some money to AOL to phish. You'd think this would stop them, but since the mail is now "certified" or whatever you want to call it, people will believe it and probably increase their response proportions.

  40. We already have a better way to do this by NightHwk1 · · Score: 5, Interesting

    GnuPG / PGP signing, with peer-based levels of trust. Or even better: get the public key direct from your bank when you first log in to your account. Added bonus, you have the option of turning on encrypted email.

    This might bring up the question of encrypted spam, but your keyring would act as a whitelist. If some random person sent you an encrypted or signed message, then you would be presented with a message asking if it should be accepted.

    All we need is a simplified way to do this for the general public. Too bad Thunderbird doesn't come with Enigmail preinstalled. We'd probably need something else for webmail. (FF extension?)

    1. Re:We already have a better way to do this by collinl · · Score: 2, Insightful

      What about when you want to add or delete accounts to your on-line banking?
      What happens when you lose your private key, and can't decrypt those important messages about your accounts and the contracts for service (banking, deposit holding, interest etc. are all contracted services)? And then a tax audit, bankruptcy, or civil suit that requires legal discovery?

      Without evidence to defend yourself, life is sooooo much more difficult.
      These sorts of reasons are why PGP, gpg and S/MIME never work in corporate environments - the problems are worse than the benefits.

      Lyal

    2. Re:We already have a better way to do this by Anonymous Coward · · Score: 0

      If you're worried about losing your key, then just keep a copy in a safe-deposit box somewhere, on acid-free paper, with the passphrase. Or set up a system to decrypt each message as you read it and store a plaintext version.

      Anyway, this problem doesn't apply if you only use it to sign messages, to prove authenticity. You don't have to encrypt them as well.

    3. Re:We already have a better way to do this by ratboy666 · · Score: 1

      I would LOVE to receive a spam email that is singly encrypted with my public key.

      It won't happen -- it would be too computationally expensive to encrypt the spam (each recipient would need a customized email). Sort of removing the "bulk" from "bulk email".

      Ratboy.

      --
      Just another "Cubible(sic) Joe" 2 17 3061
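    The scheme NightHwk1 describes in comment 40 (a keyring that doubles as a whitelist, with the bank's key fetched while you are logged in) as an added example; this is not code from any poster or from GnuPG or PGP. It uses Go's standard Ed25519 instead of OpenPGP so it runs offline, and all addresses and message bodies are constructed. It shows the three outcomes a client would need: a known sender with a good signature is accepted, a known sender with a bad signature (tampered body, a forger's key, or a signature replayed under another address) is rejected, and an unknown sender triggers the "add this key?" prompt rather than silent acceptance.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Keyring maps a sender address to the public key obtained out of band
// (for a bank: fetched from the site while logged in, as the comment suggests).
// Only senders listed here are trusted, so the keyring doubles as a whitelist.
type Keyring map[string]ed25519.PublicKey

// SignedMessage is the signed mail as the recipient's client sees it.
type SignedMessage struct {
	From      string
	Body      []byte
	Signature []byte
}

// Verdict is what the mail client should do with the message.
type Verdict int

const (
	Accept  Verdict = iota // known sender, valid signature
	Reject                 // known sender, but the signature does not verify
	AskUser                // unknown sender: prompt before trusting the key
)

func (v Verdict) String() string {
	switch v {
	case Accept:
		return "accept"
	case Reject:
		return "reject"
	default:
		return "ask-user"
	}
}

// signingInput binds the claimed From address to the body, so a valid
// signature on one message cannot be replayed under a different address.
func signingInput(from string, body []byte) []byte {
	return append([]byte("from:"+from+"\n"), body...)
}

// Sign produces a signed message with the sender's private key.
func Sign(from string, body []byte, priv ed25519.PrivateKey) SignedMessage {
	return SignedMessage{From: from, Body: body, Signature: ed25519.Sign(priv, signingInput(from, body))}
}

// Verify checks a message against the keyring and returns the verdict.
func (k Keyring) Verify(m SignedMessage) Verdict {
	pub, known := k[m.From]
	if !known {
		return AskUser
	}
	if ed25519.Verify(pub, signingInput(m.From, m.Body), m.Signature) {
		return Accept
	}
	return Reject
}

// Demo runs the constructed scenarios: a bank with a whitelisted key and a
// phisher with a key of their own. Addresses use .test domains and are made up.
func Demo() (map[string]Verdict, error) {
	bankPub, bankPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, phisherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	const alerts, support = "alerts@examplebank.test", "support@examplebank.test"
	ring := Keyring{alerts: bankPub, support: bankPub} // one bank key, two addresses

	genuine := Sign(alerts, []byte("Your statement is ready."), bankPriv)

	tampered := genuine // same signature, body altered in transit
	tampered.Body = []byte("Your account is locked; reply with your password.")

	replayed := genuine // genuine signature re-sent under another whitelisted address
	replayed.From = support

	spoofed := Sign(alerts, []byte("Please log in at the link below."), phisherPriv)
	stranger := Sign("offers@example-phish.test", []byte("Hello"), phisherPriv)

	return map[string]Verdict{
		"genuine":        ring.Verify(genuine),
		"tampered":       ring.Verify(tampered),
		"replayed-from":  ring.Verify(replayed),
		"spoofed-from":   ring.Verify(spoofed),
		"unknown-sender": ring.Verify(stranger),
	}, nil
}

func main() {
	verdicts, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	for _, name := range []string{"genuine", "tampered", "replayed-from", "spoofed-from", "unknown-sender"} {
		fmt.Printf("%-15s %s\n", name, verdicts[name])
	}
}
```

    The "replayed-from" case is the reason the signature covers the From address and not only the body: with one key serving several bank addresses, a signature that covered only the body could be moved from a harmless notice to a different sender identity without detection.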
  41. It's not so easy anymore. by raehl · · Score: 1

    I'm a pretty smart guy. I'm 27 and have been using computers for 18 years, online for 17 and on the internet since '95 or so.

    I am starting to get emails where it is very difficult to tell if they are real or not - both fake emails that look real and REAL emails that look fake. Figuring out which is which takes time, and about a month ago I actually fell for my first phishing scam about 2 months ago (for an eBay password; I had just gotten up and didn't realize the email that looked EXACTLY like the other seller question emails I get wasn't legit. I wouldn't have fallen for it if it asked for a SS number or something.)

    But why should I have to spend time figuring these things out? If there was a service that marked certified mail in one color and non-certified mail in another and gave certified mail delivery priority, that's a good thing. Saves me time, and makes spam less profitable, saving me more time.

    1. Re:It's not so easy anymore. by Ravatar · · Score: 2, Insightful

      Because it's just a matter of time until the non-certified mail messages are almost discernible from the certified ones, and you eventually end up having the exact same problem you have now.

    2. Re:It's not so easy anymore. by dgatwood · · Score: 1
      Exactly. There is exactly one safe way to handle emails that direct you to a web site: don't click the links. Using HTML in email should be for layout purposes ONLY. (IMHO, the blame for the entire phishing problem can be placed squarely on the shoulders of Microsoft for pushing HTML email instead of a more sane, link-free, layout-only standard, but I digress.) If your company depends on people clicking links to take users from an email message to a login page on your company's website, you WILL become a target for phishing scammers. If your company says "we will never send you email with links to our website and any emails that claim to contain links to our website are fake" then your company can never be an easy mark.

      As a policy, I do not ever click on links in email messages unless they are things sent to our company's internal humor list or are links sent by personal friends to their web sites. I've gotten plenty of fake eBay emails claiming things like "you have a non-paying bidder strike" and other such BS. Every time, I go straight to the web browser, go to eBay by typing www.ebay.com into the location bar, and log into my account. In the unlikely event eBay were to show a message for me along those lines, I would deal with it in that way. Otherwise, I know it's a scam, and I forward it to the appropriate authorities at eBay along with the abuse or administrative contact email for their first and second tier upstream providers, courtesy of ARIN whois, APNIC whois, and similar.

      For me, the only exception to this no clicking policy is links to eBay questions about an auction where I'm the seller. In those cases, if I'm already logged into eBay, I'll click on the link to save time getting to the question. If clicking on the link takes me to a login page, I immediately know that it isn't from eBay (since I'm already logged in), so I can simply close the window and flip my middle finger in the general direction of the message's actual sender.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:It's not so easy anymore. by miley · · Score: 1

      >or are links sent by personal friends to their web sites

      Can't even trust those anymore. One of my IM friends got phished, then his account sent me a 'Hey, I just posted some vacation photos here [link]', with link going to a site mimicking the yahoo photos login. I figured out it wasn't yahoo, but within a few hours, a mutual friend's id sent me the same message. Messages from 'friends' are perfect trojan horses for phishing, for exactly the reason you state :(

    4. Re:It's not so easy anymore. by dgatwood · · Score: 1
      But again, that would take me to a login page. I will click links that friends send to things that are amusing. Any link from an email message that requires me to log in will immediately be closed. Then, I will go to the legit web site if I know it, log in, then go back to email and click the link.

      If I don't have a login on the site in question, I probably won't bother to sign up for one even with bogus information, but I might, depending on how bored I am. That said, I wouldn't expect a phishing site to have a working "create account" screen, as it wouldn't do them any good. This is where my endless array of useless, low security passwords comes into play.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
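    The manual checks khasim (comment 38) and dgatwood (comment 41) describe, as an added example that is not code from either poster: a Go program that reads a raw message and reports the things a suspicious reader looks for by hand. It flags an envelope sender (Return-Path) or Reply-To that is not under the From domain (the third-party bulk-mailer situation), links whose host is not under the From domain, and links whose visible text names one host while the href goes to another. The message is constructed with made-up .test domains; the heuristics are this example's own and are meant as a triage aid, not a verdict.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one reason a reader should distrust the message.
type Finding struct {
	Kind   string // short label used for counting and filtering
	Detail string // what was seen
}

// SampleMessage is a constructed message, not a real mailing from any bank or
// email service provider. The visible links point at the bank's domain, but
// the envelope sender and reply path belong to a third party, one link goes
// to a lookalike host, and one link's visible text does not match its href.
const SampleMessage = "Return-Path: <bounce-123@example-esp.test>\r\n" +
	"From: \"Example Bank\" <alerts@examplebank.test>\r\n" +
	"Reply-To: unsubscribe@example-esp.test\r\n" +
	"To: customer@domainreplaced.test\r\n" +
	"Subject: Your statement is ready\r\n" +
	"Content-Type: text/html\r\n" +
	"\r\n" +
	"<p>View it at <a href=\"https://www.examplebank.test/login\">www.examplebank.test</a></p>\r\n" +
	"<p><a href=\"http://examplebank.test.example-esp.test/unsub?id=1\">Unsubscribe</a></p>\r\n" +
	"<p><a href=\"https://login.example-phish.test/\">https://www.examplebank.test/secure</a></p>\r\n"

var (
	anchorRe  = regexp.MustCompile(`(?is)<a\s[^>]*href\s*=\s*"([^"]+)"[^>]*>(.*?)</a>`)
	tagRe     = regexp.MustCompile(`(?s)<[^>]*>`)
	addrDomRe = regexp.MustCompile(`@([A-Za-z0-9.-]+)`)
)

// domainOf returns the lower-cased domain part of an address header value,
// falling back to a plain "@domain" scan if the header does not parse cleanly.
func domainOf(headerValue string) string {
	addr := headerValue
	if parsed, err := mail.ParseAddress(headerValue); err == nil {
		addr = parsed.Address
	}
	m := addrDomRe.FindStringSubmatch(addr)
	if m == nil {
		return ""
	}
	return strings.ToLower(m[1])
}

// hostOf returns the lower-cased host of a link; bare hosts such as
// "www.examplebank.test" are accepted by assuming an http scheme.
func hostOf(link string) string {
	link = strings.TrimSpace(link)
	if !strings.Contains(link, "://") {
		link = "http://" + link
	}
	u, err := url.Parse(link)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// underDomain reports whether host is domain itself or a subdomain of it.
// A host like examplebank.test.example-esp.test is NOT under examplebank.test.
func underDomain(host, domain string) bool {
	return host != "" && (host == domain || strings.HasSuffix(host, "."+domain))
}

// looksLikeHost is true when the visible anchor text is a URL or bare hostname,
// the case where a reader compares what they see with where they are sent.
func looksLikeHost(text string) bool {
	return text != "" && !strings.ContainsAny(text, " \t\r\n") && strings.Contains(text, ".")
}

// Analyze parses a raw RFC 5322 message and lists header and link
// inconsistencies relative to the domain the From header claims.
func Analyze(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	claimed := domainOf(msg.Header.Get("From"))
	var findings []Finding

	// Envelope sender and reply path should belong to the claimed sender.
	if d := domainOf(msg.Header.Get("Return-Path")); d != "" && !underDomain(d, claimed) {
		findings = append(findings, Finding{"third-party-envelope", "Return-Path domain " + d})
	}
	if d := domainOf(msg.Header.Get("Reply-To")); d != "" && !underDomain(d, claimed) {
		findings = append(findings, Finding{"third-party-reply-to", "Reply-To domain " + d})
	}

	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	for _, m := range anchorRe.FindAllStringSubmatch(string(body), -1) {
		href, text := m[1], strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		target := hostOf(href)
		if !underDomain(target, claimed) {
			findings = append(findings, Finding{"off-domain-link", href})
		}
		if looksLikeHost(text) && hostOf(text) != target {
			findings = append(findings, Finding{"text-href-mismatch", text + " -> " + href})
		}
	}
	return findings, nil
}

func main() {
	findings, err := Analyze(SampleMessage)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-22s %s\n", f.Kind, f.Detail)
	}
}
```

    On the sample it reports five findings: the third-party Return-Path and Reply-To, the lookalike unsubscribe host, and the off-domain login link together with its mismatched visible text. A message whose links and envelope all sit under the From domain produces none, which is exactly the property khasim found missing.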

  42. Why to reduce spam at all? by Maljin+Jolt · · Score: 1

    I keep all of my received spam at home. All of 5714 this year and 20493 last year total on 14 addresses. And of course feeding filters with it, so my family never saw any. It takes some 0.0000000000??% of my bandwidth; I am wasting much more bandwidth just reading Slashdot. More, I can study time patterns, botnet spread and even bugs in spamming software passively on that data set with some interesting conclusions.

    --
    There you are, staring at me again.
  43. Emailed Subpoenas by Soloact · · Score: 1

    I sure would hate to receive a subpoena via email, where just reading it constitutes being "served". I can see the ramifications of such emails, especially if it is sent to the wrong person or a "catch-all" email account. One could have a bench warrant for not appearing, for whatever reason, when, in actuality, they really were never served. Or someone else taps into the email, sees the subpoena, then deletes it, and the person it is intended for never sees it. Okay, before you all get into the "security" and "email" thing, think that this could easily happen with a PC used by the whole family.

    1. Re:Emailed Subpoenas by Anonymous Coward · · Score: 0

      I sure would hate to receive a subpoena via email, where just reading it constitutes being "served".

      If you are paranoid like the rest of us you have already turned off open/read receipts in your email client.

      And because of that ability I doubt we will ever have email subpoenas; there is just no way to verify that: A> the person actually received the subpoena and B> it was the right person who got it.

      I think for legal reasons humans will always hand deliver these. We have certified postal mail yet that isn't even considered good enough for sending subpoenas, so I doubt the legal system will accept the electronic equivalent of that.

    2. Re:Emailed Subpoenas by Anonymous Coward · · Score: 0

      Goodmail provides "receipts":

      "Delivery Confirmation and Enhanced Reporting. A unique token in every message allows Goodmail to track and confirm delivery at the message level. With this feature Goodmail can manage volume, provide accurate delivery and non-delivery reports to senders, and track recipient feedback for fair and straightforward enforcement of the service."

      http://www.goodmailsystems.com/senders/#4

    3. Re:Emailed Subpoenas by Soloact · · Score: 1

      Absolutely, open/read receipts are turned off, as I am as paranoid as we all are. I have gotten weary of having to go to court as a witness to an incident that happened outside the courtroom of another incident that I was a witness to. Talk about being in the wrong places at the wrong times.

  44. Why can't personal certificates do this? by AusChucky · · Score: 4, Informative

    Can I ask what happened to using Personal certificates?? Why, when we use SSL certificates to verify that a website we are visiting is actually the true company, can't we use personal certificates to verify that the email we are receiving is actually from the company?? Surely they could configure their mail servers to filter out email on this basis without requiring a 3rd party solution that makes you pay for it. Hate to state the obvious but this is just the big companies' way of getting their hands in on a great free thing that the internet provides.

    1. Re:Why can't personal certificates do this? by dnoyeb · · Score: 1

      Don't we use 3rd parties for SSL certificates?

      I think the major players can't make as much money without the 3rd party scheme so they push it. Note how difficult it is for you to create a certificate to sign your email with that outlook will understand/respect (without using 3rd party).

      The large email providers are seeing $$$. I think the delay is in thinking up schemes that people feel the need to pay for. It's funny that we can protect a damn movie through unwanted inconvenience and mandated cost to the end user, but we can't protect email.

  45. Cool by Anonymous Coward · · Score: 0

    Paid e-mail is definitely something I am not interested in and can filter out with 100% assurance.

    Mike

  46. Try this one... by mattmacf · · Score: 4, Funny
    Give http://127.0.0.1/bankofamerica/mylogin.php a shot. From what I gather, it uses a super-secret unbreakable open source, ROT26, GNU/Linux, AES, one-time pad, AJAX, NSA, quantum encryption mechanism that guarantees your identity will never be stolen.

    Functionality may be limited.

    --
    I only mod funny =D
    1. Re:Try this one... by MC68000 · · Score: 1

      Wow!! My bank has a huge porno stash!

      --
      E = m c^3 Don't drink and derive E = m c^3
    2. Re:Try this one... by xzanthar · · Score: 1

      New definition for Home Banking. :)

      --
      I encrypt all my files with Double XOR Encryption!
    3. Re:Try this one... by Anonymous Coward · · Score: 0

      lol to that.

  47. Blue Frog "algorithm" by Spy+der+Mann · · Score: 2, Informative

    Automatically? Surely if there existed a way of reporting spam automatically, then it would be trivial to apply the same technique to filter out spam automatically.

    Pardon me. It's not automatic in the recognition algorithm, but it's much faster than having to do a whois and then reporting to the ISP for each SPAM that gets to your inbox.

    Let me describe the Blue Frog algorithm.

    Suppose your e-mail is somedude@myinbox.com . When you set up a blue frog account, you get a "honeypot" address like somedude@report.bluecommunity.com. The reports are analyzed (by whom or what, I don't know) and then your bluefrog software receives a request to report at the spammers' website asking for opt-out (the opt-out just tells the spammer how to download the "do not intrude" registry, it doesn't give out any e-mails).

    The point is that this software actually gives an incentive (html form "SPAM") to spammers to stop sending e-mail to your account.

    What I do is send the SPAM that gets into my junk mail folder to the honeypot account. So, filtering is necessary as a first step, but after a while, you don't have to filter the junk mails, because they don't get to your e-mail in the first place. In my case, I use the firefox extension to send my Yahoo! junk-mail to report the SPAM to blue frog.

    Then I just let my blue frog software do the dirty work.

  48. S/MIME by metamatic · · Score: 1

    Indeed. If their aim is really to cut down phishing, they don't actually need to invent a new protocol or charge money; they should just get on with implementing the standards we already have, S/MIME.

    If Apple Mail can do it seamlessly, why can't AOL?

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  49. I guess they are dropping SSL/TLS, then ... ! by madbrain · · Score: 1

    When I worked for AOL / Netscape on security, I suggested they do exactly this - use S/MIME for spam filtering. AOL had a mail client that supported S/MIME - called AOL Communicator. I was doing part of the implementation - the NSS S/MIME code in Mozilla. This was back in 2002. But the very idea of using S/MIME as a spam filter tool fell on deaf ears at the executive level. I guess they still don't get it :-(

    --
    -- Julien Pierre http://www.madbrain.com/blog
  50. Not the problem by bhalter80 · · Score: 1

    Email sender authentication is not the problem. That has been solved many times by many different people. Between PGP, GPG, and the Microsoft-esque DigitalID there is no shortage of digital IDs. Now I fully agree that the micropayment __idea__ is intended to limit people abusing this to send authenticated junk. Although the USPS essentially does the same thing, and I have to say that before I got off the credit card mailing list I got 2 of those for every piece of legit mail.

    The moral of the story is that as long as the cost of postage, digital or physical, is insignificant in relation to the money made through sales, people and businesses will be willing to pay if it gets them more customers.

    The other problem, as has been pointed out before, is that this is open to phishing 1.1, where phishing attacks attempt to spoof Goodmail too. While that's probably prohibitively difficult to do, it's probably not that hard to make it look like it is authentic.

    1. Re:Not the problem by shorgs · · Score: 1

      There's a centralized credit card opt out list?

    2. Re:Not the problem by bhalter80 · · Score: 1

      Yes, the link is here. I thought it was a scam at first, but this page from the FTC links to them. Both my fiance and I have taken advantage of this and it works like a charm.

  51. We're not trying for anything by SeaFox · · Score: 2, Informative
    Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam.

    Of course not, that way when it does not reduce spam, they can't say CertifiedMail was a failure.
    *****
      This article advocates a
     
    ( ) technical ( ) legislative (x) market-based ( ) vigilante
     
    approach to fighting spam. Your idea will not work. Here is why it won't work.
    (One or more of the following may apply to your particular idea, and it may
    have other flaws which used to vary from state to state before a bad federal
    law was passed.)
     
    ( ) Spammers can easily use it to harvest email addresses
    (x) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (x) Requires immediate total cooperation from everybody at once
    (x) Many email users cannot afford to lose business or alienate potential
    employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business
     
    Specifically, your plan fails to account for
     
    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    (x) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    (x) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook
     
    and the following philosophical objections may also apply:
     
    (x) Ideas similar to yours are easy to come up with, yet none have ever been
    shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    (x) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    (x) Sending email should be free
    (x) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough
     
    Furthermore, this is what I think about you:
     
    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
  52. Of course it's not... Just like SPF. by Tetard · · Score: 2, Insightful

    It's not meant to limit SPAM (unless your idea of email, as some want it to become,
    is a communication medium where you only accept people you "trust" and reject the
    others). It's meant to protect trademarks, and push responsibility away from the
    sender (i.e.: "you should have checked who the mail came from, ours are signed").
    Yahoo, and of course banks and other institutions who want to defend their
    credentials love SPF and similar systems. They don't care about SPAM, they just
    don't want to get blamed by customers and their insurers for phishing mails and
    the like.

    1. Re:Of course it's not... Just like SPF. by Forbman · · Score: 1

      Hmm... I think it's more of a way for AOL, Yahoo, etc. to instead get SOME money back from the spammers who currently leech off of their systems. As usual, the casual end-user is not even an afterthought.

  53. DON'T CLICK THE LINK by m50d · · Score: 1

    That's one *sick* site he's sending you to!

    --
    I am trolling
  54. Hello Newman... by Liquid+Len · · Score: 1

    Newman, the fat postman in Seinfeld: "You see, my dear, all certified mail is registered, but registered mail is not necessarily certified".

  55. Verification, yep, nope... by WWWWolf · · Score: 1

    A few non-technical people I know once had to deal with a nasty virus infection.

    That was from an email worm. Of course, they had heard that it's stupid to click on attachments. Of course. Common security education and all that.

    The problem was, the worm said that it was an important patch and it had a nice "checked by Norton" kind of pic in it. So, obviously, these people thought "it's an important patch and it has been virus-scanned. let's try it." Even when they didn't run Norton themselves.

    Certified email won't help with the phishing problem. It's too easy to set up the air of legitimacy. It can also provide a false sense of security: phishers already make "legit enough"-looking websites, how hard would it be for them to make "legit enough"-looking email?

  56. reinventing the wheel by l3v1 · · Score: 1

    allow users to verify who important messages are really from

    It's not even surprising or funny anymore when some people try to reinvent something under a different name and try to gain money/power on the "idea". PGP/GPG anyone? Is it really necessary to rename and reinvent the e-mail signing idea over and over again? Most people don't even know what e-mail signing is, so they won't notice, but it's stupid nonetheless. Against all my efforts, among all my friends we are only two who use e-mail signing; the rest won't even consider it. From among the thousands of (legitimate and valid) e-mails I read monthly, usually _none_ of them is signed. People just don't care. No matter if we tell them why it's good, no matter that we ask them politely to use signing, nothing really helps. And I can't even say that I won't read unsigned e-mails, because I hardly ever receive signed mails...

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
    1. Re:reinventing the wheel by Anonymous Coward · · Score: 0

      You're right in that PGP has been doing this for years. Other such "verification" efforts are included in secure mail software that is aimed for businesses. One such company that has been providing to many of the North American carriers lately is Echoworx Corporation http://www.echoworx.com/

  57. Authenticating incoming mail. by Anonymous Coward · · Score: 0

    Of course this wouldn't really be necessary if Outlook users could view their mail in raw form and examine the mail headers. It's trivial to tell whether or not an email from PayPal is legit. I just look at the headers.

    Of course Outlook users will have a problem with this. It is NOT easy to see mail headers from Outlook, I'm told, although I'm inexperienced with Outlook because I don't use WinBlows except for work related use.

    J
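
As an added illustration of the header check the comment above describes (example code, not the commenter's own), the snippet below parses a constructed message and reports where the Return-Path, the Reply-To and the host that delivered the message to our MX disagree with the From domain. All domains, hosts and IP addresses in the sample are made up.

```python
import email
from email.utils import parseaddr

# Constructed sample (all names, hosts and IPs are made up): From: claims a
# bank, but the bounce address, Reply-To and delivering host point elsewhere.
SAMPLE_RAW = """Return-Path: <bounce@mail-blast.example.net>
Received: from mx.ourmail.example (mx.ourmail.example [192.0.2.10])
\tby inbox.ourmail.example with ESMTP id 1; Tue, 7 Feb 2006 10:00:00 +0000
Received: from web01.mail-blast.example.net (unknown [198.51.100.7])
\tby mx.ourmail.example with ESMTP id 2; Tue, 7 Feb 2006 09:59:58 +0000
From: "Example Bank Security" <security@examplebank.example>
Reply-To: verify@examplebank-auth.example.net
To: somedude@ourmail.example
Subject: Please verify your account

Click here to verify.
"""
# The same message with every header under the bank's own domain.
LEGIT_RAW = (SAMPLE_RAW
             .replace("bounce@mail-blast.example.net", "bounce@examplebank.example")
             .replace("verify@examplebank-auth.example.net", "verify@examplebank.example")
             .replace("web01.mail-blast.example.net", "smtp1.examplebank.example"))

def domain_of(header_value):
    # Domain of the first address in a header value, lower-cased ('' if absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def same_org(host, domain):
    # True when host equals the domain or is a subdomain of it.
    host = host.lower().strip("<>[]")
    return bool(domain) and (host == domain or host.endswith("." + domain))

def header_findings(raw, our_domain):
    # Return human-readable mismatches between From: and the other headers.
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[hdr])
        if dom and not same_org(dom, from_dom):
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # Received: headers are newest first; the first hop outside our own
    # mail system is the host that actually delivered the message to us.
    for rcvd in msg.get_all("Received", []):
        parts = rcvd.split()
        if len(parts) < 2 or parts[0].lower() != "from" or same_org(parts[1], our_domain):
            continue
        if not same_org(parts[1], from_dom):
            findings.append(f"delivering host {parts[1]} is not under {from_dom}")
        break
    return findings
```

Checks like this are a triage aid, not authentication: every Received line below the hop into your own mail system was written by the sender and can be forged.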

  58. *head desk* D'oh by thesnarky1 · · Score: 1
    Sorry, but I'm totally against this idea. Yea, you might get Chase to register, and you might be able to say "Yup, this is from Chase, I If you don't believe me, set up a "bank auditing" web service. Then send out the emails asking for logins. Now, instead of seeing bank auditing and saying, hmm... might be bad, a normal user will say "hmm.. bank auditing, well, AOL says they're good, so I'll trust 'em". Not to mention the fact that unless they're checking the content of the message, one could easily use this to send better "verified" spam. Imagine a request for money "verified" to come from IRS. When you look close you realize that IRS is International Rip-off Scam, but they just registered as IRS.com.

    This... is a bad... idea... If the above doesn't convince you, just think about it for a day or so. If I were a spammer I would quickly set up a "legit" business, and pay per email to get my message out. This *will* help spammers get to more people, and make phishing scams more convincing.

  59. Goodmail and AOL by billstewart · · Score: 1

    You don't actually pay AOL, you pay Goodmail. Goodmail's web site says that they've got very strong policies against spammers and that they respond to complaints, so if you're a spammer, not only do you have to pay them too much money per message for typical spams to be profitable, but they'll bust you if they get too many complaints.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  60. Banks and Credit Cards Should Bait Phishers by billstewart · · Score: 1
    There are too many suckers and too many people who occasionally make mistakes to ban them all.

    But banks and credit card companies should be playing the other side of the game, baiting the phishers.

    • You get a phishing mail and forward it to the bank.
    • The bank clicks on the website and fills in the blanks with a fake account number.
    • When the account gets used, reject the transaction and trace the user.
    • If you find a frequent user that you can trace adequately, bust them.
    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks