Slashdot Mirror

← Back to Stories (view on slashdot.org)

Certified Email Not Here to Reduce Spam

Posted by ryuzaki0 on from the you've-got-spam dept.

An anonymous reader writes "Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam. Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company."

24 of 197 comments (clear)

  1. Thats my motto. by Bill,+Shooter+of+Bul · · Score: 5, Insightful

    Its much easier to succeed, if you never try anything difficult.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  2. As predicted by Anonymous Coward · · Score: 1, Insightful

    As predicted... sell the government one thing and change it in post-production.

  3. Secondary Effects by Kuukai · · Score: 2, Insightful

    Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company

    ...leading to more efficent prevention of phishing, and ultimately... reducing.. spam... D'oh!

    --
    Sendou Wave Kick!!
    1. Re:Secondary Effects by dgatwood · · Score: 4, Insightful
      Only if all of the banks and credit card companies use it, only if it is sufficiently standardized, and only if users are smart enough to notice that the message isn't "verified".

      The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php isn't a valid BOA website. If they can't figure that out, why do you think this will be any different?

      *sigh*

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Secondary Effects by slashname3 · · Score: 2, Insightful

      Actually none of the ISPs have any interest in reducing spam. They make to much money off of the spam operators and the sites that host the products provided by the spammers. Taking actual measures to reduce spam would cost the ISPs to much money.

      Instead, they want to make money from legimate companies that want to get their messages to end users. This is a win win for the ISPs, but does nothing for end users.

      As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective. Second way is to go after the idiots that actually buy stuff from spammers. This should be relatively easy. Send out spam and when the idiots bite you get their IP addresses and their names and probably their credit card info. Then send the police around to their homes to confiscate their computers, cancel their ISP connections, and ban them from using computers or the Internet forever. It will take about a year or two to track all the idiots down, but once the flow of money has been stopped the spam will stop.

  4. Won't help a bit by Opportunist · · Score: 5, Insightful

    Remember the paper from Harward dealing with phishing and why it works?

    People don't even notice security features. They don't notice HTTPS, they don't notice certificates, they don't even notice bogus URLs. Why should they notice a "verified" mail (or lack of this verification)?

    And those who do already know how to deal with phishing mails, they are already capable of discriminating between fraudulent and legit mails.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Won't help a bit by teutonic_leech · · Score: 2, Insightful

      This is a big waste of time and will easily be circumvented by spammers/fishers by 'faking' to be an authorized message. They'll just make it look very similar and the average senior citizen will happily give their personal data away.
      May I point out that by combating spam one would 'implicitly' combat messages from data fishers? ;-)

    2. Re:Won't help a bit by MindStalker · · Score: 2, Insightful

      Yea a rootkit could just interupt your going to a website like your bank and display false SSL info even. There is really nothing a rootkit can't do, why would you use it to interupt emails.

    3. Re:Won't help a bit by ArsenneLupin · · Score: 2, Insightful
      Faked signatures won't work

      So instead of faking the signatures, you fake the most-used mail client's "signature-verified" icon instead.

      True, a faked icon will appear in the mail rather than in the GUI's "chrome", as it should, but the problem is that most non-technical users don't notice such "subtle" distinctions.

  5. Money by Dorion+caun+Morgul · · Score: 4, Insightful

    It's all about money. I just can't wait until I get to pay 33 cents to send my Parents an email.

  6. In other words, we'll still get spam by GrumblyStuff · · Score: 5, Insightful

    So this is just a paid for whitelist?

    Hello, McFly?! If I'm expecting emails from my bank, I'll be putting them on my safelist anyway! Them and everyone in contacts, emails for forum notifications, newsletters that I want.

    This doesn't seem to be doing anything other than making money for someone else.

  7. Oh Really! by protich · · Score: 2, Insightful

    Nothing to see here...we already knew it.

  8. Certified delivery of spam by kitzilla · · Score: 4, Insightful

    In other words, CertifiedMail is here to certify the delivery of spam by the "important" spammers who have the resources to pay for it.

    --
    This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
  9. There Will Be Spam by Gamzarme · · Score: 3, Insightful

    Oh yes, there will be spam..it seems to be here to stay.
    Just like every other problem the 'bad guys' face when exploiting the rest of the population, they will find away around this too.

    The news will be that if this practice does go into wide usage, spammers will turn toward draining large, anonymous bank accounts to fund their e-mail influxes.
    This 'tax' will only create more problems than necessary.

    My advice: leave what isn't broken alone and if you do have problems, then I suggest you install a good e-mail filter to pick out the spam that does get through.

    --
    Pat
  10. Nothing to see here. by rholliday · · Score: 2, Insightful

    We all knew this wouldn't reduce spam. This is just a launching point for email blackmail, along the lines of BellSouth's bandwidth threats. The legal people at AOL are just trying to cover their butts so people don't have a leg to stand on when they complain that they don't get less spam. Totally stupid program.

    --
    Xbox reviews.. We think they're funny.
  11. We've heard this before... by CFrankBernard · · Score: 2, Insightful

    Not meant to reduce spam but to verify sender...SPF/Sender-ID/DomainKeys anyone?

  12. Can't we already do this... by dteichman2 · · Score: 2, Insightful

    Is this just going to be RSA message-signing in a shiny package?

    --


    Silence is golden... and duct tape is silver.
  13. Re:Also by wish+bot · · Score: 2, Insightful
    However, I wouldn't want to be getting email from my credit card company or bank, and I certainly don't want to encourage them to start sending important info by email.

    Besides the obvious problem of everything being intercepted by NSA+AT&T in the first place, it will only make it more difficult to tell phishing from the real thing, mainly because you'll be expecting it to be trustworthy. Old phishing techniques may have used mass mailings which could be blocked by spam filters, but that's not necessarily the case any more.

    --
    lemonade was a popular drink and it still is
  14. broken way to fix phishing too by Anonymous Coward · · Score: 3, Insightful

    say you're the bank of america, and you send your "transactional" mail with this GoodMail thing turned on and the little flag set. what about your other emails that you don't pay for? if any of your mail is sent uncertified, then phishers can just impersonate that "oh this is just one of those uncertified emails we the bank of america send you occasionally - click here to see our latest offers (requires SSN)".

    so suddenly you have to pay for _all_ your mail just to maintain your credibility. and then what if you cross the spam-complaint level goodmail sets accidentally and they throw you off their system (as they are contractually obliged to do)? does that mean that nobody will ever trust your mails again? do you get to send out one last certified mail saying "okay from now on pay no attention to that little flag?"

    it seems a really bad idea for a big company to place their credentials in trust with a third party and then let them charge them for every mail they send

  15. I'll sort my own mail, thank you... by Ossifer · · Score: 2, Insightful

    I already sort my incoming email, by many categories. What purpose is there to having two classifications: "important" and "other"?

  16. uh, GPG by Anonymous Coward · · Score: 2, Insightful

    uh, isn't this what PGP/GPG are for?

  17. Re:It's not so easy anymore. by Ravatar · · Score: 2, Insightful

    Because it's just a matter of time until the non-certified mail messages are almost discernible from the certified ones, and you eventually end up having the exact same problem you have now.

  18. Re:We already have a better way to do this by collinl · · Score: 2, Insightful

    What about when you want to add or delete accounts to your on-line banking
    What happens when you lose you private key, and can't decrypt those important messages about your accounts and the cotracts for service (banking, deposit holding, interest etc are all contracted servies)? And then a tax audit, bankruptcy, or civil suit that requires legal discovery?

    Without evidence to defend yourself, life is sooooo much mre difficult.
    These sorts of reasons are why PGP, gpg and S/MIME never work in corporate environments - the problems are worse than the benefits.

    Lyal

  19. Of course it's not... Just like SPF. by Tetard · · Score: 2, Insightful

    It's not meant to limit SPAM (unless your idea of email, as some want it to become,
    is a communication medium where you only accept people you "trust" and reject the
    others). It's meant to protecte trademarks, and push responsibility away from the
    sender (i.e.: "you should have checked who the mail came from, ours are signed).
    Yahoo, and of course banks and other institutions who want to defend their
    credentials love SPF and similar systems. They don't care about SPAM, they just
    don't want to get blamed by customers and their insurers for phishing mails and
    the like.