Certified Email Not Here to Reduce Spam

An anonymous reader writes "Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam. Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company."

Also

[MankyD]

Perhaps also to work as an effective, if limited, white list. Not only will it tell you what emails are "important" but it would certainly be an easy to way to keep a small-sized good-guy mailing list.

Re:Also

[mnmn]

Been there. Tried it for 50-odd users. Impossible.

Re:Also

[wish+bot]

However, I wouldn't want to be getting email from my credit card company or bank, and I certainly don't want to encourage them to start sending important info by email.

Besides the obvious problem of everything being intercepted by NSA+AT&T in the first place, it will only make it more difficult to tell phishing from the real thing, mainly because you'll be expecting it to be trustworthy. Old phishing techniques may have used mass mailings which could be blocked by spam filters, but that's not necessarily the case any more.

Re:Also

[tsm_sf]

Maybe we need an anti-phishing motto along the lines of publishing's "money flows towards the writer" (aka Yog's Law). Something like "you travel to the bank, the bank doesn't travel to you" to discourage unsuspecting email link clickers.

Re:Also

[stunt_penguin]

That's as succinct a way as I've seen anyone put advice on phishing, I'll file that one away for the next time I'm lecturing someone on spam, viruses and phishing :o]

Another way of explaining it person-to-person would be to ask them if they got a phonecall on their mobile phone by someone saying they were from their bank, would they actually give out their detiails? Sure as hell they wouldn't.

Thats my motto.

[Bill,+Shooter+of+Bul]

Its much easier to succeed, if you never try anything difficult.

Secondary Effects

[Kuukai]

Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company

...leading to more efficent prevention of phishing, and ultimately... reducing.. spam... D'oh!

Re:Secondary Effects

[dgatwood]

Only if all of the banks and credit card companies use it, only if it is sufficiently standardized, and only if users are smart enough to notice that the message isn't "verified".

The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php isn't a valid BOA website. If they can't figure that out, why do you think this will be any different?

*sigh*

Re:Secondary Effects

[Tackhead]

> Only if all of the banks and credit card companies use it, only if it is sufficiently standardized, and only if users are smart enough to notice that the message isn't "verified".
>
> The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php isn't a valid BOA website. If they can't figure that out, why do you think this will be any different?

Exactly. This email is (img src=http://myphishingsite.com/yourbank/verified.gi f)Verified!(/img).

And if you require any sort of verification that's stronger than a .gif, well, it's going to involve the email client executing something with the form of (script language = "exploit.js")

And if you go to two-factor authentication (like Bank of America did with "Sitekey"), you'll just further inconvenience the users on secure systems.

My box: lives behind NAT, and my web browser drops cookies after every session. User experience? Go to bank site, enter ID/pass. Because the cookie no longer exists, it doesn't "recognize" my box. So I have to enter a challenge question (one of 3 variations of "What's your mother's middle name", which means I have to remember three more passwords), and then enter my regular password a second time. I know I'm not being phished, because I see my "SiteKey" challenge image - but if I had been phished, I'd have already given up the keys to the kingdom.

Some Insecure Luser's Box: Is already compromised and is running any one of a zillion keyloggers. Cookie is present, so luser is prompted only for ID, not ID/pass. Luser enters ID, which is picked up by keylogger. Luser is shown their "SiteKey" challenge image - but the author of the keylogger doesn't give a rat's ass if it's correct or not. He logs the password. Luser is pwn3d.

The weakest link in this case isn't the end user, so much as it's the dumbfuck management at BofA who got sold a gallon of snake oil

Re:Secondary Effects

[slashname3]

Actually none of the ISPs have any interest in reducing spam. They make to much money off of the spam operators and the sites that host the products provided by the spammers. Taking actual measures to reduce spam would cost the ISPs to much money.

Instead, they want to make money from legimate companies that want to get their messages to end users. This is a win win for the ISPs, but does nothing for end users.

As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective. Second way is to go after the idiots that actually buy stuff from spammers. This should be relatively easy. Send out spam and when the idiots bite you get their IP addresses and their names and probably their credit card info. Then send the police around to their homes to confiscate their computers, cancel their ISP connections, and ban them from using computers or the Internet forever. It will take about a year or two to track all the idiots down, but once the flow of money has been stopped the spam will stop.

Re:Secondary Effects

[xsarpedonx]

There are some users who might not notice that, but some aren't s obviously bad as that. What if they used http://bankofamerica.secure.com/ , do you expect everyone to realize that there is a huge difference between http://secure.bankofamerica.com/ and http://bankofamerica.secure.com/ ?

Re:Secondary Effects

[brass1]

Actually none of the ISPs have any interest in reducing spam. They make to much money off of the spam operators and the sites that host the products provided by the spammers. Taking actual measures to reduce spam would cost the ISPs to much money.

Spammers steal to advertise a "product." They steal resources from anyone they need to advertise their product. You don't suppose these people run the other parts of the their business the same way? Legitimate IPSs don't enjoy hosting spammers in any fashion. This is why nearly all spamming done using cracked botnet zombies (baring a sizable chunk of mainsleaze spam). A quick check of the spam in my Junk folder indicates that most spammers host their websites on non-US systems, or are broken. On a nearly weekly basis I watch a small shared webhosting provider get hosed when his spamming customer lies to him, then screws him out of payment when the webhoster's provider gets involved. The vast majority of the ISPs in the civilized universe want spammers to loose IP connectivity. The largest of sites spend *millions* blocking spam both inbound and outbound.

Instead, they want to make money from legimate companies that want to get their messages to end users. This is a win win for the ISPs, but does nothing for end users.

It's a win for the users as well. The AOL mail client will be able to tell the user that the mail they're reading is indeed from Bank of America, and that other piece of mail is not from BoA. If AOL and Yahoo! know that BoA's mail all has goodmail tokens, and BoA mail shows up that doesn't have mail, it must therefore be a phish (seriously, go look at Goodmail's website complete with the AOL mail client screen shots). AOL's goodmail implementation is ONLY for transctional mail. That was the basis of Gingras' statement.

The handwaving about AOL charging to deliver mail is, of course, interesting. One would think that AOL is going to make out like bandits on all of the spam they'll be delivering now. That's simply not the case. The goodmail system is designed to support itself, not AOL or Yahoo!. Goodmail will be charging enough to keep themselves in business and keep the accreditation program working. I somehow doubt there's much left in the cost structure to kickback to AOL in any amount they can measure.

As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective.

Is the strategy ineffective or is our execution of the strategy ineffective? We have weak anti-spam laws that do more to enable the practice than to actually put a stop to it. We have standards bodies that can't come up with effective reputation and sender authorization systems, leaving ISPs to invent their own solution (see goodmail). We have transit providers who don't have the guts to de-peer a rouge network who won't clean up what they're transiting.

Second way is to go after the idiots that actually buy stuff from spammers.

Wow. You don't actually think people *buy* real stuff from spammers? And that the spammers are really selling the stuff they're advertising? Ok, maybe the pharma spammers, but the rest of them? Not so much. These people are theves. They steal for a living.

Going back a week in my Junk box, I see pharma spam, penis pill spam, p0rn spam, mortgage spam, 419 spam, and pump-n-dump spam. Exactly what products are being sold in the spam I've gotten in the last week? Of the things in my list that even sound like products (drugs, penis pills, p0rn, and mortgages) none of those are products that need to be sold by cost shifted advertising. If you have to resort to these tactics to see these products, there's something wrong with the products. That's assuming

CAKE!

[Omnifarious]

CAKE

But, I've not had much time to work on it since I've been employed. :-( And it's a much nicer, decentralized solution to this problem that has potentially much less weight and wider applicability than PGP.

Won't help a bit

[Opportunist]

Remember the paper from Harward dealing with phishing and why it works?

People don't even notice security features. They don't notice HTTPS, they don't notice certificates, they don't even notice bogus URLs. Why should they notice a "verified" mail (or lack of this verification)?

And those who do already know how to deal with phishing mails, they are already capable of discriminating between fraudulent and legit mails.

Re:Won't help a bit

[teutonic_leech]

This is a big waste of time and will easily be circumvented by spammers/fishers by 'faking' to be an authorized message. They'll just make it look very similar and the average senior citizen will happily give their personal data away.
May I point out that by combating spam one would 'implicitly' combat messages from data fishers? ;-)

Re:Won't help a bit

[NoMercy]

With things like SPF at least, if someone recieves an email which comes from an un-authorised source, and my DNS records say that all my emails come from authorised sources, the email should get bounced before the user even sees it.

Though, I'll admit dispite having a SPF record in my DNS records, I don't have any filters setup on my email server to bounce unwanted emails, but hopfully if one scheme takes off over the others, it'll become included in the examples and default configuration options of many email servers.

Re:Won't help a bit

[MindStalker]

Yea a rootkit could just interupt your going to a website like your bank and display false SSL info even. There is really nothing a rootkit can't do, why would you use it to interupt emails.

Re:Won't help a bit

[ArsenneLupin]

Faked signatures won't work

So instead of faking the signatures, you fake the most-used mail client's "signature-verified" icon instead.

True, a faked icon will appear in the mail rather than in the GUI's "chrome", as it should, but the problem is that most non-technical users don't notice such "subtle" distinctions.

Money

[Dorion+caun+Morgul]

It's all about money. I just can't wait until I get to pay 33 cents to send my Parents an email.

In other words, we'll still get spam

[GrumblyStuff]

So this is just a paid for whitelist?

Hello, McFly?! If I'm expecting emails from my bank, I'll be putting them on my safelist anyway! Them and everyone in contacts, emails for forum notifications, newsletters that I want.

This doesn't seem to be doing anything other than making money for someone else.

Blue Frog

[Spy+der+Mann]

Why not joining bluesecurity.com and report SPAM automatically? At 370K members, it's guaranteed to slow down the spammer's website (spam victims' slashdotting!) until they opt-out the complainers out of their lists.

They got even a Firefox extension for reporting spam with Yahoo, Hotmail and GMail.

Oh Really!

[protich]

Nothing to see here...we already knew it.

Certified delivery of spam

[kitzilla]

In other words, CertifiedMail is here to certify the delivery of spam by the "important" spammers who have the resources to pay for it.

There Will Be Spam

[Gamzarme]

Oh yes, there will be spam..it seems to be here to stay.
Just like every other problem the 'bad guys' face when exploiting the rest of the population, they will find away around this too.

The news will be that if this practice does go into wide usage, spammers will turn toward draining large, anonymous bank accounts to fund their e-mail influxes.
This 'tax' will only create more problems than necessary.

My advice: leave what isn't broken alone and if you do have problems, then I suggest you install a good e-mail filter to pick out the spam that does get through.

My bank ?....

[i.r.id10t]

My bank or CC company, or just *any* bank/cc company ?

Nothing to see here.

[rholliday]

We all knew this wouldn't reduce spam. This is just a launching point for email blackmail, along the lines of BellSouth's bandwidth threats. The legal people at AOL are just trying to cover their butts so people don't have a leg to stand on when they complain that they don't get less spam. Totally stupid program.

Anyone detect hypocrisy?

[suv4x4]

Goodmail's service is built around one single idea: easy to pitch to CEO's of large mail providers.

The providers get paid, and they get a good excuse for charging those fees. End of story.

If Goodmail's intentions were genuine, they wouldn't charge the "businesses" for every separate mail provider, but create globally valid certificates and then discuss with mail providers of accepting them.

However who would care to accept the certificates if he doesn't get the dough (the fees)? So there, we arrive at what Goodmail did.

Can you imagine paying up completely independently to every single ISP in the world so it can accept your SSL certificate? Yea, it's THAT bad...

We've heard this before...

[CFrankBernard]

Not meant to reduce spam but to verify sender...SPF/Sender-ID/DomainKeys anyone?

Re:Users won't know that

[wile_e_wonka]

It won't take long to realize that in reality anything WITH a symbol is spam. This will be even more true than it initially seems, I think. See, I highly doubt Chase wants to pay money to send me a plain text notice that my CC statement is available online. So I am imagining that when a company asks for an email address to send estatements or notices, a lot of them will reject AOL or Yahoo and request a different email address.

If many companies do this, then the only "certified" mail in the box really will be spam. And then I really will know--little blue ribbon=spam.

Phew, I thought I wasn't going to be able to tell it apart from my legitimate mail!

Can't login

It appears that site you posted, http://666.43.123.666/bankofamerica/mylogin.php, has already been slashdotted. Anyone know a mirror where I can login to my account?

Re:Can't login

[deep44]

I usually hop on one of the bankofamerica.com.geocities.com mirrors, but they also seem to be down right now (or somebody forgot to pay their hosting bill). When this has happened in the past, I usually just open my windows and start shouting my SSN and major credit card numbers until somebody steals my identity.

"Certified"

[oGMo]

Certified, v.tr.
4. To declare to be in need of psychiatric treatment or confinement.

Yeah someone's certifiable here.

Yeah, this is what we've been saying all along

[wile_e_wonka]

This really isn't news. This is just an acknowledgment of the deceit behind their earlier statements. They did a real crappy job of deceit though, as everyone saw this as something that wouldn't block spam. Instead I'll have spam with little blue ribbons that was paid for. And then I'll have spam that I can't tell apart from my normal mail because it wasn't paid for, but it made it through the spam filter (except really we all cann t311 1t apart fr0m 0ur normal mail for the 0b>i0us reasons).

Trust but verify. That it's crap.

[DysenteryInTheRanks]

The only real solution to stop from being misled by online con artists is to examine each link in a chain of Internet communication to ensure it is from a trustworthy, reliable source.

Email address, Web URL, refering party -- each should be bulletproof BEFORE you extend your trust. Otherwise, you might get scammed.

Take this article. We know it's reliable and trustworthy. How?

Well it was submitted by "anonymous reader," who has posted many a fine gem on this here site.

Then it was filtered by an "editor" named "ScuttleMonkey." How can you not trust a monkey? Monkeys rock!

Then, when you click on the link, you see you have been taken to "Spam Daily News," a bastion of journalistic integrity that makes the New York Times look like the New York Times before Judy Miller got fired.

Finally, the whole thing originated from a little place we like to call "Slashdot." I think the quality of this brand needs no elaboration.

So as you can see, it is not hard to recognize a secure, reliable, not-at-all-misleading-or-shady chain of Internet links. Happy surfing!

Can't we already do this...

[dteichman2]

Is this just going to be RSA message-signing in a shiny package?

Re:As predicted

[Kelson]

Are you kidding? This is what they've been saying all along. The media frenzy has been... inconsistent with what AOL, Goodmail, and Yahoo! have actually been saying in their press releases.

Of course, AOL wasn't terribly consistent even with themselves early on, but if you think Goodmail billed this as an anti-spam solution, you've clearly only been paying cursory attention to the story.

They presented to my organization

[StanSmith]

I spent an hour beating them up on a number of issues, much to the embarrassment of my 'far too ready to sign anything' CTO.

Their VP kept harping on how "it will tell users they can trust your mail". My point that the real challenge was getting users NOT to trust things was not well received, to say the least. I also mercilessly attacked their constant assertion that their widget is "unspoofable", on the simple grounds that a similar widget in a similar location would be sufficient to fool many users.

My CTO has been asking me when we're going to implement Goodmail ever since. Khaaan!

Not to curb spam? Then this is BS

[moochfish]

Wait. I don't get it. If the purpose is to ensure the sender really IS the sender, why do I have to pay up again?? If I'm the BankofSlashdot and I send emails to my customers from the email accountdetails@bankofslashdot.org, why is it they can't just add me to a registered senders list with my server's IP recorded? Why's that suddenly cost money?

If the purpose isn't to reduce spam, what does this new pay-for-being-recognized service offer that current ISPs don't already? Most ISPs will begin taking actions against your spam if you start spamming without contacting them anyway, and you are looking at legal trouble if you spam with forged headers or people who have opted out. Through whitelists and regulations, the framework is already in place for the legit spammers to spam. AOL already has whitelists. AOL already negotiates and limits email volume with mass email marketers. AOL already uses blacklists. And this whole thing isn't even mandatory!

So I'm really not sure what this pay system is supposed to do except earn AOL an extra dime at no added cost.

broken way to fix phishing too

say you're the bank of america, and you send your "transactional" mail with this GoodMail thing turned on and the little flag set. what about your other emails that you don't pay for? if any of your mail is sent uncertified, then phishers can just impersonate that "oh this is just one of those uncertified emails we the bank of america send you occasionally - click here to see our latest offers (requires SSN)".

so suddenly you have to pay for _all_ your mail just to maintain your credibility. and then what if you cross the spam-complaint level goodmail sets accidentally and they throw you off their system (as they are contractually obliged to do)? does that mean that nobody will ever trust your mails again? do you get to send out one last certified mail saying "okay from now on pay no attention to that little flag?"

it seems a really bad idea for a big company to place their credentials in trust with a third party and then let them charge them for every mail they send

I'll sort my own mail, thank you...

[Ossifer]

I already sort my incoming email, by many categories. What purpose is there to having two classifications: "important" and "other"?

So it is to stop phising

[fermion]

If it is about the verfing the sender, then it is a nobel goal. Even though banks do not do the sort of stupid things they used to do, the ability to spoff the URL location bar and universal font sets still allow the motivated phisher to fool the unwary customer.

So there is clearly a need for someone to help the average user discriminate between legitimate and nefarious email. The need could result in a significant market opportunity if an ISP developed appropriate technology and backed up the technology with a meaningful guarantee. People will pay for security, even shallow security.

I also believe this will reduce email that maight be strictly catagorized as spam. Not the broad definition of unsolicited email that has resulting in no meaningful agreement on how to deal with the problem, but email that has a misleading subject, spoofed headers, clearly obtuse text content meant to disguise the HTML rendered message, and links to shady websites. If the ISP allowed users to set up a list of safe addresses, provided the level of protection that the USPS service does for unsolicited mail, and provided a good customer crisis line, that would provide a big competitive advantage. If, however it is just charging spamers for email while the user dangles on the vine, that it is quite useless.

The USPS was suppsoed to do that!

[netringer]

The US Postal Service demoed just such a thing many, many years ago. They had an email encryption and delivery service to verify that the message was not altered. I suppose the problem in certifying the sender and receiver and proving delivery (to a person - not a mail spool) were technical issues they couldn't handle.

The difference of the USPS vs. Goodmail is that the USPS has official legal authority for such thing as mail tampering and proof of delivery.

I suppose if they were to offer the service now, Goodmail would buy a law to prohibit to USPS from competing against a private business as Sen. Santorum is trying to do with the weather service.

uh, GPG

uh, isn't this what PGP/GPG are for?

Pretty damn sure.

[khasim]

The unsubscribe link did go to chase.com and I confirmed that that site does belong to Chase.

The email is being send from "bigfootinteractive.com".

I use the raw ASCII message to get the link and when I past it in the browser, I get that reject message.

So, we have more examples of the bank making phishing EASIER by going through a 3rd party and linking chase.com to that 3rd parties email.

It's funny that Chase includes this bit on their email.

The Chase OnlineSM services mentioned above can be accessed through our site directly. The links here are included for your convenience. If you are suspicious of an e-mail, please feel free to use the URL that appears on the back of your credit card, or type chase.com directly into your browser.

Again, all the links go to chase.com and I've verified that in the raw ASCII text of the message, but the response emails come from bigfootinteractive.com......

Seriously, how easy does Chase want to make a phisher's life?

Hey, Chase! Use your own fucking email servers you morons!

If you're still wondering, let me know and I can post their response email for you to check yourself. I've replaced my domain with "DomainReplaced.com" and fucked up the id string, but other than that it is pure.

We already have a better way to do this

[NightHwk1]

GnuPG / PGP signing, with peer-based levels of trust. Or even better: get the public key direct from your bank when you first log in to your account. Added bonus, you have the option of turning on encrypted email.

This might bring up the question of encrypted spam, but your keyring would act as a whitelist. If some random person sent you an encrypted or signed message, then you would be presented with a message asking if it should be accepted.

All we need is a simplified way to do this for the general public. Too bad Thunderbird doesn't come with Enigmail preinstalled. We'd probably need something else for webmail. (FF extension?)

Re:We already have a better way to do this

[collinl]

What about when you want to add or delete accounts to your on-line banking
What happens when you lose you private key, and can't decrypt those important messages about your accounts and the cotracts for service (banking, deposit holding, interest etc are all contracted servies)? And then a tax audit, bankruptcy, or civil suit that requires legal discovery?

Without evidence to defend yourself, life is sooooo much mre difficult.
These sorts of reasons are why PGP, gpg and S/MIME never work in corporate environments - the problems are worse than the benefits.

Lyal

Why can't personal certificates do this?

[AusChucky]

Can I ask what happened to using Personal certificates?? Why, when we use SSL certificates to verify that a website we are visting is actually the true company, can't we use personal certificates to verify that the email we are reciving is actually from the company?? Surely they could configure their mail servers to filter out email on this basis without requiring a 3rd part solution that makes you pay for it. Hate to state the obvious but this is just the big companies way to getting their hands in on a great free thing that the internet provides

Try this one...

[mattmacf]

Give http://127.0.0.1/bankofamerica/mylogin.php a shot. From what I gather, it uses a super-secret unbreakable open source, ROT26, GNU/Linux, AES, one-time pad, AJAX, NSA, quantum encryption mechanism that guarantees your identity will never be stolen.

Functionality may be limited.

Blue Frog "algorithm"

[Spy+der+Mann]

Automatically? Surely if there existed a way of reporting spam automatically, then it would be trivial to apply the same technique to filter out spam automatically.

Pardon me. It's not automatic in the recognition algorithm, but it's much faster than having to do a whois and then reporting to the ISP for each SPAM that gets to your inbox.

Let me describe the Blue Frog algorithm.

Suppose your e-mail is somedude@myinbox.com . When you set up a blue frog account, you get a "honeypot" address like somedude@report.bluecommunity.com. The reports are analyzed (by whom or what, I don't know) and then your bluefrog software receives a request to report at the spammers' website asking for opt-out (the opt-out just tells the spammer how to download the "do not intrude" registry, it doesn't give out any e-mails).

The point is that this software actually gives an incentive (html form "SPAM") to spammers to stop sending e-mail to your account.

What I do is sending the SPAM that gets into my junk mail folder at the honeypot account. So, filtering is necessary as a first step, but after a while, you don't have to filter the junk mails, because they don't get to your e-mail in the first place. In my case, I use the firefox extension to send my Yahoo! junk-mail to report the SPAM to blue frog.

Then I just let my blue frog software do the dirty work.

Re:It's not so easy anymore.

[Ravatar]

Because it's just a matter of time until the non-certified mail messages are almost discernible from the certified ones, and you eventually end up having the exact same problem you have now.

We're not trying for anything

[SeaFox]

Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam.

Of course not, that way when it does not reduce spam, they can't say CertaifiedMail was a failure.

*****
  This article advocates a
 
( ) technical ( ) legislative (x) market-based ( ) vigilante
 
approach to fighting spam. Your idea will not work. Here is why it won't work.
(One or more of the following may apply to your particular idea, and it may
have other flaws which used to vary from state to state before a bad federal
law was passed.)
 
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential
employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
 
Specifically, your plan fails to account for
 
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
 
and the following philosophical objections may also apply:
 
(x) Ideas similar to yours are easy to come up with, yet none have ever been
shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
 
Furthermore, this is what I think about you:
 
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.

Of course it's not... Just like SPF.

[Tetard]

It's not meant to limit SPAM (unless your idea of email, as some want it to become,
is a communication medium where you only accept people you "trust" and reject the
others). It's meant to protecte trademarks, and push responsibility away from the
sender (i.e.: "you should have checked who the mail came from, ours are signed).
Yahoo, and of course banks and other institutions who want to defend their
credentials love SPF and similar systems. They don't care about SPAM, they just
don't want to get blamed by customers and their insurers for phishing mails and
the like.