'Leak-Proof' Anti-Spam Solution?
sikandril asks: "In an effort to help the Internet community and user-base at large in fighting spam, I have decided to put up this white paper for public review and remarks. As you will see, the system provides an almost 'waterproof' solution to spam blockage via an opt-in system. The main drawback is that everyone (except spammers or other evildoers) has to have this installed in order for it to work perfectly. A small number of installs means that unknown legit contacts still might show up as spam, albeit only for the first e-mail and/or until they too elect to install the software. I'm an independent developer located in Israel, and would love to hear your ideas regarding this."
From TFA: "In an effort to help the internet community..."
Bollocks, this is an attempt to get investors. What's the patent number?
Am I a cynic? Hell yeah!
This article advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work.
(One or more of the following may apply to your particular idea, and it may
have other flaws which used to vary from state to state before a bad federal
law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
liqbase
Won't work, because everyone has to change.
Naaah, the only way to stop it is to make it sufficiently unattractive to spam. Like by nailing their balls to the wall. And, most importantly, doing the same to the people who have their products spamvertised.
Was just about to post this form - thanks for saving me the work.
According to the article, this system is completely unbreakable! Unless, of course, the spammers decide to do things that are against the law.
Heck, since we know that all spammers are good, law-abiding citizens, why don't we just pass laws against the spam, instead of trying to convince everybody in the world to use the same mail client?
This signature carefully hand-crafted from recycled electrons.
I don't understand people who buy products marketed by spam.
Are they crazy?
Oh, yeah, I got a 1/16 inch increase of my p***s with the magical pills, or did I put the ruler at the same place as the last time?
This idea has been used before, I know sometimes when I email folks I have to jump through a load of hoops for it to actually get received by them.
Mailing lists are a nightmare too, as would be getting any kind of automated response (invoices from online shopping etc) through.
R.
Would-be spam fighter posts email address on public internet, gets linked to by /.
Oops!
You are not the customer.
EVERYONE has to change to a NEW SOFTWARE/PROTOCOL and trust a CENTRAL SERVER controlled by a CENTRAL AUTHORITY and spammers have to STOP USING FAKE DATA and STOP USING BOTNETS (and probably all of us have to LICENSE THIS TECHNOLOGY).
I clearly see this could work - NOT.
"Store on server" email. When an email is sent, only the sender information, subject, and location of the full email would be sent. When this header hits the recipient's mailbox, it is checked against a whitelist, and if it's there the email is downloaded (from the location given) immediately. It is then checked against a blacklist, and if it appears there it is deleted without confirmation.
If it isn't on either list, the originating server has to wait for approval by the recipient before the complete email is sent. This would ensure four things: the recipient expresses interest based on the subject and who it's from, the incoming mail server is not spam flooded by thousands of huge emails at once, the sender gives a valid location for the completed email, and the server is still accessible when the recipient asks for it. This prevents bogus return addresses (since there would be no way to see if a response was received) and IP hopping to keep ahead of spam blockers. It would also move much of the network burden from spam from people who receive emails to the people who send them.
From the article:
"6. Sixth, the system provides additional security and control over computer viruses which spread by e-mail - Client (1)'s connection with Server (2) is much harder to hack into than simply taking control of a regular e-mail client. Large and suspect amounts of key (4) requests from suspect client (1) can simply be blocked at the server level."
Who said anything about hacking "the connection"? Once we have everybody using the same client, I am sure it is only a matter of time before somebody finds a vulnerability in it, and crafts a virus / trojan to take control of it. And you *know* that people will open it up. "It came completely verified from somebody on my whitelist! It can't be faked or a virus!"
So Mom gets infected. It sends to everybody on her list. Because it was verified, it gets through to all of them, and they open it. Then to all of their friends. And so forth and so on. Not enough key requests from any one client to result in a block at the server level, and impossible to get ahead of it without blocking a significant portion of your userbase.
Congratulations. You've reinvented Outlook, and given people a better reason to click on that attachment and perpetuate it.
This signature carefully hand-crafted from recycled electrons.
Blah... to accomplish a truly leak-free system, use two mail accounts: a public spam account (use Gmail), where users request access to your real mail address, and the true account, which you could host elsewhere but which only allows mail if the sender address is listed on a whitelist manually generated from the requests.
Most spam will be caught by Google's filter; other stuff you can just label away. You should still see all valid mail access requests even if some spam gets through.
If you get spam to the primary mail, it gets automatically deleted, because the sender or recipient is unknown.
This works, unless you receive mail from a gazillion random people every day.
There are no atheists when recovering from tape backup.
The proposed solution relies on a centralized authority producing new keys for each person periodically, which is a recipe for disaster if a billion users sign up for it.
... but this probably wouldn't work because it seems to be a hassle for the people who would use it, from your white paper:
"The defining characteristic of the client above (1) is that it does not allow placing of a large number of e-mail addresses in the to: cc: or bcc: sections (does not allow sending of the same message to more than e.g. 50 recipients) unless each one of the recipients has expressly given his authorization to the sender to be included in such a multiple e-mail distribution list/mass emailing from that sender."
I run a mailing list for a society that I am the chairman of, at the moment we are fairly small and as such it wouldn't matter if I sent the weekly newsletter to all members under your system (being less than 50 of them). Next year we will be expanding through a more intensive marketing campaign and better organisation. Let us suppose that we get 49 members, I can happily send this out to everyone on the list and we are all happy. One week later another member joins and we now have 50 so I would have to send out 50 e-mails individually asking people to go somewhere, download something and accept to have e-mails from me when I am sending them out to everyone (they wouldn't do this... hell, getting them to turn up to a meeting is hard enough)... it seems a hassle. I would rather take my chances with maybe occasionally getting an e-mail which I can delete because it is obviously spam than have some of my legitimate e-mails being blocked or what have you. (if the cut off point is 50 or below and 51 or above move the numbers up to account for it)
*''I can't believe it's not a hyperlink.''
Seems like I would use my "mail" command. Unacceptable!
http://www.amazon.com/gp/product/B000FBTLZ4/qid=1145745767/sr=1-23/ref=sr_1_23/103-6532887-6437405?_encoding=UTF8&n=3760931&s=hpc&v=glance
Now THOSE are leak proof!
So, let's see, it's a glorified white-list relying on a central server and a dedicated email client. Ignoring the fact that we already have white lists (they don't work) and that a dedicated email client is a silly idea (you still have to cater for everyone who doesn't want to use it (e.g. spammers), so it's useless), how exactly do you imagine that central server thing working? Specifically, what happens if the server goes down? Email stops working? Or does your anti-spam system stop working? I bet it's the latter. It better not be the former!
Oh well.
The one good thing about your system then would be that the time and duration of the DDOS attacks against your server will give interesting statistics about when spammers like to send their crap out.
I don't know if there is a solution to spam, but this isn't it. (It just occurred to me that finding a solution to spam is NP. I need to get out more.)
However, I feel your efforts would stop more spam if you were to acquire some AK-47s and hunt spammers. Make a documentary about it and upload it to video.google.com to spread fear, uncertainty and doubt into future would-be spammers.
Kathleen Fent recommends these
Would you go out to sea in an almost waterproof boat?
Would you drink coffee from an almost waterproof cup?
The only way to prevent spam without completely reconstructing the email system is to use disposable email addresses.
Give a different email address to every person that wants to be able to contact you. If one address gets compromised, disable it. Good email servers even have support for creating aliases using the + sign. (User+code@example.com will be sent to User@example.com). What is missing is an email client that automatically generates and tracks codes for each person you know.
The above method only works with personal email. Since public email addresses can't be revoked every time a spam bot picks them up it becomes a little more difficult. One way to reduce spam on these kind of addresses is to time limit them so the address is valid for a limited time only.
The advantage with the method I have described is that it is a technical solution that doesn't need redesigning of email on a global scale. The biggest problem is that it isn't possible to give an email address to someone when you don't have access to the email client. This could of course be solved by pregenerating a bunch of addresses that can be printed out and kept on a piece of paper.
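The per-contact code tracking that the comment above says is missing from mail clients, sketched as an added Python example (not code from the commenter or from any mail client). The `AliasBook` class, its method names and the sample addresses are hypothetical; the `+` alias convention and the revoke and time-limit behaviour follow the comment.

```python
import secrets
from datetime import date, timedelta


class AliasBook:
    """Hypothetical tracker: one plus-address code per contact."""

    def __init__(self, user, domain):
        self.user, self.domain = user.lower(), domain.lower()
        self._codes = {}       # code -> (contact label, expiry date or None)
        self._revoked = set()  # codes disabled after a leak

    def issue(self, contact, valid_days=None, today=None):
        """Create user+code@domain for one contact, optionally time limited."""
        today = today or date.today()
        code = secrets.token_hex(4)  # 8 hex characters, not guessable
        expiry = None
        if valid_days is not None:
            expiry = today + timedelta(days=valid_days)
        self._codes[code] = (contact, expiry)
        return f"{self.user}+{code}@{self.domain}"

    def _code_of(self, address):
        """Return the code in user+code@domain, or None if it is not ours."""
        local, _, domain = address.rpartition("@")
        user, plus, code = local.partition("+")
        if domain.lower() != self.domain or user.lower() != self.user or not plus:
            return None
        return code.lower()

    def revoke(self, address):
        """Disable an alias that has started to receive spam."""
        code = self._code_of(address)
        if code in self._codes:
            self._revoked.add(code)

    def route(self, rcpt_to, today=None):
        """Decide what to do with mail for an envelope recipient."""
        today = today or date.today()
        code = self._code_of(rcpt_to)
        if code is None:
            return ("reject", "no code")
        entry = self._codes.get(code)
        if entry is None:
            return ("reject", "unknown code")
        contact, expiry = entry
        if code in self._revoked:
            # The label shows which contact the address leaked through.
            return ("reject", f"revoked (leaked via {contact})")
        if expiry is not None and today > expiry:
            return ("reject", f"expired {expiry.isoformat()}")
        return ("deliver", contact)


if __name__ == "__main__":
    # Constructed sample data for illustration.
    book = AliasBook("User", "example.com")
    day = date(2006, 4, 22)
    friend = book.issue("alice", today=day)
    public = book.issue("contact page", valid_days=30, today=day)
    print(friend, book.route(friend, day))
    print(public, book.route(public, day + timedelta(days=45)))
    book.revoke(friend)
    print(friend, book.route(friend, day))
```
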
Really, what's needed is a second mail system. This communications system would take advantage of all we've learned in the 30 years or so since the first e-mail system was implemented. It would include voice, video, and IM communications as hooks to try to get people to join. Communication would necessarily be secure, signed, and verified along the channel to protect against attack. It would be somewhat decentralized, well-routed, and wouldn't fall prey to the middle-of-the-day mail floods.
In short, it would look to the end user a lot like AIM with a reliable delayed-send function.
It wouldn't be required, it wouldn't solve the problem short-term. But it can't just be "e-mail without spam". It needs to not just solve the problem elegantly but add functionality so that people actually use it.
Why was the Usenet abandoned? It wasn't just because it was a crapflood... it always was a crapflood. It was abandoned because something better came along: the high culture that are the forums of the Internet.
Replace e-mail with something that makes it utterly obsolete, or come up with solutions that don't require users to change. People aren't going to change their behaviors unless something tremendously better is available to them.
The ______ Agenda
This is nothing short of a sneaky way to advertise a would-be product for interest. Translated, it is SPAM about a product the author knows won't work but he also knows there are enough people out there, who don't get it, who will eventually pay for it. Somebody hand me the puke bucket...
While I was thinking about the OP's half-assed Microsoft-plagiarized antispam idea, I realized a slightly modified idea might work. You see, most antispam systems that can see your mailbox will whitelist everyone in your address book, and everyone you send emails to. Now clients like Thunderbird could once a day send your address book, and whoever you sent emails to, to a central server which will just collect the addresses and mark them. Emails which have a high incidence of ending up in someone's address book will be given higher points which means they're less likely spam addresses. All that's needed here is the client developers' cooperation like Mozilla, Outlook, Lotus etc.
Of course there's the whole issue of people allowing their addresses and address books to be sent to some server outside. *shudder*
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
I'd give you a dig, but the link doesn't work.
ModusMail by Vircom. Assuming you have a Windows server and a bunch of cash to throw at the problem, spam is pretty much toast with their software. Yeah, I know it's not FOSS, but it is the best tool for the job in my situation and worth a look.
There are always going to be imperfections. Wise people plan for imperfection, rather than trying to hammer the world into one method.
Also, isn't there something to be said for software diversity?
Perhaps we'd like to recall the fun of Sasser and cousins thanks to the fact that everyone runs Windows.
Yup. Getting everyone on one system sure helped there, right?
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
Why not use Blue Security's hashed "do not intrude" list? It comes with a spam reporting software, which (after manual processing by hired experts on the Blue Security facilities) sends complaints to the website in question.
The real effect of CAN-SPAM has been that most spam either gets deleted by filters, or involves a felony by the sender. The remaining spammers are either selling drugs illegally, trying to manipulate the stock market, or running a scam. That's ordinary law enforcement work, and it's now routine to hear of spammer arrests and convictions. We used to just have ineffective civil suits. That's over. Now they're doing hard time. It's not a safe business to be in any more.
SpecialHam.com is still up, and the usual suspects are still at it: "Looking for people with botnets to run ads! pm me for more details". But it's clearly a board for the clueless now.
In the posts I see here (I didn't read them all so I may have missed it) no one seems to have mentioned this HAS been thought of before and it never took off for the same reason that many have mentioned. I know I wouldn't consider using something of this nature for many of the already mentioned reasons.
Being perfectly honest, as an ISP I wouldn't mind spam NEAR as much as I do if the @#$%@#%@# would at least clean out invalid email addresses from time to time and wouldn't resort to harvest attacks. I'm still getting email going to accounts that haven't existed for almost 10 years. But then, if frogs had wings they wouldn't bump their butts when they jumped.
Hear that, spammers? If you didn't abuse so many people's networks....we probably wouldn't loathe you so much.
The home user who connects to his/her ISP and downloads his/her email with POP3 and sends via the ISP's host has different needs than
Your method works great for the home user who occasionally gets email from new addresses. And, as you've noted, it doesn't scale very well.
It's useless to search for THE Ultimate Solution to ALL spam. Instead, look at ways to better handle segments. And realize that the solution that works for a small company may not be applicable for a company based on selling over the Internet.
The only problem with SpamAssassin is that it is ALMOST perfect.
Most of my users have set up rules so that the stuff SpamAssassin tags is automatically dumped into their trash. But they don't bother checking their trash much any more. They expect the system to always be right.
Which still leads to the situation where someone thinks you've received their message but you haven't read it because it scored just over the spam level and it's sitting in your trash can.
I would prefer a system that rejected messages at the SMTP connection time rather than one that tags suspected spam after accepting it. I run Exim4 at work and it does pretty good. Of course, I still run the messages through SpamAssassin. We're down from 80% of all accepted email being spam to only 5%.
No offence but you are uber optimistic.
12 hour key rotation for the database for probably the trillion e-mail addresses that are active?
keys are inserted by the client of the sender and not by the actual smtp server? gee well I sent that e-mail to you 24 hours ago I wonder why it didn't show up... smtp servers couldn't connect for 12 hours and so my keys expired.
wow I my name being directly tied to my e-mail address so the cops can just look at the centralize database.
I can just see the lag as every single person who uses e-mail requests a key at the same moment.
Nothing like a small bomb to take out the net.
wow and people won't be able to track when I sent e-mails or when I read them.
Centralization is great for all systems
let's just rant more and more
I stopped accepting spam and wrote an article about it. Free tools exist today to restrict almost all UCE, so I'm not sure why there's a great rush to fix a non-broken system by replacing it with a giant unknown.
Dewey, what part of this looks like authorities should be involved?
My idea for a completely "spam-proof" system:
Have the mailserver check that the OpenPGP signature on every message corresponds properly to the sender and is not on a blocked list. Otherwise, or if the message is not signed, it goes in /dev/null.
There's little point doing this on the outgoing SMTP server because most spam is sent from hastily-bodged-up SMTP servers running on compromised Windows boxes. It really should be done on the POP3 server {which, of course, receives mail by SMTP but then drops it in /var/mail/$LOGNAME and users pick it up by POP3}.
Insisting on signatures would also mean that all users would have access to decent strength encryption {since it's the same key pair ..... the public and secret keys are inverse functions of each other, so if you encrypt a known plaintext with the secret key, anyone with the public key can decrypt it ..... but only the person who knew the secret key could have encrypted it in the first place}. I don't think that can be a bad thing at all.
Je fume. Tu fumes. Nous fûmes!
AND you also have to seize the spammer's client list. Not their spam list (ie: everyone they've sent an email to), but their actual, real live CLIENT list. Everyone they've sold stuff to.
Then you track down those people, and nail them to walls as well.
That way you've eliminated (or at least terrorized into submission) the spammers, their suppliers, and their clients. All areas of revenue are cut off. No one will buy from a spammer because they're either dead or afraid of being dead. No one will hire a spammer to sell stuff for them because they are dead or afraid of being dead. And no one will spam their own stuff because, well, you get the picture.
It may be harsh, but I think this world's gene pool could stand a massive cleaning. Just get the client list, and send cyanide capsules shaped like blue pills sent to everyone on it. "Teh fre3 medz!!!1"
UTF-8: There and Back Again
I've been using spamgourmet.com for a while now, and it works relatively well. Once you have an account with them, you can generate disposable addresses on the fly which encode a maximum number of messages that will be allowed through (you can change this number later if needed, or specify certain senders that will be allowed to use that address indefinitely). Allowed mail forwards to an address you set; blocked mail gets deleted. You can look up stats on all your disposable addresses to see which keep getting spammed long after it's stopped reaching you.
It's not a perfect solution, but it has been extremely handy and has lots of options I haven't even tried yet.
your client should have to bear the brunt of such a thing, if he needs to send it out in that manner.
A lot of complaint re-spam is- the recipient (or his ISP) bears the brunt of the costs.. this would fix that.
Further. you could (as with mail backup) have a server which is a stand in (specified with an MX (or XM?)) which also supplies outgoing email.
Yes- I quite think keeping outgoing email on the sender's email server... until the recipient client asks for the email- makes a hell of a lot of sense..
every day http://en.wikipedia.org/wiki/Special:Random
Just install greylisting on your mail server, and you just got rid of ~98% of your spam with next to no effort, and with no ongoing maintenance requirements. Now if you care about the 2%, throw in a couple regex filters to block shit like forged gmail/yahoo mail, and mail with helo/ehlo with your mail server's name.
The remaining spammers are either selling drugs illegally, trying to manipulate the stock market, or running a scam. That's ordinary law enforcement work, and it's now routine to hear of spammer arrests and convictions.
Um, no. Spammers have been performing illegal scams and stock market manipulations ever since the first spammer. And I've never heard of any of them getting arrested. Heck, every time I send such a scam to my local law enforcement agency, nothing happens and I don't even get so much as a reply telling me to go away.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Your post advocates a
( ) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
You want a proposal for spam blocking? Here's a proposal, based on a "hashcash" paradigm.
When someone sends an email, they take the sender's email address, the receiving address, and 8 random alphanumeric characters (we'll call this "K"). The sender then initializes an 8-byte counter starting at 8 x 0x00. The sender then does a SHA-1 hash of the string with the counter appended on the end, and then increments the counter and repeats until the last 4 bytes of the SHA-1 are 0x00. It then saves the number of steps it took to reach this point, increments the counter again, and repeats the process until it has a list of 12 increments where the SHA-1 result is zero. It then sends this list, along with "K", in the email header. (It can also cache this for future use.)
The receiver takes "K" along with the email addresses and verifies that it gets SHA-1 hash results that are zeros with those counter increments.
The end result is, it takes a significant amount of processing power to send a (first) email, which should be acceptable to someone sending a legitimate message but will significantly slow down the performance of a spambot.
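The stamp scheme described in the comment above, as an added Python example (not code from the commenter). Assumptions: the three fields are joined with newlines, the 8-byte counter is big-endian, and `zero_bits` and `solutions` are parameters so the scheme can be run at reduced difficulty; the comment's own setting is 32 zero bits and 12 increments.

```python
import hashlib
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits
COUNTER_BYTES = 8     # the comment's 8-byte counter
FULL_ZERO_BITS = 32   # "last 4 bytes of the SHA-1 are 0x00"
FULL_SOLUTIONS = 12   # "a list of 12 increments"


def _prefix(sender, recipient, k):
    # Assumption: newline separators, so the fields cannot be re-split
    # into a different (sender, recipient) pair with the same bytes.
    return "\n".join((sender, recipient, k)).encode("utf-8")


def _hit(prefix, counter, zero_bits):
    """True when SHA-1(prefix || counter) ends in zero_bits zero bits."""
    data = prefix + counter.to_bytes(COUNTER_BYTES, "big")
    value = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return (value & ((1 << zero_bits) - 1)) == 0


def mint(sender, recipient, zero_bits=FULL_ZERO_BITS,
         solutions=FULL_SOLUTIONS, k=None):
    """Sender side: return (K, increments) for this address pair."""
    if k is None:
        k = "".join(secrets.choice(ALPHANUMERIC) for _ in range(8))
    prefix = _prefix(sender, recipient, k)
    counter, steps, increments = 0, 0, []
    while len(increments) < solutions:
        steps += 1                    # hashes tried since the last hit
        if _hit(prefix, counter, zero_bits):
            increments.append(steps)
            steps = 0
        counter += 1
    return k, increments


def verify(sender, recipient, k, increments,
           zero_bits=FULL_ZERO_BITS, solutions=FULL_SOLUTIONS):
    """Receiver side: one SHA-1 per listed increment."""
    if len(k) != 8 or any(c not in ALPHANUMERIC for c in k):
        return False
    if len(increments) != solutions:
        return False
    prefix = _prefix(sender, recipient, k)
    counter = -1                      # first increment of n lands on n - 1
    for inc in increments:
        if not isinstance(inc, int) or inc < 1:
            return False              # zero or negative steps would reuse a hit
        counter += inc
        if counter >= 1 << (8 * COUNTER_BYTES):
            return False              # outside the 8-byte counter
        if not _hit(prefix, counter, zero_bits):
            return False
    return True


def expected_sender_hashes(zero_bits=FULL_ZERO_BITS, solutions=FULL_SOLUTIONS):
    """Average SHA-1 calls to mint; the receiver needs only `solutions`."""
    return solutions << zero_bits


if __name__ == "__main__":
    # Constructed addresses, reduced difficulty so the demo ends quickly.
    k, incs = mint("alice@example.org", "bob@example.net",
                   zero_bits=16, solutions=3)
    print("K =", k, "increments =", incs)
    print("valid:", verify("alice@example.org", "bob@example.net",
                           k, incs, zero_bits=16, solutions=3))
    print("full difficulty, average hashes:", expected_sender_hashes())
```

Because the stamp covers only the address pair and "K", the receiver can check it with 12 hashes, and a stamp minted for one recipient does not verify for another.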
Several cases of spammers getting arrested and sent to jail (usually for crimes other than sending spam) have been reported on Slashdot; maybe you just weren't paying attention?
But you're right anyway. It hasn't been enough to make a difference.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Spam filtering technology works well enough that I only get an average of one spam every seven hours in my inbox. The rest are filtered - which of course I have to verify to make sure I didn't miss anything.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
However, I feel your efforts would stop more spam if you were to acquire some AK-47s and hunt spammers. Make a documentary about it and upload it to video.google.com to spread fear, uncertainty and doubt into future would-be spammers.
Your post advocates a
( ) technical ( ) legislative ( ) market-based (X) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(X) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(X) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
New to the group so bear with me... I have an SMB and when we went looking for an Anti-SPAM appliance we came across the DS200 (see http://www.tyrnstone.com/emailfilter.asp if interested). Got a positive review from Brian Livingston at WindowsSecrets.com. So far so good. Has anybody else seen/reviewed the DS200?