The Time Has Come to Ditch Email?
Krishna Dagli writes to mention an article at The Register claiming that it's time we stop using email to communicate. From the article: "The problem is, email is now integral to the lives of perhaps a billion people, businesses, and critical applications around the world. It's a victim of its own success. It's a giant ship on a dangerous collision course. All sorts of brilliant, talented people today put far more work into fixing SMTP in various ways (with anti-virus, anti-phishing technologies, anti-spam, anti-spoofing cumbersome encryption technologies, and much more) than could have ever been foreseen in 1981. But it's all for naught."
Short version of story:
E-mail shouldn't really go away, we need to recreate it from scratch with built-in security, authentication, encryption, etc., and those mechanisms need to be as transparent as today's e-mail.
EOF
E-mail will probably go that way, but I don't see it being recreated from scratch. Postfix evolved out of perceived difficulties with sendmail (still one of my favorite packages... obtuse, obtuse, obtuse, but lots of fun.) while in-flight.
The fixes for e-mail likely will also occur in-flight... there's too much momentum, and too many transactions dependent on e-mail for it to stop, then go.
The single most important step for me would be transparent authentication, via certs, whatever. As phishing becomes more insidious and the stakes go up, someday someone (or a bunch of someones) will be phished severely, escalating the urgency of authentication. It may start out clunky (ever tried to get friends and family to do PGP handshakes?), but as with other technology I think it can be done with transparency.
E-mail stays... (btw, if you want to send e-mail feedback to the author, this is the link.)
http://slashdot.org/~ellem/journal/104280
Mail really is broken. It does not work as expected or as wanted by users.
This
It's time to ditch reality. It's fundamentally broken and inherently insecure. We should have predicted that 13 billion years ago.
Whatever works!
FTP Dead? Riiight. Just like BSD.
It is not a god that would do evil biddings, but only a mortal and its limited knowledge would let such atrocities exist
Sorry, but to be taken seriously, you'd at least have to have a basic framework already thought out. Just claiming that it's broken and maybe one of these TLA's that you've heard of might be used to fix it
Go back, think about it and then write a real article.
I realize basic language skills are a difficult thing for a slashdot editor to grasp, but come on! Rather than taking the title of the Register article and slapping a question mark on it, it makes a whole lot more sense to actually rearrange the words into the form of a question: "Has the Time Come to Ditch Email?" or even "Is it Time to Ditch Email?"
This guy's the limit!
From TFA: "Use existing, proven technologies and a few new and novel ideas - starting with the latest encoding mechanisms, a reliable hashing algorithm, fast compression, strong encryption and signatures. "
So in 25 years' time today's technology will stop 90% of communication being spam? Spam exists in spite of the best efforts to stamp it out. Whatever we do it'll be the same. Writing an article full of buzzwords and hypothesis doesn't really help a lot.
I recently had an opportunity to meet Eric Allman. He had people in his office, so I did not get to say hi. Afterward, I thought if I met him, what would I even say? I figured there would be an equal number of praises and complaints.
For the record: smtp rules.
Click here or here.
I express myself verbally when "talking" to the other developers:
FIX YOUR FUCKING CRAPPY CODE!
I also use sign language, but I don't have much of a grasp of it and stick to the usual middle digit up in the air.
Summation 2
Put another way, if you run your own mailserver and still get spam and viruses, it's because you haven't chosen to address the problem. If you use someone else's mailserver and still get spam and viruses, it's because they haven't chosen to address the problem. Nothing stands between you and a clean inbox but motivation, whether your own or your ISP's.
And no, broken hacks like DJB's "Internet Mail 2000" will never get real-world acceptance as they make it as difficult for legitimate bulk senders to broadcast as for spammers. SMTP is here to stay as the standard method for (somewhat) reliably routing messages between people on unaffiliated networks. Replacing it with a similar system with new pitfalls isn't the answer we're looking for.
Dewey, what part of this looks like authorities should be involved?
"ever tried to get friends and family to do PGP handshakes?"
Yes, I've tried... and I've been and am quite successful with it. Using GPG to send/receive encrypted mail and check signatures with a good plugin isn't rocket science.
Agreed, setting up keys and such is hard, but with friends and family we geeks can help. We do that with E-Mail, Games, Wordprocessors, why not with PGP?
My experiences with PGP with friends and family: Do You Use PGP? - Encryption is not just for techies any more.
Who's the first one who wants to actually do it?! Go ahead, ditch e-mail! Yeah sure, I'm sure that will happen! I wish I could go back to the eighties when doing IT jobs was still fun. We had no e-mail back then. No cell phones either. You could read the newspaper and smoke a cigar on your lunch break. We used to go to the restaurant in downtown and eat lunch there. There was no hurry and we fucking knew every single piece of our systems we administrated back then. Now it's impossible to know everything and now it's constant fucking rush every single moment!
As much as I hate to admit it, copyright treaties have been extremely successful in perpetuating the DMCA.
Why not use it for something beneficial for a change, and introduce treaties to the UN for the harsh enforcement of anti-spam measures?
Once the international safe havens are removed or severely curtailed, there will be less of it, and everyone but the ad nazis and the "big data" industry which has arisen to serve them will be better off.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
And of course, the NEW system won't be vulnerable to ANYTHING - right?
No, wait, let's think that through. Let's take video games as the paradigm. Every year companies spend upwards of 20 million per video game. Every year, they come out with the newest, latest, greatest in copy protection. This copy protection is only limited by their imaginations (and the hardware). And yet days after release, and sometimes prior to release, their code is hacked, cracked, and distributed.
This author somehow thinks that going back and redoing everything will fix it. The author is naive.
Call my analogy a bad one if you will, but the SECOND you put ANY type of system into the hands of the criminals / spammers, they will find ways to exploit it. This is proven time and again.
How exactly does this new email system stop phishing? Oh, right, it can't. Have a link, go to a malicious website, etc. How exactly does this new email system stop users from clicking executables thinking that they are going to see nudie pictures of Katie Holmes? They don't. How does this new email stop virii? It won't.
Encrypt your email if you want security. Password protect your account. Use filtering to dump spam before you read it.
OH, and I forgot to mention - I'll be sending you a snail mail letter that looks completely official. It's about a man I met in Nigeria, who has some money he'd like to give you.
Since we're thinking about ditching email, when are we going to ditch snail mail?
Anyways, these suggestions for improving email are full of fancy features (hashing and compression!) but all they really serve to do is complicate the protocol. Right now, SMTP is so simple that it can be implemented by the tiniest of embedded systems. Take that away and whatever protocol you come up with probably will never be as popular as SMTP.
Besides, most of these proposed changes don't do too much to prevent spam without any of the questionable side-effects encountered with the current proposals to counter spam (ex., loss of anonymity, cost, proving identity a la SSL certs)...
I'm Trappped at Berkeley.
> Agreed, setting up keys and such is hard, but with friends and family we geeks can help. We do that with E-Mail, Games, Wordprocessors, why not with PGP?
Because we're looking for a long term, widespread, permanent solution. There aren't enough of us geeks to hold the hand of every user in the world.
"The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.
If I'm to apply the same logic to regular mail, well, regular mail is doomed too; it's full of phishing, spam, and spoofing. I guess I'm not sending anything by mail from now on!! Duh!
If you get a letter from a car dealer stating that you won $3000 in credit if you buy one of his cars, do you automatically go and buy one? NO. Same thing goes for email, you don't open all emails and follow all links blindly.
The problem is with educating people how to use email and the Internet as a whole. When enough people stop being click-happy... spammers will lose interest as no one will be paying for such a service, and phishers/spoofers won't find enough people to fall for their tricks.
Simply, educate people about this powerful tool before you throw them in! This is not only for email, it goes for anything to do with the internet and any form of communication as a whole.
Just my $0.02.
I find that the people who gripe loudest about the problems with e-mail are the ones who have poor or no spam filtering.
I guess I'm lucky that I have an ISP who takes spam blocking seriously, using a combination of Brightmail and a user configurable Spam-Assassin install that seems to block 98% of spam and which has virtually no false positives. On the weeks when I monitor it, they may mis-label one in several tens of thousands of messages, usually from a mailing list or other source that just barely triggers the filter.
Most people assume that the lousy, error prone spam blocking offered by many ISPs is the best that can be accomplished. That's simply not true.
Unlike the article author, I still find e-mail a reliable and essential tool, and can't see a need to make significant changes at this time.
Three Squirrels
A peak of ~75 messages a minute?
Methinks you need several zeros on the end of that to get to a medium to large installation....
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
I've had people get pissed at me when I don't respond to their email. Reason I didn't respond is that it was sitting in a queue somewhere and I hadn't gotten it yet. Plenty of other examples I can think of but that'll do for now.
What we need is a locked out system. Something that doesn't interact with SMTP at all. True, people using that system could only email people in that system, but that wouldn't be a problem once it caught on. If you could guarantee delivery and zero spam, people would flock to it. Google could adapt Gmail to be that system inside of a half a year if they wanted to.
I know people would initially say "No way! How will I communicate with everyone I normally have to email?" Well...it'd be like when my friends discovered ICQ back in the late 90's. Everyone said "Hey...download ICQ and we can talk in real time." And eventually I did. And for a few years, I didn't do email at all (until ICQ died from bloat anyways). This new email system would be adopted just like that. "Hey, I know a messaging system that'll give you something like email, but zero spam and a guaranteed delivery time. Just download the client and make an account. It's great."
Wouldn't be hard to make, either. Just fix things so that you have to log in to send a message, and put something in your TOS that you cannot spam people. Also have an active admin system. Someone does something against the TOS, you yank their account. Maybe have a "report abuse" function built in to the client, or some such. Maybe something like Slashdot Karma. Enough complaints and your account gets locked for admin review.
And ditch relays - they're too hackable. Make each server isolated. We don't need to do the relay thing anymore. It was important "way back then" when you could only send email by queueing them up to transmit at 3am when the grad students finally get off the mainframe, but it's not like that anymore. Make the new system isolated. If you want to send email to someone@someserver.com, you have to have an account on someserver.com. And if you spam someone@someserver.com, they report you and you get locked out.
You could implement all sorts of good ideas into a system like this. Don't allow people to send more than 1 email every minute or two. Don't let people automatically get an account on the system - let them apply and then wait for verification to stop bots from making accounts.
It'd take more thinking and planning than what I've got here, but the point is that something more safe and secure could easily be made. I'd love to see it.
Weaselmancer
ridiculous.
What somebody needs to do is curb the fucking spammers!
And I don't mean "curb" as in curtail their activity, I mean "curb" as in stick their fucking heads on a curb and stomp on them!
You're using her as bait, Master!
Not to mention that the majority of so-called "noobs" use Webmail services, who could use GPG/PGP 'wizards' that would automagically set up signed e-mail.
Setting up GPG/PGP e-mail is not a technical or knowledge problem, it's an implementation problem, in terms of e-mail client design.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
I am not saying that it HAS no use, but it is an evolutionary dead-end. Usenet could hang on for another 20 years. But, AFAIK, no new uses are being developed for it. It is probably losing users a lot faster than it is gaining (except maybe the "alt.binary.*" section, but that is for other reasons).
You can get web and e-mail on your phone. Companies are developing small PDA-sized tablet computers to access the web and e-mail. When have you heard of a news reader for a phone?
My guess is that porn and warez is the ONLY reason that usenet still exists. Yes, I know that there are some useful groups, but with the low traffic that those get, they could easily be moved to web forums. The only real advantage of a usenet forum is that the bandwidth is distributed, so that you do not have one "host" being stuck with the bill.
It is not that I am biased against usenet. If you search back far enough, I even have a post or two on "alt.swedish.chef.bork.bork.bork." But I fail to see the need for it any more.
"-1 Troll" is the apparently the same as "-1 I disagree with you."
As a systems administrator working on a few large scale mail servers the 'investment' required to cut spam and virus emails is very low if the system has been designed properly. I use open source tools on a system with in excess of 150,000 active users and it costs nothing in licenses and it's on four servers and a central NetApp filer for the mailstore. Realistically if we distribute the total cost over the user count and support issues are very low. It's simple, design the system. Our email service uses the following:
-Qmail, vpopmail, simscan, spamassassin and clamav. On a userbase with the amount of users we have it's very easy to distribute, it's easy to scale and the performance is great.
Not. Look around for usage statistics and you'll see that USENET traffic and messages are up, and that doesn't include the binary groups. You are right about the "average" internet user not using usenet, but that's a good thing IMO.
I've used gopher. Gopher was actually replaced by the web and HTTP. When web browsers and HTTP came along, they started to do the job Gopher was doing and doing it better than Gopher itself. That's why gopher went away.
The nntp situation is different. There's something to be said about groups of messages organized in a hierarchical category that are primarily text based. Usenet fills a need that no web service can match, and that goes for the alt groups as well. Don't kid yourself, there's a lot of good stuff on the alt groups - you just need to know where to look. Let me say right here that none of my comments are meant with an eye toward the binary groups. Sometimes I wish they would go away just because of the bandwidth and disk space concerns.
Writing clients / servers for these protocols is horrible. They were made within 30 years ago and for humans to interact with. I've been writing an SMTP server and it's hell because the protocol is just disgusting and it's horribly abused. If someone doesn't step up to create better protocols, I will! Beyond that point no one can complain xD!!
The problem with E-mail is the store and forward model of the servers, which allows people to inject spam, remain unaccountable, and impose the costs on others. That design made sense 20 years ago, but it doesn't today.
The solution is fairly simple: change to a different E-mail protocol; one simple approach is to have a protocol in which the sender stores the message until delivery and the only thing that gets delivered to the recipient is a small notification.
On a related note, it really is pretty silly as well that there is SMTP in addition to IMAP; in the future, the client-to-server protocol might well just be simple IMAP (with an "outgoing" folder), and there can be a separate server-to-server protocol like the one described above.
You can prevent forgery now with SPF (v1, "classic" - forget that stupid broken patent-encumbered Microsoft SenderID that claims to be SPF v2). There's obviously a problem with sites that refuse to participate still being easily forged, but since the biggies (Gmail, AOL, etc.) are using it already the number of forgeable sites is shrinking.
DKIM (successor to Yahoo's DomainKeys) will do even better when it gets more traction in the MTA and MUA segment, but for right now do SPFv1 and get the issues with forwarding worked out (if you have any - many sites won't) before DKIM arrives.
Anti-forgery is only part of the solution, though - it just forces the spammers to register real domains (throwaway domains, granted) or use exclusively cracked hosts and botnets. The other parts of the solution are 1) heavy punishments for crackbot spammers (yay AOL and Microsoft for pushing this!) instead of law enforcement looking the other way as they have in the past and 2) consumer reaction against domain registrars that knowingly support spam gangs.
The key thing to understand about anti-forgery measures is they allow other techniques (like blackholing and legal prosecution) to work. If your mail administrator isn't implementing at least the publishing side of SPFv1, that person is not doing his or her job properly.
Geez, I said "Yay AOL and Microsoft". You don't see that on Slashdot much!
Each of the items I listed are too large and complex, and are beyond repair, but in the same respect could NEVER be recreated in a reasonable time frame.
Two questions:
1) By suggesting email "could NEVER be recreated in a reasonable timeframe" you are inferring that a reinvented email system must be complex. Why would that be? We don't have to re-invent security, authentication, encryption from scratch for use especially for email--we already have the technology and use it extensively (HTTP(S), LDAP, Kerberos, SSH, etc). What is missing in email is an elegant integration of these technologies.
2) Even if architecting a next-generation email system would take a long time, why would that be a problem? What would be a "reasonable" timeframe? Personally I don't think that a W3C-like standards body would take more than 5 years to craft a usable standard, and by the time it hit 1.0 there would already be a lot of early implementations. Sure it would take a long time to adopt, but there could be email gateways like there was between the internet and old-school nets like Fidonet, and those gateways can handle the spam and other crap before they hit any "new and improved" email servers.
When something gets as broken as email people are more motivated to fix it. There are already some interesting ideas out there that could catch on...
> There aren't enough of us geeks to hold the hand of every user in the world.
:)
Who exactly wrote all the software we have now that the non-technical users rely on every day? Geeks. There are plenty of us around
My other car is first.
But the zombies are vulnerable. The lamest Windows OSs, the DOS/Win95/98/ME family, are slowly dying off. XP is at least potentially fixable, and Vista is much tighter.
We've made real progress. It's tough to send spam today without committing a felony. Spammers are routinely going to jail. Spam as a means of even vaguely legitimate marketing is dead. Spam-friendly hosting is getting harder to find. Ironport gave up selling its "spam cannon" rackmount spam sender. Spam filtering is better than ever. Spammers have been reduced to using zombies because anything more direct gets them hammered.
How does this stop the hordes of zombies on home broadband accounts with the default password for their SMTP server stored in their e-mail client?
Your company advocates a
(X) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid company for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
[T]here are enough of us geeks to code up the proper secure behavior ... Then it's just a matter of waiting for everybody to update their email client (i.e. 5-10 years, ...)
;-)
Actually, some of us geeks did a lot of it 15 or 20 years ago. Lotta good it did us all. Most of the email users are using Microsoft email software, and clearly will never upgrade to anything without the MS imprimatur, so our work was pretty much in vain.
So how about some of the geeks here mention the more-secure email packages you've worked on, and when. This should give us a good idea of just how hopeless it is to expect everybody to adopt it.
(Either that or nobody will ever notice this message or reply to it.)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
grossout factor, for example, say you have an individual who needs some help setting up their next gen email, and this geek runs up to help, his mouth still dripping blood from the chickenhead he just bit off, the poor email using individual is going to just freak out and run away.
What makes Spam and Malware unmanageable is the sheer number of vulnerable and hacked systems. When vulnerable boxes disappear, the bad guys would have little ammunition. My guess is that over time, as computing matures and our OSes stabilize, security holes will be plugged faster than they are created. When that happens, vulnerable boxen will become rare, and the bad guys will find it harder and harder to send Spam and Malware with impunity.
And then the rainbows will soar and unicorns will return.
And you can be sure Microsoft wouldn't be one of them, or, if they did, they'd do it all wrong.
Well, we have lived through this with the WWW and we still have standards. Yes, Microsoft was involved. Yes, Microsoft did it all wrong and yes, many IE quirks became de facto standards. However, there is still a standard and at a fundamental level it is still adhered to by all important players. And guess what? Microsoft is being forced to step in line, albeit slowly.
Pre-.net FrontPage and ASP development tools spewed out atrocious, non-compliant code and ActiveX has been a scourge on the Web. In the early days on Vista development MS boldly declared the web browser as a distinct application obsolete and abandoned new IE development. Microsoft has, as a result, suffered the consequences (buggy, insecure software, backlash from users and web developers for its inconsistent rendering behaviour, resurgence of Mozilla browsers, etc).
Now, MS has had to admit they still need a browser and are readying a long-overdue major release of IE and with every version of Visual Studio.Net the HTML generated by ASP.Net apps is more compliant and cross-browser compatible. Standards DO have an effect and given the climate MS is now in (with extra regulatory scrutiny and a slowly but surely growing competition) they may still botch the implementation, but they wouldn't blatantly flout standards like they have in years past.
I may have gotten this wrong, but to me it seems simple to secure E-mail without changing the current method drastically.
First I must look at the types of E-mail I receive (more precisely, who I receive E-mail from):
1. Friends and family
2. Friends of friends and family
3. Businesses I know
4. Mailing lists
5. Spammers
For businesses there are another two categories:
6. Customers
7. Potential customers
It must be possible to find a simple way to create a digital signature without making it rocket science, which is an underlying assumption of my suggestion.
Similarly, it must be possible to disseminate a digital signature to potential recipients in an easy way, a scheme like tinyurl springs to mind -- or any of the other publicly available, free "certificate authorities" (CAs). I submit the public part of my signature to tinysig or whatever it is called and tell my friends and family about it.
Businesses would probably register their signatures with the "official" CAs (but could use tinysig as well) and display proper links to them on their websites -- as could plain people with homepages. I would suggest something on the form of pubsig://tinysig.com/al1ga2r and pubsig://thawte.com/BigCorporation/12437265190. Those links would return a public signature id, which would go directly to the E-mail program for storage, much like the mailto: does for automatically opening a new E-mail.
1. Friends and family would give you their tinysig signature, which you quickly incorporate into your E-mail program. The E-mail program disseminates it to whatever server(s) it collects mail from.
2. Friends of friends and family would ask your common connection to forward their tinysig signature.
3. Businesses I know would either provide me with links directly (i.e. by phone or mail) or through their websites.
4. Mailing lists would provide their signature ID when you subscribe to the list.
5. Spammers ... Well, tough luck, unless you are of category 1 through 4, of course.
6. Customers of businesses should probably provide their public signature ID to the business if they want them to receive their mail, but otherwise the business could open for specific E-mail addresses like current whitelists in current spam filters.
7. Potential customers ... well, if you want new customers, you should probably expect a certain amount of spam, shouldn't you?
This suggestion could easily be grafted on to current, prevalent E-mail protocols, i.e. SMTP/ESMTP, POP and IMAP, and I am sure it would reduce the problem quite substantially and (provided the signatures are properly generated) be rather safe from crackers/hackers and spammers.
Big E-mail providers like Yahoo, Hotmail, G-mail and the like, would certainly have to incorporate it into their systems for this to work properly, but again, it is not too difficult.
Please bear with me if this is not thought through properly, but I have a plane to catch.
I'm all with you about needing a secure alternative, but then I hear stuff about mandatory ID, etc.
Corporate whistleblowers, Chinese democracy activists, union organizers, etc. all have a legitimate reason to want to be able to send an email without it being traced back to them. How do we support that without opening the floodgates for spam/phishing/etc?
Essentially, I should be able to somehow generate an ID, where I am the only one that can connect the ID to my person. At the same time, if I send an email, my recipient will receive it - they will be aware of the fact that the email is from someone who is hiding their personal identity, but some other form of information will be connected with that ID that shows that the email can be trusted more than some bulk-mailed viagra ad. Ideally the system would not require human intervention to screen. For example, maybe the ID is such that it requires 1 week of CPU-time to generate, and the encryption method has a secure method for storing the total number of emails sent using the ID.
This way, a spammer would have to have access to a million machines for a week to be able to send 10 million emails with an ID that has a count of less than 10.
On the receiver end, they would get the email, and it would be flagged as unsolicited and anonymous, but they would know that I've only sent 5 other emails with the same ID and that the ID was difficult to obtain.
The basic idea is that with each email you receive, there would be a set of information that you are guaranteed to know about the sender, with some of it optional. The email reader would only accept mass emails from trusted known IDs, but non-mass emails could come from anonymous IDs.
Another possibility would be some form of trusted anonymous emails. Without further external knowledge, a single message from that ID would not be trusted, but it would be possible for an ID to create some form of trust structure. For example, imagine you anonymously donate $100 to some charity, using the ID. Then you send an email using that ID to people who respect that charity. The message header would include information that would allow automatic verification that the same ID was used for the donation and the email. The receiver would then be fairly certain that the message was not spam, but they couldn't trust it enough to give out their credit card number or other info.
Anyway, this is the sort of thing I'm thinking of - decentralized, and secure in the sense that the sender and receiver can in some secure way communicate a level of trust to each other without outside interference or exposure.
Dude, your web page is so bad, I uninstalled my browser.
[To moderators: before modding me down, please visit it first]
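The costly anonymous ID proposed a few lines up, sketched as an added example that is not part of the original thread: it uses a hashcash-style SHA-256 proof of work, which is a technique chosen here and not one the poster names. The `pubkey` bytes, the field names and the 16-bit difficulty are assumptions, and the per-ID message counter, whose enforcement the post leaves open, is not implemented.

```python
import hashlib

# Assumption: a tiny difficulty so the demo mints in well under a second.
# The post's "one week of CPU time" corresponds to a far larger value.
DIFFICULTY_BITS = 16


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _work(pubkey: bytes, nonce: int) -> bytes:
    # The work is bound to the key, so it cannot be reused for another ID.
    return hashlib.sha256(pubkey + nonce.to_bytes(8, "big")).digest()


def mint_id(pubkey: bytes, bits: int = DIFFICULTY_BITS) -> dict:
    """Sender side: search for the smallest nonce meeting the difficulty.

    Expected cost is about 2**bits hash evaluations. Nothing in the
    result links the ID to a person.
    """
    nonce = 0
    while leading_zero_bits(_work(pubkey, nonce)) < bits:
        nonce += 1
    return {"pubkey": pubkey.hex(), "nonce": nonce, "bits": bits}


def verify_id(ident: dict, min_bits: int = DIFFICULTY_BITS) -> bool:
    """Receiver side: one hash proves the sender paid for the ID."""
    try:
        pubkey = bytes.fromhex(ident["pubkey"])
        digest = _work(pubkey, ident["nonce"])
        return (ident["bits"] >= min_bits
                and leading_zero_bits(digest) >= ident["bits"])
    except (KeyError, TypeError, ValueError, OverflowError):
        return False  # malformed or tampered ID


def ids_needed(messages: int, per_id_limit: int) -> int:
    """IDs a bulk sender must mint if receivers distrust busy IDs."""
    return -(-messages // per_id_limit)  # ceiling division


if __name__ == "__main__":
    ident = mint_id(b"constructed-demo-key")  # stand-in for a real public key
    print("minted:", ident, "valid:", verify_id(ident))
    # The post's figures: 10 million mails, at most 10 per ID, one
    # machine-week per ID gives one million machine-weeks.
    print("IDs needed:", ids_needed(10_000_000, 10))
```

Minting costs about 2^bits hashes while verification costs one, which is the asymmetry the proposal depends on.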
You forget that the vast majority of the users does not have enough clue to realize why the client they use sucks, and thus will not switch to an alternative unless a miracle happens. Look at MSIE, Outlook Express. They have the vast majority of the market because people cannot really be explained that switching to another client is better for them. A couple of months ago a lot of noise was made about Firefox and some people reluctantly tried to install and use it, but when looking at a non-techie website at work the wave is mostly over and nearly everyone is back to MSIE.
Even while you can keep a development team that maintains a better client and gets a couple of thousand users to install it and be very happy, that does not mean you have done something "for email", when 99.99% of the users is mailing using other clients, that suck.
Viewed this way, there really is competition. Only clients that have a respectable market share have the possibility of changing anything to "email". When I mail using mutt or pine, I can flame people sending me HTML messages whatever I like, that won't change the fact that the world mails in HTML, even when I would want to see this changed.
Two protocols which have grown beyond their initial specifications. SMTP was never meant to be any of the following:
1) Secure
2) Secure
3) Secure
HTTP was never meant to do anything but display documents. Look at the both of them today. To try to implement security into a technology that was never meant to secure transmitted data and defeat spoofing is the same problem with implementing executable script and code-behind technologies into documents. Both were ideas which predate their abuses, when the 'net was more populated with people who benefitted from a general white-hat attitude and at the time had no need for rigorous secure technologies. That's no longer the case, and any technology which assumes it is technically out-of-date.
But I think there are better things to do. For instance, setting up an international task force that does nothing but go after these bastards. Sort of a Jack Bauer / CTU kind of organization that tracks the sales these sites make and goes after them.
I agree with those who suggest that as long as there's email, there will be spam. Therefore, the only real option here is to make it not so profitable.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."