ISPs Starting To Charge for 'Guaranteed' Email Delivery

Presto Vivace writes "Under the guise of fighting spam, five of the largest Internet service providers in the U.S. plan to start charging businesses for guaranteed delivery of their e-mails. In other words, with regular service we may or may not deliver your email. If you want it delivered, you will have to pay deluxe. 'According to Goodmail, seven U.S. ISPs now use CertifedEmail, accounting for 60 percent of the U.S. population. Goodmail--which takes up to 50 percent of the revenue generated by the plan--will for now approve only mail sent by companies and organizations that have been operational for a year or more. Ordinary users can still apply to be white-listed by individual ISPs, which effectively provides the same trusted status.'"

Fighting spam?

[LordHatrus]

How does it fight spam if the spammer can ask to be whitelisted, or if the spammer can pose as or actually be a business operating for more than a year? Lame.

Re:Fighting spam?

[nacturation]

How does it fight spam if the spammer can ask to be whitelisted, or if the spammer can pose as or actually be a business operating for more than a year? Lame. You combine it with other techniques, such as whitelisting only specific IP addresses and rejecting mail from those IPs if spam reports get too high. A business approaching Goodmail and saying "please whitelist these 500,000 zombie IP addresses" would be just a tad suspicious.

Re:Fighting spam?

[tacocat]

No, you are really wrong.

The point behind guaranteed delivery is that the ISP will not blacklist your domain/ip address regardless of how many spam reports they receive. This is the whole point behind goodmail.

I just spend hours in a meeting discussing this very topic. Our company was blacklisted by AOL because too many people reported our email as spam (it's all mail that they opted in for -- default is out). The result was all of AOL delivery was blacklisted. Eventually we got it fixed, but the next tier to the solution is to pay GoodMail $$ to effectively certify our domains as legitimate senders and they pay AOL a portion of their proceeds to guarantee permanent whitelist status no matter what the users do.

The only criteria that AOL has leveled against us is if someone tags our email as spam, we have to remove them from the mailing list. But I don't know if this will change or not with the introduction of GoodMail into our mail delivery system.

Re:Fighting spam?

[Ucklak]

Same boat as you my friend. We decided that AOL email addresses aren't allowed to be used in our monthly drawing for a free product(meal) so we don't accept AOL addresses on our web form.

The problem is that part of the registration sends a message to the recipient that the user has to acknowledge. That message sent to AOL addresses gets tagged as SPAM. Secondly, the newsletter we send out also gets tagged as SPAM by a good percentage of AOL users. So my opinion of this crap is to discriminate against people with goodmail services.

Re:Fighting spam?

[tacocat]

If he tags what you sent as confirmation to his request, what do you think the chances are that they will also tag your newsletter?

A lot of AOL users tag messages as SPAM when they don't want to see them anymore. It's easier than opting-out and so they abuse the process. They have no repercussions to their actions.

But a lot of users do this. I see it in my house where I run my own mail server and my own spam filter. It's a bayesian filter so you have to tell it when it was wrong. Wife won't tell it anything but she complains about the spam she's getting. Can't help her. She's being obstinant and dumb.

Re:Fighting spam?

[Kjella]

A lot of AOL users tag messages as SPAM when they don't want to see them anymore. It's easier than opting-out and so they abuse the process. They have no repercussions to their actions.

Hey, I do this too with newsletters that suddenly start showing up in my mailbox, probably hidden away deep in some terms of some signup or the other. A just punishment for anything deceptive, even though I'm sure it's technically legit.

Re:Fighting spam?

[Not_Wiggins]

I work for a major corporation and assist with the email policy.

For AOL, they required only two things from us, and we haven't run into problems:

1) Publish an SPF record (they were pushing it big-time). I'd recommend a loose policy that states "if it doesn't pass the SPF check, make your own decision" (which is the ?all option).

2) Establish a complaint/opt-out email box and process the messages that come from AOL.

Of course, there are vultures out there looking to make a buck by selling everyone a solution that is of questionable effectiveness.

We've resisted paying the "marketing tax" and haven't seen a drop-off in deliverability.
If more businesses refuse, then this trend will die off.
I hope it goes the same way as the "linux license" that a business could purchase from the SCO; let it be known to be tantamount to extortion! ;)

Re:Fighting spam?

[asamad]

Time to trade in for a newer model 8)

Re:Fighting spam?

[gbjbaanb]

I do that too - only I try the opt-opt website/email first, give them a week to get me off the list and then blacklist them if I receive further emails. Strangely, I've only had 1 instance of the website opt-out form work.

* for purposes of this discussion I do not include real, obvious spam in the opt-out - only 'legitimate' companies that I have had some sort of email relationship with.

Re:Fighting spam?

[Charcharodon]

Yeah right, more likely your company defaulted everyone in instead of out for all the junk mail. In my book that is called spam, and they were correct to label you as such.

Re:Fighting spam?

[tacocat]

They didn't. They can't. They have to verbally get the email address from the consumer as part of the verbal conversation of "Would you like our monthly newsletter?" Kind of difficult to hide something like that in a fine print. I suppose they could whisper...

More likely they don't default everyone in and more likely that they did exactly what they described because that is exactly what we saw happening.

More likely you aren't thinking of how users might behave.

Re:Fighting spam?

[Ucklak]

The problem with AOL is that once one person tags a domain as SPAM, the domain is flagged as SPAM for automatic settings. People who have AOL addresses that "want" the newsletter aren't able to get it if they have their spam setting to automatic.

The repurcussions of their actions is that they are ineligible for a free dinner with a value of $100 - and yes, this is an upscale restaurant.

Re:Fighting spam?

[Jay+L]

Of course, Goodmail can't guarantee that the *recipient* isn't filtering. And it doesn't blacklist anyone. It's just an accreditation scheme like DKIM, but at the per-message level instead of the per-domain level. It does three things, from what I can tell:

1. At the sender side, for those senders who are paying Goodmail, it adds a token to the e-mail that recipients can verify. This part could be great, if they open up a public way to validate that token (and it's in their interest to, I think). Spam filters like SpamAssassin could then score the e-mail differently. Either Goodmail is useless, or it's useful. If it's useless, recipients can ignore the token. If it's useful, recipients can decide to apply less filtering - or they can apply all the usual filters, and just (using SpamAssassin as an example) apply a negative point or two to Goodmail so it's less likely to get filtered.

2. At the recipient side for those recipients who are Goodmail "partners", it guarantees that your mail will bypass all other filters. This part is dubious. Will they regret becoming partners? Maybe, if people start sending spam that's signed by Goodmail. Can they get out of their partnership or change the terms? Dunno. Will the market sort this out? You bet. If Goodmail partners start delivering more spam than non-partners, people will switch to the non-partners.

2. Also at the recipient side for those recipients who are Goodmail "partners", it adds a pretty blue ribbon, etc. to the "chrome" of the e-mail. Yes, the chrome is unforgeable. No, users can't tell the difference between a blue ribbon in the chrome and a blue ribbon in the body. AOL tried this years ago with "Certified E-Mail", so you could tell when a message was REALLY from AOL. Did it stop phishing? No. This part is security theater.

Nobody gets blacklisted. Right now, ALL our mail is essentially second-class mail, subject to all sorts of filters. GoodMail creates a first-class tier that potentially bypasses all that if you pay for the "postage" (which is only 1/20th of a cent for non-profits). Again, the market will sort out whether or not that postage is useful. In fact, "postage" is probably the wrong word - it's more like "notarized" e-mail.

Re:Fighting spam?

[datlas]

Actually being Goodmail requires *fewer* complaints than even regular white listing. The point of Goodmail is NOT that the ISP will not blacklist you regardless of how many complaints you get -- exactly the opposite. If you get a lot of complaints you won't even qualify for CertifiedEmail: http://www.postmaster.aol.com/whitelist/certifiede mail.html : How is eligibility determined for participation in the CertifiedEmail Program? The CertifiedEmail program is open to qualified, accredited senders with a history of good sending behavior. These senders will be further accredited to make sure the sender's programs conform to CertifiedEmail acceptable use policies. Senders accepted into the Certified Email Program will maintain status in the program by keeping complaint rates below threshold across recipient mailbox providers. Violation of complaint thresholds will result in the sender being placed on probation or excluded from the CertifiedEmail Program.

Re:Fighting spam?

[Charcharodon]

Most business these days want an email address to send an invoice to, whether they be virtual, mail-order, or brick and morter, and it amazes me how often I end up getting junk mail from them anyway, even after I specifically request not to. This is why I have my personal email address and a secondary one. That way my main address stays nearly 100% junk mail free and the other well let's just say I get lot's of monthly specials from all those companies I've opted out from.

I say instead of the ISP auto-charging for emails they just include a "Bill them tab" on my web-email site, so if I click on it for yet another special offer, the sender gets charged six cents. A penny for the ISP/mail server and a nickel for me. I could pay my entire montly ISP service fee with all the crap that clogs up my box.

Re:Fighting spam?

[rolfwind]

It doesn't. From my personal reading of the situation, this will only encourage "official" spam that is whitelisted by companies that can afford to pay it. An oldie but a goodie:

Your activities advocates a

( ) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
(X) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
(X) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
(X) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(X) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
(X) Sending email should be free
(X) Why should we have to trust you and your servers?
(X) Incompatiblity with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you and/or your company:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
(X) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Fighting spam?

[IngramJames]

AOL... I do that too

Surely you meant to type:

"Me too!"

Ahem. Thank you, thank you. The old jokes are.. well.. old.

Re:Fighting spam?

[PopeRatzo]

A lot of AOL users tag messages as SPAM when they don't want to see them anymore. It's easier than opting-out and so they abuse the process. They have no repercussions to their actions.

"No repercussions"?? What kind of "repercussions" should we get for calling junk mail "spam"? Maybe have to pay a penalty? Should we lose our internet access for a few days? Why not jailtime?

I'm not an AOL user, but I only give "spamcatcher" addresses to any company I think is going to send me junk. I commonly will tag their stuff as spam when I'm tired of getting it.

Funny, I NEVER opt in to get any "special offers" but somehow, the "special offers" come anyway. If I tag them as spam, that's exactly because they are, indeed spam.

I don't trust the parent and grandparents who are so righteously complaining about how customers have all "opted in" for their junk mail. I've had way too many occasions where I've gotten junk that I've supposedly "requested", when what I really did was click a link that said nothing about me getting daily "special offers" that are just junk mail. Just because I want to pay a bill or register an application online does not mean I want to get sent advertisements. I'm betting if these jokers actually said what kind of email they're sending people, most of us would immediately recognize it as irritating spam.

I'd like a universal opt-out for all email advertisement. End of story. But this will never be offered because you know that millions of people will want to permanently block advertisement. It's the same as the famous "Do Not Call" list that stops me from getting bothersome phone spam, except that Banks, Credit Card Companies, Insurance Companies, Health Care Companies, Charities, and a hundred other categories are NOT FRIGGIN' COVERED by the "Do Not Call" list. Oh yeah, and PHONE COMPANIES, of course. Phone companies would NEVER make an irritating sales call at dinnertime, right?

If you're going to choose to try to squeeze out that extra profit by bothering people, then don't complain when you are universally loathed. And if you're in the email advertising business, then you ought to find a less ugly way to make money. Maybe breeding animals for medical experiments or something.

Re:Fighting spam?

What a stupid entity you must be. People most likely report your email as SPAM because they consider it to be exactly that. You must be one of the many hucksters that manage to sneak in "opt in" check boxes that are automatically filled in "checked".

That is NOT OPT IN. imNOTSOho you should be blocked and also incarcerated for abuse of the human race.

Find a hole and .....

The world is Disgusted with this "rationalization" approach to unwarranted spam harrassment.

Re:Fighting spam?

It's an oldie, but no longer a goodie. It's a fucking tired worn-out schtick and thus guaranteed to get a +5 Insightful mod.

Re:Fighting spam?

my book that is called spam, and they were correct to label you as such.

I subscribe to a signature based anti-spam solution, so I get to see what even "reliable" users label as spam. A LOT of my opt in newsletters wind up being filtered as SPAM, because too many users either define "Mail I don't want to read" as spam or are too lazy to unsubscribe and just label it as spam instead.

Next time don't be so quick to jump to conclusions

Re:Fighting spam?

Shamelessly copied and pasted from http://digg.com/tech_news/Top_5_ISP_s_To_Charge_Gu aranteed_Delivery_Fee_For_Emails Wow, never thought I'd see Digg comments duplicated on Slashdot and not visa versa.

Re:Fighting spam?

Hang on. It is pretty common procedure for people on AOL to click the "Spam" button to unsubscribe from legitimate sources.

I hate spam with a passion, but not everyone accused of being a spammer is a spammer.

Re:Fighting spam?

[falconwolf]

How does it fight spam if the spammer can ask to be whitelisted, or if the spammer can pose as or actually be a business operating for more than a year? Lame.

And why should I have to pay or apply to be whitelisted? As far I can think of this is just another money grab.

Falcon

Re:Fighting spam?

[cheater512]

I'd make a small fortune. Screw the net bill, I'm thinking of what kind of house I'd be able to buy.....

Re:Fighting spam?

[tacocat]

I was thinking of the repercussion as something you would experience if you were using a bayesian filter.

If you tag indiscriminantly everything that you don't want delivered for any reason, they you will start getting more false positives because it's an adaptive AI process. There is a little care and feeding of the whole filtering process you have to pay attention to.

I don't believe that AOL is going to use something like this. If you tag email as spam, AOL takes it upon themselves to send you a warning email and if you don't opt them out they black list you (eventually). What would be a repercussion to the consumer is the eventual increase in false positives -- giving the consumer a repercussion to their indiscriminant feedbacks. No one is made aware that there is an effect.

And just to clarify -- I'm not talking here about the obviously unsolicited email, but the email that is solicited but no longer wanted. The consumer took a positive action to get the email and now no longer wants it. What I am definitely not talking about here is the email that you never asked for, or where opted-in by means of fine print that few can even read at light grey and 6pt font.

Re:Fighting spam?

A lot of AOL users tag messages as SPAM when they don't want to see them anymore ... I see it in my house where I run my own mail server and my own spam filter.

I wonder how come you can send e-mail to AOL users at all. I run my own mail server, and for the past year or so, no amount of attempting to find the right person to talk to at AOL, compuserve or verizon.net has succeeded in getting my e-mail through to their customers (and it's always completely benign personal e-mail, not business). As far as I have been able to tell, it's because each one of them has decided that my IP address is a dial-up IP address (it isn't), and they unconditionally reject all e-mails that originate from dial-up IP addresses. Yes, I could force all my mail through the e-mail application service provider foisted on me by my ISP, but why should I be forced to do that (and thereby allow a third party to store and make use of the contents of my private e-mails for whatever purposes they want)?

Or I could pay extra to send all e-mail through some other e-mail service provider; but again, I wouldn't trust any of them not to use the contents of the e-mails somehow to commercial advantage. Good intentions and promises not to make use of the ability to use e-mails that pass through their system to advantage are all very well, but they tend to become null and void once money or government power become involved.

Re:Fighting spam?

[It'sYerMam]

"No repercussions"?? What kind of "repercussions" should we get for calling junk mail "spam"?

The GP was talking about people who flag things as spam that they asked to receive so talk of repercussions was legitimate.

Re:Fighting spam?

No, the problem with the no consequences marking as spam is that people are idiots.

I've had several companies I've worked for get marked as spam. People would mark invoices or order confirmations or support responses as spam. If you send an email to billing or support and they respond to it, it isn't spam by any definition. Getting these servers and email addresses flagged as spammers shuts all of aol off from support.

If you are a large company, you will eventually get enough of these idiots to flag you that you'll get blacklisted.

Re:Fighting spam?

[Jasin+Natael]

I don't trust the parent and grandparents who are so righteously complaining about how customers have all "opted in" for their junk mail.

Your personal incredulity is not a rebuttal. I actually developed and run a site where each user pays us close to two thousand US dollars per year to receive our email updates, and some users on AOL still mark our messages as SPAM. About every six months or so, delivery to AOL email just gets blocked wholesale, and they aren't the friendliest people to deal with.

And we give the users many ways to opt in or out as they choose. They can even call or email customer service and we have a girl who will set up their account preferences for them -- so that each specific type of message, product category, or messages related to certain businesses, are excluded. And they still mark it as SPAM. I'm not sure if it's a penny-per-four emails problem, but it is certainly a problem.

Re:Fighting spam?

[Leuf]

She's being obstinant and dumb. Well, at least your last words were modded +5 insightful. Some people live far longer but only get modded funny.

Re:Fighting spam?

[falconwolf]

I say instead of the ISP auto-charging for emails they just include a "Bill them tab" on my web-email site, so if I click on it for yet another special offer, the sender gets charged six cents. A penny for the ISP/mail server and a nickel for me. I could pay my entire montly ISP service fee with all the crap that clogs up my box.

This woud of paid my isp years ago, back when I got a lot of spam, but I infrequently get more than 10 emails a day. My isp has both whitelists and blacklists. Everyone in your online email adddress book is on the whitelist and email from them go to your inbox. Users can add email from specific addies to their blacklist. Then all other email is placed in a "suspicious" folder.

Falcon

Re:Fighting spam?

[ryanov]

No results found for obstinant.
Did you mean obstinate (in dictionary) or Abstinent (in encyclopedia)?

Re:Fighting spam?

[martin-boundary]

Sounds like your company is a spammer without realizing it.

IF your subscribers have opted in, and they think what they are getting is spam, then perhaps you should think about the fact that MAYBE they are right? Just because YOU think that what you send isn't spam doesn't mean it really isn't for OTHERS.

In any case, paying some company like Goodmail to open doors for you isn't a smart thing to do. The smart thing to do is to PROMINENTLY place instructions on how to OPT OUT inside your messages. That way, people won't be tempted to tell AOL that you're a spammer because they can opt out themselves. And if you're REALLY smart, you'll add a text box so that they can give feedback why they think it's spam, so that you can fix the bits that need fixing.

Re:Fighting spam?

[Tim+C]

While I sympathise with your rant, the OP was talking about AOL users specifically and deliberately opting to receive mail, then when they later decide that they no longer want it, tagging it as spam rather than cancelling their subscription.

He's not talking about or defending spammers or companies that bury opt-in check-boxes way down a registration page (and I've seen them a good screen or more below the submit button). He's talking about lazy, idiot users misusing the spam controls.

Re:Fighting spam?

[martin-boundary]

People's interests change over time. Opt in may be valid for the very first newsletter they receive, but once users have seen an example of what the newsletter is like, they may or may not change their mind. It's unreasonable to expect that a newsletter is wanted for all future time. Also if you cram a lot of different types of information in a newsletter, the risk that some of it is unwanted will be higher.

Here are some things you can try, if you're _really_ interested in helping users choose if they want your newsletter or not.

1) Put an opt out procedure prominently in each and every one of your emails (ie first thing users see at the top).

2) Make the newsletter opt-in at the bottom of the message: By default, you stop sending the newsletter unless the user opts in at the bottom, which they usually would only look at if they've read the message. Tell them if they do nothing, they won't receive another newsletter.

3) Have a javascript popup message which lets people opt out when they click on the message to view it. (this depends on what sort of mail reading software they use, so it's not a great universal solution, but it does target the kind of clueless people who don't know much about email).

The trick is to make the opt out easier than marking the message as spam for most ordinary people.

Re:Fighting spam?

[martin-boundary]

They pay two thousand dollars a year? And they have some random AOL email address? That seems... hard to believe.

Re:Fighting spam?

[WilliamSChips]

I think we should kill all spammers in the mots painful method imaginable.

Re:Fighting spam?

[techno-vampire]

Spam is unsolicited commercial email. If you opt in to a mailing list, you have agreed to receive mail from that list. If you don't like it, opt out; if they don't take you off the list in a reasonable length of time, then, and only then, they're spamming you. The OP specified that the default is opt out, which means that anybody receiving those emails went out of their way to ask for them. If they don't want to receive them any more they should just opt out, but complaining that they're being spammed is easier and doesn't require them to think.

Re:Fighting spam?

[Jasin+Natael]

Exotic car dealers. They are who they are. ;)

Re:Fighting spam?

[MightyYar]

So you're the guy :) I've stopped sending newsletters to AOL addresses altogether because it is more trouble than it is worth. Even Florida Hurricane alerts were being marked as SPAM on AOL, so what hope does a commercial newsletter have? On the other hand, I don't blame you - it's usually a bad idea to respond to something that you don't remember soliciting... you'd just be confirming a live address if it is a true spammer.

Re:Fighting spam?

[caffeine_high]

We get this a lot, people just mark a legitimate message as spam because it is easier. This is particularly common with with aol users.

The best option I have found is to include a unique identifier in the message and setup a 'feed back loop' with aol. They send you a notification when someone marks a message from your domain as spam. We remove them from our system and then contact them to explain why their lazy actions effect other aol users. Usually they are shocked that they have been caught and vow never to do it again. They often also ask to get included in the system again.

Re:Fighting spam?

that sucks. If you're using exim or qmail, you can set up a redirect gateway to send aol.com email messages through your isp's smtp server. If you're using sendmail, let me know your ip address, I want to root your box.

Re:Fighting spam?

[rolfwind]

Yup, I forgot to tribute this iteration of it, thanks for pointing it out:)

Re:Fighting spam?

[MightyYar]

You aren't the typical AOL user... Put up a real estate related site with a sign-up form... watch the contact info fly in. I don't know what it is about that demographic, but they sign up for EVERYTHING. Of course, that doesn't stop them from using the SPAM button as "unsubscribe". I'm not going to complain, though, because you'd be nuts to click on an "unsubscribe" link for something that you don't remember signing up for.

Re:Fighting spam?

[mccoma]

I guess it will be abstinent after she sees the obstinate and dumb remark

Re:Fighting spam?

[hey+hey+hey]

this part could be great, if they open up a public way to validate that token

When I looked at Goodmail about a year ago, it was just an implementation of Domain Keys, but they owned all the Public/Private keys (your mail app would generate the hash, then it would need to contact the Goodmail servers to get the encrypted hash). Assuming this hasn't changed (and I'm not interested enough to crawl through their site to find out), then all the info you need to do a validation is publicly available.

Re:Fighting spam?

[Nazlfrag]

I hate to say it, how can anyone differentiate FREE DINNER as any different to FREE IPOD or FREE HOLIDAY or any of the other thousands of FREE xxx spam that people receive? Perhaps you should ditch the contest and just offer useful information so as not to get tagged spam.

Re:Fighting spam?

[Zonekeeper]

I think you meant "ME 2!!!!1111LOL"

Re:Fighting spam?

[Ucklak]

Being that the mailing doesn't have FREE anywhere in it, that pretty much sums it up.

The free dinner is only on the web form. The mailings are informative pieces about wines, steaks, deserts, and events regarding such. Users agree to the mailings once signing up.

Re:Fighting spam?

[Raideen]

I see that problem with AOL fairly frequently when our clients wonder why they can't e-mail AOL users anymore. I confirm that out clients don't have open relays, do have proper reverse DNS, and that their mail server is advertising itself using a FQDN that resolves to its real IP address. Then I call AOL and get them taken off of the blacklist and fill-out the white list and feedback loop forms. The problem has never returned. I've done that more than half a dozen times.

On a related note, I've witnessed people using the spam button (or equivalent in other programs) like they were just hitting delete. I've had to explain that if they don't want to see e-mail that they subscribed for, they should unsubscribe. Tagging non-spam as spam increases false positives, which is usually worse than a few spam messages leaking through.

Re:Fighting spam?

This list has been around forever you asshat.

Re:Fighting spam?

"If you are a large company, you will eventually get enough of these idiots to flag you that you'll get blacklisted."

Yes. That's an issue I've never been addressed by "blacklisters". I recently worked for a corporate client marked as spam. The story is that five times the main corporate MTA had been marked as spam by somebody. I can believe it is possible for it to have sent spam (probably due to virus within the network). But surely five times when you send mail in the thousands diary makes you not a "spammer".

Re:Fighting spam?

[darkpixel2k]

I'm going to setup a domain called no-freakin-email-gets-through.com which will block their "Guaranteed Delivery".
Sounds like a good opportunity for a lawsuit.

Re:Fighting spam?

[Dan541]

It's the same as the famous "Do Not Call" list that stops me from getting bothersome phone spam, except that Banks, Credit Card Companies, Insurance Companies, Health Care Companies, Charities, and a hundred other categories are NOT FRIGGIN' COVERED by the "Do Not Call" list. We now have the same thing in Australia. Whats the point in exemptions i hang up on them all what good is it doing denying me the right to block morons from calling me!

Re:Fighting spam?

[Charcharodon]

Next time don't be so quick to jump to conclusions

Exactly which website do you think you are on? That's rich, no jumping to conclusions, hahahahahaahhaahahaha.

My bad I didn't think there was anyone out there that actually likes getting spam. It's not like the guys that sign up for as much junk snail mail as possible and use it to heat there home. I can't possibly think of one single newsletter that isn't just bullshit adds that has ever had a problem getting through to my inbox.

But seriously if companies weren't such a bunch of gits with newsletters and promotional material and made it retarded obvious how to unsubscribe (As in the very first line of the newsletter should read click here to unsubscribe.), and then actually unsubscribe you in a prompt manner, then maybe then your precious newsletters wouldn't get blocked...but alas they don't and probably never will, so boo hoo you won't get all those special offers you so live for.

Re:Fighting spam?

[gevantry]

If I don't want your mail, I just flag it as spam and my built-in junk filter forever after will send your mail marked read to my Junk folder, which automatically erases its contents after 48 hours. If for some reason I decide that I want your mail after all, I rescue it from the Junk folder. I don't need AOL or any ISP protecting me from you.

Usually, I will use the opt-out link at the bottom of your message (if I see that you are legitimate) and ask you to take me off your list. If you're an honest business, you'll do that.

Re:Fighting spam?

[Jay+L]

Ah, but you still have to know the public key, and their servers might only allow whitelisted IPs to check the hash.

Their site's all marketing stuff, no real deep technical info. They're clearly not thinking about getting small-time ISPs on board right now. But Dave Crocker, Martin Hellman and Avi Rubin are all consulting for them, so you gotta think someone will bring it up in a meeting...

Re:Fighting spam?

[JohnBailey]

Its not just the lazy ones. I've seen requests to be unsubscribed from a non advertising, opt in only email group where the unsubscribe instructions are very simple and included at the end of every email.

Re:Fighting spam?

[forgotten_my_nick]

> It's easier than opting-out and so they abuse the process.

They are not abusing the process the newsletter does not allow you unsubscribe easy so the user takes the easiest method.

For example I'm on Dr Dobbs Mailing list. I don't read them anymore as its mostly kack so I hit unsubscribe. Yet I still get them. I've tried a number of times to unsubscribe without any luck. So I just created a mail rule to move them directly to the trash.

I would of marked it as spam except I orginally signed up for it. But anyone else sends me a newsletter without asking for it first gets marked as spam. I don't even bother going through the hoops.

so don't blame the consumer for the business model failings.

Re:Fighting spam?

[Tony+Hoyle]

If they're still sending you the email after you have specifically unsubscribed it *is* spam. Treat it as such, and report it using whatver system you have up for dealing with it.

I've seen quite large companies do this. Once they're on spamcop and razor they tend to get the hint though.

Re:Fighting spam?

[Tony+Hoyle]

If goodmail just allow anyone to pay to have the mail whitelisted they're very likely to become a good spam source. If that happens then it's a simple matter of a 'signed with goodmail -> trash/spamcop/bayes' rule.

It's been tried before.. remember that company that put haikus in 'good' emails - that became a near 100% reliable spam source *very* quickly. They're at +5 on my spamassassin rules and have been almost since they came out.. and I've never had a false positive from that rule.

Re:Fighting spam?

[tacocat]

Ten years ago I would agree. But now I don't.

The confirmation of an email address isn't valuable anymore. It's too easy to get real addresses en masse without anyone confirming the address. There once was a time when people would pay big money for lists of confirmed email addresses as a list for spamming. I don't know that there is much value in this anymore.

The process of sending spam is basically Fire and Forget so there's no added value to having a confirmation to the address. I have many records where people try to send email to random names or even characters on my domain and none of them could have ever been confirmed. And they keep coming. Add to that the back-scatter spam and you've no need for addresses being confirmed.

Go ahead, confirm your address. The spammers already have it and they don't really care if it's confirmed or not. They'll keep using it for months to come. And at least it gives the legitimate mailings a chance to play honest and opt you out without getting punched in the nose.

For legitimate purposes, if the sender provides and opt-out mechanism then it's the consumers responsiblity to use it and the marketers responsibility to honor it without qualification. But if you don't provide this mechanism then you should be labelled spam and prosecuted.

Re:Fighting spam?

You're missing the whole point of Goodmail.

Essentially, these ISPs are defining spam as "anything we didn't get paid for".

IOW - As long as you pay them, you can send whatever you want to those recipients. Just like in the real world with the US Postal Service.

On the flipside, if you *don't* pay them - "nice e-mail you have there, be a shame if anything happened to it" - don't expect your e-mail to go through.

Re:Fighting spam?

[Sparr0]

AOL email addresses aren't allowed to be used in our monthly drawing for a free product(meal) ... the newsletter we send out also gets tagged as SPAM So you get people to sign up for a drawing, and start sending them a newsletter? Hello spam.

Re:Fighting spam?

[DilbertLand]

I think informative is a relative term. Just because the business believes it is informative doesn't mean the recipient does. I've opted in for a few newsletters before expecting that they would send me something once or twice a month only to be barraged with 4-5 e-mails a week. To me that's spam. Then, to make it worse, it often takes multiple attempts to get off their list. Somebody saying it's ok to send them stuff is not same a saying "please feel free to spam me all you want", although many businesses seem to think that.

Re:Fighting spam?

[Belacgod]

If the spammer isn't going to make 1/4 cents per email sent, it's not worth it to sign up. This may lead to more targeted spam emails, as the cost of sending each email becomes nonzero. (Of course, 1/4 of a cent is miniscule, so the effect may be practically nonexistent too).

Re:Fighting spam?

[Bassman59]

3) Have a javascript popup message which lets people opt out when they click on the message to view it. (this depends on what sort of mail reading software they use, so it's not a great universal solution, but it does target the kind of clueless people who don't know much about email). Oh, great .. javascript in e-mail. I've got that crap disabled.

Re:Fighting spam?

[PopeRatzo]

I understand that AOL can be stupid. I just believe that all emailed advertisement is evil. Whether or not my assent to receive it was buried in 14 pages of some user agreement I was supposed to read before joining some online forum.

Re:Fighting spam?

[tacocat]

Forward your email through your ISP or pay for a static IP address that isn't in the DHCP subnet

Re:Fighting spam?

[GWBasic]

No, you are really wrong. The point behind guaranteed delivery is that the ISP will not blacklist your domain/ip address regardless of how many spam reports they receive. This is the whole point behind goodmail. I just spend hours in a meeting discussing this very topic. Our company was blacklisted by AOL because too many people reported our email as spam (it's all mail that they opted in for -- default is out). The result was all of AOL delivery was blacklisted. Eventually we got it fixed, but the next tier to the solution is to pay GoodMail $$ to effectively certify our domains as legitimate senders and they pay AOL a portion of their proceeds to guarantee permanent whitelist status no matter what the users do. The only criteria that AOL has leveled against us is if someone tags our email as spam, we have to remove them from the mailing list. But I don't know if this will change or not with the introduction of GoodMail into our mail delivery system.

You should remove ANYONE from your mailing list who says you're SPAM. It's important to remember that the reciever, not the sender, defines what SPAM is.

I recieve SPAM from many legitimate companies that think that I opted in to their lists. For example, Macromedia continues to SPAM my work email, even though I've clicked on their unsubscribe list. (Their emails are legitimate marketing that I don't care to read.) Honda asked for my email when I bought my car, without any indication of an "opt-in" list, and continues to SPAM me even though I've clicked on un-subscribe many times. The company that handles my student loans sends me a SPAM about once a month, even though my preferences are to not recieve marketing emails.

Thus, even though Marcromedia, Honda, and my student loan company think that they're not sending SPAM, because I've directly expressed that their marketing emails are unwanted, they are SPAMMING me.

Thus, when a customer marks you as SPAM, it means that you're sending SPAM, because in this case, the customer is always right.

finally

[goathens]

while charging for email would suck, i think it is one of the few ways that would actually stop spam: making it too expensive to send a lot of email.

of course, having not RTFA, i wouldn't say how well this would work for non-US countries being certified... this could turn out to be more like the current net neutrality issue (pay the isps money or your traffic/email won't go in the "good pipes"/"certified")

Re:finally

[Harmonious+Botch]

I RTFA. It was a quarter of a cent each. As parent says, that makes it too expensive to spam. But it is a not even a blip on my budget to send all my email ( 50+/- per month )

Re:finally

[abertoll]

Yes, but I'm not sure it's expensive enough at 1/4 cent. That kind of price sort of sounds like they're hoping the spammers use them so they can make a lot of money. Not that they're going to help prevent spam.

Re:finally

[mikelieman]

You're not getting junkmail in your reality-based mailbox, then?

This has NOTHING to do with stopping Spam.

This is all about generating revenue from Spam.

Re:finally

[MadAhab]

Wrong.

It would definitely bring e-mail communications out of reach for thousands - millions - of legitimate organizations. But spammers spam because their communications are profitable.

So the only thing this would do is raise overhead costs for organizations with non-money-making email.

Re:finally

[tacocat]

Give this man a cigar.

Not only will it generate revenue for delivering spam, but it will also mean the end of non-cost based mail delivery. Think mailing lists and personal domain servers.

Re:finally

I maintain a listserv with traffic of about 1000-1200 messages a month. That's a significant "blip" in my budget, which is running it out of pocket as a hobby.

Re:finally

[timeOday]

It was a quarter of a cent each. As parent says, that makes it too expensive to spam. But it is a not even a blip on my budget to send all my email

I wouldn't mind being on the receiving end of $0.0025 x billions per month though!

Re:finally

[Dogtanian]

I'm not saying that this is wrong:

It would definitely bring e-mail communications out of reach for thousands - millions - of legitimate organizations. Nor am I saying that the plan as a whole is necessarily a good idea. However, *this* point is flawed:

But spammers spam because their communications are profitable. The reason they're profitable with such a low return rate is (as has been said before) that the cost of each email is tiny. Even a nominal fraction-of-a-cent charge upsets the balance here.

Re:finally

[smittyoneeach]

I don't mind paying a nominal fee for email for projects I care about. Perhaps there is a project-to-be/service of Sourceforge that does some back-end aggregation of email into a single, fat, (navigable?) digest for various arbitrary mailing lists.
Either such a thing could be signed to pass as good traffic, or the cost/value could be made such that all but the biggest Scrooges wouldn't mind a nominal fee.
Note that I did not use the letters X, M, and L in describing the deliverable.
Possible Summer of Code project for the energetic whipper-snapper.

Re:finally

As a medium-size business owner, I would never use this. I'd rather let the customers get pissed off because they aren't receiving our emails and let them fight it out with their ISP than pay for a service again that I'm already paying for (email access).

Re:finally

[IngramJames]

I RTFA. It was a quarter of a cent each. As parent says, that makes it too expensive to spam. But it is a not even a blip on my budget to send all my email ( 50+/- per month )

How about for a genuine startup company with an amazing business plan and a website which becomes popular overnight in (say) Zimbabwe right now?

Don't get me wrong; I like the idea of certifying people who follow procedures laid down by Right Thinking People (i.e. me) and allowing their emails to be delivered. I don't like the idea that USD0.0025 (or even USD 0.0001) per email is affordable for everyone who acts correctly worldwide, and I don't see how you can "guarantee delivery" when any ISP is at liberty to create a blacklist based on the people on the whitelist.

It sounds like a bias towards companies who can afford to pay a "tiny" overhead. I need to think about it more.

Re:finally

[cheater512]

Fact is that many spammers can afford 1/4 cent per email. They just need to be a bit more selective about their address lists.

It also kills too many innocent bystanders. Non-profits, legit mailing lists, etc...

Re:finally

[Dogtanian]

Fact is that many spammers can afford 1/4 cent per email. They just need to be a bit more selective about their address lists. Yes, but on what basis should they filter their lists?

Anyway, whilst spam may generally be defined as any unsolicited email, I believe the use of the term (and the implied problem) here relates to largely untargeted bulk spam. Anything more than trivial list filtering really alters the nature of the game.

It also kills too many innocent bystanders. Non-profits, legit mailing lists, etc... Yes, but the OP already said that, and I made clear in my reply that this wasn't the part I disagreed with.

Re:finally

[trawg]

So if you're a business operating in the US that has to deal with any of these ISPs onine, you just pass on your extra costs to the customers of these ISPs. The cool thing about doing business based on email address is its easy for you to find out who you should be charging more!

This move by the ISPs is just a lame, cheap, extortionist way of trying to produce some more revenue. If you're on one of these ISPs, vote with your feet.

Re:finally

[cheater512]

Fact is that many spammers can afford 1/4 cent per email. They just need to be a bit more selective about their address lists. Yes, but on what basis should they filter their lists? You misunderstood me. I meant the spammers would just send emails to the addresses which look the most promising instead of carpet bombing every one they find.

Re:finally

[Jay+L]

Taco, why will Goodmail spell the end of non-cost-based delivery?

Re:finally

[westlake]

I would never use this. I'd rather let the customers get pissed off because they aren't receiving our emails and let them fight it out with their ISP

Chances are good your emails won't be missed and that all your customers will see is an in-box that is a little less cluttered than before. Your competitors are never more than one click away on the web.

Re:finally

[turbidostato]

"The reason they're profitable with such a low return rate is (as has been said before) that the cost of each email is tiny"

And the reason why their email costs are tiny is because they don't use their own servers for the most part. Obviously paying per email isn't going to increase their costs anyway.

The real point (again) is making money out of things we gave for granted till yesterday. And we took them for granted till yesterday because it is the way it is supoused to be: it is the mixture of the greed of some companies to make money out of unethical things mixed with the stupidity of some people who won't see the real consecuencies of their elections. I know it only too good: I have my own domain and my own mail server on my DSL line from home; I even have a fixed IP. To the best of my knowledge spam *never* got out from my server; still the fact that my IP is marked as dynamic/residential on some blacklists makes my e-mails rejected on some servers and somehow it's *my* fault and somehow the means to reach them goes by *me* paying money to some third party company on top of the money I'm already paying to my ISP both for my DSL line and my fixed IP.

Stupid if not pathetic.

Re:finally

Remember this is Verizon! It is not $0.0025 but $0.25 per message.

Re:finally

[sjaaklaan.com]

Since it is now free to send as much email as you wish, there is no regulation. Compare it to flyers in your real (no email) mailbox. Why is this not flooded? because it costs money to create the flyers and send it. It is too expensive to send 100.000.000 letters to everyone. By using email is it free. I think therefore that having some (very limited) cost for external email would not be so bad. Even if it would cost only 1 cent per email, spam would self-regulate.

Re:finally

[Dogtanian]

You misunderstood me. I meant the spammers would just send emails to the addresses which look the most promising instead of carpet bombing every one they find. No, I didn't misunderstand you. I meant how would they know which ones are the most promising?

Re:finally

[cheater512]

Obviously you havent run your own mail server.

They often just aim for catch all addresses or dictionary attacks searching for valid addresses.
That would cease.

Crawling the net for addresses and buying addresses from websites would continue.

Re:finally

[Tony+Hoyle]

So would all other email. I send lots of emails.. I don't send letters any more. Why? Too expensive.

I have a mailing list with 1000 people on it and peak around 20 messages a day. This should cost me $5000 dollars a day to run? I'd shut it down. And so would everyone else with a list.

I shudder to think what the linux kernel mailing list would cost to run on your scheme. Probably more than redhat make in a year.

Re:finally

[PunkXRock]

Everyone still gets a bit of junk snail mail, sure. But for every 1 piece of junk snail mail, there are tens or hundreds of pieces of legitimate mail. Direct mailing has significant costs (especially when you're talking about blasting tens of thousands of pieces around) that prevent it from being very cost-effective. This is A Good Thing, as it keeps the amount of junk snail mail very low.

Meanwhile, with email, it's the exact opposite. Mail is so cheap to send that spammers can afford to blast millions of messages out with little worry of losing money. So whereas snail mail might have a 10:1 or 100:1 snail mail:junk mail ration, email looks more like 1:10 or 1:100.

As for the particular scheme, I don't know if it would work or not. I do know that making it cost more to send mail may well be the best solution to the problem of spam, as it will greatly increase the costs of sending mail, without (necessarily) affecting most average users. Everyone wants free email, and everyone wants no spam, but it's starting to look like the two may be mutually exclusive. Email can still be cheap, however, and I'd rather pay a couple bucks a month to get rid of spam.

Breach of contract

[KiloByte]

Well, assuming an user pays for the e-mail account, isn't this a breach of contract and false advertising? By "providing an e-mail account", it can be assumed no real mail is ever meant to be knowingly dropped.

Declaring those who haven't paid the protection racket as not "real mail" is not really something that I would envision as something which would pass a non-bribed judge.

Re:Breach of contract

[bwd234]

"Well, assuming an user pays for the e-mail account, isn't this a breach of contract and false advertising? By "providing an e-mail account", it can be assumed no real mail is ever meant to be knowingly dropped.

Declaring those who haven't paid the protection racket as not "real mail" is not really something that I would envision as something which would pass a non-bribed judge."

Guess what, this is exactly how the USPS works. They are not responsible for making sure the mail is delivered unless you pay more for it, like certified mail, etc.
How do I know? I was told this in so many words when I had mail lost and complained to the Post Office about it.
It was basically, "if you want to make sure it gets there, have it insured, otherwise..."

Yeah, nice little racket the USPS has too!

Re:Breach of contract

[asamad]

Slightly different analogy, you are already paying for you packets to make it to the internet, why should you have to pay again ?

Re:Breach of contract

[codegen]

I have not read your terms of service, but I can *almost* guarantee there
is a clause that specifies that the ISP can modify the terms at any time
by posting them on the website and that you agreed to it.

Re:Breach of contract

[cheater512]

When your talking about spam, whats the bet that all the non-bribed judges disappear?

Re:Breach of contract

[ryanov]

You already paid for stamps too -- why should you have to pay again for insurance?

Re:Breach of contract

[Midnight+Thunder]

Declaring those who haven't paid the protection racket as not "real mail" is not really something that I would envision as something which would pass a non-bribed judge.

It should also be noted that high level spammers usually make enough to more than cover costs anyhow. A small business is would love to in such a position, but usually they are trying to control every expense. Having to pay to have their e-mail delivered, when they didn't have to before is not welcome news, but it would just end up being put down to the 'price of doing business'.

Let's rate the ISP's

Comcast - EVIL
Cox - not very evil yet
Time Warner - The incarnation of Evil
Verizon - Pure evil

They didn't say who the other three are, but I'll guess here
AOL - Strange evil
BellSouth - Pure Evil
Mediacom - Incompetent Evil

Re:Let's rate the ISP's

[Checkmait]

Wait a second, but didn't Microsoft buy evil from the devil? So wouldn't being evil be a civil offense or something like that?

Re:Let's rate the ISP's

[HouseArrest420]

No matter what either of the 2 providers tell you, at least on the East Coast, Comcast owns Time Warner. Literally and in the same way as Sprint = Nextel, not in that gamer tongue as in, "I pwned you f001!"

Re:Let's rate the ISP's

[jpetts]

Cox - not very evil yet

You can be "not very evil": the bit is either set or clear...

Re:Let's rate the ISP's

[Zantetsuken]

Its more of an analogue analogy - its not so much black and white/digital, but because pretty much everything can be seen as evil (cute little bunny rabbits that hand out millions of $$$ for no reason? Theres something evil about that rabbit, just not as much as Nazi persecution of Jews). So since everything is evil, its really a choice of which is the lesser evil...

Re:Let's rate the ISP's

[servognome]

cute little bunny rabbits that hand out millions of $$$ for no reason? Theres something evil about that rabbit

Damn bunnies are causing massive inflation, I can no longer afford a pack of soda on my salary :( EVIL I TELL YA

Re:Let's rate the ISP's

[Phroggy]

You forgot that BellSouth is now part of "the new AT&T", which is much more evil than BellSouth used to be.

Re:Let's rate the ISP's

[symbolic]

Pardon my ignorance, but why is Comcast evil?

Re:Let's rate the ISP's

Easy: Comcast Controversies

Some stuff from that:
Comcast spends millions of dollars annually on government relationships.[6][7] Regularly Comcast employs the spouses, sons and daughters of influential mayors, councilmen, commissioners, and other officials to assure its continued local monopoly and preferred market allocations, many of which have been questioned as unethical.[8][9]

Comcast's monopoly on cable television has historically been enforced by local governments, Comcast maintains over 6000 such defacto monopolies.

....

Re:Let's rate the ISP's

We use the evil byte around here, so there are 254 shades of 'grey evil.' Handy for stuff like differentiating between Microsoft and Sony.

Not that I like spam but....

[ralphart]

This is pretty freaking outrageous.

If there's any way to organize and refuse to relay mail from any of these greedy self-appointed guardians, I'd certainly be interested. Blacklisting all mail out of their domains would probably be extremely educational for them.

Good for the goose...good for the gander.

Re:Not that I like spam but....

[tacocat]

So you're proposing we blacklist AOL, TimeWarner, ComCast...

I'm all for it. But if they don't blacklist each other there's not much affect this is going to have.

Read up on the early history of Radio. It used to be free to broadcast. Now it's really expensive. Soon the only web pages and mailing activities will be those that are sanctioned by the key masters.

Pure Capitalism is self destructive. Moral Capitalism is not.

Re:Not that I like spam but....

[BeerCat]

So you're proposing we blacklist AOL, TimeWarner, ComCast...

I'm all for it. But if they don't blacklist each other there's not much affect this is going to have.

It will create a "them" and "us" style internet. Except that AOL, Time Warner and so on have loads of cash, so will whitelist each other and become the self styled "fair and balanced" ISPs, while everyone else will be part of the "if you're not with us, you're against us", and hence AOL et al will blacklist those not in their circle of friends.

I think this would be an unintended consequence.

recipe for disaster?

[jb.cancer]

apart from the initial shock (face it, evryone wants to plug the tube that is the internet), won't this generate more unwanted e-mail traffic? think of all the people who would now send >1 copies of each of their mails just to increase the chances of delivery.

of course it's all assuming that the real intention is not 'end-of-free-emails'(which cud be quite naive)

Genius

[jswigart]

Real smart. Fight the symptom not the problem. Spammers should have to pay for all the time they waste of every single person they send their trash to, and all the bandwidth it consumes. It blows my mind that this shit isn't considered as big of a problem as it needs to be with lawmakers.

Re:Genius

Spammers are the ones being made to pay. They are paying to make sure their spam makes it through your spam filter.

Re:Genius

[trolltalk.com]

"It blows my mind that this shit isn't considered as big of a problem as it needs to be with lawmakers."

Why should you be surprised? Remember, politicians exempted themselves from the "Do-not-call" list. Self-interest before your interests == business as usual.

Re:Genius

"It blows my mind that this shit isn't considered as big of a problem as it needs to be with lawmakers."

I must be doing something wrong. Despite having 8 very active e-mail addresses I get very little spam. Occasionally (less than twice a year) there's a flurry where I get a few each day but filtering it on my end quickly eliminates the problem. Usually I go weeks between e-mails that could be considered spam. Granted, the ISP's do heavy filtering but I get more warnings from subscribed to mailing lists, far more, about blocked legitimate e-mails, then I ever get spam.
I've found that there are a few rules to follow and you'll minimize the problem.
1. Don't use the free online e-mail services. Yahoo, Hotmail and the like are plagued with spam. Whether they sell your e-mail addresses or it's just machine generated random spam targeting them if you use them you get spam.
2. Don't put "mail-to" links on any personal web pages. If you have a commercial site set up a contact form. You can do the same on a personal site or easier, just put an image containing your e-mail address for people to contact you.
3. Don't hand your e-mail address out willy-nilly to any and everyone who requests it. If a site asks for an e-mail address to download or use something react very carefully. Read the privacy policy. If you find any reason to be suspicious your suspicions are probably justified. If someone asks for an e-mail and there is no justifiable reason to give it to them don't do it. Even if you have to look elsewhere for what you want.
I use e-mail far more as a medium for personal contact than I do the phone. Treat your e-mail address as you would an unlisted phone number.
The last thing we need to do is get the government heavily involved with e-mail. Can you spell TAX?

Maybe I could see it if....

[the+eric+conspiracy]

It really was guaranteed delivery using a transactional scheme with software that supported it. This could be something actually worthwhile.

Re:Maybe I could see it if....

Hmmmm. Some form of transactional email protocol. Like SMTP for example?

Re:Maybe I could see it if....

[kasperd]

Exactly. SMTP already does this. Problem is, in the name of spam fighting, people started randomly and silently dropping emails. If you don't want to deliver an email at least produce an appropriate error response. It's not that hard to respond with an error code at the end of DATA, if you don't want to deliver it. That way the sender will at least know why it was not delivered. And before anybody starts complaining, that this will just produce lots of invalid bounces, I'd like to point out, that they are easy to prevent. A bounce is easy to identify from the empty sender, when you see one look inside the data for a Message-ID matching one that was sent from this account in the last 14 days. If none is found this is a bounce of a mail with a forged sender address, refuse to accept the mail. Oh, and if you see log entries on your own mail server indicating, that it couldn't deliver bounces, then at least you are one step closer to the source, that the person who rejected them. That means it is time to figure out why your mail server accepted the messages in the first place. Eventually the spam will be stopped at the source.

Well, that is the theory at least. The problems are: People don't respect the protocols. Very few actually try to stop the spam at the source, since you don't make a lot of money from that. And for ISPs being a good netcitizen have a far lower priority than making money.

Reciprocal?

[unamiccia]

And how much will they pay me if my mail doesn't arrive?

Re:Reciprocal?

[FutureDomain]

Only $0.0025.

Re:Reciprocal?

Is that 25 cents or 25 dollars?

Sincerely,
Verizon

Re:Reciprocal?

[falconwolf]

And how much will they pay me if my mail doesn't arrive?

No they won't pay you. Instead they'll call it a "good" service they provide and charge you more.

Falcon

Re:Reciprocal?

[dbcad7]

Followed by different pricing tiers...
"bettermail"
"bestmail"
"bestmailplus"
"bestmailultra"
"bestmailultraextreme"

Death of the Internet

The Internet isn't just TCP/IP. It's an agreement amongst its members to carry each other's traffic and cooperate. I guess rather than dying the net might just shrink to retain good Netizens. The world will then contain two networks: Netizens connected by the Internet and selfish bastards sort of connected by a broken network.

Well

[ShooterNeo]

Honestly, I don't see what the problem is. Charging some sort of cost - whether it be responding to a whitelist request, paying in CPU cycles to complete a hash, or just flat out paying a quarter of a cent - is the only practical way to fight spam. Spamfilters always have a small false postive and false negative error rate, while charging money or a cost does not. A quarter of a cent is many times the expected monetary return on a pure spam.

Since it costs money to set up an infrastructure to accept a cost of any type (reliable servers, an organization, ect) charging actual money rather than hash cycles or CAPTCHAs makes the most sense, and is also the only practical way for a big organization to send emails to a bunch of users.

Re:Well

[Brandybuck]

I agree. Unless they're deliberately dropping other folk's emails, I don't see the problem here.

Slashdot geeks are too obsessed with everyone having utterly identical outcomes. "You can't guarantee their email for a fee!", they sputter, "unless you guarantee mine will get through as well, for free!"

Re:Well

[ShooterNeo]

And presumably, this company offers an alternate "payment" scheme if you just want to send an email to an individual user. By registering for the whitelist, you fill out some sort of captcha, and it must cap you to sending emails to just a few people in that ISP.

Spam is so horribly inefficient a form of advertising that even a tiny cost in time or money per email sent is enough to completely wipe it out.

Heck, ISPs could go back to accepting email from places where the incoming email is almost all spam, like China. A legitimate business in China with American customers would just pay that quarter of a cent cost.

Re:Well

[tacocat]

But who do you think it going to pay that cost?

I'm on a lot of mailing lists. So 300 emails a day works out to 75 cents US. Which adds up to $273 a year that I have to pay. If you look at it from the point of view of the mailing lists, they might have 10,000 users which means every email costs them $25US. For someone like Debian this is death. For someone like Microsoft -- They'll just add $25 to their product prices.

When the F... are you going to realize that pay per use is not a means to being effective for anything. It's a means of generating money. It doesn't save you money and it doesn't get you any more freedom, happiness, or flexability

Re:Well

[hxnwix]

So, because Verizon et all are too incompetent to set up filtering ala gmail, I should pay them?

WTF?

Re:Well

[davidkv]

On the spot. It is a means to cut the little guy out. The big guys could continue to spam you, they'll just have to pay up.
ISP:s are bountiful (in most places), play them against each other if they misbehave. If you don't have that option, explain and complain.

Re:Well

[trolltalk.com]

"Charging some sort of cost - whether it be responding to a whitelist request, paying in CPU cycles to complete a hash, or just flat out paying a quarter of a cent - is the only practical way to fight spam"

I've seen marketers pay up to $3.00 per name for "good" phone numbers (though the usual fee is a lot less). Then they spend even more money having someone phone you. Do you really believe that $0.0025 per email is going to stop them? Heck, the'll gladly pay that to be able to send to every single legit address of the ISP.

Next step - your ISP forwards the spammers messages directly to all members inboxes, whether they want them or not, for a fee. Oops - they already made deals to do exactly that.

Re:Well

[falconwolf]

ISP:s are bountiful (in most places), play them against each other if they misbehave.

While isps may be plentiful many people can't get broadband and many of those who can only have one choice as to who they get it from. Wireless broadband will help those who live in urban areas but not those in rural areas. If broadband were plentiful then the big access providers wouldn't be fighting against city provided wireless, and most of these cities only decide to provide it after businesses refuse to provide it.

Falcon

Bot Net?

[Lead+Butthead]

These days a lot of spam are being sent by bot-net. How does this in any way help to combat this? It does not. All it does is guarantee a revenue stream for them.

Easy to do

[Skapare]

If there's any way to organize and refuse to relay mail from any of these greedy self-appointed guardians, I'd certainly be interested.

This is easy to do. Most mail server software lets you block by domain name of the SMTP client host and/or the host part of the sender email address. If you don't have this option, but can refuse email from SMTP client hosts without valid reverse DNS, you can force the reverse DNS to be bad by adding empty zones for their domain to your DNS server that your mail server uses.

Blacklisting all mail out of their domains would probably be extremely educational for them.

They cannot be educated. They would never notice, anyway. Their customers may notice. A few might even quit. But they (the corporate executives) won't notice.

What we do is create the "invisible alternate internet". This is the internet where all the "good stuff" is. It would be based on an alternate set of DNS root zones with distinctive new top level domains that "they" don't have access to. Eventually more and more of their customers will want access to "the other internet". But they (the evil ISPs) won't be able to provide it because those alternate DNS root zones will have the evil domain names blotted out with strange addresses like 0.6.6.6.

Oh wait, there already is an alternate internet. Sorry, I cannot disclose the location.

Re:Easy to do

[Dogtanian]

Oh wait, there already is an alternate internet. Sorry, I cannot disclose the location. Wait, wait.... awww, I know this one, it's..... a DNS server running on an old Pentium II at your school's computer club, and seven or eight nerds pointing their computers at it?

I want my share too.

[140Mandak262Jamuna]

For every mail delivered to me with a blue ribbon I will charge 0.125 cents. If the ISPs dont pay me I will not read the mails. Howz that!

Re:I want my share too.

[oyenstikker]

How many people setting up their spam filters to drop anything with a blue ribbon would it take before this scheme is junked?

Re:I want my share too.

Drop? Bounce them instead.

Re:I want my share too.

[loxosceles]

Is the cost per email .125 cents or .125 dollars?

Re:I want my share too.

[amber_of_luxor]

How many people setting up their spam filters to drop anything with a blue ribbon would it take before this scheme is junked?

It will take goodmail a little longer to die than that organization that issued a license to use a haiku in the headers to gaurantee the message was not spam.

Amber

Re:I want my share too.

That's the same thing!
Verizon can't do math.

And this will help how?

So the spammers who use botnets will just cause the hijacked computer's owners to pay thousands in email fees?
I can imagine the new "training" course at the grade schools:
Don't download music because you'll get sued for thousands of dollars by the RIAA and then have to pay thousands of dollars because a "virus" sent out emails from your computer!

evil is cool

you have all the fun when you're evil

This is extortion

[HellYeahAutomaton]

Its kind of like if the mob owned the USPS and said "You might get your mail in one piece...and you might not if you don't pay up."

Re:This is extortion

[Aladrin]

The USPS -already- guarantees your mail -won't- be delivered if you don't pay their fees. (Stamps?) However, in addition, they also offered higher-priced services (first-class mail) that has a better chance of being delivered. Third-class mail has -no- guarantee.

So what does the 'mob' have to do with this?

Re:This is extortion

[jobsagoodun]

From the sound of it, its more like the Mob don't own USPS, but want some money for not stopping your mail anyhow.

Re:This is extortion

-you dont have to pay to recieve mail from the usps. only to send. it's called "universal service". no tax dollars have been used to fund the usps since 1982. it is entirely funded on sales of its own products.

-the only real guarenteed service from the usps is express mail. if its not delivered by noon next day, sender gets full refund.

-you can't walk into your local post office and buy thrid class stamps. businesses with bulk mail permits are the only ones who can use third class stamps.

Guaranteed.. hmm

[Loconut1389]

So if I send (and pay for) mail to joe blow and his mail server is down- how are you going to deliver the mail to him and still call it 'guaranteed delivery'?

Re:Guaranteed.. hmm

[Teifion]

So if I send (and pay for) mail to joe blow and his mail server is down- how are you going to deliver the mail to him and still call it 'guaranteed delivery'? I believe that they're looking at one of the following for this particular problem
1) You won't think of this
2) Magic
3) Hopefully you've already forgotten

I'm not amazingly clued up about the exact mechanics of email and ISPs, how will this affect things such as GMail which are provided by someone other than me? I'm guessing they'll get charged and then forward the charge onto me?

And thus Gmail became standard for businesses...

It was nice while it lasted.

Well the PROBLEM is that...

[shmlco]

The "problem" is that there are a ton of non-profits, news sites, news groups, blogs, lists, whatever-of-the-day sites, schools, churches, and other organizations that send out a lot of requested put-me-on-the-list email to their members.

Have a decent-sized list on which you're doing a daily run, and even at a quarter of a cent you're suddenly looking at thousands of dollars a month out of pocket.

So now all of those sites and services and lists either: A) Stop sending email and/or go out of business, or B) Start charging for the stuff you used to get for free.

Is it so hard for people to figure this stuff out? Apply a cost somewhere and--one way or another--you're going to pay it.

Re:Well the PROBLEM is that...

[ShooterNeo]

Don't see the problem.

(a) if the organization is truly, REALLY important then you would pay or manually add the sender to the whitelist yourself.

(b) A lot of these organizations are jerks about these things, and demand your email. Even "good" organizations like churches can abuse the priviledge.

Re:Well the PROBLEM is that...

The "problem" is that there are a ton of non-profits, news sites, news groups, blogs, lists, whatever-of-the-day sites, schools, churches, and other organizations that send out a lot of requested put-me-on-the-list email to their members.

This is a solved problem.

RSS feeds.

IE7 supports RSS. There's no reason to still be sending out email lists when you could instead be using an RSS feed.

Except, of course, that using an RSS feed would require the people sending the list to pay for the resources, and not the people reading the list...

Re:Well the PROBLEM is that...

[Jay+L]

So now all of those sites and services and lists either: A) Stop sending email and/or go out of business, or B) Start charging for the stuff you used to get for free.

Or C) keep doing what they're doing and keep being delivered like they're being delivered now, mostly OK, occasionally trapped by errant spam filters.

Re:Well the PROBLEM is that...

[trolltalk.com]

"Except, of course, that using an RSS feed would require the people sending the list to pay for the resources, and not the people reading the list..."

Most content management systems let you also send your sites' newest content out as an RSS feed. In postnuke, the default is http://sitename/backend.php.

Re:Well the PROBLEM is that...

[billstewart]

For semi-commercial organized organizations, e.g. Greenpeace or churches or whatever, which have enough organizational and financial structure to get themselves a 501c3 registration, charging 1/20 cent per email message (or 1/4 cent if non-501c3) may be affordable - it certainly beats charging $25-50/year for membership that includes a snail-mail newsletter and several fundraising snailmails.

But there are lots of interest groups, discussion groups, and projects that don't have a financial structure, and it'd be really annoying to have to build a Paypal tip jar to accept payments to stay on their email lists, especially if they're a discussion-heavy group.

I'm currently on one or two high-volume mailing lists, and I've been on others in the past, where half the people might not bother paying $5/year to get certified email, and they're not organized in ways that would support a 501c3 which would cut the certs down to $1/year. And if half the people aren't participating, then it's less valuable to be on the list.

I also run a small social-group mailing list with dinner and party announcements. It probably gets about 200 messages/year for 200 people, so it would cost me $100/year to pay for Goodmail certs if everybody were on Goodmail ISPs (90% of the people are techies who don't use the kind of ISP Goodmail markets to, and I suppose I'd pay $10/year for certs, just as I've paid for the domain name most years, but if this stuff really caught on I'd probably build a tip jar, which would be annoying.)

Re:Well the PROBLEM is that...

[Wayne247]

The solution to this will be exactly what people have done in the past, do like the masses do.

Can't read my .DOC file? Get office.

So people who operate lists will request their members to open an account at yahoo/hotmail/gmail in order to receive the list emails. This will effectively put people off their ISP generated account, which in turn will render the (already next to useless) ISP emails to actually useless.

Re:Well the PROBLEM is that...

[shmlco]

"... occasionally trapped by errant spam filters..."

You don't think, once they have these mechanisms in place, that they're not going to tighten down the filters and dramtically increase the chance that your email is blocked? Especially when the alternative is to transfer you to a system where you pay them for the privilage of sending their members email?

Re:Well the PROBLEM is that...

[Jay+L]

I think they may try to ratchet things down, but I also think that if/when that fails, and people can't reliably get the e-mail they want, they'll switch providers. That's been true in the past, and I see nothing different about this scheme. There have always been multiple "tiers" of mail - heck, at AOL, for a while, there weren't even any filters on AOL-to-AOL mail, because the spammers hadn't figured out how to spam from AOL clients. And I'm sure the filtering systems are still very different - it's pretty easy to tell when an AOL account is spamming if you're AOL - yet most mailing list mail still gets through. So just because there's now another trusted path to AOL, I don't think that spells doom to all, no.

Yeah, that works

[scribblej]

I mean, my postal mailbox is totally free of spam-like mail, because companies have to /pay/ for postal mail.

Re:Yeah, that works

[tacocat]

That's about all I get in my postal mailbox. Where have you been?

Re:Yeah, that works

[maxume]

I get 3 or 4 mailers a week(probably partly because I live on a rather underpopulated route) and at least 3 or 4 spams an hour(that are almost universally filtered). I wouldn't care if I got 3 or 4 spams a week, filtering or no.

Re:Yeah, that works

[Duhavid]

Sarcasmville.

Re:Yeah, that works

"That's about all I get in my postal mailbox. Where have you been? "

There is no comparaison between getting 30 emails a day advertising rolexes, meds, and millions of dollars from Nigeria than getting one or two mailers a day advertising supermarkets and possibly millions of dollars from the publishing clearinghouse.

And sure, I do hate getting stupid flyers and coupons through the US postal mail as much as you do, but please let's try to keep things in perspective -- this later kind of mail is annoying -- even scummy -- but somewhat manageable -- while the first kind of mail (internet SPAM) has become so unmanageable that some of us had to close down lifetime email mailboxes as a result (and many of us have possibly lost a number of legitimate emails through over-aggressive filtering as well).

And in the US for postal mail at least, there is also the added bonus that you can opt-out yourself from unsolicited credit card offers, and there is also the added satisfaction that when a junk mailer sends you a post-paid reply envelope, that he/she will be forced to pay something like $1.50 every time you send the envelope back with shreds of their materials inside.

Re:Yeah, that works

[Jamie+Lokier]

Some people are lucky. On bad days, I get a spam every 15 seconds on average. On good days, it's every 80 seconds.

So /. nerds

[aztektum]

What say we band together and start a new Internet? This one is quickly becoming useless.

Re:So /. nerds

Wot, Internet2?

Re:So /. nerds

[nurb432]

No. "PeopleNet1"

With the current trend of censorship, use restrictions, 2 tier web access, and now 2 tier email, the entire concept of the 'internet' is going out the window. Its turning into just an extension of the 'big media'.

Re:So /. nerds

[overlordmead]

How about a grassroots wireless network(i'm thinking nextwork or meshosphere... damn I should be in marketing) that incorporates as much of the world as is possible. From countries that claim to be democracies while selling "our" frequencies for megabucks, golf trips to Scotland, etc, the least we should expect is a bandwidth "tax" on technologies that require saturation of their service area; let's call it Public Access and make sure every kid on earth has, at the very least, basic access. Sounds a little too altruistic to me.

Personally, I'm more in favour of anarchistic frequency piracy, but I'd settle for a scheme that made available frequencies as they best fit your needs at that moment(in fact I might even pay for that.). In a digital world I can't see the benefit of frequency lock-in.... maybe someone smarter than I can explain it to me sometime.

Re:So /. nerds

Great, it will be the most highly advanced network ever with 0 content except maybe Star Trek Fan forums and Slashdot/Digg type news services.

Fun with contractual consideration!

"For this fee, I may or may not deliver your email."
"Ok, deliver my email, and I may or may not pay your fee."

Infrastructure problem

[Loconut1389]

OK- so you've got the infrastructure to do pay-by-email set up. Now the end user has something like an iTunes account backed by paypal and it just sort of automagically charges your account every time you send an email, what happens when your machine is compromised by a bot-net and you're sending millions of emails for a quarter?

Re:Infrastructure problem

[guruevi]

That's a good thing, then the TCO of Windows would be even higher! Also, all dumb users on the Internet would be bankrupted and not able to afford a fast internet line, more bandwidth for us, less crap on the web.

Scam

This is like privatized jail system in the USA. The moment it was set up, the number of people sent into jail has started to grow steadily, since there is direct financial interest to "maximize" profit on investment.

If you need to pay fee to get your email for sure, the same companies can make sure that the emails of non paying people will get lost.

Re:Scam

[Charcharodon]

Nice bit of hype. Privatized jail has not been accused of increasing profits by increasing the number of prisoners, the Justice systems hand out the sentences not the jails, but by treating prisoners...well you know...like prisoners.

No cable tv, shitty food, bare minimum health and mental care, no Internet access, etc, etc. Oh the horror, those poor people, what did they ever do to be treated that way, oh wait a tic, yeah that's right they're scumbag criminals.

I say we haven't had a good penal colony is some time, look how well Australia turned out. Anyone have a good idea on where we can send the cream of our societal crop?

Re:Scam

[dbIII]

America was also a penal colony before the formation of the USA so the lessons from the events that led to the formation of your country (British prison overcrownding) should have been something you learned about in the school. The big problem as I see it is that giving people harsh sentances is a certain vote winner - so it heads towards banana republic showtrial justice instead of the rule of law.

Re:Scam

[IgnoramusMaximus]

Nice bit of hype. Privatized jail has not been accused of increasing profits by increasing the number of prisoners, the Justice systems hand out the sentences not the jails, but by treating prisoners...well you know...like prisoners. No cable tv, shitty food, bare minimum health and mental care, no Internet access, etc, etc.

You forget one, but rather crucial, element: the jail operators thus make sure that the only thing the inmates can do is to join gangs and/or learn more about their "trade" from other fellons. That way they are far more likely to re-offend and thus generate more revenue for the operator.

Oh the horror, those poor people, what did they ever do to be treated that way, oh wait a tic, yeah that's right they're scumbag criminals.

In a sane society, instead of being subjected to an idiotic, sadistic and wholly counter-productive "revenge", they would be required to make full restitution to their victims and an effort would be made in that process to try to readjust them to the society, so that they do not become a permanent danger/expense to it. This serves the victims, the society and the offenders.

Some crimes are of course not easily directly repaired and so a number of alternative schemes would have to be put in place, all however with the same goal in mind.

And yes, some, very small minority, of offenders are incurably sociopathic and those would have to be locked up for life.

Some neanderthal "law and order" types however are under an impression that torturing, killing and maiming anyone who they suspect of being a "bad guy", usually completely out of proportion to his/her crime, based on some sort of warped set of religious delusions (start a war, kill tens of thousands, steal billions in a war profiteering scheme and do no time, get a blowjob by a teenage classmate and do 20 years), is going to improve the situation. They do forget that in the medieval times the "criminals" used to be hang maimed in cages until they died and rotted on street corners, they were publicly quartered, skinned, burned on stake, impaled and what not ... and the "crimes" kept reocurring. That is why we call that insane, useless system ... well .. medieval.

I say we haven't had a good penal colony is some time, look how well Australia turned out. Anyone have a good idea on where we can send the cream of our societal crop?

To demonstrate the utter stupidity of this argument, one has only to realize that pregnant mothers were being sent to that penal colony for "high crimes" of the day, such as belonging to the wrong religious sect. Employing a similar system now would of course mean that the offspring of fellons would also be sentenced to life in the penal colony, presumably for the crime of being born to the wrong, unlike yours, parents. Never you mind that by the very nature of it, the deportation to that colony must also be a one-size-fits-all penalty, for crimes ranging from pickpocketing to mass murder.

So in effect you are suggesting that we sentence unborn children to starvation, lack of medical care and other unspeakable hardships (until many generations later when the colony becomes a functional society) because you would so very much like to see their parents suffer, since they are, in your view, a group of "undesirables" which should not offend your delicate sensibilities with their presence in the same country as you.

The words "elitist" or "supremacist" do not even begin to describe your attitude. I am afraid that the only "cure" for your and your peers world-view would be to get subjected to the vagaries of this wonderful, privatized "justice" system you have over there, in its full glory, presumably for some really "serious", "terrible" and heavily punishable offense, such as, say, having child pornography of unknown, magical origin discovered on your computer.

I'm not surprised

[maxrate]

E-mail is becoming increasingly difficult day by day to deliver as there are a variety of spam filtering techniques used on the recieving party. Simply setting up an SMTP server no longer cuts it, there is much that needs to be done including continous monitoring on shared SMTP servers. If there was no spam, (administratively) there would be no problem. If you are running a simple SMTP server on a cheap DSL or cable connection, chances are your reverse DNS lookup isn't going to match your intended host name. Most ISPs won't do a custom reverse DNS lookup name entry on a cheap connection.

Re:I'm not surprised

[tacocat]

Might be more effective if we killed the assholes who actually bought this stuff

They're probably responsible for a lot of stupidity in the world. Buying herbal "Biggus Dickus" cream is only one of them. Hell, if you want your dick bigger, try Jergens and rub it on thoroughly...

Re:I'm not surprised

[Just+some+bastard]

If you are running a simple SMTP server on a cheap DSL or cable connection, chances are your reverse DNS lookup isn't going to match your intended host name.

If you're running an MTA on a cheap connection you need to use your ISP's smarthost, mail that appears to come from dynamic addresses is increasingly rejected due to zombies.

Matching forward & reverse DNS (and sometimes helo) is an additional requirement for delivery to certain servers.

Re:I'm not surprised

[BrowserCapsGuy]

Might be more effective if we killed the assholes who actually bought this stuff Sigh. I'm embarrassed to admit you'd have to kill my sister. She loves spam. She buys lots of stuff from spammers. I also get a new laptop every year when hers gets so clogged with malware that she demands a new one. My only consolation is we're both adopted so I'm not really related to her!

Re:I'm not surprised

[tacocat]

You'll still have to kill her...

I won't tell anybody...

Re:I'm not surprised

[BrowserCapsGuy]

On the bright side at least I'd get her half of our inheritance. That should help assuage my grief and guilt!

Re:I'm not surprised

[pe1chl]

I don't believe that!
I am regularly monitoring our incoming SMTP traffic to see what extra rules I can implement at the protocol level (instead of in the scanning of the incoming mail), and there really isn't any filtering that can be done on reverse DNS without MASSIVE false-positives.
Many, many valid businesses are running mailservers without rDNS or with generic rDNS based on their IP number.
Also, manu valid servers send bogus names in their EHLO/HELO, including domain names ending in .local or servernames not present in external DNS.

About the only thing I have been able to block recently is the EHLO/HELO with a name without any dot in it. That blocks lots of botnet spam but still it occasionally blocks valid mail from clueless senders.

Re:I'm not surprised

[awdau]

I just want to mention that it may not be rejected, it may be dropped, or tagged or even quarantined.

I know some places that use a points system and depending on how many RFC rules (ie Non-FQDN in the helo, or reverse not matching forward or no reverese record, etc etc) you get delivered, quarantined or rejected.

Re:I'm not surprised

[Just+some+bastard]

there really isn't any filtering that can be done on reverse DNS without MASSIVE false-positives.

Anything below res.rr.com or adsl.tpnet.pl [east|dsl-w|fios].verizon.net (for example) are residential dynamic IP allocations.

Many, many valid businesses are running mailservers without rDNS or with generic rDNS based on their IP number.

And they can expect to have mail rejected until they find an admin who has enough of a clue to comply with widely praticed receiver policies.

Also, manu valid servers send bogus names in their EHLO/HELO, including domain names ending in .local or servernames not present in external DNS.

Which is wrong according to RFC2821:

The domain name given in the EHLO command MUST BE either a primary
host name (a domain name that resolves to an A RR) or, if the host
has no name, an address literal as described in section 4.1.1.1.

HTH.

Re:I'm not surprised

[pe1chl]

Anything below res.rr.com or adsl.tpnet.pl [east|dsl-w|fios].verizon.net (for example) are residential dynamic IP allocations.

I recently blocked all rr.com addresses and all IP nets that I could find belonging to rr.com because their admins are completely clueless.
Multiple times I have sent abuse reports to abuse@rr.com about mail that arrived via their servers (multiple hops even) but they always immediately return a reply, probably automatic, that it is not their customer.
In that case, it is easiest to block the entire provider and all its clients.

But I can only do that because we are not in the USA and do not do business with the USA.

have mail rejected until they find an admin who has enough of a clue

Note that it often is not the local admin, but their ISP that has no clue. Many ISPs selling business connections here do not worry at all about getting rDNS right.

Which is wrong according to RFC2821

There is a difference between something that is wrong, and something you can use as a base for blocking. At least, when you want to use it in a mailserver running for a business or for customers.
Of course, in your own mailserver you can block anything you (don't) like, and so do I. But at work, when I block everything that is not completely RFC2821-compliant there is little mail left to process, and the boss will not like it.

Even as it is today, sometimes people wonder why they don't receive a certain message. A common way to "test" is to send the same message to another account, and when it arrives there the claim is "the sender is OK because someone else can receive it". Outsourced network admin does not help either.

I have a guarantee to make that is absolutely free

[loudersoft]

I guarantee I'll never pay an ISP for 'Guaranteed' delivery of anything because the only thing I can guarantee they'll deliver to me is a bill.

Whitelisting is a solved problem: Hashcash

[loqi]

One word: Hashcash. Basically you prove that you wasted a couple seconds worth of CPU to send your message. I believe SpamAssassin already recognizes Hashcash headers, not sure about other filters. But if you're really ready to start dropping email en masse in favor of a whitelist-style approach, this is the simple and elegant solution.

Re:Whitelisting is a solved problem: Hashcash

[jrumney]

Hashcash is a fine solution to spammers circa 2003, sending out all their mail from a single server on a cheap hosting service. But how does it help against botnets?

Re:Whitelisting is a solved problem: Hashcash

Sorry, but no cigar. You just can't make it expensive enough for it to deter spammers while at the same time making it cheap enough for ordinary people to use without nuisance.

IMHO, reputation systems are the way to go. However, there's the little matter of getting the entire world to use SPF first.. otherwise the spammers can just joe-job someone with good reputation.

Re:Whitelisting is a solved problem: Hashcash

[tomstdenis]

It slows them down too. Hehehe, that was easy.

If you get a 1000x advantage by using your botnet as compared to last year, but I force you to use a 1000x slowdown hashcash, let me check ... 1000/1000 = 1, yup, right where you started. w00h00.

Tom

Re:Whitelisting is a solved problem: Hashcash

[LiquidFire_HK]

That's a great idea, but it still doesn't seem to fully work with non-spammy mass mailings, like opt-in daily/weekly newsletters and such. Your web site has to send an email with a major announcement to 100 000 addresses? If we assume it takes 0.01 sec to calculate a hashcash, there go nearly 20 minutes of CPU time.

Re:Whitelisting is a solved problem: Hashcash

[Ant+P.]

Presumably with a mailing list that large you'd have a dedicated email server which sits idle the rest of the time.

Re:Whitelisting is a solved problem: Hashcash

[loqi]

I think Back proposes that opting into a mass email would generally involve explicitly whitelisting that sender (thus obviating the need for a proof of work token), which seems pretty reasonable to me.

I foresee a hackable solution....

[r_jensen11]

...how about asking for receipts of emails? That's what I do for important documents that I email out any way, just so that I know that the recipient doesn't accidentally delete it and then blame me for not sending it. It also helps confirm that I don't email something out to the wrong person without knowing about it.

Another solution would be to extensions with Thunderbird or whichever email client you use that provides a certificate and requests a confirmation upon receipt automatically. This could be protected from spam by only sending automatic receipts to addresses found in your address book.

Dubious statistic

[asuffield]

According to Goodmail, seven U.S. ISPs now use CertifedEmail, accounting for 60 percent of the U.S. population.

This is probably true as stated, but almost meaningless. Each of those ISPs will be counting the number of users that have email accounts with them, and then they just added up those numbers. The problem with this is that many users have more than one email account and don't use the one provided by their ISP - a large chunk of that 60% probably uses yahoo, hotmail, or gmail. Many people will also have another account provided by their employer.

It is not particularly useful to count email accounts as a fraction of the US population.

Worthless.

People need to understand what these things are: SCAMS.

They don't cut down on spam, what this means is a list to bypass all spam filters.

I lost faith in any system like this a while back when Yahoo decided to have a gauranteed signature bs thing.... oh it sounds good but then you realize they whitelist any yahoo account and bypass ALL spam filters for whitelist.

Overnight the spam for my yahoo account increased by a factor of 20, and it's still like this today. Spammers realized what was going on and started to hack the yahoo mail system so their crap would be guaranteed to go through.

Spam Filters are Broken

[tacocat]

I think part of the problem is that spam filters are generally broken and don't work that well. Part of the problem is that no one has seriously thought about how crappy the approach is. The other part of the problem is that their is little or no personal ownership of the filtering of spam.

When the ISP/customer have no relationship on identification of what is spam the ISP has to aim really high and take the approach that anything that is obviously spam is not delivered and everything else is. The net effect is the ISP might not deliver porn spam, but they'll deliver many other things with impunity. If there was a more aggressive involvement of the customer/consumer of the email then you could better tune the filters to match each user better.

SpamAssassin is the worse offender. It's origination was to do static regex checks and add points for each hit. And when you were done, the points put you either IN or OUT. But in order for SA to work you have to tune the number of points added for each regex test. And this is constantly changing. But for it to work, you have to be constantly monitoring the results. No one does this on a consistent basis.

A critical drawback with their approach is the constant game of catch-up they have to play in order to get the filtering to work correctly and then someone has to run some update script to hopefully get everything working correctly. Again, this has to be done continually like the tuning or it will start to fail.

Bayesian filters offered a great alternative but they quickly turned into their own problems. SA uses Bayes, but it's not effective because of the lack of feedback from the consumer (in most cases). It's also prone to over-rides by their own auto-whitelisting. Convenient, but deadly. Where Bayes lacks goes back to the original problems of non-customized feedback and involvement. It's very inconvenient to try and set up something like bogofilter to run for every individual in a group of 1000's so the mail admin makes one file for everyone thereby generalizing the statistics and making them less effective because they have to be good enough for everyone but not so good they remove any of the really serious spam.

And yes, SA does user specific Bayes filtering. I used it for three months and it sucked. It was not a very effective spam filtering system even with user specific bayesian filtering included. It's also getting pretty darn slow. Slow enough to become a consideration.

DSpam is effective, customized, and slower than molasses in january. It will also lose email. But YMMV and I don't really care to hear about how great it is. I lost a lot of email and a lot of money as the result of it. Perhaps some day they can get their act together, but there will always be a severe performance penalty for CRM114. But Bayesian filtering can still compete with CRM statistical success with 100X performance increase.

So what do you do about spam filtering?

The technology exists to effectively and efficiently filter spam. But that's not the problem. The technology that is used today is relatively lame because there are shortcomings abound that prevent a good solution for someone really large (like an ISP).

The problem is to redefine how the consumer is going to own their own spam filtering effectiveness. No more auto-whitelist. No more auto-blacklist, No more auto-update of Bayesian tokens. All of these can be carefully manipulated to taint the statistics and allow delivery in droves. The consumer must take ownership of their mailbox in the same manner that they are expected to take ownership of their credit card information on the internet.

Pity the fool

[stabiesoft]

who is paying for this service and gets infected. Ouch, what a bill that will be, and
all guaranteed to be delivered. New bot target:Certified senders!

Re:I have a guarantee to make that is absolutely f

I wouldn't be so confident about that even... I have Brighthouse cable internet, they're supposed to send monthly bills... I never got a bill, I called them, they told me I have no pending balance and told me how to access my account online. I repeatedly asked them if everyone was ok as I wasn't getting billed, and they said yeah, I'm fine. 6 months down the line, I never receive a bill, but I log into my account and there is a just posted bill for all of the previous 6 months. I knew it would come eventually, so I paid it, and after that I'm billed monthly. Another 6 months go by, never receiving a paper bill and paying online every month, and I started getting calls from a collection agency.

It took me getting my lawyer talking to them for a little while, and they eventually refunded all my payments for a year for the inconvenience and reversed the mark on my credit rating, but they are totally incompetent. Now I FINALLY get a paper bill in the mail every month after all of this. Took them long enough. I wish there was competition in the cable market, its them or nothing unfortunately :( (and they're not very reliable either, the cable goes out daily)

a bad figure if I've ever heard one

[briancnorton]

accounting for 60 percent of the U.S. population

This is making a REALLY bad assumption that an ISP generated email address is used by the account holder. Problem is, once there became multiple ways to get online about 10 years ago, LOTS of people switched to web-mail for the permanence and convenience. (Hotmail, Gmail, yahoo, etc) I would guess that any major ISP has less than half of their accounts use their provided email services.

Re:a bad figure if I've ever heard one

[Charcharodon]

Bingo!

I got tired of losing track of friends every time I or they changed ISP's. Gmail is my poison of choice, since they keep the unsolicited "Penis Enlargement" spam to a minimum, but man is my secondary email account choked with newsletters and special offers from companies I've done business with. Gmail does make that fairly easy to deal with since their search function works well enough to find the important stuff.

No gurantee of service?

[nurb432]

Then what value is the ISP?

This cant be legal. "here is your service. Oh, you want it to actually work, well pay up"

Net Neutrality

[SanityInAnarchy]

I'm thinking I should bookmark this and use it as an example to anyone who claims ISPs won't attempt to charge websites for "prioritized" delivery, and degrade people who don't pay up.

In short: They already have.

Of course, I don't think net neutrality legislation will cover email -- not that I care much, I really don't send mail to many people at AOL -- but it's just a perfect example to all the Libertarian idiots out there of why we do need government intervention sometimes.

The free market will sort it out? Sure...

Re:Net Neutrality

[HiThere]

So you want to trust the government to be honest and fair?

What this is a perfect example of is why centralized control of the internet is a real evil. Mind you, I'm not sure how to get around it, but not being able to get around it doesn't mean it isn't evil.

I have partial answers:
1) Local governments should be allowed to offer utilities, including electricity, water, phone, etc. They should not be granted a monopoly. (I'll grant that a tax subsidy is a real advantage over any competition, but it's of a different order of magnitude than a legally mandated monopoly.)

2) Utilities with more employees than the government of a small town (population say, 5,000-50,000 people) has should be subject to oversight by a Public Utilities Commission, which is appointed by the state governor. Smaller utilities should not be so regulated.

3) Low power transmission should not require a license from the government. (Something around the power of WiFi is what I'm thinking of here.)

4) Beamed, as opposed to broadcast, transmission should only be regulated for safety, honesty (if commercial), etc. NOT for content or connection to large commercial enterprises. (It should be as legal for Alice and Bob to set up their 100Km beamed transmission station as for Lockheed. And they should face the same requirements for safety, interference, etc.)

5) Contracts should not be allowed to be changed after they have been agreed to except by negotiation. Especially they should not be dependant on the contents of a web page that is under the control of one of the parties. Including such a specification in a contract should be sufficient to allow the party that did not draw up the contract to void it AT HIS OR HER PLEASURE, and such changes should still have no legal effect.

6) EULAs, including click through license agreements, should be void unless the person accepting the license knew and understood the terms BEFORE he paid money or other advantage to receive the goods.

7) It should always be legal to be anonymous, even by deceit, unless the intention is to fraudulently deprive someone of a valuable commodity. In particular it should always be proper to decline to give personal information that may be used for advertising.

8) It should be considered fraud for a purchased produce to cease working because the hardware on which it is running has been modified, unless such modification caused the hardware to become inoperable. (I'm thinking DRM here.)

Note that this would not be a sufficient answer, only a partial one. Note also just how probable it is that these changes would be enacted. But a strong central government is likely to be worse than a bunch of strong corporations. The solution to a bunch of strong corporations is to strengthen their smaller competition, not to strengthen the central government. Strong local governments are superior to strong central governments because, even if for no other reason, it's easier to move away from a local government that you don't like.

Re:Net Neutrality

[SanityInAnarchy]

So you want to trust the government to be honest and fair?

Let me put it this way: Lately, when the government hasn't been honest and fair, it has tended to lean towards supporting corporations in what they wanted to do anyway. If they do that here, it's no worse than what we've got now, but at least there's a chance they'll implement some sane restrictions. So I don't exactly trust government, but I think it's our best shot now.

What this is a perfect example of is why centralized control of the internet is a real evil.

It's not necessarily centralized. I think it kind of proves the point that even multiple ISPs have the capability to cooperate.

Unless by "decentralized", you mean directly controlled by the people, and I'm not sure how that would physically work.

1) Local governments should be allowed to offer utilities, including electricity, water, phone, etc. They should not be granted a monopoly.

So in a town where any utility is probably going to have a near-monopoly anyway, that's going to be the government now. Ok.

5) Contracts should not be allowed to be changed after they have been agreed to except by negotiation.

Agreed, mostly. I would say that it's fair to allow a contract to expire, and to present a new one, but every contract should have a name and a version number unique to that contract. In other words, it can change, but not without notification.

6) EULAs, including click through license agreements, should be void unless the person accepting the license knew and understood the terms BEFORE he paid money or other advantage to receive the goods.

I would be happy if it was a choice between that and a money-back guarantee. In other words, if you bought a product which requires an EULA, and you didn't know and understand the terms when you paid for it, you can return it and get your money back, similar to "Windows Refund". This should be stated clearly and simply enough that you can take them to a small-claims court if they give you the runaround.

7) It should always be legal to be anonymous, even by deceit

I would say this requires a bit of mechanism that simply isn't there yet. And we have a long way to go.

For instance: I can pay for something with a credit card, but that requires a lot of my information, and at any rate, it's effectively a shared secret, no matter how many more retarded numbers they add. (What the FUCK makes them think a number on the back of a credit card is any harder to get than the number on the front?)

Paypal is a step up from that -- you don't automatically give them the ability to make purchases on your behalf, and they cannot control the amount of money you authorize to send to them. There are two problems here, though. First, Paypal itself is only one such service, and there are others, but there is no standard way to accept payments from any of them. Second, it does require me to give out the email address associated with the account. They may not be able to trace it back to me, but they could track some entity called "ninja@slaphack.com" around the world.

I would say, to go beyond this, it has to be decentralized about as much as the current banking system is. Which ultimately isn't very much -- as far as I know, the federal reserve controls quite a bit.

It would be nice for such a rule to apply at least to anything other than financial transactions. But then, the real trick is, how do you define "fraudulently deprive someone of a valuable commodity"?

I would say that it should be possible to verify someone's identity, absolutely and securely, but in pieces. For instance, when buying a product, they only need to know that I can afford that particular product. They don't even need to know where to ship it -- a service like FedEx, in theory, could work anonymously. (They

Meh

[EtherAlchemist]

I think if I had an email that was so important I felt I needed to pay for guaranteed delivery of it, I would just pick up the phone.

Google already does this

Gmail started rejecting mail from my home system back in April. At the time the rejection was "Our system has detected an unusual amount of unsolicited mail originating from your IP address."

This turned out to be a lie, but I wasted time making very sure it wasn't true. Nor was it an inherited IP problem from DHCP because I'd had the same for months.

To make it more fun, much confusion was caused because some of my 'rejected mail' had actually gone through.

Eventually I got a response from complaining to Gmail as a Gmail customer. There was no other way to contact them about the problem, and they still took two weeks to make a generic reply to the effect of 'thank you for calling ... our engineers work hard constantly to improve the system ... are you still having trouble?"

Hell yes I was, but what they did in the meanwhile was tweak their error response. Now the rejection was "The IP you're using to send email is not authorized to send email directly to our servers. Please use the SMTP relay at your service provider instead." Which is already what I'd ended up doing while waiting around of course.

I told them that and got another two-week later canned reply saying "Thank you for your reply. We suggest that you utilize the SMTP relay from your service provider."

It's horseshit, and just laying the foundation to charge for 'guaranteed delivery'. Our machines are supposed to be able to connect to one another. This Gmail mess was proof positive it's not about spam because there was none. It's about making money by lying that it's about spam.

Re:Google already does this

[Just+some+bastard]

Our machines are supposed to be able to connect to one another.

An unfortunate side effect of zombies is that mail obviously sent using dynamic addresses is rejected. It's wrong to blame receivers for their policies, the blame lies with botnet operators and users who fail to take adequate security precautions. Neither can you expect receivers to whitelist dynamic addresses, the solutions are:

1. Relay through your providers smarthost
2. Get a static IP
3. Get a VPS and relay through that

It sucks much less than expecting receivers to accept spam.

Re:Google already does this

[dbIII]

I should add that there are quite a few places that reject dynamic IP adresses, which is what I found out when the static address I got had previously been a dynamic one. I think the main place to get this taken off the list was spamhaus, but for quite a while I was getting the firewall to fake where the email was coming from to match another address I had for another mail server that was linked via another ISP (so a very different address).

If you are on a dynamic address a lot of mail servers will just ignore you by default.

There is not, and will never be such a thing

[badger.foo]

There is not now and will never be such a thing as 'guaranteed email delivery'. SMTP is a collaborative, best effort thing. Read the fine RFCs.

In practice, with the myriad spam fighting methods out there, and the fact that some of the companies which pay up for the service will at some time or other have some of their systems take over by spam sending robots, there *will* be legitimate reasons to not accept (and optionally tarpit) attempts at mail delivery from hosts or networks whose owners have paid up for the 'guaranteed delivery' scheme.

This is some of the stuff I was on about in my BSDCan paper (now accessible at http://home.nuug.no/~peter/malware-talk/silent-net work.pdf).

Now, of course it is legitimate to dream about a mail delivery system without SMTP's warts and wrinkles, but this is not it, and it is not going to help solve any real-world problem.

Email is useless

[cdrguru]

You can forget about using email for commercial purposes - a good size fraction of the anti-spam community considers any use of email for commercial purposes to be SPAM. So commercial email gets blocked. If you send an email to someone using Outlook with the word "sale" in the email address, it gets trashed. Examples like this go on and on.

If you are using email to communicate with customers, a large number of your customers aren't getting their receipts, confirmations or even their purchases. And of course the customers don't know anything about it - their ISP or email provider is dumping the email before they even see it.

Guaranteed delivery? Yeah, sure. Pay a fee so your email isn't blocked for one reason and it will still be blocked by 37 more reasons. Nobody can stop this from happening and charging for such a service is a sucker move designed to take in the ignorant. And I bet it works for at least six months before it dies.

Don't use email for anything commercial or important. It doesn't work.

Re:Email is useless

You can forget about using email for commercial purposes - a good size fraction of the anti-spam community considers any use of email for commercial purposes to be SPAM.

That's because any use of email for commercial purposes is spam.

Don't use email for anything commercial or important.

Don't use email for anything commercial, and then at last we'll be able to use email for important things again.

Re:Email is useless

If you send an email to someone using Outlook with the word "sale" in the email address, it gets trashed. Examples like this go on and on.

What is this "Outlook" you speak of?

Competing Vendors.

[OgGreeb]

I have yet to see an adequate defense proposed against the problem of multiple "certified email" vendors in the same mail stream, where one vendor has been paid and the others haven't. How does one vendor ensure that validated mail gets delivered?

This is exactly the same problem with backbone pipe vendors wanting to get paid for "premium" bit transfer.

Re:Competing Vendors.

[Jay+L]

I'm not sure why multiple vendors should be a problem. If you're an ISP, and you've become a partner of Goodmail, you agree to deliver 100% of mail that's signed by Goodmail. So you do. Just because it isn't signed by ReallyGoodMail doesn't mean you HAVE to trash it.

That's like saying believing movie recommendations from your friends is problematic, because what if all your friends haven't seen the movie that one friend recommended?

Re:Competing Vendors.

[OgGreeb]

That's great, for the recipient ISP. But if you host a legitimate mailing list, and 10% of your destination addresses are to AOL which accepts Goodmail, and 15% are to Hotmail, which requires MicrosoftHappy, and 12% go to GMail, which requires ReallyGoogle, and there are another 15 vendors represented amongst the 30% of smaller ISPs, then how much will it cost to get messages through again?

And what kind of mail transfer infrastructure will be needed to handle all the certification and payments?

Re:Competing Vendors.

[Jay+L]

Ah, sorry - I was thinking as a recipient mail server, not a sender, and I wasn't thinking about exclusivity (AOL only accepts Goodmail, Hotmail only accepts MicrosoftHappy).

Yes, you're absolutely right. If a thousand accreditation flowers bloom, and each recipient domain is exclusive, it becomes a real pain for senders. You wouldn't want to "cross-sign" your messages, because that would be expensive, so you'd have to keep track of which recipient domains accept which accreditation schemes, and partition your recipient lists accordingly - HotMail addresses get signed by MicrosoftHappy, etc.

I wonder if there's an incentive for recipients to be "exclusive" like that, though. Obviously, the fewer schemes they have to implement, the cheaper it is for them - but the more schemes they implement, the larger the ratio of signed-to-unsigned, and the more accurate their spam filters can be.

It's hard to predict, since this is the first message-signing implementation. My instincts say that there's a critical-mass effect, and that (other than small ISPs toying with shiny new products) there will be only a few major players. Why sign up with a service that nobody uses? Why start a service if nobody will pay you for your cryptographic time? Remember that costs are per-message, not just per-domain, so there's a much higher barrier to entry than starting up a DNSBL, of which there are 150 or so. Starting a mail-signing service would be more like starting a non-interoperable IM service, which doesn't happen very often.

Then again, in 1996, my instincts said that spam wasn't worth worrying about.

Its not supposed to.

[tubapro12]

Isn't it obvious this is only a ploy to a) make people think they care and b) make more money?

Now I understand why the block port 25.

[twitter]

Nice plan.

1. Keep users helpless.
2. Provide "service" for helpless user
3. Profit.

Give me back my ports and I won't have to worry about spam or your fees.

Spam Filter

[Joebert]

Where can I get an up-to-date list of theese companies, so I can add their addresses to my spam filter ?

new button

[kurtis25]

I want my gmail to have a new button, "opt-out." This way when I get sick of having your stupid weekly update and don't remember my password to your site I can hit opt out and gmail does the work I don't want to do.

Big brother

[farker+haiku]

Of course they are doing it 'Under the guise of fighting spam'. That's how you disguise reporting your information to the government. This way you can call it a surcharge instead of calling it a tax.

We must be vigilant.

It was not immediately clear what Gonzales and Mueller meant by suggesting that network data be retained. One possibility is requiring Internet providers to record the Internet addresses their customers are temporarily assigned. A more extensive mandate would require companies to keep track of e-mail messages sent, Web pages visited and perhaps even instant-messaging correspondents.

Feedback Form

[SeaFox]

Your post advocates a

(X) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
(X) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Feedback Form

Your post advocates a

( ) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected //Such as businesses operating for less than a year, free bulletin boards, etc
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it //The spammers will pay the ISPs
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers //Senders who don't pay extra could have their mail dropped, recipients would not accept this
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches //Sign up to our service _is_ a filtering approach, and spammers will pay for it
(X) Extreme profitability of spam //A spammer can afford a shell company paying for this service
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(X) Whitelists suck //Sorry, you missed an obvious one there
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks //Holding email hostage is sabotage
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free //Damn right
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(X) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
(X) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Socialized cost (of spam)

[jihadist]

Damage to the public is distributed in cost to all of us, when we can't find some sucker to blame. In the case of spam, we're all going to have to pay a "get it right fee" now that spam has ruined normal email. Good work, society.

Why Do-Not-Email lists don't work

[billstewart]

First of all, spammers won't use them as block lists. If they do anything with them, they'll use them as lists of valid email addresses to send spam to. And any laws about do-not-spam lists are just laws, and most spammers aren't bothered by violating them, especially Nigerian scammers, zombie-abusers, stock scammers, and fake pill sellers.

Any laws about do-not-spam lists only apply in the country that makes the laws - so spammers will send mail from other countries. They often do that today, simply because it's harder to get a Chinese ISP to shut down spammers, and a lot harder to get Korean zombie farmers to shut them down.

It's possible to make the do-not-email lists a bit safer - instead of listing the email addresses directly, list hashes of them, which lets anybody who wants to check an individual address see if that address's hash is in the list, but doesn't let you recover the address from the list. But it's still a losing game.

[Insert the usual checklist here....]

pay me to spam me

[Wise+Dragon]

I've always thought the best way to eliminate spam is by default charge a fee for each email, say a penny each. You could whitelist your friends and mailing lists to exempt them, and any time a company wants to advertise to you, you make a little money, even if you choose not to read it. Its P2P e-postage.

Re:pay me to spam me

[tomstdenis]

A penny per email isn't economical. And I already pay to send emails. It's called my ISP fees. The ISP provides IP [including TCP and UDP] service which means they have to deliver my packets to the best of their ability.

Some sort of "pay us [more] or we may drop your packets" is a protection racket of sorts. Remember that an email is no more than a TCP stream of SMTP commands.

Tom

Re:pay me to spam me

[stdarg]

For a spammer it's not economical, for your friends it's free. There would have to be a query function to determine the charge in advance so that mailing lists (and other legitimate mass mailers) don't get screwed by users not white-listing them properly, but that's not hard.

I can see it now... start composing a new message and when you type in the address it does a background query. "This email will cost X" appears near the send button. It also gets a token that locks in the rate in case the recipient sets their rate to $100 right after the query.

You can set your own rate, including 0 if you get a lot of email from strangers. A portion of it goes to your ISP for transaction costs. Distributions are paid monthly when balance reaches a certain threshold. Sign me up!

Re:pay me to spam me

[Tony+Hoyle]

That *only* hurts legitimate email. It does not hurt spammers one tiny little bit.. they don't send their own email they use botnets to do it. So someone gets their machine pwned and has a $100,000 bill the next month.

It would also mean the end of mailing lists, the end of legitimate businesses sending out newsletters, a drastic reduction in the amount of personal email sent... so basically in your scheme the spammers win.

Re:pay me to spam me

[stdarg]

When an infected computer sends email, it doesn't do it by logging into your actual email account, does it? As in, connecting to gmail, sending your username/password, etc? I thought the infected computers because their own smtp server.

If you're right then yeah, that would be bad. Even more important than harming legitimate email, it would allow spammers to charge large amounts for mail sent from infected computers to their own account.

I suppose the system would need some sort of captcha to ensure that a person authorized the charge. That would be the end of spam botnets.

Lots of people do have trouble with AOL blacklists

[billstewart]

I'm glad to hear that your company hasn't had trouble with AOL's blacklisting - 99% of the comments I see about it are the opposite, either email senders complaining that AOL incorrectly blacklists them and it's hard to get reinstated, or AOL users complaining that they sign up for mailing lists and AOL blacklists the senders so they don't get them. Of course, the people who don't have trouble don't bitch, and the AOL users who didn't know a given email was coming generally don't know that it's been junked so they don't complain much either.

AOL's in a touchy position - they really do receive infinite quantities of spam, and it's hard to tell some kinds of spam from legitimate mail without having humans read it, and it's hard to tell legitimate senders asking to be reinstated from spammers asking to be reinstated, and the financial incentives for allowing good email aren't very high so they can't afford to put lots of humans into the loop. But their reputation is such that lots of mail senders are simply not willing to deal with them.

No, it's *not* about fighting spam

[lseltzer]

It's an old canard against Goodmail to claim it's an anti-spam system and then comdemn it as an ineffective solution. It's not supposed to be an anti-spam system. It's a system for legitimate senders to avoid false positives.

It's not just a matter of ponying up the money to them. You have to demonstrate that you are a legitimate business and a legitimate e-mail source, and not a significant source of complaints by users.

Re:No, it's *not* about fighting spam

[LeoHat]

It's an old canard against Goodmail to claim it's an anti-spam system and then comdemn it as an ineffective solution. It's not supposed to be an anti-spam system. It's a system for legitimate senders to avoid false positives. It's not just a matter of ponying up the money to them. You have to demonstrate that you are a legitimate business and a legitimate e-mail source, and not a significant source of complaints by users. Just how is that not the very definition of a anti-spam system?

Re:No, it's *not* about fighting spam

[lseltzer]

This is why the canard works: because most people don't get a really obvious point.

Goodmail does nothing to prevent spam from getting on your system. All it does is to ensure that legitimate mail is not stopped mistakenly by anti-spam filters.

Isn't that clear? Why is this hard for some folks?

Re:No, it's *not* about fighting spam

[billstewart]

They're not trying to reduce the amount of spam in the world, or even the amount of spam in your mailbox. They're trying to increase the amount of non-spam that gets to your mailbox instead of getting junked.

The problems are related, of course - if they make it easier for your ISP to deliver some kinds of non-spam into your mailbox, that makes it safer for them to crank up their anti-spam filters so that more junk mail gets junked (so maybe there's less spam in your mailbox after all) but unpaid non-spam has a higher risk of getting junked too. The latter is the risky part of it; the less risky part is that if Goodmail does a lousy job of policing the few spammers who are willing to pay to send you mail, then users will complain to their ISPs, and their ISPs might pull out of Goodmail.

I stand corrected

[loqi]

Interesting read, thanks for the link. They do make a pretty convincing case that proof-of-work isn't enough to outweigh the biggest botnets. I wouldn't go so far as to say "You just can't make it expensive enough for it to deter spammers", though, because clearly it's going to be a deterrant for any spammer without a sufficiently powerful botnet (e.g., just spamming through a relay) or for someone operating on a very limited time-frame. It just can't meet the goals outlined in the paper.

A small additional consideration is that zombies will be somewhat easier to detect if spammers are constantly maxing the CPU to calculate POWs. Small because of course that will go largely unnoticed, as the zombie in question didn't have enough attention paid to it to keep it secure in the first place.

Re:I stand corrected

A small additional consideration is that zombies will be somewhat easier to detect if spammers are constantly maxing the CPU to calculate POWs. Small because of course that will go largely unnoticed, as the zombie in question didn't have enough attention paid to it to keep it secure in the first place.

Not really. I have Folding at Home running on both my Linux and Windows machines constantly maxing the CPU and it has little impact on performance since their priority is set to the lowest level, that's all the botnet owner has to do to minimize the risk of the zombies being discovered.

The recipient ISPs are Webmail Providers

[billstewart]

If the end-user recipients were running full-scale Mail User Agents, you couldn't guarantee that they're not filtering, but in this case most of them are using the webmail services provided by the recipient ISPs, so there's really no extra filtering that's going to happen. (Of course, that doesn't mean that the user won't look at the sender's name or subject line and junk the message anyway.) That may change if Goodmail succeeds in enticing more ISPs to use their services, but they've already got a good chunk of the US market, and for many commercial email senders, simply not having to hassle with AOL's blacklisting may be worth paying for.

Some or most of those ISPs do also offer POP/IMAP mail services, so the user has a chance to do filtering, but that's not most of the users, and just guaranteeing that the ISP *won't* junk the message may be valuable enough for some senders to pay for Goodmail.

Some of the commercial email senders will probably be spammers, especially if you read their AUP carefully and notice that it doesn't require confirmed opt-in, but at least the economics of a quarter cent per message make it likely that there won't be a *lot* of spammers using the service - only the ones who are doing a good job of targeting customers\\\\\suckers for high-value services.

radio

[falconwolf]

Read up on the early history of Radio. It used to be free to broadcast. Now it's really expensive. Soon the only web pages and mailing activities will be those that are sanctioned by the key masters.

No, it's cheap to radio broadcast, Pirate radio stations do it all the tyme. There's even pirate radio on the internet. What's espensive is getting a license to broadcast. And that's just how the mass media wants it. Clear Channel doesn't want more competition, it wants less.

I don't see what the problem is

[falconwolf]

Honestly, I don't see what the problem is. Charging some sort of cost - whether it be responding to a whitelist request, paying in CPU cycles to complete a hash, or just flat out paying a quarter of a cent - is the only practical way to fight spam. Spamfilters always have a small false postive and false negative error rate, while charging money or a cost does not. A quarter of a cent is many times the expected monetary return on a pure spam.

The problem is is I already pay for my email and I don't want to pay twice. I wouldn't want to pay extra either if I ran either a business or a nonprofit.

Since it costs money to set up an infrastructure to accept a cost of any type (reliable servers, an organization, ect) charging actual money rather than hash cycles or CAPTCHAs makes the most sense, and is also the only practical way for a big organization to send emails to a bunch of users.

Yea, right, everyone's born with a silver or gold spoon in their mouth. NOT!!! The cost of the infrastructure, as well as profits, are made by providing net access to begin with. If providers can't make a profit then maybe they need to get out of the business.

Falcon

Just a signature?

[dschuetz]

When I first read about this earlier in the week, my first thought was "isn't this just a signed message?" It sure sounded like it -- it shows up in your inbox with a little blue ribbon next to it, and so forth. So why pay some company a per-message fee for this? Just get an honest-to-God email signing certificate, that's signed by trusted authorities (that is, has a chain of trust that goes back to what's included in your browser / email client), and then sign all your email? Then people can easily tune their inbound SPAM filters to give a lower score to properly signed messages.

And this would have the side effect of finally getting signed/encrypted mail to the masses, at least on a low-level. Why the hell I can't just get myself a certificate and have my bank email me my statements, encrypted, automatically is beyond me. I really hate having to remember to go out to everyone's site once a month to download PDFs.

Just a thought...

You're checking the wrong boxes

[billstewart]

Yes, it's market-based. That does mean that most spammers won't be willing to pay for it. But some legitimate email senders (and a smaller number of well-targeted spammers) will find it worthwhile to pay to get mail through big ISP blacklists - anybody who's running a legitimate mailing-list service or doing things like product registration spends a lot of time bitching about AOL.

There isn't a central authority controlling email - but they've got the ISPs that are over 50% of the US mailbox market. (Microsoft MSN isn't one of them, though :-) And these countermeasures _do_ work if phased in gradually; otherwise they wouldn't be able to make a profit (not that we know yet if they'll make a profit or if they'll die out in a year.) It doesn't require cooperation from everybody at once - they've got enough mailbox ISPs signed up that it's at least potentially worthwhile for an email sender to pay them for the service. And they're not trying to solve the *whole* spammer problem - they're trying to get some non-spammers to pay them for delivering non-spam, which is a difficult but much simpler problem. It's not a "find the spammer to make him pay" system - it's a "pay up front to claim you're not a spammer" system.

Joe-jobs, Forgery, Worms and Zombies, etc. - The press releases don't say *how* they handle their certification other than to mention cryptography. But their board of technical advisors is interesting - Marty Hellmann, Avi Rubin, Dave Crocker - so there's a good chance they've done it right. Cryptography does take a fair amount of horsepower, but it's scalable dumb horsepower, and if they've done things well they can avoid having to verify the crypto on most forged messages. If they've designed things well, it's not incompatible with open-source tools, but they're writing Press Releases, not technical documentation, so it's hard to tell.

Asshats, and trusting Goodmail's servers - yes, that's still a problem. Their terms of service are appallingly weak - they'll accept unconfirmed opt-ins, and their "interpret complaint as unsubscribe" is inadequate, so dishonest spammers can still pay to get service delivered for a while, until they get enough complaints. But at least the quarter-cent per message means that only well-targeted spammers will be willing to pay for it, so it won't be really high volumes of spam. If there's much of that going on, then email users won't stand for it, and they'll bitch at their ISPs (though that's more effective with AOL who charges money than with Yahoo who's giving you that email account for free anyway...)

And yes, email should be free, and whitelists suck, but blacklists also suck and some email senders may be willing to pay to deal with whitelists that suck instead of getting stuck on blacklists that suck.

Guaranteeing Delivery, and Charging Money

[billstewart]

The reason they can guarantee delivery is that they have contracts with big mailbox ISPs to accept and deliver their mail - they're not guaranteeing delivery to ISPs they don't have contracts with, and senders aren't going to pay them for sending to random ISPs. But they've got something over 50% of the US mailbox market signed up, so there's some reasonable market share.

This isn't saying that everybody should have to pay money to send email - it's saying that there are people who are willing to pay money to get email delivered to recipients who've asked to receive that mail, and that Goodmail is willing to make a sufficiently credible case to the big ISPs that they're only going to send mail to people who've asked to receive it, and the per-message fee is partly to make money and partly to discourage dishonest senders by making it unprofitable to get Goodmail stamps for their spam.

There is a downside - if you make some categories of email privileged, then ISPs are more likely to tighten their filters on the non-paid email and incorrectly reject more of it. On the other hand, that's already happening to some extent - if you read some of the spam and operations mailing lists, you'll hear lots of people bitching about how AOL incorrectly blacklisted them and how difficult and slow it is to get things corrected, and there are lots of companies and sites that simply don't accept AOL addresses for mailing list subscriptions or especially for transactional emails.

Goodmail's tried to add some balance to the community complaints about this kind of service by charging a much lower price to non-profits that want to certify their mail - I'm not thrilled with that approach, but there are enough non-profits out there that use snail mail for their newsletters or fundraising begging, and .05 cents is a lot cheaper than stamps, so at least some kinds of non-profits may be willing to pay for it or at least less likely to protest loudly to the ISPs.

protection racket much?

[c6gunner]

"Nice e-mail account you've got here. Be a shame if something were to happen to it...."

Goodmail ISPs are Recipients, not Senders

[billstewart]

They're not saying that these big ISPs are signing up to be Goodmail senders who pay 1/4 cent per message to whitelist the email they're sending. These ISPs are the mailbox providers that will accept and deliver Goodmail-certified messages without spam-filtering them, and Goodmail is bragging about them because it says that they have a large enough fraction of the US mailbox market that various commercial senders might be willing to pay to certify the messages they're sending.

So blacklisting the ISPs doesn't make sense here - Goodmail isn't claiming that Comcast is certifying that mail from ExampleUser@Comcast.com or InfectedZombie@Comcast.com isn't spam. (That'd be nice, but it ain't happening any time soon.) They're claiming that if you have a Comcast/Yahoo/AOL/etc. mailbox, and a message shows up in it with a Goodmail certificate on it, then it's from a well-behaved non-spammer who paid to deliver it, and that if you want to do transactional mail with somebody like your bank, then your Goodmail-accepting ISP won't junk the message so it's ok to give your bank that email address if they pay for Goodmail.

If you don't like the Goodmail system, the answer isn't to blackmail Goodmail senders at your ISP - it's to boycott ISPs who accept Goodmail (or at least, not use them for your important email, though you might still use their free for your ExampleISPgroups email), plus send complaints to blackhole\\\\\\\marketing@ExampleISP.net. Blacklisting people who pay for Goodmail stamps doesn't really make sense either - senders aren't going to pay for stamps that don't go to the ISPs that accept them. You could unsubscribe from any email lists sent by senders using Goodmail stamps, if that's what you want to do, and that might be more visible; Goodmail tracks that kind of thing and requires senders to respond to the unsubscribes.

You'd pay to reduce costs or increase revenues

[billstewart]

RTFWS - Goodmail is targeting the money-charging part of their business to companies that have a financial incentive to successfully deliver messages (e.g. transactional mail, subscribers paying for newsletters, etc.) and can therefore increase revenues if they can successfully deliver to users of AOL and the other big mailbox ISPs. Think about banks sending online statements, or online bookstores that want to deliver receipts to their users, or companies that want to send bills online instead of by snailmail.

They're also selling to companies that already pay a lot for email admin time keeping their mail with the big ISPs working and tracking mail delivery. If making sure AOL doesn't blacklist you is critical, and you're a medium-large volume mail sender, then it's already costing you a lot of work to keep everything working, and Goodmail not only promises that your mail won't get junked, but that they'll give you a delivery receipt for each message. So it might cost you less to pay Goodmail to do that rather than do it yourself.

If you're not doing kinds of business that are going to get more revenue or reduce costs by using Goodmail, then you're not the kind of person they're trying to sell to, so it's not worth their time to grab money from you. But if you _are_, then yes, it's a blatant money grab but might be worthwhile for you as well as them. Spam's a big enough problem that there are lots of opportunities to grab money while making life easier for the people you grab it from. :-)

RTFA - they're not certifying non-US/CA senders

[billstewart]

They're not certifying countries, they're certifying senders of mail, and they're not certifying senders who aren't based in the US or Canada. There is a bit of neutrality risk here - if enough senders are willing to pay for certification, then ISPs may be more likely to junk non-certified email. On the other hand, if the ISPs do too much of that, their email users can switch to other ISPs, which is especially a risk for the free-mailbox providers like Yahoo, so they've got some incentive not to do it.

Re:Feedback SuperForm

[TaoPhoenix]

Bravo. Unbelievable.

I saved a dated copy of this, because it's the answer to some 1000 SlashDot discussions.

"Your X May Vary"

RTWS - Goodmail actually does this

[billstewart]

If you look at Goodmail's web site, you'll see that they actually do track that each email was delivered to the user, using some variant on a web bug. That doesn't mean that the user paid attention to it, but at least it got to them and didn't get junked.

Of course, lots of commercial email sending systems do this kind of thing, including legitimate ones and spammers. A lot of the email I get at work from technology vendors has graphics and subscribe/unsubscribe URLs that come from email handling companies rather than the vendor themselves. (From a personal and technical standpoint, I think this is really tacky - it takes very little work to have URLs from http:mail-response-handler.examplevendor.com/stuff as opposed to http:example-mail-handler.com/examplevendor/stuff, even if the subdomain mail-response-handler.examplevendor.com actually points to a machine run by example-mail-handler.com. And of course they're not really named example-mail-handler.com - they've got short names like p0.com that don't say who they are or what they do and look like spammers, which gets extra-tackiness points when examplevendor.com has some network security product or seminar.)

Re:RTWS - Goodmail actually does this

The confirmation is that the message was delivered to the inbox, not that anybody actually read it. The ISP provides a log to Goodmail, no need for any web bugs.

Re:Feedback SuperForm

[SeaFox]

I only chose "Nice try, asshole..." instead of "Sorry dude..." because the approach is little more than extortion of companies.

Thats a nice email

[Mantrid42]

That sure is a nice email you've got there. It'd be a shame if anything happened to it, eh?

That model is available - feel free to use it :-)

[billstewart]

A lot of the discussion about market-economics solutions to spam proposed models like that. [insert standard checklist here :-)] Some of them get it wrong and have arbitrary prices for delivery that get paid to the wrong people, so they're not likely to work economically, while others of them realize that the real cost of spam isn't the bandwidth, CPU, or storage costs, it's the recipient's attention wasted reading the junk, so they propose ways to let the sender pay the recipient for reading the mail. Some of them use artificial payments like hashcash (where the sender has to burn CPU time, and therefore can't send spam very fast), while others use real cash, typically with some kind of stamps paid for with Paypal.

In one sense, that's absolutely the right model for reducing spam - you don't care how much spam there is in the world, you just care how much of it gets into your inbox, and if some Nigerian princess is willing to pay your price for consulting service for reading your mail, your mailbox has negotiated an appropriate price with her and waited for the Paypal to clear so you really don't mind spending two seconds of attention span to junk her message.

In reality, enough of the email that most people receive is something that they do want and therefore whitelist or perhaps even pay for, so you can't enforce this mechanism on all your email, so the spammer arms race would focus on how to impersonate email sources you *did* want to hear from, and you'd use crypto to keep them out, and the financial or technical transaction costs would be annoying enough that there would be useful email that you're not going to receive because the senders didn't want to bother haggling with your robosecretary about it.

So it's not implemented very often, and it may be hard to find off-the-shelf implementations, but if you're a corporate executive, you can always hire a secretary who will not only get rid of the junk, but prioritize the non-junk mail for you.

And of course, while this sort of thing is annoying enough that most people won't bother sending you mail if you're using it, if spam becomes sufficiently annoying that many people do adopt it anyway, you'll start seeing lots of advertisements for mail systems that pay you to read email! Right there at home on your couch! ...5 PROFIT!!

Doesn't comcast already do this?

Every so often I send emails to people in various countries and the response I get from my provider Comcast is nonsense like this:

550 Permfail destination not valid within DNS

Of course resending works because the comcast system has too aggressive a DNS T/O policy and don't know the difference between a temporary and permanent error class. Its unfortunate that many have reported the same problem over and over again and yet they continue to ignore their customers. Its even more unfortunate that I'm not surprised.

RTFA - You're checking the wrong boxes

[billstewart]

• Users won't put up with it? That one's possibly correct - if Goodmail lets too much spammy mail through, then enough users will complain to their ISPs that the ISPs stop accepting Goodmail, but that remains to be seen. Their AUP looks pretty wimpy, but charging 1/4 cent will at least cut out most of the spammers and encourage any that do use the service to only target spam to people who are likely to want their products.
  
• Requires immediate total cooperation from everybody at once Nope - senders will only pay to deliver mail ISPs that have deals with Goodmail, so it's incrementally scalable. And they've got the ISPs who handle over half the US mailbox market on board with them, so that's a big enough potential market that some senders may find it worth paying them, especially senders who have trouble getting through to those ISPs already (e.g. AOL.)
  
• Open relays, worms - Nope. This system doesn't purport to keep spammers from sending spam. This lets non-spammers avoid getting blocked by spam filters, by attaching cryptographically validated stamps to the non-spam messages. It'll probably let a few spammers avoid getting blocked as well, but they'll be upfront spammers paying money and lying about how they're legit and you forgot you opted in, not hidden spammers abusing worms open relays.
  
• Unpopularity of weird new taxes - Maybe, maybe not - "Tax" approaches are unpopular not only because they suck, but because they don't reflect the underlying economics correctly, so they're trying to charge the wrong people the wrong amount of money for the wrong things because some wrong-headed "expert" thought it would be a good idea. Goodmail thinks they've found a sufficiently large market niche of mostly-commercial businesses willing to pay money to get email delivered reliably (reducing their email-admin costs and increasing opportunities for revenue) and ISPs willing to accept their mail (reducing help-desk and spam-filter costs; I forget if their model also pays part of the tax to the receiving ISP.) They may be correct, and if they aren't, then The Invisible Hand will drop them fast enough.

Re:RTFA - You're checking the wrong boxes

[amber_of_luxor]

but charging 1/4 cent will at least cut out most of the spammers and encourage any that do use the service to only target spam to people who are likely to want their products.

That will work for about ten minutes --- long enough for a spammer to figure out how to create zombie nets in those systems, so their email automatically has legit GoodMail header.

And they've got the ISPs who handle over half the US mailbox market on board with them,

Not quite. All of the listed ISPs allow between 1 and 10 mailboxes per customer. Thus 1 000 customer accounts can equate to as many as 10 000 mailboxes. The uses of those accounts can have mailboxes elsewhere. Gmail and Yahoo being the most probable candidates. What you need to look at, is the number of mailboxes that those ISPs have, and compare it to the total number of mailboxes everywhere on the Internet. IF you do that, I expect you'll discover that those 7 ISPs have less than 5% of the mailboxes on the internet.

so that's a big enough potential market that some senders may find it worth paying them, especially senders who have trouble getting through to those ISPs already (e.g. AOL.)

There still is no guarantee that the email will make it thru the rest of AOLs anti-spam filters.[AOL has the stellar ability to certify email as being legit, and reject it as being spam, even though the email neverleft the AOL domain.]

This lets non-spammers avoid getting blocked by spam filters, by attaching cryptographically validated stamps to the non-spam messages.

There is nothing that prevents the spammers from also attaching cryptographically validated stamps to their email. More to the point, I see this as a means of ensuring that spammers get to blast even more email to even more people, with the full sanction of those companies who alleged that they are anti-spam, but have failed to do anything significant to stop spam --- Like blocking total internet access to the companies that have pink contracts with spammers.[So what it AOL is forced out of business, becasuet they have the most pink contracts.

not hidden spammers abusing worms open relays.

Hidden spammers using botnets still get a break. And those hidden spammers using botnets are the ones that send the most spam.

If companies were serious about stopping spam, thy would blacklist not only the top 10 spammers, but the companies that those spammers do business with. IOW, blacklist Verizon, Comcast, RoadRunner, and BellSouth. The second step would be for the FTC to shut down every company that writes a pink contract with a spammer, and mandate that the board of directors, and entire sales staff clean up litter in a state for 5 years, working 40 hours a week, and paying the state $5.00 for every hour they work.

Amber

Re:RTFA - You're checking the wrong boxes

[billstewart]

You don't seem to understand the system. It's not certifying that mail from Comcast, AOL, etc. is non-spam - it's letting people who want to send mail _to_ those ISPs certify it as non-spam. So Botnets aren't particularly an issue, because the botnets live on large numbers of mostly-non-managed PCs on consumer broadband networks, universities, and similar environments. These mail senders will be running on a small number of mailing list servers with administrators, which will probably have enough firewalling capability to prevent being taken over by bots (at least in large volume.)

Furthermore, if the crypto is done competently, you won't be able to fake a Goodmail stamp on your message without having first paid Goodmail actual cash up front. If it's not done competently, then sure, they'll be pwn3d in 10 minutes and they'll die. While they haven't published their crypto methods on their websites as far as I can tell, they list their board of technical advisors, which includes Marty Hellmann and Avi Rubin, and presumably the ISPs they're selling to would have done some due diligence on it as well. It may be possible to replay use of a stamp, but if they've done it correctly, that'll only work if you're replaying the same message, so it'll still be a copy of the original message, not the spammer's message (and again, if they haven't done that, they're toast.)

If someone succeeds into breaking into a Goodmail sender's system, it'll drain their supply of stamps pretty quickly, so that still limits the quantity of spam that can be sent that way.

Goodmail's PR says that if your message has a Goodmail stamp, it gets handled by the ISP's Goodmail-handling server, and doesn't go through the rest of their spam filters. If they *didn't* implement it that way, then they don't really have the ability to guarantee delivery, so presumably they've got contracts with the ISPs to actually do that. For the ISPs that support POP or IMAP users, it's still possible for those users to run their own spam filters, of course, but most of the business here is the Webmail and AOL clients, who wouldn't have separate filtering capabilities.
And we can quibble about exactly what fraction of the market these ISPs own, but it's large enough to attract customers - enough people bitch about AOL that that one alone may keep them in business.

The real question for me is "can a spammer afford to use Goodmail, and will Goodmail let them do it?" There will probably be some spammers that can live within Goodmail's AUP, which strikes me as fairly wimpy. But not many of them can afford 1/4 cent per message - at least not unless they target their market to people much more likely to buy than the average spammer's distribution list. There'll probably be a few, but hopefully Goodmail will spank them after they've been caught once. There won't be a lot.

Charge them back...

[Dave21212]

Seems a simple enough solution... have the ISPs that don't participate charge those that do to have messages originating from their systems delivered, or converesly, if Verizon doesn't pay google, then google won't accept SMTP from Verizon (well, maybe not at that scale, but it would be nice to see).

Auto training

[CustomDesigned]

I see it in my house where I run my own mail server and my own spam filter. It's a bayesian filter so you have to tell it when it was wrong. Wife won't tell it anything but she complains about the spam she's getting. Can't help her. She's being obstinant and dumb.

Pymilter doesn't need user training. It uses mail to honeypot addresses to train for spam: create an address and put it on your website where spammers can see it, but use all email to that address (or addresses) to train the filter as spam. Then, add all addresses a user sends to and add it to a whitelist. If incoming whitelisted mail can be authenticated via SPF or DKIM, use it to train the filter as ham. I also have a blacklist. All mail from blacklisted domains is used to train the filter as spam. Emails are auto-blacklisted if they cannot be authenticated via SPF or CBV (call back validate to check that DSNs can be sent to alleged sender).

The only thing the user has to do is check the quarantine via a webapp if they think a message might be missing. False positives are extremely rare. An enhancement would be to accept feedback when offered. But the honeypot and blacklisting already provide a huge source of confirmed spam for training. It is harder to get confirmed ham for training. (Messages released from quarantine are of course confirmed ham.)

opt-out?

[CaptainNerdCave]

and when a user clicks the "opt-out" button/link... it opts them IN to how many other lists? it's easier to ignore the emails (which often results in them ending) or tag them as spam.

OK, how do you recognize and filter this spam?

[Animats]

We went through this before, with Bonded Spammer, which wanted spam filters to let their stuff through. I dump Bonded Spammer email into a separate folder, and it's almost all spam. It looks like we'll have to set our filters to recognize this new stuff, and dump it into the "bulk" folder. So how do you check for these new guys?

Re:OK, how do you recognize and filter this spam?

[Tony+Hoyle]

It's a signed email but there's probably some easy text you can match on (no point in wasting CPU on your email server decrypting their junk).

I too will be doing this when it arrives.. if it's all spam, it gets a +5 spamassassin score and I forget about it.

Something smells here...

[BrokenHalo]

It doesn't really matter if someone filters mail into a spam bucket. The mail has been successfully delivered. The point is that all mail should actually be delivered to the addressee by default, not at the whim of an ISP making assumptions about whether the sender is friend or foe.

We're going about fighting spam the wrong way. We should just execute spammers (and maybe those who employ them) in the most painful, messy way that can be devised. Or maybe burn "THOU SHALT NOT SPAM" into their hides with a blow-torch. ;-)

Good

Who needs ISPs anyway? :)

Seriously, I'll better pay for a domain name and have my own mail server that I can guarantee it delivers my mail. Or give up email, or live with may/may not paradigm. But paying for email is so 90s.

pay pay and oh yes, pay again

[l3v1]

So, you buy a server, you invest time and/or money to install your mail server. you pay for an internet connection and/or bandwidth usage, you pay for the space your server takes up and the power your server consumes. Then someone knocks on the door and tells you hello mister, from this day on you pay me $x for every mail that leaves your server. Hope the gods would forgive me 'cause I'd certainly smash a chair or two on the guy's head.

Re: Well - enforce it

[neutrino38]

I take the risk to be modded down but:

I really believe that one should make the difference between recreational e-mail and corporate and official/corporate e-mail. For the first kind, we do not need anything and e-mail needs to remain free. For the second, this is another story and corporate e-mail should be a charged service

In my view, each country should mandate and certify at least three or four companies like goodmail and international agreement would establish peering relationships between those certifiers

- companies and administration should only accept incoming certified e-mail except of course on support@mycompany.com or sales@mycompany.com. They could even receive a fraction of the money involved.

- by law any non certified e-mail should not have any legal or binding value.

- certifier should take technical measure to enfore sender identity and retain e-mail record (only the sender, receipient and subject trace) available by both sender and recipient for two years.

- certified mail should be encrypted and signed and it would be up to the certifiyer to provide signing keys for free in exchange for the charges collected.

- all ISP should propose at least 5 certified e-mail / month on their accounts bundled in the ADSL fee. Above, subscriber should be charged.

- web mail provider could provide such certified e-mail but would eventually pay the certifier.

- per mail price should be kept very low (a couple of cents)

- no single account or IP should be allowed to send more that 100000 / month

Ok, you do not like it? But its a real way to make spammer actually pay for the bandwith that they are wasting (reminder, more than 50% of e-mail)

You will not able to use your corporate e-mail to send silly jokes to your buddies outside the company? Use gmail instead.

You won't be able to send more that 5 certified e-mail a month to corporate addresses from your personal e-mail ? How many e-mail are you actually sending to corporation from your private e-mail ?

ToS

[leek]

Does that include hop tracking and filter insurance?

foot in the door for paying postage for e-mail

i will not use this system. its token will be looked for by my linux e-mail program and used to blacklist all mailers to me that use it. i have no interest in commercials in my e-mail, so anyone using these 'tokens' will be automatically assumed to be spammers. The danger is the next step, and that is the potential involvment of commercial closed source systems like micro$$ to force users of, say, IE8 or whatever to download and view each and every 'tokenized' e-mail from whatever source for so many seconds before being allowed to open any of their real mail. Imagine being forced to click through ten thousand or more junk viagra peddlers who paid 'postage' letter by letter. Imagine being forced to use 'windows' in order to use an e-mail program at all?

Users should charge ISP's a "SPAM FEE"

[bratwiz]

The answer is simple. Users should start charging their ISP's a "SPAM DISPOSAL FEE". Say $1.00 per instance. And then while they're at it, a $100 per instance "putting up with your bullshit rules and regulations and outrageously stupid fees" fee....

And then maybe user's should band together and charge providers a "PREMIUM USER ACCESS RATE" for permitting blocks of users to connect to and move traffic across their networks. So they want to charge users for premium access?? It can work both ways-- no users, no revenue.

And the users don't have to be out either-- just start building free, community wifi points and connecting the wifi points together. It would be a struggle at first, assuredly, however, we've all been here before-- rememeber the beginning? When it was really difficult and challenging to get the bits through? We had to deal with stupid phone company policies and bureaucratic red-tape and we did it then, we can do it again-- the Internet CAN be free if we want it to be. Free in the sense of speech AND beer.

All those phone companies and cables companies are hoping we CANNOT get together and speak as one voice. However, I believe in the collective power of the Internet. It isn't easy, but its happened before-- and if enough people get together on an issue, our collective voice would be like a laser-beam that could vaporize damn near any opposition whether commercial or political.

When enough people want it-- the world bends to the will of the masses. That is the lesson from history that's been taught over and over. The trick is getting the masses to stop being selfish long enough to notice.

Email is the wrong technology...

[Colin+Smith]

Really it is. It's a one to one technology, mailing lists are a kludge which have been grafted on top. Things which are currently sent via mailing list to groups of people (and this applies in the corporate world too) should really use a one to many technology, historically that would be usenet, though today I think we're talking RSS feed.

So frankly if you are abusing email by sending them out to hundreds or thousands of people when you could be using RSS, or even your own Usenet server then I really don't have much sympathy when they mark your emails as spam and cut you off from customers.

Re:Email is the wrong technology...

[tacocat]

Except RSS and Usenet aren't very good for mailing out my phone bill records including all the phone numbers I've dialed in the last month. I would rather have that in a private email that public knowledge.

AOL doesn't play fair, that's why.

[Medievalist]

AOL's in a touchy position - they really do receive infinite quantities of spam, and it's hard to tell some kinds of spam from legitimate mail without having humans read it, and it's hard to tell legitimate senders asking to be reinstated from spammers asking to be reinstated, and the financial incentives for allowing good email aren't very high so they can't afford to put lots of humans into the loop. But their reputation is such that lots of mail senders are simply not willing to deal with them. AOL has consistently refused to build an RFC-compliant email system. The RFCs require maintenance of a postmaster address that is not an auto-responder, but an actual human postmaster. This is a very important feature of SMTP and it's simply not optional. If they can't do it, they need to stop offering email to their clients. We don't let butchers sell tainted meat because they can't afford a refrigerator, we tell the butchers to solve their own problems and stop poisoning the public. Why should anyone let AOL get away with their excuse of "oh, that's too hard and we couldn't make a profit if we employed human postmasters"? There are other ISPs who would flourish if bottom-feeders like AOL weren't totally distorting the marketplace with their broken services that effectively push AOL's costs onto others.

AOL used to be listed at RFC-ignorant, for perfectly valid reasons, but I guess they must have bullied the owners of that site into submission. They are still not doing real Internet email (i.e. RFC-compliant SMTP) and they have no intention of ever doing so, by their own admission. The ultimate arrogance is AOL's insistence (touched on in the grandparent post) that other spam generators (yes AOL still generates huge amounts of spam, though they are slowly getting that problem under control) must maintain valid postmaster boxes.

Hopefully DKIM will eventually solve all this for us. Don't hold your breath, though.

hmm

[kerika]

It seems to me that the ISPs have forgotten who their customers are. Asking people who pay at least $20 a month for internet access (and associated email accounts) to accept unblockable emails into their inbox is a lot like asking moviegoers to drop $9 on a ticket, and then having them sit through 15-20 minutes of advertisements before the movie starts. ... oh, wait.