Postfix's Creator Outlines Spam Solution

SATAN writes "Wietse Venema started out as a physicist, but became interested in the security of the programs he wrote to control his physics experiments. He went on to create several well-known network and security tools, including the Security Administrator's Tool for Analyzing Networks (SATAN) and The Coroner's Toolkit with Dan Farmer. He is also the creator of the popular MTA Postfix and TCP Wrapper. SecurityFocus chatted up Venema to talk about software security, how to improve the code quality, what solutions we might have to fight spam successfully, the principle of least privilege, and the philosophy behind the design of Postfix. Venema is currently a researcher at IBM's T.J. Watson Research Center."

It's easy

[smartin]

Just get everyone to sign their mail including companies that send you receipts and opted in spam.

I would be happy if I could reject any mail that is not digitally signed and then manage the signed mail by signature.

Re:It's easy

[Xugumad]

As a big fan of signed e-mail, I see something like this:

Anything signed by someone I trust, arrives in my inbox. Anything signed but not by someone I trust, goes into a holding box from which I can fish e-mails I want. Anything not signed, or with a corrupted signature is rejected as unacceptable at the MTA level.

Now, anything arriving in my inbox can only be spam if someone I know has a hacked system, which should be rare AND I can contact them to tell them to fix it, because I know who it is from the signature (unlike e-mail viruses that could be practically anyone I know). This means that I know when I get e-mail in my inbox, it's worth me looking at.

Unexpected e-mails are still an issue, and may get lost, but frankly that happens anyway (I get somewhere over 200 spam per day, only a couple of dozen of which make it through enough filters for me to even glance at the subject line).

Filtering could be multi-stage, too; regular inbox for trusted people, a secondary inbox for people who I have been introduced to (for example, by a mailing list), then signed but unrecognised, and then everything else.

Re:It's easy

[crunzh]

You can do this with spf, but that have not solved the spam problem.

Re:It's easy

[Xugumad]

That's because there's very little actual use of SPF. I can do with it X.509 certs (Thawte do free e-mail certs at https://www.thawte.com/secure-email/personal-email-certificates/index.html - highly recommended), or GPG, as well, but the problem is getting uptake high enough for it to work.

Re:It's easy

[crunzh]

Its not only due to small uptake of spf, but your solution doesn't solve the spam problem. I (and many others) need to recive e-mail from stranger I don't know in advance, as I don't know their signatures, I cant filter on them and would have the normal spam problems. The problem with spam, is that most people need these email from stranger, and a solution that don't handle them does not solve the problem.

Re:It's easy

[Xugumad]

Maybe not solve, but I imagine most people get the vast majority of their e-mail, and ALL critical e-mail, from people they know in advance. This means that "uncertain" e-mail can be ignored safely for significant lengths of time, confident in the knowledge that if your boss e-mails you, you'll still get notification ASAP.

Make sense?

Re:It's easy

[Chrisq]

There are some people who receive most of their email from strangers, ans this would not work for them.

If you receive most of your email from people you know then this helps, as their emails can go directly as authenticated into the inbox. You would receive emails from new addresses in an unknown box, where once only for each address you would have to decide whether it was spam or not.

Id does not cure spam 100% but for most people it improves things.

Re:It's easy

[vidarh]

How often do you get spam where the "From" address is someone you know? Nothing is stopping you from doing this today - in fact there are many packages providing "greylisting" which improves on it by sending a message back allowing the sender to "prove" they are not a spammer - no real spammers take the hassle (if the from address is even genuine).

Re:It's easy

[antifoidulus]

Dude, if we could get everyone to do something then there would be a super easy way to stop SPAM: namely get everyone to stop clicking on stupid shit.

Not only does that action give spammers income, it is the #1 vector for the spread of botnets.....

Re:It's easy

[swillden]

Dude, if we could get everyone to do something then there would be a super easy way to stop SPAM: namely get everyone to stop clicking on stupid shit. Not only does that action give spammers income, it is the #1 vector for the spread of botnets.....

Actually, it doesn't give spammers income. Spammers don't care if you click the links. By the time you're deciding whether or not to click, the spammer has already done his job and made his money.

If you think not clicking links is gonna convince all the get-rich-quick scheming fools to stop paying spammers to send their crap then you sadly underestimate the supply of fools.

Re:It's easy

[seek31337]

Yeah, like customer support centers or contract companies already know everyone who will contact them.~

Re:It's easy

[smartin]

That used to be true. postgrey worked great for about 6 months, it no longer does much as the spammers adapted.

Re:It's easy

[Sloppy]

A signature means there is someone taking credit/blame for the message: an identity. Identities can accrue reputation. This guy is a spammer (and his messages can be discarded before wasting any human's time) and this guy is not a spammer, so go ahead and expose the user to his messages.

Re:It's easy

[nabsltd]

No greylisting implementation that I know of requires the sender to do anything special to "validate" their e-mail. What you are thinking of is a challenge-response system, and those suck because they create blowback spam.

Greylisting works on the principle that most spam comes from systems that don't follow RFC because they do not retry if they receive a temporary error. The MTA with the greylisting implmentation always returns a temporary "4xx" error code for any e-mail with a "new" sender/recipient/source IP triple and stores the information in a database. The greylist server keeps returning a temporary error for anything that matches this tuple for the configured timeout (usually about 5 minutes). After that, it lets the connection through as normal (where other anti-spam measures may be taken).

This stops most bot networks from sending spam. It still works remarkably well, as I only use that and SpamAssassin with a reject score of 10, and I see about 1-2 spam e-mails per week.

Re:It's easy

[turtleAJ]

This means that "uncertain" e-mail can be ignored safely for significant lengths of time

LoL

d00d, you are so going to miss out on big cash hand-outs from Nigerian families...

Re:It's easy

[DamnStupidElf]

The PGP web of trust or a hierarchical PKI solves the spam problem. People will revoke their trust in a key used for spamming, and be much less likely to trust a key from the same person again, and Verisign and other companies will stop issuing certificates to entities that send spam.

Obviously some spam will be generated because it's always necessary for new people to enter the trust network, but ultimately there will form a core group of trust or certificates that never send any spam because they're trusted by people who don't like spam. Getting into that group will require the trust of enough other trusted people as to make spam almost nonexistent.

The problem with the idea is getting enough people into the trusted group to make it effective at both preventing spam and incorporating new legitimate users into the trust group quickly and effectively so they can communicate.

Re:It's easy

[swb]

I just implemented on my home email system and it cut spam remarkably. For me, this means somewhere around 10 a week, where I was seeing somewhere around 25 a day.

Re:It's easy

[Xugumad]

> what, you think that the person isn't going to check, "Save the password to my digital signature?"

I haven't. Erm. Yeah, totally agreed, most people will check that box :) Well, in reality, I think most people will pull the password off it, but same net result.

Re:It's easy

[jaxtherat]

I work for a scientific consultancy, and they receive a lot of their email from people they've not received anything from before.

Also, in regards to your "Hey, you got e-mail" thing wave , you can turn that off you know. Most dev shops I've worked at recommended at least 2 hours a day no email time, and during project crunch times all email would be off. Period.

Re:It's easy

[Skrapion]

That's not exactly a solution to the problem. I think we all agree that doing customer support through a web form sucks.

Re:It's easy

[drinkypoo]

Let's not forget that using firefox with FireGPG you can sign anything, including a forum post (although the lameness filter will, of course, filter it out so it doesn't work so you'll have to use a site less lame than slashdot if you want to sign your comments. It also has gmail integration, which works very nicely thank you.

Will Not Work

[mfh]

Your post advocates a

(x) technical (x) legislative (x) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

(x) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
(x) Microsoft will not put up with it
(x) The police will not put up with it
(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(x) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
(x) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
(x) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
(x) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
(x) Whitelists suck
(x) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
(x) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Will Not Work

[pla]

(x) Spammers can easily use it to harvest email addresses - How do digital signatures allow easy harvesting of email addresses?

(x) No one will be able to find the guy or collect the money - If the signature doesn't validate, the message never even gets to your inbox. Yeah, people can still send bogus-signature messages, but they wouldn't get to anyone.

(x) It is defenseless against brute force attacks - Of what nature? Few organizations on this planet have the resources to brute force a valid bogus digital signature, and no one can do it on the sort of scale you'd need to send spam.

(x) Microsoft will not put up with it - Microsoft actually suggested a variant of that approach, except server-signed rather than user-signed.

(x) The police will not put up with it - 100% traceability of every message? They've wanted that for years. Now, if enough people realize it takes no more effort to actually send encrypted mail over merely signed mail, we could have a problem, but the GP didn't go that far.

(x) Requires too much cooperation from spammers - How? It depends on the fact that spammers can't cooperate.

(x) Requires immediate total cooperation from everybody at once - Easy to obtain, in that we really only need the mail server admins to cooperate, then everyone (who wants to get their email) will play along pretty damned quick.

(x) Many email users cannot afford to lose business or alienate potential employers - So they would cooperate even quicker.

(x) Anyone could anonymously destroy anyone else's career or business - How do you anonymously send a signed message?

(x) Laws expressly prohibiting it - Clinton actually made digital signatures legally binding under US law... So quite the opposite.

(x) Lack of centrally controlling authority for email - There, we agree. This would require a community rather than central effort.

(x) Asshats - Simply wouldn't get (or receive) mail.

(x) Jurisdictional problems - The GP didn't suggest a legislative solution, so not applicable.

(x) Willingness of users to install OS patches received by email - No one can save those who lick plugged-in lamp cords.

(x) Armies of worm riddled broadband-connected Windows boxes - Can spam as much as they want, it will never get read.

(x) Eternal arms race involved in all filtering approaches - Unless someone finds a trivial crack to RSA, not applicable.

(x) Extreme profitability of spam - Irrelevant.

(x) Joe jobs and/or identity theft - Would require either knowing their private key, or even in the easiest case, physical access to their machine.

(x) Technically illiterate politicians - Have IT staff paid to make sure the bits flow.

(x) Dishonesty on the part of spammers themselves - Once again, irrelevant, this does not require any cooperation on their part.

(x) Bandwidth costs that are unaffected by client filtering - We already get tons of spam, that wouldn't really matter, but it would get better as the spammers eventually give up.

(x) Outlook - To repeat, MS already proposed something similar.

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical - Because of naysayers, not because of any real barriers to implementation.

(x) Blacklists suck (x) Whitelists suck (x) We should be able to talk about Viagra without being censored - Which all have what to do with signed mail???

(x) Countermeasures must work if phased in gradually - Like IPV6 or changes to daylight savings time?

(x) Why should we have to trust you and your servers? - You shouldn't - So block me, you'll know with 100% certainty who you've blocked.

(x) Feel-good measures do nothing to solve the problem

Re:Will Not Work

[Undead+NDR]

(x) Blacklists suck
(x) Whitelists suck

(x) Greylists suck as well

Re:Will Not Work

[calmofthestorm]

False, there are multiple standards for signing email. Certificate signatures are only one method, GPG is also used.

A larger concern is that once someone's computer is infected with a spambot you get their key.

V for Venema

[digitaldc]

I always said if you had poorly-written code or spam clogging up your inbox, you would need a Venema.

I lost a lot of respect for Wietse Venema

[SuperBanana]

...once I started reading his replies on the postfix-user mailing list. He's extremely blunt. While many are VERY helpful and detailed, a number are a sentence or two long that, paraphrased, consist of "you're an idiot."

However, he's nothing compared to Victor Duchovni (who works for Morgan Stanley, and is a major poster on the postfix-users list). His signature, and I'm not making this up:

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Yeah, you read that right. 11 lines long...and this asshole thinks he's so fucking important, he lectures you about how to thank him so he can delete your acknowledgment/thank you as quickly as possible. He's often more willing to insult than help, and on numerous occasions, comes to the wrong conclusion. Worse still, he often presents his solution with complete authority and confidence, putting the helpless user on a primrose path.

Re:I lost a lot of respect for Wietse Venema

[Camel+Pilot]

and this asshole thinks he's so fucking important

errr maybe he is... I mean important. If someone has specific and in depth knowledge and spends time helping the less knowledgeable, being an asshole sometimes come with the territory.

Re:I lost a lot of respect for Wietse Venema

[shis-ka-bob]

Let me get this straight. Two men help strangers to use free software and you are calling one an ass because he wants to 1) share the results of a fix with future users of the group, and 2) avoid flowery 'thank you' follow ups because he has high pressure work to do (there is no other kind of work at Morgan Stanley). Is that the jist of it?

Re:I lost a lot of respect for Wietse Venema

[superskippy]

It's quite simple. If you write an MTA, you have to be an asshole. It's the law.

Re:I lost a lot of respect for Wietse Venema

[Free+the+Cowards]

For some reason many people prefer to have polite, useless help than have someone who directly solves their problem without a bunch of extra words on the side. It boggles the mind, and it's a large part of why I significantly curtailed the time I spend helping people work through their problems. For some reason, a whole lot of people with questions get angry with people who ask things like "what are you actually trying to do here?" or who tell them that their whole approach is wrong, but are perfectly fine with people who go along answering questions politely and wrongly for dozens of messages.

Re:I lost a lot of respect for Wietse Venema

[m50d]

No, it's the hypocrisy and self-righteousness involved in adding eleven lines onto every email you send to tell people you don't want them sending you redundant information in emails.

Re:I lost a lot of respect for Wietse Venema

[nyctopterus]

Yeah, it's really mind boggling how people dislike being insulted and patronised. Idiots.

Re:I lost a lot of respect for Wietse Venema

[nyctopterus]

You know, even if you're doing something good, if you do it with ill temper and lack of grace, you're still being an arse.

Re:I lost a lot of respect for Wietse Venema

[X_Bones]

The problem with this guy browbeating others into not thanking him on the mailing list is that idiots like me, who don't subscribe to postfix-user, have no way to browse the archives a year later and be able to differentiate between questions that have working answers and questions that the asker just gave up on. That means I'm gonna ask him the same question again, and I'd bet a dollar that he'd remember answering it the first time and just tell me to go check the archives instead of wasting his time. And if he gives bad advice with anywhere near the frequency that your parent's post mentions, then I sure as hell would like to know when any of his posts actually lead to a useful and working solution to a problem so I can ignore the others.

It's not my job to make life easier for anyone's email filter. His need for an uncluttered inbox is trumped by the need for the community to archive useful information.

Re:I lost a lot of respect for Wietse Venema

[SuperBanana]

The "flowery" thank-you follow-ups you speak of are actually the norm, not vise-versa. On the Sun Managers list, it was EXPECTED that you post a follow-up to your question, explaining what responses you received, what was correct, what you learned, and who to acknowledge for responding and providing correct solutions. It's the de-facto standard on other lists I'm on, though not to as great a degree. It's a user community, not a help-desk queue.

Victor thinks he's so important that he can demand people not extend the courtesy of saying thank you in exactly the way he wants it, because it wastes his precision brainpower and precious seconds to have to read the message body to see whether to hit the "delete" key. If that's not unbridled arrogance, I don't know what is. I'd be willing to bet he doesn't even do that- I bet he's got a rule that deletes any message with "thank you" in the subject.

The funny thing is, I've seen a couple of Postfix-users posters specifically go out of their way to thank him, not put "thank you" in the subject line, AND cc the list. It's delicious.

Re:I lost a lot of respect for Wietse Venema

[Atario]

If someone has specific and in depth knowledge and spends time helping the less knowledgeable, being an asshole sometimes come with the territory.

Slashdot itself is proof enough of that.

Re:I lost a lot of respect for Wietse Venema

[Free+the+Cowards]

The problem is that they take direct talk for insults, and direct answers for patronizing. People come onto these lists with the attitude that they're smarter than everyone, yet somehow they still need help. If your question is wrong then it's in everybody's best interests if someone points out that the question is wrong and guides you on how to approach things better, and it's in nobody's best interests to take it at face value and be happy and polite while leading you both into darkness.

Re:I lost a lot of respect for Wietse Venema

[mandelbr0t]

Actually, if someone deals with the unwashed masses regularly, it might be a good idea to learn some manners and/or diplomacy. There's no excuse for being an asshole, not even being ridiculously intelligent and having to deal with real idiots. Everyone has stress in their lives, and it's like geniuses can't be bothered to deal with it gracefully. Quietly ignoring the "it works, thanks" e-mail saves just as much time, without alienating the person with his first response.

Re:I lost a lot of respect for Wietse Venema

[greg1104]

If you don't get the "it worked" follow-ups to the list, others looking through the list archives trying to resolve the same issue don't know whether a) the proposed solution really worked, or b) the person just gave up or resolved it another way. It's unfortunate that Viktor doesn't understand confirmed answers are therefore useful for reducing his long-term support workload.

Re:I lost a lot of respect for Wietse Venema

[Fjan11]

He's extremely blunt.

In his defense: He's also Dutch and male. You could say he is double handicapped. (Most Dutchmen, like me, are not very politically correct. It's a cultural thing that tends to offend those not in the know)

Re:Just use gmail

[rolfc]

Google have experienced mail-administrators, while your work has someone who knows how to point and click?

Not only that.

[khasim]

From TFA:

In my personal opinion, the reliability of email reached its maximum near 1998; it has gone down ever since as the result of increasingly aggressive anti-spam/virus measures. This observation has led me to conclude that the spammers aren't destroying the email infrastructure, it's the well-meaning people with their countermeasures.

I use Exim4 as a pre-processor for a GroupWise system.

This allows me to reject messages during the SMTP connection (no receive and then bounce back) and I have customized the rejection messages to include my phone number. As long as YOUR email admin handles error messages in any sane way, you'll get a phone number to call and talk to the guy who set up the system that rejected your email. I get a call about every other month now.

The real problem is not "aggressive anti-spam/virus measures".

It is that 80%+ of the inbound connections are spam-related. So just about ANY action taken will reduce the amount of spam. But the email admins still need to continually evaluate their processes.

Re:Not only that.

[theshowmecanuck]

I think he is talking about reliability in that every email sent gets to its destination. Right now, email can be blocked as spam. It doesn't matter whether you do the blocking at the SMTP level or not, it is still being blocked including some legitimate emails. If legitimate email is being blocked for any reason, it means the service is not reliable. Your caveat "As long as YOUR email admin handles error messages in any sane way" doesn't solve anything since the person sending the email is usually not responsible for how their email server is configured. Meaning that for them, the service is either reliable or it isn't. This ultimately means that if someone's legitimate email gets blocked by you/your server for some erroneous reason, that your email server is not reliable, and less so than in 1998. The article is saying our current anti spam counter measures are what is making email less reliable.

If programming was a million times more difficult

We wouldn't have fewer people interested in it, we would just have a million times more bugs or one millionth the number of programs available.

Just because it is more difficult doesn't mean the people attempting it are going to do a better job at it. Flying men into outer space is difficult, just because flying men to Jupiter is a million times more difficult doesn't mean the approach we create will be more successful at it.

If anything, programming needs to be easier, so more people would do it then we could have more solutions to choose from. A parallel brute force approach with selection can produce better solutions for everybody.

My Solution to Spam?

[Archangel+Michael]

Spam Assassin.

No, not the program of the same name, an actual assassin that kills spammers, CEOs of companies that use SPAM etc.

And if he has some extra time, assassinate some of the Wall Street Pirates responsible for the mess we're in.

I suggest 1 Trillion Dollars as a bounty, since the Government is handing money out like candy.

Re:Er...Spellcheck much?

[halcyon1234]

Little typos like that don't matter. I mean, things work just fine whenever I sign into BankFoAmercia.com. Okay, sometimes the initially login fails, and I have to login at BankOfAmerica.com again, but after that things are fine.

Strange, though, I never can seem to make my paychecks last more than a day or two. Hrm.

Greylisting

[CaptSaltyJack]

greylistd is an option, though I haven't tested it thoroughly. For those not familiar with it, greylistd works alongside your MTA and rejects ALL incoming e-mails on their first attempt. On the second attempt after some time has passed*, it accepts the email and whitelists that IP/sender for a user-specified amount of time (defaults to 60 days I believe?).

The idea is that spambots do not attempt to redeliver rejected emails, whereas regular "legit" mail servers do. When an email is greylisted, the MTA sends back a special response similar to a rejection, though it does indicate that it's a greylist response. I can see that spambots will eventually get around this by attempting redelivery, I would think. So I don't see greylisting as a long-term solution, but I'd welcome any comments on this.

By the way, if anyone knows a sure-fire way to get spam mail sent to a particular email address, please reply to this comment and let me know. I need a real-world test.

*I noticed most servers attempt to send again within 15-20 minutes; that is also rejected as I suppose the greylist server thinks that's too soon...?

Re:Still waiting for a "one solution" email produc

[tomz16]

Getting these to flawlessly get set-up from scratch is a feat in itself. Why don't we have such a product? I am no coder so I cannot do much except reporting problems.

I imagine a single script a user can run then have all those services running within parameters to be supplied. Linux folks are capable of a lot more so this should not be that difficult.

... because mail IS complicated, and each of these products has its own quirks and gotchas.

Someone who cannot be bothered to read the teeny fraction of relevant documentation necessary to properly set up this software probably has no business administering it (especially on a production network). Since a poorly configured mail server really has the potential to piss thousands of people off around the planet, I'm actually content with the current state of affairs...

P.S. you are looking for a product called Microsoft Exchange. It has nice big buttons you can point and click on. Luckily the costs involved and the presence of an official certification program serve as an effective barrier to entry for most amateur admins.

I don't see how the pull model helps

[kwerle]

I've seen a few folks advocate the pull model for email and say that the burden then rests more on the sender than the receiver. I just don't see it.

I'm a spammer sending as much email to as many folks as possible. What would I rather do: send the message itself (let's say it's 2K), or send tiny receipts for a message (let's say 1/2K or less)? Then when the receivers pull their message I send the 2K message. And if I start to get flooded I dynamically reduce the size to 1K or even less? And if I'm slow, I increase the size to 5K or more (pretty pictures, etc).

I don't have to store the content - I can just generate it dynamically. And I can even send a bunch of receipts and change the spam content over time depending on who is paying me and how effective some spam solution is at any given time.

So, seriously, how does the pull method help? It seems to me that it's worse than push.

The real problem

[geekmansworld]

This man is a God-Damned genius:

"...The technical arms race will continue unless politicians and law enforcement join the battle with effective measures that work across national borders.

This observation has led me to conclude that the spammers aren't destroying the email infrastructure, it's the well-meaning people with their countermeasures."

Yes! Yes! Yes!

As a system administrator, I can't tell you how many times a failure to receive a customer's e-mail was due to a poorly-configured junk scanner on the customer's network.

And fighting spam is indeed a two-pronged approach. Sysadmins AND politicians need to be proactive about fighting spam. Spam is an issue that affects communications, especially business communications, with unacceptable severity. It's time for politicians to do their fair share.

Re:Just use gmail

[theCoder]

The pull model really isn't a good idea, because that is what spammers are already trying to get people to do. They want you to open the email and click the link. A pull model just makes that automatic. Not to mention all the marketing people (pseudo-spammers) that would just love to know which of their recipients actually look at their emails, and how long they look at them, etc. I already get mailings (alumni stuff, etc) that are just links to a web page where I can read the actual letter.

And of course, "just use gmail" isn't really a solution. It only works until someone figures out how to get through gmail's filters, or Google really sells out and starts allowing select "partners" to advertise to members directly. Though there is some irony in the idea that you can avoid email advertising by using a system that has ads in the email viewer. I'm not saying anything bad about Google or gmail, just pointing out the irony :)

Re:Still waiting for a "one solution" email produc

[Luyseyal]

One email every 3 seconds is not a difficult task, unless you work for a lawfirm that likes to email around PDF attachments running in excess of 100 MB. Then we'll talk.

-l

Proof of Work

[Agripa]

I am inclined white list and then require a Proof of Work to bring any message not on the white list to my attention without error prone automated spam checking. When possible, reject at the smtp level of course to avoid relying on the easily forged headers and provide immediate feedback.

Unfortunately, no Proof of Work authentication systems are available yet.

Re:Er...Spellcheck much?

[kv9]

Not that Spelling Nazi's are prevalent here or anything, but...

Spelling Nazi's what?