Why Public Email Needs a Police Force
jfruhlinger writes "Those of us who had email addresses in the early days of the Internet age remember sending notes to webmaster email addresses to report malicious email behavior — and actually getting a response back. But today, a huge majority of mail comes from public services like Gmail or Yahoo mail, and getting anyone at those companies to take responsibility for abusive users is nearly impossible. 'If they could agree on a third-party service that could be the receptacle on a 24/7 basis for rapid account suspension, the 419 Fraud problem might dwindle down to a trickle quickly. It would take trust among the email providers to do this, but it would also alleviate big problems that law enforcement officials are usually unable to handle. Call them the email cops.'"
So now you can ACTUALLY report people to the cyber police?
craphound.com
Help stamp out iliturcy.
Those of us who had email addresses in the early days of the Internet age remember sending notes to webmaster email addresses to report malicious email behavior
Webmaster@ will get you the webmaster.
Postmaster@ will get you the postmaster.
They might be the same person but the RFC states these addresses have to resolve to a human. If they don't with gmail, yahoomail, or whatever, then these sites should be listed on rfc-ignorant.
Email police? No, won't work. What happened to that standard spam solution form slashdot used to use?
enough with the voluntary fascism.
Jehovah be praised, Oracle was not selected
Yet another itworld/computerworld shit-stirring post. Seems like over 50% of the front page posts on Slashdot are from them.
In Nazi Germany they were called the SS
No it doesn't. That is why you have an ignore feature. Grow up and stop trying to cry to mommy and daddy when you feel the slightest bit offended.
Do police actively monitor normal mail? No? Well why the hell would they bother with email. There are already solutions in the market for things such as spam and fraud. Having an "email police" won't change anything considering how friggin easy it is to spoof emails as well as zombie networks (why do people bother trying to propose "solutions" when they don't even fully understand the technical problems). If anything, this would only increase abuse as well as reduce privacy.
Hmm, maybe that is the point of this "solution"....
...we get email tazers, email guns and email beatdowns.
And how did I manage to get through the BBS days through today without being bothered by spam? In fact, my only interaction with a spammer led to a happy transaction to get some nice valium. I would settle for bringing those days back.
Without doubt the most stupid thing on slashdot today. So far.
It's a lot easier to put giant IP blocks on your ban list for countries like China, Cyprus, and any country at all in Africa. Of course I realize that's fairly racist and geo-centric, but the "policing" alternative just isn't feasible because it's a slippery process which would require enormous volumes of man power. There needs to be an automated mechanism. I was thinking that gmail/hotmail/yahoo/whoever could auto-append a "flag this as spam" link to all emails which users could click. This would allow email providers to know exactly which user sent it and which message it was and dramatically streamline the process of complaint rather than forcing someone to parse email headers and sort it all out. Additionally it would offer very structured data for spam complaints that would facilitate algorithmic analysis to determine whether a ban (or just throttling) might mitigate and/or outright solve the problem.
But then again, this system could also be abused.
I think what the author of the article intended was not necessarily to improve spam control but actually to bring law enforcement into the issue. Unfortunately, the article is rather poorly written and seems vague and diffused. I tend to concur that more legal punishment should be involved in the realm of scams and spamming.
yeah... no.
We don't need an internet police, another organisation susceptible to political bickering, bribes, etc.
What we need is a better, more secure way of handling certain types of traffic.
~men are from earth. women are from earth. deal with it.~
This is a job for the postmaster.
Yahoo and Gmail are NOT public services! They are services that are owned and operated by corporations, not the government. Public services mean services provided by the government, like the postal service. Don't try and make it seem like email is a public service. It's not.
So just keep it where it belongs, with the postmaster@*, that way the better policed operation will eventually be the most economical and successful.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
like facebook, g+ or whatever.
you obviously don't want email protocol but a closed garden, maybe you'd like people to submit passport photos for access too along with proof of their career, housing, address and sexuality.
419 fraud or personalised nigeria letters would still happen in that closed garden of yours.
world was created 5 seconds before this post as it is.
Abuse.net seems to be trying to move away from it, but they still offer a single-point reporting service where you can forward spam from $DOMAIN to $DOMAIN@abuse.net and they'll forward to whatever the best contact is that they know of at $DOMAIN.
"Once you've registered, when you send a message to domain-name@abuse.net, where domain-name is the name of the domain that was the source of junk e-mail or another abusive practice, the system here automatically re-mails your message to the best reporting address(es) we know for that domain. For example, if you wanted to send a message to example.com you'd send it to example.com@abuse.net."
If that gets implemented anyone can pretty much get anyone they want banned from email.
a single email from 200 or 300 of the machines in a botnet could get you banned in an instant and the mail-cops would never figure it out.
And before you say it will stop the botnets, they would just get bigger and post fewer emails per zombie so it wouldn't affect them either.
Your post advocates a
( ) technical (X) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(X) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(X) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Go green: turn off your refrigerator.
But who do we report the abuse-reporting system abusers to?
It's an interesting idea, but how would it be funded? Almost like a postal service for the internet. I'm trying to think of a value added service that would make users and ISPs want to sign up with the internet post office and can't think of one. There would have to be some kind of fee to fund the agency and I'm not sure a reduction in spam would be enough incentive.
If the major service providers told people they had to register with the internet post office before they could send mail, how do you enforce that?
Internet protocols were designed to thwart central control and a single point of failure.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
(The post and linked article are so very vague, that filling this out was a bit of a challenge, but here goes:)
Your post advocates a
[ ] technical [X] legislative [X] market-based [ ] vigilante [X] vague
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
[ ] Spammers can easily use it to harvest email addresses
[ ] Mailing lists and other legitimate email uses would be affected
[ ] No one will be able to find the guy or collect the money
[X] It is defenseless against brute force attacks
[X] It will stop spam for two weeks and then we'll be stuck with it
[ ] Users of email will not put up with it
[ ] Microsoft will not put up with it
[ ] The police will not put up with it
[X] Requires too much cooperation from spammers
[ ] Requires immediate total cooperation from everybody at once
[ ] Many email users cannot afford to lose business or alienate potential employers
[ ] Spammers don't care about invalid addresses in their lists
[ ] Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
[ ] Laws expressly prohibiting it
[X] Lack of centrally controlling authority for email
[X] Open relays in foreign countries
[ ] Ease of searching tiny alphanumeric address space of all email addresses
[ ] Asshats
[X] Jurisdictional problems
[ ] Unpopularity of weird new taxes
[ ] Public reluctance to accept weird new forms of money
[ ] Huge existing software investment in SMTP
[ ] Susceptibility of protocols other than SMTP to attack
[ ] Willingness of users to install OS patches received by email
[X] Armies of worm riddled broadband-connected Windows boxes
[ ] Eternal arms race involved in all filtering approaches
[ ] Extreme profitability of spam
[X] Joe jobs and/or identity theft
[ ] Technically illiterate politicians
[ ] Extreme stupidity on the part of people who do business with spammers
[X] Dishonesty on the part of spammers themselves
[ ] Bandwidth costs that are unaffected by client filtering
[ ] Outlook
and the following philosophical objections may also apply:
[X] Ideas similar to yours are easy to come up with, yet none have ever been shown practical
[ ] Any scheme based on opt-out is unacceptable
[ ] SMTP headers should not be the subject of legislation
[ ] Blacklists suck
[ ] Whitelists suck
[ ] We should be able to talk about Viagra without being censored
[ ] Countermeasures should not involve wire fraud or credit card fraud
[ ] Countermeasures should not involve sabotage of public networks
[ ] Countermeasures must work if phased in gradually
[ ] Sending email should be free
[X] Why should we have to trust you and your servers?
[ ] Incompatibility with open source or open source licenses
[X] Feel-good measures do nothing to solve the problem
[ ] Temporary/one-time email addresses are cumbersome
[ ] I don't want the government reading my email
[ ] Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
[X] Sorry dude, but I don't think it would work.
[ ] This is a stupid idea, and you're a stupid person for suggesting it.
[ ] Nice try, assh0le! I'm going to find out where you live and burn your house down!
(Specifically, it looks like the plan is "I got an email claiming to be from joe@hotmail.com! Hotmail, delete that account!", when 1. It's trivial for a spammer to make more accounts, and 2. The address joe@hotmail.com is probably faked, so the account had nothing to do with it.)
"Rapid account suspension" as opposed to more deliberative approaches to account suspension? What could possibly go wrong?
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Let the market sort it out. People who are stupid enough to get swindled out of their money will soon not be able to afford internet anymore, reducing the number of people too stupid to use it. Ahh, ain't darwinism a great thing?
No, seriously. I don't quite get it why people who combine the insanely useful traits of greed and stupidity in one person should get any protection from having both exploited. Sorry, but my pity with people who turn off their brain when facing a computer is very, very limited.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
He's focusing on 419 scams. He wants an instant (or almost instant) way to shut down the accounts that the 419 scammers use.
Which means either an automated system (yeah, how'd you like your account killed because of something you posted on /. that someone took offense to)
or
A staff monitoring the abuse@ and postmaster@ accounts for the various email systems around the clock, every single day.
And what would this accomplish?
It would save the gullible people from themselves. Maybe. As long as the scammers didn't target their emails with enough different reply_to addresses to bypass this.
I'm not getting a very good feeling for this guy's technical credentials.
This will clearly work, because we know that no one would ever make accusations in bad faith.
A fast track to account suspension is a nice dream but it would end up being a quick way to shut up comments people don't like. As the traffic amounts are massive reading and vetting all complaints would not get done. And (just like DMCA take down notices) the "email police" would err on the side of caution and block by default.
I would rather not have my email under the control of a 3rd party.
if i'm stupid enough to fall for a 419, then i deserve it.
---- Booth was a patriot ----
Good and necessary answer. Don't forget abuse@ for all kinds of bad behaviour, not just email.
Gmail and yahoo both sign all outgoing messages cryptographically using dkim. That means that if you get a spam claiming to be from one of their accounts, you can verify that it really is from such an account. Once you've done that, you can report it: gmail, yahoo. So if the author of TFA is complaining that this can't be accomplished by sending email to abuse@gmail.com or postmaster@gmail.com, then I suppose he has a valid complaint that they're not complying with RFCs...but...that's the way it is. It's not the end of the world. Gotta use a web interface instead. Boo hoo.
The author of TFA is upset that he can't get spamming accounts shut down instantly, 24/7. I actually don't really want an internet where any random person can get my ability to send email shut down instantly. What if it's a joe-job? What if the complaint is from one of these people who just clicks on "spam" when they don't want the mail, even when it's not spam? A much better way to handle this is to limit the number of messages per hour that can be sent from a newly created account. Then if it takes a day, or three days, to shut down a spam account, the consequences aren't that bad; the spammer can't use the account to send a million emails in 24 hours. I assume that gmail and yahoo already do this kind of rate-limiting.
What would be a huge improvement would be if the remaining big email providers other than gmail and yahoo would start using dkim. Once dkim becomes universal, we can establish actual reputations for people as spammers or non-spammers.
Virtually all the spam I get these days is from small domains. Recent examples include education-portal.com, spacesaver.com, and mg-style.net. The solution proposed by the author of TFA is to bug education-portal.com to respond to email sent to abuse@education-portal.com by deactivating jones@education-portal.com. Um, that isn't going to work, because jones works for education-portal.com, and they want him to spam me. The solution is to make dkim universal enough that people can stop accepting mail from domains that don't dkim-sign. Then education-portal.com can get an online reputation as a spammer, and everyone can start blocking them in their spam filters.
Find free books.
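Added example, not part of any comment in this thread: the comment above says a DKIM-signed message can be tied to the provider before it is reported, while other comments point out that botnet spam simply forges From:. The Python sketch below reads the Authentication-Results header written by the receiving server and treats the From: domain as reportable only when a passing DKIM signature's domain matches it. The authserv-id `mx.example.net`, the sample messages and the function names are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumption: the name our own receiving MTA writes as authserv-id.
TRUSTED_AUTHSERV_ID = "mx.example.net"

# Constructed sample messages (not real mail).
SIGNED = """\
Authentication-Results: mx.example.net;
 dkim=pass (good signature) header.d=gmail.com header.s=sel1;
 spf=pass smtp.mailfrom=gmail.com
From: "Joe" <joe@gmail.com>
Subject: URGENT business proposal

Dear friend ...
"""

FORGED = """\
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=dsl.example
From: joe@hotmail.com
Subject: URGENT business proposal

Dear friend ...
"""

# The sender pre-inserted a fake result header; our MTA's real one sits above it.
INJECTED = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bulk-sender.example
Authentication-Results: mx.example.net; dkim=pass header.d=gmail.com
From: joe@gmail.com
Subject: URGENT business proposal

Dear friend ...
"""


def passing_dkim_domains(msg, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return the d= domains of DKIM signatures our own MTA marked as pass.

    Only the topmost header carrying the trusted authserv-id is used: the
    receiving MTA prepends its header, so anything lower may have been
    supplied by the sender.
    """
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(str(raw).split())          # unfold continuation lines
        authserv, _, results = value.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != trusted_id:
            continue
        domains = set()
        for clause in results.split(";"):
            if not re.match(r"\s*dkim\s*=\s*pass\b", clause, re.I):
                continue
            found = re.search(r"\bheader\.d\s*=\s*([A-Za-z0-9.-]+)", clause, re.I)
            if found:
                domains.add(found.group(1).lower().rstrip("."))
        return domains
    return set()


def classify(raw_message):
    """Decide whether the From: domain is backed by a passing DKIM signature."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    signers = passing_dkim_domains(msg)
    # Simplified alignment: exact match, or From: is a subdomain of d=.
    # Real DMARC alignment compares organizational domains instead.
    aligned = any(from_dom == d or from_dom.endswith("." + d) for d in signers)
    return {
        "from_domain": from_dom,
        "signers": signers,
        "from_verified": bool(from_dom) and aligned,
    }


if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("forged", FORGED), ("injected", INJECTED)):
        print(name, classify(raw))
```

When `from_verified` is false, a complaint against the account named in From: has no evidence behind it; the domains in `signers`, if any, are the ones that actually vouched for the message.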
And after some time, who would stop this 3rd party "police" from buckling under pressure from governments/corporations and start scanning all email accounts for other "unfit", "inappropriate" and "potentially harmful" content and banning accounts on a whim? Thanks, but no thanks.
-- I am the Monkey Guru.
Just give me the top authority and immunity from any civil or criminal litigation!
No problem
Hotmail, Yahoo, Gmail, AIM (amongst others) are all going to get real mad when their mail all goes in the scrapper.
Then users will be mad that their mail gets dumped because their service is lame.
Then I will be out of a job.
ENFORCE the laws and regs in place, that's not going to happen either, as there is no money to be made (or tangibly saved) by doing so.
Useless laws and regs with no teeth and too many wormy lawyers hired by lying spammers.
Please fill out form as necessary......
Rick B.
After the FBI outsourcing hacks, NO. THIS is just about as foolish, stupid and asinine as it gets. Seriously, EMAIL cops? What's next, HTTP cops and TCP/IP cops? I know, Facebook cops, oh wait... OH and how about World of Warcraft cops and... WHERE DOES IT END AND COST......
The 419 problem will be around as long as there are idiots who fall for them.
The spam I get uses forged headers anyway, and was sent from botnets.
So even if abuse@(yahoo|gmail|hotmail|whatever) would cooperate, there is nothing they can do about a bot sending directly to the recipient's server with a fake From: header.
All this plan could accomplish would be to suspend perfectly innocent email accounts from people who were unlucky that their address was used in spam headers.
This email police is not necessary, and YOU are a control freak, that's obvious enough from the summary.
If you are not smart enough to set up your email client with rules which toss email from specific addresses into the trash immediately, then just use your delete button. If you cannot or will not use either of these solutions, maybe you don't need to be using a computer at all. Your mindset reminds me of the lowest of all forms of internet users, the AOL moron.
Little fascists like you drag the human race down with your paranoid need for more and more rules. Mind your own business, and leave the rest of us alone. That's not a request, that's an order, bitch.
Unless there's a serious sanction[1] for making false complaints it will be abused to enforce FOSBOWIAWI[2].
It should be the same for DMCA takedowns and some patent claims too.
[1] jail time, or a ban ten times as long as the falsely accused would have got.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
I think this would be a perfect way for the USPS to renew their relevance in the digital age. They'd need to invent a more secure form of email, where the sender is not so easily spoofed; but getting it accepted as a standard should be easy for an organization with their credibility. Then they could accept micropayments for sending authenticated email. The average person could pay for the service by cleaning under their sofa cushions, but it would be cost-prohibitive for spammers to send millions of messages. (They might try to use stolen accounts, but since the messages would be authenticated by one agency, spikes in traffic originating from a single account would be easy to detect and block.)
I would gladly pay for a USPS "email" address that could never receive spam.
Sorry but the protocol was never built for this and whilst it has had people add protocols for securing and signing data and verifying identity only limited people really use them.
If you can't prove an identity then the emails are just bits on the wire. You might as well take people to court for the dust they create.
Email is SMTP. There is no practical way to police it like the article describes. The author simply doesn't know how email works. What we need is a new message standard. An Advanced Mail Transfer Protocol. It should include:
1. Encryption system where mail servers publish the public keys. Mail server can also hold the recipient private key. This way an email can easily be signed. My server can check signature to see if the mail really comes from whoever says is the sender.
2. Approved senders AKA friends request. On many social media sites you have the option to only get contacted by those in your contact list. Email should work like this too. I should be able to lock my email account from getting mail from anyone I haven't approved.
This could be implemented with backward compatibility with regular SMTP. All regular unsigned SMTP mail will just be marked as just that. Simple and untrusted. As the net upgrades to AMTP2 there will be a point where the majority is over on the new protocol and spam as we know it will die.
#find
You know, anyone who hasn't been around long enough to have an email address ending in .ARPA really should just STFU and stop proposing ridiculous nonsense like this. Not only is it highly annoying to be exposed to idiocy of this magnitude, but it distracts from measures that have actually been proven -- repeatedly -- to work.
or let people learn the lessons?
1. If a deal is too good to be true, it is.
2. People lie on the internets.
3. A fool and his money are soon parted.
There is no way to patch dumb. You cannot have a free society that is free from personal responsibility.
Choose. Freedom or nanny-state.
Set up your spam filters and not worry about it.
Erm, Yahoo and Google are PRIVATE. Nice try to blame the government, though. Back to your free market!
Ain't nothing a baseball bat to the face can't fix.
How long would it be before people use the service to get emails banned from people they don't like??
This suggestion -- promptly killing someone's E-mail account without giving them time to defend themselves -- is a recipe for denial of service. All I have to do is file a complaint against someone I don't like. Zap. They have no E-mail. I don't have to prove my complaint is valid.
Hmm. Someone running a botnet could quickly eliminate all E-mail for a nation. Cyberwar!!
This is exactly what the internet nor any country needs!
jfruhlinger is a coward and idiot extraordinaire.
jfruhlinger should be banned from /. for "its" brazen attempts at sexual contact through social networking.
jfruhlinger, go to Facebook and Suck It UP, then swallow.
--//++
Have gnu, will travel.
What if the complaint is from one of these people who just clicks on "spam" when they don't want the mail, even when it's not spam?
If I clicked on the spam button, it's spam. I don't care why you think we have a business relationship. We don't, I'm not interested.
If I buy a product online and have to register I *always* untick any "send me product updates" checkbox. If you didn't ask that question, you have no permission to send me any emails, and are thus sending me spam.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
I've been using spamcop for years, used to report a lot of garbage, actually got some confirmed kills - replies from webmasters claiming account sending had been closed. Haven't bothered in a long time, seems like the worst are coming from sites owned by the spammers, so the complaint is being sent to the guy sending it...
419 fraud isn't a problem, it's a never-ending source of hilarity.
Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
It's nice that you always remember which businesses are allowed to send you newsletters.
Don't you think it's plausible that someone signs up for a newsletter, and when they get it 3 weeks later have forgotten, and mark it as "spam"? Wouldn't that be a problem with the suggested anti-spam system, especially for smaller businesses?
Which is fine, but it should hardly get the sender banned permanently for what might be an honest mistake. What if I send you an email by accident because I make a typo while reading a name off a business card?
A much better way to handle this is to limit the number of messages per hour that can be sent from a newly created account. Then if it takes a day, or three days, to shut down a spam account, the consequences aren't that bad; the spammer can't use the account to send a million emails in 24 hours. I assume that gmail and yahoo already do this kind of rate-limiting.
That wouldn't work very well. The spammer would just sign up for a lot of email accounts instead. Or rent a server, linode is like $20 for a month, and I bet you can send a lot of spam before it is shut down.
Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
You can report some to the BBB if they operate in the US.
For people pretending that they're the IRS or some other government agency, they usually have an anti-phishing address you can forward the email to and then it's their problem.
Don't know about the rest of the countries, though.
it's mostly spam anyway and has failed.
It's time for another set of protocols/standards.
Use a Debian spam filter with zen.spamhaus as the rbl and things will be nice and quiet.
Having to work for a living is the root of all evil.
Here is the rfc in question: http://tools.ietf.org/html/rfc5321
It requires the server to accept mail for postmaster, it does not require it to deliver it to anyone.
Odds are, sending an email to the webmaster about email issues would get you a "not my job" response in any era. The address you're thinking of is "postmaster," subby.
Furries make the internet go.
There are some people, and some I know that consider spam as anything they don't want to see. They might say that my first sentence is spam. Any posts they agree with are okay. none they don't. A mail list I run had a person who posted a tasteless and stupid political screed. I had several requests to "get rid of the spam that was taking over the list". One post, and it wasn't spam, just stupid. I contacted the person involved, he said he was sorry. Then after the second day of ceaseless bitching, I put the list on full moderation. Problem is, that first sentence is correct. You and I might know what spam is or isn't, but being a spam cop will mean that you are going to have to put up with more idiocy than we did before.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
I've actually had people complain to me about a message to a mailing list that was on topic for the list. They called it spam but the message was simply questions about a planned event for the mailing list subscribers.
Interestingly enough, these paragons of what should be allowed cannot grasp the simple concept of a filter.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
There are plenty of idiots out there that voluntarily sign up for whatever shiny-of-the-week marketers make available, forget, and then mark that as spam.