Why Public Email Needs a Police Force
jfruhlinger writes "Those of us who had email addresses in the early days of the Internet age remember sending notes to webmaster email addresses to report malicious email behavior — and actually getting a response back. But today, a huge majority of mail comes from public services like Gmail or Yahoo mail, and getting anyone at those companies to take responsibility for abusive users is nearly impossible. 'If they could agree on a third-party service that could be the receptacle on a 24/7 basis for rapid account suspension, the 419 Fraud problem might dwindle down to a trickle quickly. It would take trust among the email providers to do this, but it would also alleviate big problems that law enforcement officials are usually unable to handle. Call them the email cops.'"
So now you can ACTUALLY report people to the cyber police?
craphound.com
Help stamp out iliturcy.
Those of us who had email addresses in the early days of the Internet age remember sending notes to webmaster email addresses to report malicious email behavior
Webmaster@ will get you the webmaster.
Postmaster@ will get you the postmaster.
They might be the same person, but the RFC states these addresses have to resolve to a human. If they don't with gmail, yahoomail, or whatever, then these sites should be listed on rfc-ignorant.
Email police? No, won't work. What happened to that standard spam solution form slashdot used to use?
enough with the voluntary fascism.
Jehovah be praised, Oracle was not selected
Do police actively monitor normal mail? No? Well why the hell would they bother with email. There are already solutions in the market for things such as spam and fraud. Having an "email police" won't change anything considering how friggin easy it is to spoof emails as well as zombie networks (why do people bother trying to propose "solutions" when they don't even fully understand the technical problems). If anything, this would only increase abuse as well as reduce privacy.
Hmm, maybe that is the point of this "solution"....
...we get email tazers, email guns and email beatdowns.
And how did I manage to get through the BBS days through today without being bothered by spam. In fact, my only interaction with a spammer led to a happy transaction to get some nice valium. I would settle for bringing those days back.
Without doubt the most stupid thing on slashdot today. So far.
It's a lot easier to put giant IP blocks on your ban list for countries like China, Cyprus, and any country at all in Africa. Of course I realize that's fairly racist and geo-centric, but the "policing" alternative just isn't feasible because it's a slippery process which would require enormous volumes of man power. There needs to be an automated mechanism. I was thinking that gmail/hotmail/yahoo/whoever could auto-append a "flag this as spam" link to all emails which users could click. This would allow email providers to know exactly which user sent it and which message it was and dramatically streamline the process or complaint rather than forcing someone to parse email headers and sort it all out. Additionally it would offer very structured data for spam complaints that would facilitate algorithmic analysis to determine whether a ban (or just throttling) might mitigate and/or outright solve the problem.
But then again, this system could also be abused.
I think what the author of the article intended was not necessarily to improve spam control but actually to bring law enforcement into the issue. Unfortunately, the article is rather poorly written and seems vague and diffused. I tend to concur that more legal punishment should be involved in the realm of scams and spamming.
yeah... no.
We don't need an internet police, another organisation susceptible to political bickering, bribes, etc.
What we need is a better, more secure way of handling certain types of traffic.
~men are from earth. women are from earth. deal with it.~
So just keep it where it belongs, with the postmaster@*, that way the better policed operation will eventually be the most economical and successful.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
like facebook, g+ or whatever.
you obviously don't want email protocol but a closed garden, maybe you'd like people to submit passport photos for access too along with proof of their career, housing, address and sexuality.
419 fraud or personalised nigeria letters would still happen in that closed garden of yours.
world was created 5 seconds before this post as it is.
Abuse.net seems to be trying to move away from it, but they still offer a single-point reporting service where you can forward spam from $DOMAIN to $DOMAIN@abuse.net and they'll forward to whatever the best contact is that they know of at $DOMAIN.
"Once you've registered, when you send a message to domain-name@abuse.net, where domain-name is the name of the domain that was the source of junk e-mail or another abusive practice, the system here automatically re-mails your message to the best reporting address(es) we know for that domain. For example, if you wanted to send a message to example.com you'd send it to example.com@abuse.net. "
If that gets implemented anyone can pretty much get anyone they want banned from email.
a single email from 200 or 300 of the machines in a botnet could get you banned in an instant and the mail-cops would never figure it out.
And before you say it will stop the botnets, they would just get bigger and post fewer emails per zombie so it wouldn't affect them either.
It's an interesting idea, but how would it be funded? Almost like a postal service for the internet. I'm trying to think of a value added service that would make users and ISPs want to sign up with the internet post office and can't think of one. There would have to be some kind of fee to fund the agency and I'm not sure a reduction in spam would be enough incentive.
If the major service providers told people they had to register with the internet post office before they could send mail, how do you enforce that?
Internet protocols were designed to thwart central control and a single point of failure.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
"Rapid account suspension" as opposed to more deliberative approaches to account suspension? What could possibly go wrong?
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
Let the market sort it out. People who are stupid enough to get swindled out of their money will soon not be able to afford internet anymore, reducing the number of people too stupid to use it. Ahh, ain't darwinism a great thing?
No, seriously. I don't quite get it why people who combine the insanely useful traits of greed and stupidity in one person should get any protection from having both exploited. Sorry, but my pity with people who turn off their brain when facing a computer is very, very limited.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
He's focusing on 419 scams. He wants an instant (or almost instant) way to shut down the accounts that the 419 scammers use.
Which means either an automated system (yeah, how'd you like your account killed because of something you posted on /. that someone took offense to)
or
A staff monitoring the abuse@ and postmaster@ accounts for the various email systems around the clock, every single day.
And what would this accomplish?
It would save the gullible people from themselves. Maybe. As long as the scammers didn't target their emails with enough different reply_to addresses to bypass this.
I'm not getting a very good feeling for this guy's technical credentials.
This will clearly work, because we know that no one would ever make accusations in bad faith.
I would rather not have my email under the control of a 3rd party.
if i'm stupid enough to fall for a 419, then i deserve it.
---- Booth was a patriot ----
Gmail and yahoo both sign all outgoing messages cryptographically using dkim. That means that if you get a spam claiming to be from one of their accounts, you can verify that it really is from such an account. Once you've done that, you can report it: gmail, yahoo. So if the author of TFA is complaining that this can't be accomplished by sending email to abuse@gmail.com or postmaster@gmail.com, then I suppose he has a valid complaint that they're not complying with RFCs...but...that's the way it is. It's not the end of the world. Gotta use a web interface instead. Boo hoo.
The author of TFA is upset that he can't get spamming accounts shut down instantly, 24/7. I actually don't really want an internet where any random person can get my ability to send email shut down instantly. What if it's a joe-job? What if the complaint is from one of these people who just clicks on "spam" when they don't want the mail, even when it's not spam? A much better way to handle this is to limit the number of messages per hour that can be sent from a newly created account. Then if it takes a day, or three days, to shut down a spam account, the consequences aren't that bad; the spammer can't use the account to send a million emails in 24 hours. I assume that gmail and yahoo already do this kind of rate-limiting.
What would be a huge improvement would be if the remaining big email providers other than gmail and yahoo would start using dkim. Once dkim becomes universal, we can establish actual reputations for people as spammers or non-spammers.
Virtually all the spam I get these days is from small domains. Recent examples include education-portal.com, spacesaver.com, and mg-style.net. The solution proposed by the author of TFA is to bug education-portal.com to respond to email sent to abuse@education-portal.com by deactivating jones@education-portal.com. Um, that isn't going to work, because jones works for education-portal.com, and they want him to spam me. The solution is to make dkim universal enough that people can stop accepting mail from domains that don't dkim-sign. Then education-portal.com can get an online reputation as a spammer, and everyone can start blocking them in their spam filters.
Find free books.
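An added example, not part of the comment above or of any provider's tooling: before filing a report with a provider, check that your own receiving server recorded a DKIM pass whose signing domain matches the From: domain. The authserv-id `mx.example.net`, the function names and all three sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id that our own receiving MTA stamps on inbound mail.
TRUSTED_ID = "mx.example.net"

# Constructed sample messages (headers only, not real mail).
GENUINE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=gmail.com header.s=sel1; spf=pass smtp.mailfrom=gmail.com
From: "Barrister X" <someone@gmail.com>
"""
FORGED = """\
Authentication-Results: mx.example.net; dkim=none; spf=softfail
Authentication-Results: mx.sender-supplied.invalid; dkim=pass header.d=gmail.com
From: someone@gmail.com
"""
MISALIGNED = """\
Authentication-Results: mx.example.net; dkim=pass header.d=bulk.example
From: someone@gmail.com
"""

def parse_auth_results(value):
    """Split one Authentication-Results value into (authserv_id, results)."""
    value = re.sub(r"\([^()]*\)", " ", value)   # drop (comments)
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def reportable_to_provider(raw, trusted_id=TRUSTED_ID):
    """True only if our own MTA recorded a DKIM pass aligned with From:."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain:
        return False
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(header)
        if authserv_id != trusted_id:
            continue   # header not written by our server: ignore it
        for method, result, props in results:
            d = props.get("header.d", "").lower()
            aligned = d != "" and (from_domain == d or from_domain.endswith("." + d))
            if method == "dkim" and result == "pass" and aligned:
                return True
    return False
```

Only the Authentication-Results header written by your own server counts; a copy arriving inside the message proves nothing, which is why the second sample is rejected.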
The governmental services like police, postal etc, are paid for with your tax money
Exactly! Those are public services. They are paid for by my tax dollars. The OP said that "a huge majority of mail comes from public services like Gmail or Yahoo mail." Again, they are not public services. They are run by corporations and not by the government. And, WTF are you talking about an "idiotic proposal" for? I didn't propose anything and didn't have any links in my post. All I said was email is not a public service. Did somebody forget their meds this morning?
And after some time, who would stop this 3rd party "police" from buckling under pressure from governments/corporations and start scanning all email accounts for other "unfit", "inappropriate" and "potentially harmful" content and banning accounts on a whim? Thanks, but no thanks.
-- I am the Monkey Guru.
Honestly, there is a place for them when it comes to email. They SHOULD offer a 'certified email'. Sell 'eStamps' as a revenue source. Don't receive any email from other servers. Only allow emails that are submitted by a logged in user, and charge a nominal fee for those emails. Then forward the mails to regular email addresses as well as keep a local copy for users who want to log in and get the email from the trusted source. It would look like a corporate email server that does not receive email from the internet, but has mail forwarding turned on by default.
This wouldn't stop all spam but it would solve a lot of problems:
It doesn't create a new email standard.
It would add enough cost to discourage massive auto generated spam without incurring a massive cost to legitimate users.
It would not require a separate or new application on the users end
It could be bypassed for any email that did not need 'certification'
It would put a postmark on emailed documents from a trusted third party
It would give end to end authentication when both the sender and receiver are signed up
It doesn't require the receiver to sign up if they don't want to
It can track delivery timestamps of email
It could be used as a second channel for regular email white listing requests.
As I said, it wouldn't stop spam entirely, but if spammers flooded the system, we could still filter, while allowing them to fund the USPS. So, even if it failed to slow down spam, it would have a huge benefit.
Just give me the top authority and immunity from any civil or criminal litigation!
No problem
Hotmail, Yahoo, Gmail, AIM (amongst others) are all going to get real mad when their mail all goes in the scrapper.
Then users will be mad that their mail gets dumped because their service is lame.
Then I will be out of a job.
ENFORCE the laws and regs in place, that's not going to happen either, as there is no money to be made (or tangibly saved) by doing so.
Useless laws and regs with no teeth and too many wormy lawyers hired by lying spammers.
Please fill out form as necessary......
Rick B.
The spam I get uses forged headers anyway, and was sent from botnets.
So even if abuse@(yahoo|gmail|hotmail|whatever) would cooperate, there is nothing they can do about a bot sending directly to the recipient's server with a fake From: header.
All this plan could accomplish would be to suspend perfectly innocent email accounts from people who were unlucky that their address was used in spam headers.
Actually, it would be more like the Gestapo. Hugely overblown reputation, and only so "successful" because people fell over each other reporting on other people they wanted out of their way.
Unless there's a serious sanction[1] for making false complaints it will be abused to enforce FOSBOWIAWI[2].
It should be the same for DMCA takedowns and some patent claims too.
[1] jail time, or a ban ten times as long as the falsely accused would have got.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Sorry but the protocol was never built for this and whilst it has had people add protocols for securing and signing data and verifying identity only limited people really use them.
If you can't prove an identity then the emails are just bits on the wire. You might as well take people to court for the dust they create.
Good and necessary answer. Don't forget abuse@ for all kinds of bad behaviour, not just email.
And hostmaster@ for host related matters. I was trying to correct the summary not provide a full list of RFC mandated email addresses.
Email is SMTP. There is no practical way to police it like the article describes. The author simply doesn't know how email works. What we need is a new message standard. An Advanced Mail Transfer Protocol. It should include:
1. Encryption system where mail servers publish the public keys. The mail server can also hold the recipient's private key. This way an email can easily be signed. My server can check the signature to see if the mail really comes from whoever it says is the sender.
2. Approved senders AKA friends request. On many social media sites you have the option to only get contacted by those in your contact list. Email should work like this too. I should be able to lock my email account from getting mail from anyone I haven't approved.
This could be implemented with backward compatibility with regular SMTP. All regular unsigned SMTP mail will just be marked as just that. Simple and untrusted. As the net upgrades to AMTP2 there will be a point where the majority is over on the new protocol and spam as we know it will die.
#find
You know, anyone who hasn't been around long enough to have an email address ending in .ARPA really should just STFU and stop proposing ridiculous nonsense like this. Not only is it highly annoying to be exposed to idiocy of this magnitude, but it distracts from measures that have actually been proven -- repeatedly -- to work.
Setup your spam filters and not worry about it.
How long would it be before people use the service to get emails banned from people they don't like??
This suggestion -- promptly killing someone's E-mail account without giving them time to defend themselves -- is a recipe for denial of service. All I have to do is file a complaint against someone I don't like. Zap. They have no E-mail. I don't have to prove my complaint is valid.
Hmm. Someone running a botnet could quickly eliminate all E-mail for a nation. Cyberwar!!
Have gnu, will travel.
What if the complaint is from one of these people who just clicks on "spam" when they don't want the mail, even when it's not spam?
If I clicked on the spam button, it's spam. I don't care why you think we have a business relationship. We don't, I'm not interested.
If I buy a product online and have to register I *always* untick any "send me product updates" checkbox. If you didn't ask that question, you have no permission to send me any emails, and are thus sending me spam.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
419 fraud isn't a problem, it's a never-ending source of hilarity.
Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
It's nice that you always remember which businesses are allowed to send you newsletters.
Don't you think it's plausible that someone signs up for a newsletter, and when they get it 3 weeks later have forgotten, and mark it as "spam"? Wouldn't that be a problem with the suggested anti-spam system, especially for smaller businesses?
A much better way to handle this is to limit the number of messages per hour that can be sent from a newly created account. Then if it takes a day, or three days, to shut down a spam account, the consequences aren't that bad; the spammer can't use the account to send a million emails in 24 hours. I assume that gmail and yahoo already do this kind of rate-limiting.
That wouldn't work very well. The spammer would just sign up for a lot of email accounts instead. Or rent a server, linode is like $20 for a month, and I bet you can send a lot of spam before it is shut down.
Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
Use a debian spam filter with zen.spamhaus as the rbl and things will be nice and quiet.
Having to work for a living is the root of all evil.
Here is the rfc in question: http://tools.ietf.org/html/rfc5321
It requires the server to accept mail for postmaster, it does not require it to deliver it to anyone.
Odds are, sending an email to the webmaster about email issues would get you a "not my job" response in any era. The address you're thinking of is "postmaster," subby.
Furries make the internet go.
There are some people, and some I know, that consider spam as anything they don't want to see. They might say that my first sentence is spam. Any posts they agree with are okay. None they don't. A mail list I run had a person who posted a tasteless and stupid political screed. I had several requests to "get rid of the spam that was taking over the list". One post, and it wasn't spam, just stupid. I contacted the person involved, he said he was sorry. Then after the second day of ceaseless bitching, I put the list on full moderation. Problem is, that first sentence is correct. You and I might know what spam is or isn't, but being a spam cop will mean that you are going to have to put up with more idiocy than we did before.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Interestingly enough, these paragons of what should be allowed cannot grasp the simple concept of a filter.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.