Slashdot Mirror


Why Public Email Needs a Police Force

jfruhlinger writes "Those of us who had email addresses in the early days of the Internet age remember sending notes to webmaster email addresses to report malicious email behavior — and actually getting a response back. But today, a huge majority of mail comes from public services like Gmail or Yahoo mail, and getting anyone at those companies to take responsibility for abusive users is nearly impossible. 'If they could agree on a third-party service that could be the receptacle on a 24/7 basis for rapid account suspension, the 419 Fraud problem might dwindle down to a trickle quickly. It would take trust among the email providers to do this, but it would also alleviate big problems that law enforcement officials are usually unable to handle. Call them the email cops.'"

12 of 133 comments

  1. Cyber police? by Anonymous Coward · · Score: 3, Funny

    So now you can ACTUALLY report people to the cyber police?

    1. Re:Cyber police? by Anonymous Coward · · Score: 2, Insightful

      Unless the person who is looking for help is friends with the police, then something will happen even if the accused didn't even come close to doing anything wrong.

  2. Please complete the form by symbolset · · Score: 5, Interesting

    Your post advocates a

    ( ) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    craphound.com

    --
    Help stamp out iliturcy.
    1. Re:Please complete the form by 1s44c · · Score: 4, Funny

      Your post advocates a

      ( ) technical ( ) legislative ( ) market-based (X) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      (X) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      (X) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      (X) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      (X) Lack of centrally controlling authority for email
      (X) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      (X) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      (X) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      (X) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      (X) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      (X) SMTP headers should not be the subject of legislation
      (X) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      (X) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      (X) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      (X) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (X) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

  3. postmaster@ by 1s44c · · Score: 4, Informative

    Those of us who had email addresses in the early days of the Internet age remember sending notes to webmaster email addresses to report malicious email behavior

    Webmaster@ will get you the webmaster.
    Postmaster@ will get you the postmaster.

    They might be the same person but the RFC states these addresses have to resolve to a human. If they don't with gmail, yahoomail, or whatever then these sites should be listed on rfc-ignorant.

    Email police? No, won't work. What happened to that standard spam solution form slashdot used to use?

    1. Re:postmaster@ by 1s44c · · Score: 2

      They might be the same person but the RFC states these addresses have to resolve to a human. If they don't with gmail, yahoomail, or whatever then these sites should be listed on rfc-ignorant.

      So, let's say they do resolve to a human, does the RFC say they have to do anything about it?

      Anyway, as a user of email - free email at that - please explain to me how I can be "abused"?

      Spam? The little I get is no skin off my ass. Yahoo, Hotmail, Gmail, etc ... is paying for the bandwidth.

      How else can one be "abused" by email?

      I believe the RFC says the mail has to be delivered to a human. It doesn't say the human has to read it, be capable of understanding it, or do anything with it. It might be worth reading the actual RFCs involved to check the details but that tends to be a huge time sink.

      I consider spam an abusive waste of my time. Maybe you don't, that's up to you.

  4. no it dont by JonySuede · · Score: 3, Insightful

    enough with the voluntary fascism.

    --
    Jehovah be praised, Oracle was not selected
  5. policing won't work. by sneakyimp · · Score: 2

    It's a lot easier to put giant IP blocks on your ban list for countries like China, Cyprus, and any country at all in Africa. Of course I realize that's fairly racist and geo-centric, but the "policing" alternative just isn't feasible because it's a slippery process which would require enormous volumes of manpower. There needs to be an automated mechanism. I was thinking that gmail/hotmail/yahoo/whoever could auto-append a "flag this as spam" link to all emails which users could click. This would allow email providers to know exactly which user sent it and which message it was and dramatically streamline the process of complaint rather than forcing someone to parse email headers and sort it all out. Additionally it would offer very structured data for spam complaints that would facilitate algorithmic analysis to determine whether a ban (or just throttling) might mitigate and/or outright solve the problem.

    But then again, this system could also be abused.

    I think what the author of the article intended was not necessarily to improve spam control but actually to bring law enforcement into the issue. Unfortunately, the article is rather poorly written and seems vague and diffused. I tend to concur that more legal punishment should be involved in the realm of scams and spamming.

  6. Account suspension by Adrian+Lopez · · Score: 3, Interesting

    "Rapid account suspension" as opposed to more deliberative approaches to account suspension? What could possibly go wrong?

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
  7. If he gets his way, yes. by khasim · · Score: 4, Insightful

    He's focusing on 419 scams. He wants an instant (or almost instant) way to shut down the accounts that the 419 scammers use.

    Which means either an automated system (yeah, how'd you like your account killed because of something you posted on /. that someone took offense to)
    or
    A staff monitoring the abuse@ and postmaster@ accounts for the various email systems around the clock, every single day.

    And what would this accomplish?
    It would save the gullible people from themselves. Maybe. As long as the scammers didn't target their emails with enough different reply_to addresses to bypass this.

    I'm not getting a very good feeling for this guy's technical credentials.

  8. gmail and yahoo have procedures for reporting spam by bcrowell · · Score: 4, Interesting

    Gmail and yahoo both sign all outgoing messages cryptographically using dkim. That means that if you get a spam claiming to be from one of their accounts, you can verify that it really is from such an account. Once you've done that, you can report it: gmail, yahoo. So if the author of TFA is complaining that this can't be accomplished by sending email to abuse@gmail.com or postmaster@gmail.com, then I suppose he has a valid complaint that they're not complying with RFCs...but...that's the way it is. It's not the end of the world. Gotta use a web interface instead. Boo hoo.

    The author of TFA is upset that he can't get spamming accounts shut down instantly, 24/7. I actually don't really want an internet where any random person can get my ability to send email shut down instantly. What if it's a joe-job? What if the complaint is from one of these people who just clicks on "spam" when they don't want the mail, even when it's not spam? A much better way to handle this is to limit the number of messages per hour that can be sent from a newly created account. Then if it takes a day, or three days, to shut down a spam account, the consequences aren't that bad; the spammer can't use the account to send a million emails in 24 hours. I assume that gmail and yahoo already do this kind of rate-limiting.

    What would be a huge improvement would be if the remaining big email providers other than gmail and yahoo would start using dkim. Once dkim becomes universal, we can establish actual reputations for people as spammers or non-spammers.

    Virtually all the spam I get these days is from small domains. Recent examples include education-portal.com, spacesaver.com, and mg-style.net. The solution proposed by the author of TFA is to bug education-portal.com to respond to email sent to abuse@education-portal.com by deactivating jones@education-portal.com. Um, that isn't going to work, because jones works for education-portal.com, and they want him to spam me. The solution is to make dkim universal enough that people can stop accepting mail from domains that don't dkim-sign. Then education-portal.com can get an online reputation as a spammer, and everyone can start blocking them in their spam filters.
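
An added example, not part of the comment above: one way to apply its "verify the DKIM signature first, then report or block by domain" idea to the Authentication-Results header a receiving mail server stamps on each message. The authserv-id `mx.example.net`, the selector, the `bulk.example` domain and all three sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id our own receiving MTA writes into the header.
TRUSTED_AUTHSERV = "mx.example.net"

# Constructed sample messages (not real mail).
SIGNED = ("Authentication-Results: mx.example.net;\n"
          " dkim=pass header.d=gmail.com header.s=sel1\n"
          "From: someone@gmail.com\nSubject: hello\n\nbody\n")
# The sender supplied its own "pass" header; our MTA stamped nothing.
FORGED = ("Authentication-Results: mx.sender.invalid; dkim=pass header.d=yahoo.com\n"
          "From: someone@yahoo.com\nSubject: hello\n\nbody\n")
# Validly signed, but by a domain other than the one shown in From.
OTHER = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk.example;\n"
         " dkim=pass header.d=bulk.example\n"
         "From: someone@gmail.com\nSubject: hello\n\nbody\n")

def dkim_verified_domains(raw, trusted=TRUSTED_AUTHSERV):
    """Signing domains (d=) with dkim=pass, counting only headers from our own MTA."""
    msg = message_from_string(raw)
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        ident = authserv.split()  # authserv-id, optionally followed by a version
        if not ident or ident[0].lower() != trusted:
            continue  # stamped by someone else, possibly by the sender: ignore
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            domains.add(m.group(1).lower())
    return domains

def triage(raw):
    """Decide which domain, if any, can be held responsible for the message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = dkim_verified_domains(raw)
    if from_domain in passed:  # strict match; relaxed alignment would allow subdomains
        return ("report-to-provider", from_domain)
    if passed:  # reputation attaches to the signer, not to the From text
        return ("signed-by-other-domain", sorted(passed)[0])
    return ("unverified-sender", from_domain)

if __name__ == "__main__":
    for sample in (SIGNED, FORGED, OTHER):
        print(triage(sample))
```

Only the first sample justifies a report to the provider named in From; the other two show why the From text alone cannot be used to assign blame or reputation.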

  9. Re:waste of bandwidth/time/characters/electrons by plover · · Score: 2

    Without doubt the most stupid thing on slashdot today. So far.

    "Day ain't over yet."

    --
    John