
Certified Email Not Here to Reduce Spam 197

An anonymous reader writes "Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam. Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company."
This discussion has been archived. No new comments can be posted.

  • CAKE! (Score:4, Informative)

    by Omnifarious ( 11933 ) * <eric-slash@omnif ... g minus language> on Tuesday April 11, 2006 @07:20PM (#15109773) Homepage Journal

    CAKE [cakem.net]

    But, I've not had much time to work on it since I've been employed. :-( And it's a much nicer, decentralized solution to this problem that has potentially much less weight and wider applicability than PGP.

  • Re:As predicted (Score:3, Informative)

    by Kelson ( 129150 ) * on Tuesday April 11, 2006 @08:06PM (#15110037) Homepage Journal
    Are you kidding? This is what they've been saying all along. The media frenzy has been... inconsistent with what AOL, Goodmail, and Yahoo! have actually been saying in their press releases.

    Of course, AOL wasn't terribly consistent even with themselves early on, but if you think Goodmail billed this as an anti-spam solution, you've clearly only been paying cursory attention to the story.
  • by Anonymous Coward on Tuesday April 11, 2006 @08:36PM (#15110166)
    There's a far more effective, far more efficient scheme against phishing and joe-jobs already in place: it's called SPF, it doesn't cost a cent, and it allows domains to list those hosts or domains allowed to send email allegedly from that domain. It helps cut worm traffic incredibly by catching forged email from your own domain sent from non-domain members, and by simply assuming that all mail from a domain should use the basic "only from A records or MX records" SPF rules, it provides a very powerful and cheap to implement filter rule.

    Better yet, it acts on the first connection from the spammer and blocks the email before it wastes your time and bandwidth loading up the message. It was polluted by Microsoft trying to staple their own special form of "allow me to spam" signature, but SPF version 1 is still alive and kicking at http://www.openspf.org/ [openspf.org]
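
The check described in the comment above, as an added example that is not part of the original post: a minimal SPF version 1 evaluator covering only the `all`, `ip4`, `a` and `mx` mechanisms, run against constructed DNS data. `ZONE`, `check_spf` and the `default_record` parameter (which models the commenter's "only from A records or MX records" assumption for domains that publish no record) are names assumed for this sketch.

```python
import ipaddress

# Constructed DNS data using documentation address ranges; a real check queries DNS.
ZONE = {
    "example.com": {"TXT": "v=spf1 a mx ip4:198.51.100.0/24 -all",
                    "A": ["192.0.2.10"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "nospf.example": {"A": ["203.0.113.5"], "MX": []},  # publishes no SPF record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _matches(mech, domain, ip):
    """True if one mechanism (qualifier already stripped) matches the client IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain
    if name == "a":
        hosts = [target]
    elif name == "mx":
        hosts = ZONE.get(target, {}).get("MX", [])
    else:
        return False  # include, exists, a/mx with CIDR etc. are outside this sketch
    return any(ip == ipaddress.ip_address(addr)
               for host in hosts for addr in ZONE.get(host, {}).get("A", []))

def check_spf(client_ip, mail_from_domain, default_record=None):
    """Evaluate SPF using only what is known at MAIL FROM, before any DATA is sent."""
    record = ZONE.get(mail_from_domain, {}).get("TXT") or default_record
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:  # first matching mechanism decides the result
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if _matches(term.lstrip("+-~?").lower(), mail_from_domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.com"), ("203.0.113.99", "example.com")]:
        print(ip, dom, check_spf(ip, dom))
    print(check_spf("203.0.113.99", "nospf.example", "v=spf1 a mx -all"))
```

Because the inputs are only the connecting IP and the envelope sender domain, a receiving server can reject on a `fail` result before accepting the message body.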
  • by netringer ( 319831 ) <.maaddr-slashdot. .at. .yahoo.com.> on Tuesday April 11, 2006 @08:44PM (#15110205) Journal
    The US Postal Service demoed just such a thing many, many years ago. They had an email encryption and delivery service to verify that the message was not altered. I suppose the problem in certifying the sender and receiver and proving delivery (to a person - not a mail spool) were technical issues they couldn't handle.

    The difference of the USPS vs. Goodmail is that the USPS has official legal authority for such things as mail tampering and proof of delivery.

    I suppose if they were to offer the service now, Goodmail would buy a law to prohibit the USPS from competing against a private business as Sen. Santorum is trying to do with the weather service.
  • by AusChucky ( 967709 ) on Tuesday April 11, 2006 @10:01PM (#15110513)
    Can I ask what happened to using Personal certificates?? Why, when we use SSL certificates to verify that a website we are visiting is actually the true company, can't we use personal certificates to verify that the email we are receiving is actually from the company?? Surely they could configure their mail servers to filter out email on this basis without requiring a 3rd party solution that makes you pay for it. Hate to state the obvious but this is just the big companies' way of getting their hands in on a great free thing that the internet provides
  • Automatically? Surely if there existed a way of reporting spam automatically, then it would be trivial to apply the same technique to filter out spam automatically.

    Pardon me. It's not automatic in the recognition algorithm, but it's much faster than having to do a whois and then reporting to the ISP for each SPAM that gets to your inbox.

    Let me describe the Blue Frog algorithm.

    Suppose your e-mail is somedude@myinbox.com . When you set up a blue frog account, you get a "honeypot" address like somedude@report.bluecommunity.com. The reports are analyzed (by whom or what, I don't know) and then your bluefrog software receives a request to report at the spammers' website asking for opt-out (the opt-out just tells the spammer how to download the "do not intrude" registry, it doesn't give out any e-mails).

    The point is that this software actually gives an incentive (html form "SPAM") to spammers to stop sending e-mail to your account.

    What I do is send the SPAM that gets into my junk mail folder to the honeypot account. So, filtering is necessary as a first step, but after a while, you don't have to filter the junk mails, because they don't get to your e-mail in the first place. In my case, I use the firefox extension to send my Yahoo! junk-mail to report the SPAM to blue frog.

    Then I just let my blue frog software do the dirty work.
  • by SeaFox ( 739806 ) on Wednesday April 12, 2006 @03:24AM (#15111842)
    Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam.

    Of course not, that way when it does not reduce spam, they can't say CertifiedMail was a failure.
    *****
      This article advocates a
     
    ( ) technical ( ) legislative (x) market-based ( ) vigilante
     
    approach to fighting spam. Your idea will not work. Here is why it won't work.
    (One or more of the following may apply to your particular idea, and it may
    have other flaws which used to vary from state to state before a bad federal
    law was passed.)
     
    ( ) Spammers can easily use it to harvest email addresses
    (x) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    (x) Requires immediate total cooperation from everybody at once
    (x) Many email users cannot afford to lose business or alienate potential
    employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business
     
    Specifically, your plan fails to account for
     
    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    (x) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    (x) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook
     
    and the following philosophical objections may also apply:
     
    (x) Ideas similar to yours are easy to come up with, yet none have ever been
    shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    (x) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    (x) Sending email should be free
    (x) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough
     
    Furthermore, this is what I think about you:
     
    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
  • Re:Also (Score:3, Informative)

    by stunt_penguin ( 906223 ) on Wednesday April 12, 2006 @04:55AM (#15112082)
    That's as succinct a way as I've seen anyone put advice on phishing, I'll file that one away for the next time I'm lecturing someone on spam, viruses and phishing :o]

    Another way of explaining it person-to-person would be to ask them if they got a phonecall on their mobile phone by someone saying they were from their bank, would they actually give out their details? Sure as hell they wouldn't.
