
Certified Email Not Here to Reduce Spam

An anonymous reader writes "Goodmail CEO Richard Gingras surprised legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam. Rather than helping to reduce spam, Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company."
  • That's my motto. (Score:5, Insightful)

    by Bill, Shooter of Bul ( 629286 ) on Tuesday April 11, 2006 @07:17PM (#15109757) Journal
    It's much easier to succeed if you never try anything difficult.
  • As predicted (Score:1, Insightful)

    by Anonymous Coward on Tuesday April 11, 2006 @07:17PM (#15109761)
    As predicted... sell the government one thing and change it in post-production.

  • Secondary Effects (Score:2, Insightful)

    by Kuukai ( 865890 ) on Tuesday April 11, 2006 @07:17PM (#15109762) Journal
    Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company

    ...leading to more efficient prevention of phishing, and ultimately... reducing.. spam... D'oh!
  • Won't help a bit (Score:5, Insightful)

    by Opportunist ( 166417 ) on Tuesday April 11, 2006 @07:20PM (#15109777)
    Remember the paper from Harvard [harvard.edu] dealing with phishing and why it works?

    People don't even notice security features. They don't notice HTTPS, they don't notice certificates, they don't even notice bogus URLs. Why should they notice a "verified" mail (or lack of this verification)?

    And those who do already know how to deal with phishing mails, they are already capable of discriminating between fraudulent and legit mails.
  • Money (Score:4, Insightful)

    by Dorion caun Morgul ( 851570 ) on Tuesday April 11, 2006 @07:22PM (#15109793)
    It's all about money. I just can't wait until I get to pay 33 cents to send my Parents an email.
  • by GrumblyStuff ( 870046 ) on Tuesday April 11, 2006 @07:23PM (#15109794)
    So this is just a paid for whitelist?

    Hello, McFly?! If I'm expecting emails from my bank, I'll be putting them on my safelist anyway! Them and everyone in contacts, emails for forum notifications, newsletters that I want.

    This doesn't seem to be doing anything other than making money for someone else.
  • by dgatwood ( 11270 ) on Tuesday April 11, 2006 @07:23PM (#15109797) Homepage Journal
    Only if all of the banks and credit card companies use it, only if it is sufficiently standardized, and only if users are smart enough to notice that the message isn't "verified".

    The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php [666.43.123.666] isn't a valid BOA website. If they can't figure that out, why do you think this will be any different?

    *sigh*

  • by teutonic_leech ( 596265 ) on Tuesday April 11, 2006 @07:24PM (#15109803)
    This is a big waste of time and will easily be circumvented by spammers/fishers by 'faking' to be an authorized message. They'll just make it look very similar and the average senior citizen will happily give their personal data away.
    May I point out that by combating spam one would 'implicitly' combat messages from data fishers? ;-)
  • Oh Really! (Score:2, Insightful)

    by protich ( 961854 ) on Tuesday April 11, 2006 @07:27PM (#15109817)
    Nothing to see here...we already knew it.
  • by kitzilla ( 266382 ) <paperfrog@gma[ ]com ['il.' in gap]> on Tuesday April 11, 2006 @07:31PM (#15109845) Homepage Journal
    In other words, CertifiedMail is here to certify the delivery of spam by the "important" spammers who have the resources to pay for it.
  • There Will Be Spam (Score:3, Insightful)

    by Gamzarme ( 799219 ) on Tuesday April 11, 2006 @07:32PM (#15109849)
    Oh yes, there will be spam..it seems to be here to stay.
    Just like every other problem the 'bad guys' face when exploiting the rest of the population, they will find a way around this too.

    The news will be that if this practice does go into wide usage, spammers will turn toward draining large, anonymous bank accounts to fund their e-mail influxes.
    This 'tax' will only create more problems than necessary.

    My advice: leave what isn't broken alone and if you do have problems, then I suggest you install a good e-mail filter to pick out the spam that does get through.
  • by rholliday ( 754515 ) on Tuesday April 11, 2006 @07:43PM (#15109909) Homepage Journal
    We all knew this wouldn't reduce spam. This is just a launching point for email blackmail, along the lines of BellSouth's bandwidth threats. The legal people at AOL are just trying to cover their butts so people don't have a leg to stand on when they complain that they don't get less spam. Totally stupid program.
  • by CFrankBernard ( 605994 ) <cfrankb&gmail,com> on Tuesday April 11, 2006 @07:45PM (#15109921)
    Not meant to reduce spam but to verify sender...SPF/Sender-ID/DomainKeys anyone?
  • by slashname3 ( 739398 ) on Tuesday April 11, 2006 @07:48PM (#15109938)
    Actually none of the ISPs have any interest in reducing spam. They make too much money off of the spam operators and the sites that host the products provided by the spammers. Taking actual measures to reduce spam would cost the ISPs too much money.

    Instead, they want to make money from legitimate companies that want to get their messages to end users. This is a win-win for the ISPs, but does nothing for end users.

    As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective. Second way is to go after the idiots that actually buy stuff from spammers. This should be relatively easy. Send out spam and when the idiots bite you get their IP addresses and their names and probably their credit card info. Then send the police around to their homes to confiscate their computers, cancel their ISP connections, and ban them from using computers or the Internet forever. It will take about a year or two to track all the idiots down, but once the flow of money has been stopped the spam will stop.
  • by dteichman2 ( 841599 ) on Tuesday April 11, 2006 @08:01PM (#15110018) Homepage
    Is this just going to be RSA message-signing in a shiny package?
  • Re:Also (Score:2, Insightful)

    by wish bot ( 265150 ) on Tuesday April 11, 2006 @08:14PM (#15110076)
    However, I wouldn't want to be getting email from my credit card company or bank, and I certainly don't want to encourage them to start sending important info by email.

    Besides the obvious problem of everything being intercepted by NSA+AT&T in the first place, it will only make it more difficult to tell phishing from the real thing, mainly because you'll be expecting it to be trustworthy. Old phishing techniques may have used mass mailings which could be blocked by spam filters, but that's not necessarily the case any more.

  • by Anonymous Coward on Tuesday April 11, 2006 @08:26PM (#15110120)
    say you're the bank of america, and you send your "transactional" mail with this GoodMail thing turned on and the little flag set. what about your other emails that you don't pay for? if any of your mail is sent uncertified, then phishers can just impersonate that "oh this is just one of those uncertified emails we the bank of america send you occasionally - click here to see our latest offers (requires SSN)".

    so suddenly you have to pay for _all_ your mail just to maintain your credibility. and then what if you cross the spam-complaint level goodmail sets accidentally and they throw you off their system (as they are contractually obliged to do)? does that mean that nobody will ever trust your mails again? do you get to send out one last certified mail saying "okay from now on pay no attention to that little flag?"

    it seems a really bad idea for a big company to place their credentials in trust with a third party and then let them charge them for every mail they send

  • by MindStalker ( 22827 ) <mindstalker@[ ]il.com ['gma' in gap]> on Tuesday April 11, 2006 @08:29PM (#15110130) Journal
    Yea, a rootkit could just interrupt your going to a website like your bank and display false SSL info even. There is really nothing a rootkit can't do, why would you use it to interrupt emails?
  • by Ossifer ( 703813 ) on Tuesday April 11, 2006 @08:40PM (#15110191)
    I already sort my incoming email, by many categories. What purpose is there to having two classifications: "important" and "other"?
  • uh, GPG (Score:2, Insightful)

    by Anonymous Coward on Tuesday April 11, 2006 @08:54PM (#15110235)
    uh, isn't this what PGP/GPG are for?
  • by Ravatar ( 891374 ) on Tuesday April 11, 2006 @11:16PM (#15110821)
    Because it's just a matter of time until the non-certified mail messages are almost discernible from the certified ones, and you eventually end up having the exact same problem you have now.
  • What about when you want to add or delete accounts to your on-line banking
    What happens when you lose your private key, and can't decrypt those important messages about your accounts and the contracts for service (banking, deposit holding, interest etc are all contracted services)? And then a tax audit, bankruptcy, or civil suit that requires legal discovery?

    Without evidence to defend yourself, life is sooooo much more difficult.
    These sorts of reasons are why PGP, gpg and S/MIME never work in corporate environments - the problems are worse than the benefits.

    Lyal
  • by Tetard ( 202140 ) on Wednesday April 12, 2006 @05:21AM (#15112155)
    It's not meant to limit SPAM (unless your idea of email, as some want it to become,
    is a communication medium where you only accept people you "trust" and reject the
    others). It's meant to protect trademarks, and push responsibility away from the
    sender (i.e.: "you should have checked who the mail came from, ours are signed").
    Yahoo, and of course banks and other institutions who want to defend their
    credentials love SPF and similar systems. They don't care about SPAM, they just
    don't want to get blamed by customers and their insurers for phishing mails and
    the like.
  • by ArsenneLupin ( 766289 ) on Wednesday April 12, 2006 @06:05AM (#15112281)
    Faked signatures won't work

    So instead of faking the signatures, you fake the most-used mail client's "signature-verified" icon instead.

    True, a faked icon will appear in the mail rather than in the GUI's "chrome", as it should, but the problem is that most non-technical users don't notice such "subtle" distinctions.
