Certified Email Not Here to Reduce Spam 197
An anonymous reader writes "Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam. Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company."
Also (Score:5, Interesting)
Blue Frog (Score:5, Interesting)
They got even a Firefox extension for reporting spam with Yahoo, Hotmail and GMail.
My bank ?.... (Score:3, Interesting)
Anyone detect hypocrisy? (Score:5, Interesting)
The providers get paid, and they get a good excuse for charging those fees. End of story.
If Goodmail's intentions were genuine, they wouldn't charge the "businesses" for every separate mail provider, but create globally valid certificates and then discuss with mail providers of accepting them.
However who would care to accept the certificates if he doesn't get the dough (the fees)? So there, we arrive at what Goodmail did.
Can you imagine paying up completely independently to every single ISP in the world so it can accept your SSL certificate? Yea, it's THAT bad...
Re:Users won't know that (Score:3, Interesting)
If many companies do this, then the only "certified" mail in the box really will be spam. And then I really will know--little blue ribbon=spam.
Phew, I thought I wasn't going to be able to tell it apart from my legitimate mail!
Re:Won't help a bit (Score:3, Interesting)
Though, I'll admit dispite having a SPF record in my DNS records, I don't have any filters setup on my email server to bounce unwanted emails, but hopfully if one scheme takes off over the others, it'll become included in the examples and default configuration options of many email servers.
Yeah, this is what we've been saying all along (Score:4, Interesting)
They presented to my organization (Score:5, Interesting)
Their VP kept harping on how "it will tell users they can trust your mail". My point that the real challenge was getting users NOT to trust things was not well received, to say the least. I also mercilessly attacked their constant assertion that their widget is "unspoofable", on the simple grounds that a similar widget in a similar location would be sufficient to fool many users.
My CTO has been asking me when we're going to implement Goodmail ever since. Khaaan!
Not to curb spam? Then this is BS (Score:4, Interesting)
If the purpose isn't to reduce spam, what does this new pay-for-being-recognized service offer that current ISPs don't already? Most ISPs will begin taking actions against your spam if you start spamming without contacting them anyway, and you are looking at legal trouble if you spam with forged headers or people who have opted out. Through whitelists and regulations, the framework is already in place for the legit spammers to spam. AOL already has whitelists. AOL already negotiates and limits email volume with mass email marketers. AOL already uses blacklists. And this whole thing isn't even mandatory!
So I'm really not sure what this pay system is supposed to do except earn AOL an extra dime at no added cost.
Re:Also (Score:5, Interesting)
Re:Secondary Effects (Score:4, Interesting)
So it is to stop phising (Score:3, Interesting)
So there is clearly a need for someone to help the average user discriminate between legitimate and nefarious email. The need could result in a significant market opportunity if an ISP developed appropriate technology and backed up the technology with a meaningful guarantee. People will pay for security, even shallow security.
I also believe this will reduce email that maight be strictly catagorized as spam. Not the broad definition of unsolicited email that has resulting in no meaningful agreement on how to deal with the problem, but email that has a misleading subject, spoofed headers, clearly obtuse text content meant to disguise the HTML rendered message, and links to shady websites. If the ISP allowed users to set up a list of safe addresses, provided the level of protection that the USPS service does for unsolicited mail, and provided a good customer crisis line, that would provide a big competitive advantage. If, however it is just charging spamers for email while the user dangles on the vine, that it is quite useless.
Pretty damn sure. (Score:3, Interesting)
The email is being send from "bigfootinteractive.com".
I use the raw ASCII message to get the link and when I past it in the browser, I get that reject message.
So, we have more examples of the bank making phishing EASIER by going through a 3rd party and linking chase.com to that 3rd parties email.
It's funny that Chase includes this bit on their email.
Again, all the links go to chase.com and I've verified that in the raw ASCII text of the message, but the response emails come from bigfootinteractive.com......
Seriously, how easy does Chase want to make a phisher's life?
Hey, Chase! Use your own fucking email servers you morons!
If you're still wondering, let me know and I can post their response email for you to check yourself. I've replaced my domain with "DomainReplaced.com" and fucked up the id string, but other than that it is pure.
Re:Secondary Effects (Score:5, Interesting)
Spammers steal to advertise a "product." They steal resources from anyone they need to advertise their product. You don't suppose these people run the other parts of the their business the same way? Legitimate IPSs don't enjoy hosting spammers in any fashion. This is why nearly all spamming done using cracked botnet zombies (baring a sizable chunk of mainsleaze spam). A quick check of the spam in my Junk folder indicates that most spammers host their websites on non-US systems, or are broken. On a nearly weekly basis I watch a small shared webhosting provider get hosed when his spamming customer lies to him, then screws him out of payment when the webhoster's provider gets involved. The vast majority of the ISPs in the civilized universe want spammers to loose IP connectivity. The largest of sites spend *millions* blocking spam both inbound and outbound.
Instead, they want to make money from legimate companies that want to get their messages to end users. This is a win win for the ISPs, but does nothing for end users.
It's a win for the users as well. The AOL mail client will be able to tell the user that the mail they're reading is indeed from Bank of America, and that other piece of mail is not from BoA. If AOL and Yahoo! know that BoA's mail all has goodmail tokens, and BoA mail shows up that doesn't have mail, it must therefore be a phish (seriously, go look at Goodmail's website [goodmailsystems.com] complete with the AOL mail client screen shots [goodmailsystems.com]). AOL's goodmail implementation is ONLY for transctional mail. That was the basis of Gingras' statement.
The handwaving about AOL charging to deliver mail is, of course, interesting. One would think that AOL is going to make out like bandits on all of the spam they'll be delivering now. That's simply not the case. The goodmail system is designed to support itself, not AOL or Yahoo!. Goodmail will be charging enough to keep themselves in business and keep the accreditation program working. I somehow doubt there's much left in the cost structure to kickback to AOL in any amount they can measure.
As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective.
Is the strategy ineffective or is our execution of the strategy ineffective? We have weak anti-spam laws that do more to enable the practice than to actually put a stop to it. We have standards bodies that can't come up with effective reputation and sender authorization systems, leaving ISPs to invent their own solution (see goodmail). We have transit providers who don't have the guts to de-peer a rouge network who won't clean up what they're transiting.
Second way is to go after the idiots that actually buy stuff from spammers.
Wow. You don't actually think people *buy* real stuff from spammers? And that the spammers are really selling the stuff they're advertising? Ok, maybe the pharma spammers, but the rest of them? Not so much. These people are theves. They steal for a living.
Going back a week in my Junk box, I see pharma spam, penis pill spam, p0rn spam, mortgage spam, 419 spam, and pump-n-dump spam. Exactly what products are being sold in the spam I've gotten in the last week? Of the things in my list that even sound like products (drugs, penis pills, p0rn, and mortgages) none of those are products that need to be sold by cost shifted advertising. If you have to resort to these tactics to see these products, there's something wrong with the products. That's assuming
We already have a better way to do this (Score:5, Interesting)
This might bring up the question of encrypted spam, but your keyring would act as a whitelist. If some random person sent you an encrypted or signed message, then you would be presented with a message asking if it should be accepted.
All we need is a simplified way to do this for the general public. Too bad Thunderbird doesn't come with Enigmail preinstalled. We'd probably need something else for webmail. (FF extension?)