Certified Email Not Here to Reduce Spam 197
An anonymous reader writes "Goodmail CEO Richard Gingras surprised Legislators and advocacy groups today when he announced that the CertifiedMail program being implemented by AOL and Yahoo is not meant to reduce spam. Rather than helping to reduce spam Gingras claimed that the point is to allow users to verify who important messages are really from, like a message from your bank or credit card company."
Also (Score:5, Interesting)
Re:Also (Score:3)
Re:Also (Score:2, Insightful)
Besides the obvious problem of everything being intercepted by NSA+AT&T in the first place, it will only make it more difficult to tell phishing from the real thing, mainly because you'll be expecting it to be trustworthy. Old phishing techniques may have used mass mailings which could be blocked by spam filters, but that's not necessari
Re:Also (Score:5, Interesting)
Re:Also (Score:3, Informative)
Another way of explaining it person-to-person would be to ask them if they got a phonecall on their mobile phone by someone saying they were from their bank, would they actually give out their detiails? Sure as hell they wouldn't.
Re:Also (Score:2)
Thats my motto. (Score:5, Insightful)
Re:Thats my motto. (Score:2)
Secondary Effects (Score:2, Insightful)
Re:Secondary Effects (Score:5, Insightful)
The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php [666.43.123.666] isn't a valid BOA website. If they can't figure that out, why do you think this will be any different?
*sigh*
Re:Secondary Effects (Score:3)
>
> The problem is, if most of the users were smart enough to realize that, we wouldn't have phishing because people wouldn't fall for it in the first place. I mean, it isn't exactly hard for users to realize that http://666.43.123.666/bankofamerica/mylogin.php [666.43.123.666] isn't a valid BOA website. If they can't figure that out, w
Re:Secondary Effects (Score:2)
So... You're saying that SiteKey works in that scenario?
Luser enters ID, which is picked up by keylogger. Luser is shown their "SiteKey" challenge image - but the author of the keylogger doesn't give a rat's ass if it's correct or not. He logs the password. Luser is pwn3d.
How the hell is a website supposed to prevent keylogging?
The weakest link
Can't login (Score:5, Funny)
Re:Can't login (Score:3, Funny)
Try this one... (Score:4, Funny)
Functionality may be limited.
Re:Try this one... (Score:2)
Re:Secondary Effects (Score:4, Interesting)
Re:Secondary Effects (Score:2)
It's not so easy anymore. (Score:2)
I am starting to get emails where it is very difficult to tell if they are real or not - both fake emails that look real and REAL emails that look fake. Figuring out which is which takes time, and about a month ago I actually fell for my first phishing scam about 2 months ago (for an eBay password; I had just gotten up and didn't realize the email that looked EXACTLY like the other
Re:It's not so easy anymore. (Score:3, Insightful)
Re:It's not so easy anymore. (Score:2)
Re:Secondary Effects (Score:2)
If the login page or better yet entire website is in https, then the site authenticates itself first. If there is a doubt, double check the SSL cert. Of course only the paranoid(sane) folk are going to double check the SSL cert when banking online.
Re:Secondary Effects (Score:3, Insightful)
Instead, they want to make money from legimate companies that want to get their messages to end users. This is a win win for the ISPs, but does nothing for end users.
As discussed many times here the only way to defeat spam is to choke off the money flow to
Re:Secondary Effects (Score:5, Interesting)
Spammers steal to advertise a "product." They steal resources from anyone they need to advertise their product. You don't suppose these people run the other parts of the their business the same way? Legitimate IPSs don't enjoy hosting spammers in any fashion. This is why nearly all spamming done using cracked botnet zombies (baring a sizable chunk of mainsleaze spam). A quick check of the spam in my Junk folder indicates that most spammers host their websites on non-US systems, or are broken. On a nearly weekly basis I watch a small shared webhosting provider get hosed when his spamming customer lies to him, then screws him out of payment when the webhoster's provider gets involved. The vast majority of the ISPs in the civilized universe want spammers to loose IP connectivity. The largest of sites spend *millions* blocking spam both inbound and outbound.
Instead, they want to make money from legimate companies that want to get their messages to end users. This is a win win for the ISPs, but does nothing for end users.
It's a win for the users as well. The AOL mail client will be able to tell the user that the mail they're reading is indeed from Bank of America, and that other piece of mail is not from BoA. If AOL and Yahoo! know that BoA's mail all has goodmail tokens, and BoA mail shows up that doesn't have mail, it must therefore be a phish (seriously, go look at Goodmail's website [goodmailsystems.com] complete with the AOL mail client screen shots [goodmailsystems.com]). AOL's goodmail implementation is ONLY for transctional mail. That was the basis of Gingras' statement.
The handwaving about AOL charging to deliver mail is, of course, interesting. One would think that AOL is going to make out like bandits on all of the spam they'll be delivering now. That's simply not the case. The goodmail system is designed to support itself, not AOL or Yahoo!. Goodmail will be charging enough to keep themselves in business and keep the accreditation program working. I somehow doubt there's much left in the cost structure to kickback to AOL in any amount they can measure.
As discussed many times here the only way to defeat spam is to choke off the money flow to the people that use spam to advertise. There are two ways to stop the flow of money. First is to go after the spammers and advertisers. So far this has proven ineffective.
Is the strategy ineffective or is our execution of the strategy ineffective? We have weak anti-spam laws that do more to enable the practice than to actually put a stop to it. We have standards bodies that can't come up with effective reputation and sender authorization systems, leaving ISPs to invent their own solution (see goodmail). We have transit providers who don't have the guts to de-peer a rouge network who won't clean up what they're transiting.
Second way is to go after the idiots that actually buy stuff from spammers.
Wow. You don't actually think people *buy* real stuff from spammers? And that the spammers are really selling the stuff they're advertising? Ok, maybe the pharma spammers, but the rest of them? Not so much. These people are theves. They steal for a living.
Going back a week in my Junk box, I see pharma spam, penis pill spam, p0rn spam, mortgage spam, 419 spam, and pump-n-dump spam. Exactly what products are being sold in the spam I've gotten in the last week? Of the things in my list that even sound like products (drugs, penis pills, p0rn, and mortgages) none of those are products that need to be sold by cost shifted advertising. If you have to resort to these tactics to see these products, there's something wrong with the products. That's assuming
Re:Secondary Effects (Score:2)
These people are paying money for something, if no one was responding and giving money to these people why would the keep spamming like they do? True, the idiots may not get anything for the money, but if they respond then they should be stopped from
Re:Secondary Effects (Score:2)
Oh, and bill people if their PCs get compromised regularly. Real money will drive security.
The way to end phishing is to not use email. (Score:2)
Yet it is very easy to kill 100% for almost every financial organization out there.
Just do not use email to communicate with your customers. That's it. Unless you're PayPal, the problem is solved.
The only reasons that banks continue to use email is because:
#1. It provides a cheap way for them to send ads to their customers.
#2. They don't bear the financial loss when customers lose money.
The only way to change #1 is to change the law on #2.
Today I re
Pretty damn sure. (Score:3, Interesting)
The email is being send from "bigfootinteractive.com".
I use the raw ASCII message to get the link and when I past it in the browser, I get that reject message.
So, we have more examples of the bank making phishing EASIER by going through a 3rd party and linking chase.com to that 3rd parties email.
It's funny that Chase includes this bit on their email.
Re:Pretty damn sure. (Score:2)
Re:Pretty damn sure. (Score:2)
Re:Secondary Effects (Score:2)
CAKE! (Score:4, Informative)
CAKE [cakem.net]
But, I've not had much time to work on it since I've been employed. :-( And it's a much nicer, decentralized solution to this problem that has potentially much less weight and wider applicability than PGP.
Won't help a bit (Score:5, Insightful)
People don't even notice security features. They don't notice HTTPS, they don't notice certificates, they don't even notice bogus URLs. Why should they notice a "verified" mail (or lack of this verification)?
And those who do already know how to deal with phishing mails, they are already capable of discriminating between fraudulent and legit mails.
Re:Won't help a bit (Score:3, Insightful)
May I point out that by combating spam one would 'implicitly' combat messages from data fishers?
Re:Won't help a bit (Score:2)
Well, assuming the encryption scheme is good enough, it should be hard to spoof the header tokens. And the graphic that indicates "certified" mail is supposed to appear in the mail client UI (yes, it requires client support), not in the viewing area. So they'd have to spoof the UI, which is trickier than spoofing the layout or sticking a logo in the message body.
All of which, of course, doesn't mean that people will actually pay any attention to it.
Re:Won't help a bit (Score:2)
Re:Won't help a bit (Score:2)
Re:Won't help a bit (Score:3, Insightful)
So instead of faking the signatures, you fake the most-used mail client's "signature-verified" icon instead.
True, a faked icon will appear in the mail rather than in the GUI's "chrome", as it should, but the problem is that most non-technical users don't notice such "subtle" distinctions.
Re:Won't help a bit (Score:2)
Now the organization is affiliated with the user agent makers like mozilla and microsoft.. so only encrypted emails from that organization are read and used. Companies etc pay a small fee to the organization, and give them a string (name) and ip (from and reply-to servers, the dns domain name). Their smtp gateway is
Re:Won't help a bit (Score:2)
Imagine a compromised machine. When the user runs the email client and a (legitimate) "special" Subject: line has been fetched recently, the rootkit takes a screen grab and crops out the pixels where the flag is supposed to be (we go the extra mile because the user might have selected the color of the flag a
Re:Won't help a bit (Score:3, Insightful)
Re:Won't help a bit (Score:2)
At that point they're screwed anyway. I think phishing someone whose box is already rootkitted falls under the category of Overkill.
Re:Won't help a bit (Score:3, Interesting)
Though, I'll admit dispite having a SPF record in my DNS records, I don't have any filters setup on my email server to bounce unwanted emails, but hopfully if one scheme takes off over the others, it'll become included in the examples and default configuration options of many ema
Re:Won't help a bit (Score:2)
Re:Won't help a bit (Score:2)
Re:Won't help a bit (Score:2)
I've got my users so spooked about phishing they are asking permission to even check their mail (not really, but pretty close).
I would think one could easily wipe out phishing problems if the email client to browser connection was disabled (which really exists for no other reason than convenience). There is no reason a web link in an email HAS to open the link in a browser. If you force people to type the URL of their bank into a browser window instead of simply clicking on the link in an email they woul
Money (Score:4, Insightful)
In other words, we'll still get spam (Score:5, Insightful)
Hello, McFly?! If I'm expecting emails from my bank, I'll be putting them on my safelist anyway! Them and everyone in contacts, emails for forum notifications, newsletters that I want.
This doesn't seem to be doing anything other than making money for someone else.
Re:In other words, we'll still get spam (Score:2)
And when the cleverly-crafted phish comes in, the one that uses the right layout, the right wording, the right logos, a browser vulnerability to disguise the fact that it's going to the wrong website?
Most people here will probably recognize it by the fact that your bank wouldn't be asking for your SSN online, or you'll use your bookmark to visit the site instead of the fiendish link. But for the average Joe, this could help hi
Re:In other words, we'll still get spam (Score:2)
When someone registers an account for Orb [orb.com], we send him an automatic email to welcome him. The "from" field contains a valid email address. I am one of the recipient to that email.
And I can tell you that everyday we receive dozens of automated emails asking us to click a link to verify that we are human beings and not a spam bot.
So good for you if you manually manage your safelist, but other people don't bother with it.
T
Re:In other words, we'll still get spam (Score:2)
Typical reply heard from someone that has given this 2 seconds of thought, and doesn't have to deal with sending legitimate email to real people on a day-to-day basis.
So you're just going to whitelist everyone you "want" to get email from, like your bank. Uh huh. And which of their thousand email addresses and dozen domains will you know to put in your whitelist? What if they out-source their email sending to a different compan
Re:In other words, we'll still get spam (Score:2)
If I'm expecting emails from my bank, I'll be putting them on my safelist anyway!
And when it arrives, and the source address matches an entry on your safelist, how will you know who sent the e-mail? You don't believe the From: header, do you?
Re:In other words, we'll still get spam (Score:2)
And then you have customers like my mother, who a) is sufficiently behind the times enough to think "Hello, McFly?!" is an edgy reference from a hip new movie b) uses email and keeps bugging me to show her how to do banking online since I rave about the convinience and c) will learn what a "safelist" is the day I sprout wings and fly. Do you want to take a bet at how many AOL customers resemble my mother versu
Re:In other words, we'll still get spam (Score:2)
Re:In other words, we'll still get spam (Score:2)
I haven't looked at how Goodmail works -- the idea of commercializing mail simply brings too many problems with it to the table.
If you want something that works well, but isn't used by everyone, use PGP. Anything signed by anyone you trust can go right past your spam filter.
It might be possible to do a signing system akin to PGP (or even PGP itself, though it would be expensive) server-side on outgoing mail, if it's too much of a pa
Re:In other words, we'll still get spam (Score:2)
Yeah, it does. And solving the virus/trojan problem relies on all legit computers having antivirus measures in place. I don't hear people saying "AV programs are worthless, because to get rid of viruses, everyone will have to use them."
Implement SPF. Implement SMTP auth. Then reduce restrictions on who can access port 25 of what machine, so when you travel you can still use smtp.isp.com.
Re:In other words, we'll still get spam (Score:2)
ISP's you happen to use when travelling tend to block TCP/25 outbound. Better switch to a different port, perhaps 587 or 465.
Blue Frog (Score:5, Interesting)
They got even a Firefox extension for reporting spam with Yahoo, Hotmail and GMail.
Firefox extension requires bluefrog anyway... (Score:2)
Blue Frog "algorithm" (Score:3, Informative)
Pardon me. It's not automatic in the recognition algorithm, but it's much faster than having to do a whois and then reporting to the ISP for each SPAM that gets to your inbox.
Let me describe the Blue Frog algorithm.
Suppose your e-mail is somedude@myinbox.com . When you set up a blue frog account, you get a "honeypot" address like somedude@report.
Oh Really! (Score:2, Insightful)
Certified delivery of spam (Score:5, Insightful)
Re:Certified delivery of spam (Score:2)
Re:Certified delivery of spam (Score:2)
Yes. The only difference is that now you're a fucking moron.
Re:Certified delivery of spam (Score:2)
Those who can pay, yes, and also agree to abide [goodmailsystems.com] by responsible mailing list practices, use only opt-in lists (it doesn't require confirmed opt-in, unfortunately) with working unsubscribe procedures, eschew email harvesting and list sharing, use accurate headers, maintain a low level of complaints... and submit to a background check to show that they aren't spammers.
If they enforce their TOS
Re:Certified delivery of spam (Score:2)
Re:Certified delivery of spam (Score:2)
There Will Be Spam (Score:3, Insightful)
Just like every other problem the 'bad guys' face when exploiting the rest of the population, they will find away around this too.
The news will be that if this practice does go into wide usage, spammers will turn toward draining large, anonymous bank accounts to fund their e-mail influxes.
This 'tax' will only create more problems than necessary.
My advice: leave what isn't broken alone and if you do have problems, then I suggest you install a good e-mail filter to pick out the spam that does get through.
My bank ?.... (Score:3, Interesting)
Re:My bank ?.... (Score:2)
Hell if I know! I'm still wondering why Citibank mailed me several times to tell me that they were going to cancel an account that I didn't open in the first place
Nothing to see here. (Score:3, Insightful)
Anyone detect hypocrisy? (Score:5, Interesting)
The providers get paid, and they get a good excuse for charging those fees. End of story.
If Goodmail's intentions were genuine, they wouldn't charge the "businesses" for every separate mail provider, but create globally valid certificates and then discuss with mail providers of accepting them.
However who would care to accept the certificates if he doesn't get the dough (the fees)? So there, we arrive at what Goodmail did.
Can you imagine paying up completely independently to every single ISP in the world so it can accept your SSL certificate? Yea, it's THAT bad...
Re:Anyone detect hypocrisy? (Score:2)
Also, right now there is sure to be a good deal of media
We've heard this before... (Score:2, Insightful)
"Certified" (Score:3, Funny)
Yeah someone's certifiable here.
Re:"Certified" (Score:2)
Yeah, this is what we've been saying all along (Score:4, Interesting)
Trust but verify. That it's crap. (Score:5, Funny)
Email address, Web URL, refering party -- each should be bulletproof BEFORE you extend your trust. Otherwise, you might get scammed.
Take this article. We know it's reliable and trustworthy. How?
Well it was submitted by "anonymous reader," who has posted many a fine gem on this here site.
Then it was filtered by an "editor" named "ScuttleMonkey." How can you not trust a monkey? Monkeys rock!
Then, when you click on the link, you see you have been taken to "Spam Daily News," a bastion of journalistic integrity that makes the New York Times look like the New York Times before Judy Miller got fired.
Finally, the whole thing originated from a little place we like to call "Slashdot." I think the quality of this brand needs no elaboration.
So as you can see, it is not hard to recognize a secure, reliable, not-at-all-misleading-or-shady chain of Internet links. Happy surfing!
Only one thing will work... (Score:2, Funny)
Can't we already do this... (Score:2, Insightful)
S/MIME (Score:2)
If Apple Mail can do it seamlessly, why can't AOL?
They presented to my organization (Score:5, Interesting)
Their VP kept harping on how "it will tell users they can trust your mail". My point that the real challenge was getting users NOT to trust things was not well received, to say the least. I also mercilessly attacked their constant assertion that their widget is "unspoofable", on the simple grounds that a similar widget in a similar location would be sufficient to fool many users.
My CTO has been asking me when we're going to implement Goodmail ever since. Khaaan!
Not to curb spam? Then this is BS (Score:4, Interesting)
If the purpose isn't to reduce spam, what does this new pay-for-being-recognized service offer that current ISPs don't already? Most ISPs will begin taking actions against your spam if you start spamming without contacting them anyway, and you are looking at legal trouble if you spam with forged headers or people who have opted out. Through whitelists and regulations, the framework is already in place for the legit spammers to spam. AOL already has whitelists. AOL already negotiates and limits email volume with mass email marketers. AOL already uses blacklists. And this whole thing isn't even mandatory!
So I'm really not sure what this pay system is supposed to do except earn AOL an extra dime at no added cost.
Re:Not to curb spam? Then this is BS (Score:2)
That is the whole point, to add cash to AOhell's sagging profits. Why do you think The boardroom is talking about splitting the company and sending AOhell back out on it's own?
As a tech I only remove more problems from Norton infected machines than I do AOL.
broken way to fix phishing too (Score:3, Insightful)
so suddenly you have to pay for _all_ your mail just to maintain your credibility. and then what if you cross the spam-complaint level goodmail sets accidentally and they throw you off their system (as they are contractually obliged to do)? does that mean that nobody will ever trust your mails again? do you get to send out one last certified mail saying "okay from now on pay no attention to that little flag?"
it seems a really bad idea for a big company to place their credentials in trust with a third party and then let them charge them for every mail they send
I'll sort my own mail, thank you... (Score:3, Insightful)
So it is to stop phising (Score:3, Interesting)
So there is clearly a need for someone to help the average user discriminate between legitimate and nefarious email. The need could result in a significant market opportunity if an ISP developed appropriate technology and backed up the technology with a meaningful guarantee. People will pay for security, even shallow security.
I also believe this will reduce email that maight be strictly catagorized as spam. Not the broad definition of unsolicited email that has resulting in no meaningful agreement on how to deal with the problem, but email that has a misleading subject, spoofed headers, clearly obtuse text content meant to disguise the HTML rendered message, and links to shady websites. If the ISP allowed users to set up a list of safe addresses, provided the level of protection that the USPS service does for unsolicited mail, and provided a good customer crisis line, that would provide a big competitive advantage. If, however it is just charging spamers for email while the user dangles on the vine, that it is quite useless.
The USPS was suppsoed to do that! (Score:4, Informative)
The difference of the USPS vs. Goodmail is that the USPS has official legal authority for such thing as mail tampering and proof of delivery.
I suppose if they were to offer the service now, Goodmail would buy a law to prohibit to USPS from competing against a private business as Sen. Santorum is trying to do with the weather service.
Re:The USPS was suppsoed to do that! (Score:2)
uh, GPG (Score:2, Insightful)
So now all the bad guys have to do... (Score:2)
We already have a better way to do this (Score:5, Interesting)
This might bring up the question of encrypted spam, but your keyring would act as a whitelist. If some random person sent you an encrypted or signed message, then you would be presented with a message asking if it should be accepted.
All we need is a simplified way to do this for the general public. Too bad Thunderbird doesn't come with Enigmail preinstalled. We'd probably need something else for webmail. (FF extension?)
Re:We already have a better way to do this (Score:2, Insightful)
What happens when you lose you private key, and can't decrypt those important messages about your accounts and the cotracts for service (banking, deposit holding, interest etc are all contracted servies)? And then a tax audit, bankruptcy, or civil suit that requires legal discovery?
Without evidence to defend yourself, life is sooooo much mre difficult.
These sorts of reasons are why PGP, gpg and S/MIME never work in corporate environm
Why to reduce spam at all? (Score:2)
Why can't personal certificates do this? (Score:4, Informative)
Re:Why can't personal certificates do this? (Score:2)
I think the major players can't make as much money without the 3rd party scheme so they push it. Note how difficult it is for you to create a certificate to sign your email with that outlook will understand/respect (without using 3rd party).
The large email providers are seeing $$$. I think the delay is in thinking up schemes that people feel the need to pay for. Its funny that we can protect a damn movie through unwanted inconvenience and mandated cost to the
We're not trying for anything (Score:3, Informative)
Of course not, that way when it does not reduce spam, they can't say CertaifiedMail was a failure.
Of course it's not... Just like SPF. (Score:2, Insightful)
is a communication medium where you only accept people you "trust" and reject the
others). It's meant to protecte trademarks, and push responsibility away from the
sender (i.e.: "you should have checked who the mail came from, ours are signed).
Yahoo, and of course banks and other institutions who want to defend their
credentials love SPF and similar systems. They don't care about SPAM, they just
don't want to get blamed by cust
Re:Users won't know that (Score:3, Interesting)
If many companies do this, then the only "certified" mail in the box really
Re:As predicted (Score:3, Informative)
Of course, AOL wasn't terribly consistent even with themselves early on, but if you think Goodmail billed this as an anti-spam solution, you've clearly only been paying cursory attention to the story.