'Leak-Proof' Anti-Spam Solution?

sikandril asks: "In an effort to help the Internet community and user-base at large in fighting spam, I have decided to put up this white paper for public review and remarks. As you will see, the system provides an almost 'waterproof' solution to spam blockage via an opt-in system. The main drawback is that everyone (except spammers or other evildoers) has to have this installed in order for it to work perfectly. A small number of installs means that unknown legit contacts still might show up as spam, albeit only for the first e-mail and/or until they too elect to install the software. I'm an independent developer located in Israel, and would love to hear your ideas regarding this."

That reads like a patent

[Bloater]

From TFA: "In an effort to help the internet community..."

Bollocks, this is an attempt to get investors. What's the patent number?

Am I a cynic? Hell yeah!

Obligatory...

[LiquidCoooled]

This article advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work.
(One or more of the following may apply to your particular idea, and it may
have other flaws which used to vary from state to state before a bad federal
law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential
employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(X) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever been
shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
(x) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.

Somebody get these guys a clue...

[FordPrfct]

From the article:

"6. Sixth, the system provides additional security and control over computer viruses which spread by e-mail - Client (1)'s connection with Server (2) is much harder to hack into than simply taking control of a regular e-mail client. Large and suspect amounts of key (4) requests from suspect client (1) can simply be blocked at the server level."

Who said anything about hacking "the connection"? Once we have everybody using the same client, I am sure it is only a matter of time before somebody finds a vulnerability in it, and crafts a virus / trojan to take control of it. And you *know* that people will open it up. "It came completely verified from somebody on my whitelist! It can't be faked or a virus!"

So Mom gets infected. It sends to everybody on her list. Because it was verified, it gets through to all of them, and they open it. Then to all of their friends. And so forth and so on. Not enough key requests from any one client to result in a block at the server level, and impossible to get ahead of it without blocking a significant portion of your userbase.

Congratulations. You've reinvented Outlook, and given people a better reason to click on that attachment and perpetuate it.

Yikes

[TheSHAD0W]

The proposed solution relies on a centralized authority producing new keys for each person periodically, which is a recipe for disaster if a billion users sign up for it.

Re:Obligatory...

[thorndove]

You went too easy on him

Re:Obligatory...

[Skreems]

Your plan completely fails to account for ISPs which either can't or won't screen properly. Want to make some money? Set up an ISP that implements the cert structure, and allows spammers. Want to run a free webmail service (hotmail/yahoomail/gmail)? You damn sure better make sure your users can send as non-spam... except of course, these get used to generate spam addresses, and Google doesn't have time to check out every new account for validity.

The one thing your plan does do is prevent spoofing, but that only works if the public keys are kept secret, in which case they don't work. Within days, these public keys will be circulating along with email addresses on spam lists, and the entire thing is useless.

Time to fill out the form again.

[Anonymous Coward]

However, I feel your efforts would stop more spam if you were to aquire some AK-47s and hunt spammers. Make a documentary about it and upload it to video.google.com to spread fear, uncertainty and doubt into future would-be spammers.

Your post advocates a

( ) technical ( ) legislative ( ) market-based (X) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(X) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(X) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(X) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!