email, sendmail and spam

[btiffin]

Hello everyone

I'd like to ask the opinions of the board;

Do you think it would be feasible, from both a system and personal management point of view and from a technical standpoint to change sendmail such that everyone had a public and private email address where the private email address only accepted mail from a whitelist of known senders?

There would be a cost on the ISP side, keeping and scanning whitelists, there would be a cost to individuals in managing the list of welcome senders (and some sequence of "please let me send you mail" messages through the public account), but would those costs be greater or lesser than the current loads of spam floating around the internet?

Just curious.
Cheers

[Tony]

Just because you get some spam blocked at some other level than at your inbox, doesn't mean that there will be any less spam clogging the tubes.

[Zeroth]

The only way to stop spam is if everyone overnight gains 50-100 IQ points, and realizes not to buy from unsolicited email. That'll never happen.

[Tony]

Zeroth @ Fri Jul 04, 2008 11:51 am wrote:

if everyone overnight gains 50-100 IQ points

Not going to happen, by definition, as IQ is relative to the population it's measured in. That is, IQ of 100 is defined as the mean.

Though you are right. As long as spam remains profitable... for anyone, it will be there. The funny thing is, if spam was to gradually start getting less profitable, spammers will try to compensate with larger volumes. *sigh*

[Zeroth]

Good point... okay, if everyone suddenly gained common sense, then.

[btiffin]

I was thinking along the lines that sendmail routing would only allow Please Let Me In messages limited to a header and short subject to the public channel of an email address. Then with a cli or click, the private oklist is updated, now to the same address gets approved tags from that sender and bodies are forwarded from then on. These oklists would be the responsibility of the POP ESMTP IMAP sendmail provider under user control.

It would slow social interactions, but spammers would be limited to an 80 character subject line. Spoofing won't be too bad (I think), as each victim address they spoof may only be opened in a few hundred mailboxes. Mailboxes the spammer would have to harvest along with the sender address. Make spamming a waste of time, or at least limit it to one liners.

Dunno; I think a few tweaks to sendmail, a little education on maintaining oklists, a web interface quick exchange tool, and then I think most of the ads could end up being an easier to deal with 80 byte header and most people would end up with less risky and time wasting junk mail. Dunno. I polled yes to my own question, but I might be missing something.

Cheers

[Dan]

It's an intresting idea but i am not sure if it would aucatly help. I think black lists and spam filiters are the way to go (with auto generated white lists to pass threw them).

With me i often delete spam based on the subject alone witch is noramly under 80 chars so it would mean the same amount of work in terms of geting ride of spam but with the added work of having to deal with vaild please let me in messages.

Also in my case i offten send mail to my self, from my own e-mail. This would mean my own e-mail would be white listed and i offten get spam where they spoof the from e-mail as my own e-mail. This means that if the e-mail address was the check for the whitelist there could be alot of common whitelisted e-mails, inlcuding a users own e-mail or somthing like the mail deamon from there own server or other servers. So for it to work right you would need somthing more then the e-mail address for authnetication if you want common e-mails white listed and this gets problmeatic fast as the current e-mail standars do not offer much in the line of authentication of the sender.

What might be good is the ablity to generate tempary e-mail address based on your current one. For example if i have the e-mail dan@compsci.ca i should be able to genreate an e-mail like dan@some_hash.compsci.ca or dan.some_hash@compsci.ca for use with one time sing ups with are likey to give my e-mail to 3rd partys. This new e-mail could then forword e-mail to my main real e-mail for a few days with a waring attached to the subject line and then become dormonent automaticly and just collect the e-mails in a folder with out forwording them to the main e-mail intill i delete the generated e-mail. Doing this was some nice web based user controls would allow for users to mange a set of sub emails for each service they sing up for and if they notice they get alot of spam from one they could simply cut it off with out losing there main e-mail.

[rizzix]

Look up Plus Addressing! You can do what you;re asking for quite easily, i.e. with Plus Addresses and a few client-side scripts.

[Zeroth]

There is a valid solution. It features email authentication, that the person sending the email is the person they're claiming to be. Its just not implemented in many places.

The way I see it working is that a couple of servers are authenticated as not sending spam, their emails are more trustworthy.(Works like ssl) A few more servers add it, they're a bit less trustworthy, at least until they reach a certain trust level(look up eigentrust on wikipedia). Probably be the best way to authenticate valid non-spammy servers. Would be slow, and problems would arise from webmail servers, like gmail, hotmail, yahoo, which have all had their captchas cracked. So they've become sources of spam as well. Using this method would eliminate the literally trillions of emails from hacked windows computers.

[Dan]

Zeroth @ 5th July 2008, 12:24 am wrote:

The way I see it working is that a couple of servers are authenticated as not sending spam, their emails are more trustworthy.(Works like ssl) A few more servers add it, they're a bit less trustworthy, at least until they reach a certain trust level(look up eigentrust on wikipedia). Probably be the best way to authenticate valid non-spammy servers. Would be slow, and problems would arise from webmail servers, like gmail, hotmail, yahoo, which have all had their captchas cracked. So they've become sources of spam as well. Using this method would eliminate the literally trillions of emails from hacked windows computers.

This is not a bad soultion on the surface, however when put in to partice it tends to hurt the litte guy. For example hotmail uses a trust host type system but it tends to be realy negtive to new hosts where almost no e-mail gets threw and there recomend way to fix this is to pay large amounts of money to get there trusted rating. As of right now very litte mail from the CompSci.ca server makes it to hotmail becues we are unwilling and unable to buy in to there system. My worry is that it would become some what like ssl where you need to pay to get tursted (or singed) by some centeral athority (i know you an self sing but then that is not realy trusted) and it could end up alinating the small guys if big e-mail proviers like hotmail, gmail, etc demand it.

So as long as servers can gain turst with out having to pay money, new hosts can get to a tursted level in a resnable time frame and there are ways to appeal or recover from a bad users sending spam or a false indfication of sending spam i think it is not a bad idea.