Nadav Har'El wrote:
The theoretical problem with spam prevention is that it is an arms race,
the people who do it have a (large) economic motivation, and it is just an
example of the broader problem of abuse of power in our society (I see
a mailbox? I can stuff my ad there, so why not. I see a wall? I can write
my name there, so why not. A computer will do whatever I tell it? So let's
see if I can tell other people's computers to format their hard drive).
However, in practice, the spam problem *can* be alleviated. And you (Uri)
have a good track-record of coming up with ideas that DO WORK well (namely,
speedy.co.il), so I wish you the best of luck.
Spam filtering, for example, does work. Since spam started, I have received
a whopping 100,000 (!) spam messages, and only about 200 got through my
home-grown filters (that also use collaborative spam blacklists like RBLs and
Vipul's razor). Nowadays I get about 125 spams a day (!). Without spam
filtering, I would not have been able to read email at all.
In addition to text-based filtering and online up-to-the-minute collaborative
blacklists, there are new tricks that aim to fix the fundamental problem
of SMTP mail: no authentication and no accountability, which allows not only
spammers to prosper, but more alarmingly - "phishers" who are trying to
defraud you. SPF is probably the best solution I know of for this problem
which still keeps your plausible deniability (i.e., gpg is TOO strong) and
allows communication with new people. SPF is already catching some of the
spam and fraudulent emails that I get, but it will get better as more major
email senders will start adding SPF records to their DNS.
And of course, there are techniques which make it more "expensive" (with
"postage-stamp" like payments or computationally expensive) to send email,
therefore making spamming more expensive and ultimately, not worth it.
Unfortunately, I view these last directions as HOPELESS, and I hope, Uri,
that you're not going in that direction. The problem is twofold. First,
if emailing is more expensive it will not just harm the spammers - it will
also harm operators of legitimate mailing lists, and ISPs with large mail
servers. Secondly, and more importantly: spammers have, from the start
(and even more so today) relied on shifting the costs to others. They don't
need to buy "postage stamps" or make expensive computations if they can break
into your machine and have it do the mailing. This makes "postage stamps"
out of the question (you'll just steal money from the poor victims), and "long
computation" problematic (if it's too short, you'll gain nothing. If it's
too long, nobody can run a legitimate mailing list).
And last but not least, maybe Uri has a new trick up his sleeve?
Why be so negative?

Thanks for the compliments. I have been studying the subject of spam
during the past few years, and I'm aware of other solutions. Spam
filtering is a common solution, and we all use them, but it's not
perfect. It has problems of false positives and false negatives. I
also checked other solutions and they are not perfect either. No
solution is perfect.
SPF, as well as DomainKeys, are concerned with signing domain names. They
have many flaws, but the main one (I think) is that they do nothing to
prevent spam. A spammer, using his own (newly registered) domain name,
can send millions of legitimate messages through them. My idea is to
sign the whole E-mail address, and limit the number of legitimate
messages a user can send per day. This will mean creating a new
protocol which will either replace SMTP or work on top of it. It will
be similar to SPF and DomainKeys, with the difference of signing the
whole E-mail address and limiting the number of messages per day. The
main challenge is to convince users and sys admins to use this new protocol.
Mailing lists will not be able to use this new protocol, but a different
new protocol will be created for them. The new protocol will enable
mailing lists to send mail only to users who confirmed their
subscription. A mailing list admin will not be able to transfer his
subscribers to another mailing list. Users will be able to unsubscribe
using the protocol, without having to ask for "permission" from the
mailing list admin.
I'm looking for people who will help me form a profitable business from
this idea. Profitability is one goal, solving spam is another goal. Of
course no solution to spam is 100% complete, but as Nadav said a
solution should be good enough. If a solution gets rid of 99.9% of
spam, while not interfering with 99.9% of legitimate messages - it's
good enough. My solution will also prevent phishing and E-mail worms.
And sending E-mail for legitimate users will still be free (no cost).
Best Regards,
Uri Even-Chen
Speedy Net
Raanana, Israel.
E-mail: [EMAIL PROTECTED]
Phone: +972-9-7715013
Website: www.uri.co.il