Where’s my authenticated email?

Why isn’t email authenticated? I’ll tell you up front that I know very little about this subject. I can’t tell Sender Policy Framework from DomainKeys (link, link) from SenderID.

But what the heck — it’s 2007! How can this not be solved? If you had told me back in 1997 that email wouldn’t be authenticated yet, I would have slapped you in the face. Slapped you. In the face. Go ahead, take a time machine back to 1997 and try me. While you’re at it, fast forward to 2017, collect the email authentication that will no doubt exist then, and bring it on back to 2007.

Sure, there are ancient mainframes running, I dunno, ADA that only know how to use SMTP the way it was used back in 1982. Point taken. They can stick to the old ways. If I ever need to have a deep and trusted email relationship with one of those machines, I’ll whitelist it. And I know that there are corner cases like forwarded email. But somebody tell me in an educational, non-libelous way: what’s keeping the world from enjoying authenticated email? What am I missing? Right now I’m in a position of near-perfect ignorance, so almost any nuggets of constructive knowledge will educate me.

Also, I’m still waiting for my air car and jet pack. 🙂

70 Responses to Where’s my authenticated email?

  1. I think email authentication might take quite some more time. And hey, while you’re at it, what about browser standards? LOL.

    And for your air car and jet pack…. Hmmmm, I already placed an order in Amazon. 😀

  2. I have to agree with you Matt, but I can’t offer any wisdom either. My company runs several sites which send basic text emails to members; such as password resets, message waiting notifications, etc. We use SPF and even so, Gmail invariably drops our messages into the Spam folder. Gmail supposedly supports SPF, but of course other mail services toss our member emails into the spam bin just the same, so what’s the point of SPF if even legitimately sent emails do not get preference? This seriously impacts our business when we can’t count on our paying customers receiving the important information they requested. I’m looking forward to 2017 too!!

  3. Adam

    Hey Matt, you aren’t per chance a Dane Cook fan are you?

    MC: “Slapped you. In the face.”

    DC: “A tire! In the face!”

    Love your posts (and wish I worked for Google),
    AI.

  4. Mike Scott

    Vicious circle. There’s no point authenticating your email until people are rejecting unauthenticated email, and you can’t reject unauthenticated email until nearly all legitimate email is authenticated.

    Also, authentication doesn’t solve the problem of botnets taking over people’s PCs and sending perfectly legitimately authenticated spam as coming from those people — it’s really an anti-phishing tool, not an anti-spam tool.

  5. Well email what we know now basically was mail in old unix systems where anybody could send a message to anyone on the network via pine, mail and some other commands.

    I would send a message to a friend and my username would get transmitted along. (If I remember correctly)

    In the internet (network of networks), where there is virtual subhosting, the servername, ip of the email server is usually what gets transmitted with the messages.

    Also, email is specific to a network and not regulated. So a server doesn’t HAVE to accept any email which comes to them and can create policies on which email to just flatly reject.

    There are some companies out there like Goodmail, which Yahoo uses to guarantee transport.

  6. You’ll be waiting a long time, I’m still waiting for hot food from the McDonald’s drive through. But seriously, the lack of email authentication is quite surprising.

  7. Well, I’d say that authenticated mail exists. At least corporate SMTP nowadays is mostly authenticated (with all SSL goodies added, yay). GMail is authenticated. All you need is to push policies – it just needs critical mass, as any self-regulating environment.

    Once end-users authenticate to their providers, it is just a matter of trust for providers, and that kind of trust is what is difficult to achieve.

    The only trust system right now on the net is PKCS. Certificates are issued by some ‘trusted roots’, and everyone expects a lock icon, when visiting a website. Now all you need is to convince people to expect a lock on their email client.

    Of course, then you hit all the other issues with trust – do people really read the error popup windows? How is the trust supplied by root authorities? By intermediate authorities?

    The best example is Verisign vs some-50$-SSL-cert. It provides absolutely same lock icon. The method to get say Class3 certificate from Verisign is completely different from some ‘fill online form’. Some organizations even filter out SSL sites signed by non-Verisign (and non-Thawte, which is Verisign too). Here you meet yet another problem, who and how defines what should be trusted and what should be not.

    The difference between Web and Mail is that you usually end up at the Web machine, whereas you don’t know where Mail comes from. This is what SPF is for – deciding if the source of message is appropriate for the address. Now all you need is to add signatures of systems it passed (and verified the sender), or digital signature by sender himself.

    GMail does that for now. Maybe that will be the critical step of the web?

  8. There is a prime directive problem here:

    All technology is bad…contrary to your motto.

    Once a genie is let out of the bottle, it cannot be put back in. And being archaic just grants them demi-god status. Truly bad programmers are the real gods; as the only person who can make any sense of what they did, they are unfireable.

    But, don’t pay any attention to me. I am watching all that play out on a friend who deserves better and am ready to go Howard Beale on general principle with no thought it could possibly improve the situation.

    See ya at the next windmill…

  9. well…

    If these pesky kids and the gdamed amateur night standards like smtp hadn’t taken off. x.400/x.500 would rule the roost – and I could have an email address like c=uk pn=”maurice” 🙂 (I used to be third line support for one of the uk’s leading ADMD’s and could do stuff like that)

    I’m less arrogant these days and I don’t put my phone no. as form1 variant3 in my CV

    Of course google probably wouldn’t exist in this world – it would be ATT search, BT Search – Gmail would be a complete nonstarter; email would be provided through your PTT/Phone company who could tie emails to a phone number.

    The problem is getting everyone to agree and update all the servers in the world – certain governments would love to have this as well there are civil liberties questions as well.

    For all its faults the open internet is better than the expensive PTT regulated walled garden – trust me I’ve been there.

  10. Lars

    You won’t remember now but I just tried you in 1997.
    And you slapped me in the face.

    You were right. 🙂

  11. Daniel Dulitz

    Hey Matt,

    Check out http://www.cs.princeton.edu/~sgaw/publications/01Feb-Activists-sgaw-CHI2006.pdf
    for a good survey of the sociological reasons why encryption isn’t used. Authentication raises similar issues, just less severe, because it’s less intrusive.

    I’ll make the controversial claim that authentication of email wouldn’t really help much. It would help technically savvy people in their dealings with financial institutions, but other than that it wouldn’t help. Clients are insecure, so when it matters you can’t trust them when they say a message is authentic. Users ignore even strongly-worded security warnings. While I would be willing to install a certificate on my Treo, my desktop Linux machine, and GMail, most people wouldn’t.

    That said, I bet that adding authentication to GMail would be the best way to encourage its adoption in the real world. 🙂

  12. Are you having a spam problem Matt? I was being crippled with spam this fall (nearly unwilling to open my mailbox for fear of what was inside) and Thunderbird’s spam filter was crapping out (either everything was marked spam, or nothing was). I finally had had enough, so I installed ASSP. Two features cut out about 99% of my spam: greylisting/delaying (where e-mails are given a 451 message the first time they arrive) and blocking invalid HELOs. It also has a Bayesian filter, but that isn’t as necessary when less than 5 spams get through a day (versus hundreds).

    Also, it sounds like you need to watch this video:

    “A New Way to Look at Networking”
    http://video.google.com/videoplay?docid=-6972678839686672840

    I’ve been going through Google Research’s videos of the year and that one was really interesting. IIRC, his new model means you trust the data (because it is signed) and not the source.

  13. JLH

    I want my flying car too. Oh what a world reading authenticated email in my flying car…one can dream.

  14. SPF

    … obvious answer, because nobody important wants it solved.

    SPF got hijacked by Microsoft, my view is that it was the best solution.
    SenderID was just SPF embraced and extended, with a GPL incompatible Microsoft license added.
    Domain Keys was needlessly complicated and had privacy problems and a Yahoo IP claim.

    But it’s fixable.

    You could ask Vint to raise it at ICANN and get an SPF record on every domain as a requirement for registration and it would fix the problem in a snap. The risk is, the move would be hijacked, e.g. Verisign might try to sell certificates, or MS might try to get an IP lock on it. But that’s always a risk anyway.

  15. Ian

    With regards to SenderID, it’s Microsoft trying to get everyone to use SenderID while still trying to get patents on it to screw money out of everyone. Except thankfully people turned out not to be stupid and didn’t fall for it.

  16. Swogala

    Hello,

    Those decrepit, ADA-gargling mainframes can always have a translational gateway placed in front of them?

    Besides, wasn’t this another instance of everyone and his cat hatching their own kneejerk solution to a problem, all tightly grasping their own idea and Scarpa-ing off in their own direction without regard for interoperability? Sure it’s 2007, but some things just never seem to change 😉

    Best,

  17. um, email these days *is* authenticated — if you send a mail from GMail, it’ll be authenticated using both SPF and DomainKeys. 😉

    The thing is, there’s a common fallacy regarding authentication, that it alone will help in the fight against spam. This isn’t the case — knowing that a mail was sent by “jm3485 at massiveisp.net” is not much better than knowing that it was sent by IP address 192.122.3.45.

    Authentication is just a step along the road to reputation and accreditation — see this message for details: http://mipassoc.org/pipermail/ietf-dkim/2005q3/000370.html

    In the meantime, users of SpamAssassin and similar anti-spam systems can run their own accreditation, by whitelisting correspondents based on their DK/DKIM/SPF records; the upcoming SpamAssassin 3.2.0 can be set up to run these checks upfront and short-circuit mail from known-good sources with valid SPF/DK/DKIM records.

    Also, hopefully more ISPs and companies will deploy outbound SPF, DK and DKIM as time goes on…

  18. The technology is there – in bits – and no-one has the incentive to put it all together, least of all those who should be doing it – ISPs.

    Your air car is in the mail; company policy prevents us sending jet packs until you present your Individual Flight Licence for inspection. Or reasonable facsimile thereof. Or a sworn statement on a post-it note.

  19. Flying cars and Spam. Talk about recipe for disaster!

  20. On another subject, what does everyone think about the Y2K prediction?

    It’s only three years away, the world’s governments appear to be waiting till the last minute to address it? 😕

    Isn’t Yahoo a wonderful directory? Everyone uses it, except for AltaVista for complex research.

    BTW:

    Just read the draft of this intriguing paper:
    The Anatomy of a Search Engine by some kids at Stanford.edu – they think they can beat Yahoo with some sort of link counting thing.

    They are creating a new search engine, Matt, check them out – THEY ARE HIRING!

    BTW:
    In ten years from now (if we are all still alive :LOL ) – email will not be authenticated yet

  21. Alok

    That is an easy one. And it is spelled C – O – N – V – E – N – I – E – N – C – E

  22. I would suggest that the following issues may contribute to the problem:

    1. Lack of knowledge of the possibilities: The vast majority of people who use email are not computer-savvy. They don’t know about authentication possibilities. This is not something that most people are interested in learning about. So the technology has to be ultra-simple if it has to find mass usage.

    2. Anti-spam has made it less important: Anti-spam filters are much more intelligent now. So you don’t have to sort through lot of junk mail and see if they are real.

    3. Lack of demand: How many times do we really need to know if a person has really sent the email? Most of the times, the content in the email and the context clearly indicates who the sender is. Also, in business situations, it is much more secure to call the person to verify if the email is from them than to rely on emerging technology.

    Other questions exist: How much money can a company make of email authentication? How about a person having multiple accounts? What if there are differing standards?

  23. What about authentication of YouTube users and publishers? 🙂

    Since last night YouTube is blocked in Brazil because it´s unable to remove a certain video.

  24. And if anybody can tell me how to do something about the “Joe job”
    http://en.wikipedia.org/wiki/Joe_job
    … I’ve been getting for the last two years I’ll buy them a lobster dinner. I don’t think it’s actually an attack against my domain because they don’t seem to be trying to mimic an actual sender, like info@mydomain.com. Instead, I get about 200 “undeliverable messages” in my inbox and they use random letters as the sender attached to my domain (xhfbxr@mydomain.com).

  25. Here’s your ‘air car’: http://money.cnn.com/magazines/business2/business2_archive/2006/12/01/8394980/index.htm?postversion=2006121506

    Here’s your ‘jet pack’: (You just have to be in space to use it)
    http://en.wikipedia.org/wiki/Manned_maneuvering_unit

    I wonder if you can get G-mail in space? Better yet, if you ran sold things w/ Froogle in space would you still have to pay sales tax -Or- Is there an interstellar sales tax already!

    As far as your email………..and being a Southern Fellow, “I Got Nothin!”

  26. lots0

    As has been pointed out in this thread the technology is already out there to secure emails.

    What we are lacking is a way for anyone to make money by securing emails.

    As soon as someone figures out how to make more money by securing emails than by spamming email addresses, I expect we shall see the last of the email spam…

  27. I use SPF records in almost all my domains, but since so few actually bother to check them they are still used as fake from addresses, which is too bad. SPF makes sense, and ¤%¤%#/#/#/& Microsoft for again trying to hijack the solution.

  28. http://moller.com/skycar/

    Here is your flying car matt. courtesy of google

  29. Why don’t you have an air car? Three letters: FAA.
    Besides, would you really want a flying car if everyone else had one too? You’d be safer with a unicycle on the freeway.

  30. Krishna touched on something that geeks tend not to think about when it comes to things like this:

    The cost and profitability factor.

    Where’s the money in it? How much does it cost to implement? Why would Corporation X force users to authenticate before sending emails? In other words, one of the reasons behind this may be that it’s simply not profitable or at least cost-effective (read: no loss of profits) to implement any level of authentication.

    It also doesn’t help that some ISPs and hosts charge customers for SMTP authentication…why would you charge for the ability to force customers to login and thereby provide some form of tracking?

    http://help.alentus.com/article.aspx?id=10608&cNode=3A8L5Y

    Finally, the thing that comes to my mind is script-based emails (e.g. form-based emails.) While it is possible to authenticate to a server via a script, that means that the login/password/etc. would have to be contained within a script somehow. That’s a security issue in and of itself; think of the number of people who would do something along the lines of:

    SMTP_username = "myemailaccount@domain.com"
    SMTP_password = "123456"

    And then they lose control of the site containing that code. That would be a serious issue in and of itself.

    Mind you, I’m pretty neophytical when it comes to this stuff personally so it may have already been answered.

  31. Spam, it’s pissing me off.
    I’m curious why the ISP’s don’t take action. They complain that most of the traffic is spam but if there’s someone who knows who is spamming, correct me if I’m wrong, they are. It must be that the ISP’s gain from it one way or another.

  32. I would like to be able to cancel an email after it was already sent. There would be a protocol with an encrypted key that would be received by the server and it would delete the email from the person’s inbox if it hasn’t been read yet.

    Obviously, I’ve had a few emails that were sent out in haste which I regretted afterwards. 🙁

  33. JohnMu

    Air car + jet pack? How about a jet-powered personal helicopter that you can fold apart and keep in your car’s trunk? See http://www.johannesmueller.com/fs/fb-wmv8.wmv or http://www.flightforum.ch/forum/showthread.php?t=27290 (german forum with pictures + video links)

    PS Is this SPF really useful: “v=spf1 ptr ?all” ?

  34. I dunno, even if there isn’t a profitable “anti-spam authenticating business” in there, it seems like if everyone could get on the same page, the inevitable upgrades of software would eventually get us where we want to go for very little cost.

    Justin Mason, I did notice that Gmail supports both SPF and DomainKeys. 🙂 But that’s not my main issue (my post should not be read as pro- or anti- any particular email provider). It’s just hard for me to believe that this issue is still an issue.

  35. Matt this WordPress blog may be using one of the best anti spam tools out there by Matt Mullenweg and the gang who created Akismet. Let them set the initial standard and then let everybody follow it. I think Google, MS, Yahoo should be ashamed that email spam remains such a plague.

  36. Lew

    I don’t think authenticated email is around the corner. Like someone said above, we can’t even get browsers to obey WC3 standards across the board. As long as you have people with home computers that are not updated with the latest virus protection, it doesn’t matter if email were authenticated or not. I guess we just have to convince everyone in the world to use 3rd part mailing like Gmail. Corporate environments have their own responsibilities as far as email goes, and most live up to a standard 1000X higher than the average home computer user.

  37. I can’t help you with either authenticated email _or_ a jet pack, but I got a t shirt for xmas that you might like…

    http://www.threadless.com/product/63/Damn_Scientists

    😉

    big

  38. convince everyone in the world to use 3rd part mailing like Gmail

    Huh? You get no spam in your gmail? Am I alone?

  39. David

    They should charge for every email sent.
    People (not only spammers) would think twice before sending an email.

  40. No comments yet on the wikipedia storm in a teacup 🙂 http://www.threadwatch.org/node/11203 ?

    Oh btw http://www.ics-online.co.uk seem to be keyword stuffing

  41. Hi!

    In Europe I think the Orwell book 1984 plays a big role in that
    Because I know that everytime I authenticate a document in the net-world
    (best I sign it at my Handy, this would mark place and time),
    in which many gov-orgs (?and other) can have access to all (magic lantern / house search on my online drives) which could be a provable bit in another picture of me.
    that’s not how I react, but many people fears new incalculable Risks,
    and so e-mail are more like notices to them than documents.

    And a blog categories proposal: a Forum

    Because I asked some questions here, and get answers
    and now I want to thank and say
    rel=external nofollow” it’s in hopefully right place
    time shell tell us the result

    also THX to the immo-part; maybe right understood

    Matt this would be better in a Forum ?or

    Lew:

    we can’t even get browsers to obey WC3 standards across the board.

    the browsers are not THE problem in this part; but the 99.7 % invalid sites are

    Maurice:
    Great organizations and little participants make often such curious or envier faults

    Greetings Karl Heinz

  42. Matt Cutts said: “It’s just hard for me to believe that this issue is still an issue.”

    And so say all of us … but it’s depressing when we hear it from a Googler!

    Any chance of getting a gmail tech to respond?

  43. Matt, I worked in the email industry for 4 years before it became commodity software and the problem of spam isn’t that tough to solve but the issue is getting everyone to adopt YOUR solution.

    Many of the big players, and I mean Fortune 500s, not just web hosts and ISPs, have such large infrastructures and outdated platforms that it could take them 6 months to a year or more just to transition to new gateways, if ever.

    Then you have the really big technology companies like Yahoo, MSN, and AOL all picking a different approach so it gets ugly when the major providers of email accounts won’t standardize because they’re all pushing their own technology, therefore it’s a permanent gridlock.

    Then you have the last problem, what about people that don’t want to upgrade or refuse? For instance, if the entire country of China (where a lot of spam comes from) refused to upgrade would you simply stop doing business with China? Doubtful.

    So, to quickly solve this problem, install a challenge email system or use a service like Spam Arrest, block russia, ukraine and most of asia from your mail server, and enjoy the Inbox silence only broken by the rare spam that slips through.

  44. lots0

    So who here would PAY $19.95 a month for a guarantee that your inbox will not have any bulk spam in it?

  45. lots0 something really bugs me about the idea that my email with all it’s incredible advantages is free, but that I’d pay that much to simply keep it clear of junk.

    I think a major problem with the internet community is it’s obsession with anonymity. Rather than pay I’d like to provide complete contact information to a central repository, and I’ll choose to get email only from people or companies that have done the same.

  46. Sorry – the two “it’s” above should be “its”. (itses?!)

  47. lots0

    >>>”lots0 something really bugs me about the idea that my email with all it’s incredible advantages is free, but that I’d pay that much to simply keep it clear of junk.”

    You made my point for me Joe. 🙂

    Not many folks would pay to keep a ‘free’ service usable and convenient.

    On the other side of the coin…

    I know an email spammer that paid cash for a 1.3M home last year and has two brand new Hummers and a small collection of classic cars that have all been paid for by email spam…

  48. Karl

    Maurice:
    Great organizations and little participants make often such curious or envier faults

    Are you talking about the ITU or ICANT here 🙂 or even ICL and no its not ok when a standard says start counting sequence nos from 1 to start from 0

  49. $19.95 per month? That’s pretty steep.
    I’d prefer to be smarter and attempt to somewhat protect my email addresses a little more! E.g. make sure that they are not viewable on any forums, blogs, etc.

    But, I probably would pay $5 per month! 😉

  50. Maurice, I thought about saying something about the Wikipedia kerfuffle and decided not to. If I’m not notable by their guidelines, that’s not a huge concern to me. 🙂 Though it did warm my heart that Danny defended my notability honor:
    http://searchengineland.com/070108-170335.php

    I learned something new from the brouhaha: to be considered notable in Wikipedia, it helps to be the focus of a story by a reputable source. I’ve been quoted in quite a lot of pieces, but there haven’t been that many Matt-focused stories in mainstream media. The BBC article was one, and Danny’s article mentioned the Chicago Tribune article as well.

    bigiain, I liked that shirt. 🙂

  51. PageRank

    @off-topic
    isn’t about time to export PageRank?

  52. Lol..nice one and amen to that..we can put a man on the moon but can’t stop email spam..go figure..perhaps google will figure this one out 😉

  53. JLH

    hmm, wouldn’t be much of a stretch to drawing a correlation between stories in reputable sources and quality natural links would it?

    You can be THE authority in an industry (niche) but unless it gets picked up by the national media (high quality links) you’re not going to be in the wiki (index). Having many citations from within the industry (link exchanges, your own network) doesn’t help elevate you.

  54. Hey Matt,

    looks like you were hit by the damn RE: my something image spam as well, that went way undetected in all spam filters, including that of GMail

    I was bitching about it just yesterday

    http://weblog.cemper.com/a/200701/10-how-to-get-rid-of-the-re-my-somecrap-spam.php

    best,christoph

  55. What I want to know is that why using services such as SPAM Cop and other, I seem to be getting more SPAM e-mail more than ever! I doubt I’ll ever report any more e-mail to Spam Cop. The spammers are winning this battle despite the fact that it’s 2007! A certain amount of spam is going to get through no matter what you do or when you do it. Not to mention the fact that messages you want will occasionally sift their way into the spam folder.

  56. JLH

    Here’s some media attention:

    http://blogs.zdnet.com/micro-markets/?p=857

    Not sure if it’s all good, but as they say there is no such thing as bad press.

  57. Answers:

    SPF sucks — the entire installed base of the Internet email software uses forwarding extensively, and SPF requires that all forwarders rewrite the email in a daft way. As a result everyone published SPF records, but anyone who rejects on SPF rejects a lot of genuine email, so it is largely only used as part of scoring in SpamAssassin. It is arriving but overrated (note spammers adopted SPF faster than mail admins!).

    Domain keys resolves the forwarding problem, but is too complicated (and does require everyone to send email properly), I think it is not a bad approach in many ways, but I prefer per user signatures.

    GNUPG/GPG signed emails with web of trust (my preferred approach).

    Requires no fundamental changes to the email infrastructure globally, but Microsoft haven’t fixed Outlook (they have had 9 years to do so), to correctly display the signed data Inline (as the MIME headers indicate it should be displayed). So if you use the standard method, immediately signed emails are harder to read in Outlook. One can still use the inline signature method, but really Microsoft should fix its crappy MIME handling. Also requires users to understand keys to some extent, although that can be mostly hidden. If Microsoft supported PGP natively and shipped the plugin “as standard”…..

    S/MIME – 1. Requires everyone to pay for a certificate. 2. Requires you to trust organizations that are paid for a certificate not to take money from the wrong person. 3. Requires end users to master certificates. This is probably the solution that could be implemented fastest by a third party, as Microsoft Outlook family support it natively, and Microsoft ADS provides support for distributing certificates to corporate employees. Most other email clients have support as well (I’m guessing a lot of it is undertested!).

    Fundamentally the issue is changing a big installed base (IPv6 anyone?).

    Secondary issue is that alternative systems need to reach critical mass before they have anywhere near the utility of email, since replacing SMTP with a better protocol is easy (heck even X400 was better, although anyone who exposed the end users to X400 addresses needs shooting as a “inmate who is running the asylum” (Google it)).

    Worse, forgery (which authentication schemes fix) isn’t the problem most people perceive with email. Most people want SPAM fixed, they don’t want to know with certainty which spammer sent them an email, they just don’t want the email in the first place.

    And yes SMTP is well past its sell by date, not so much just the exchange of messages, but the bizarre formatting of such messages, and the various and diverse standards for exchanges (Jabber’s XML looks so tidy in comparison, not that I like XML especially – overhyped). Skype/MSN/Jabber all show one can deploy new messaging systems to a large installed base quickly. Replacement may be the best approach, but no one seems to want to do this, and not claim 100% of resulting business for themselves.

  58. Things are slooooooooooooowly getting there, check this out about some new tools for the proposed dns extensions:

    http://www.onlamp.com/pub/a/onlamp/2007/01/11/dns-extensions.html

  59. Matt,

    It is not only ridiculous but positively pathetic that in this day and age, we can’t prevent spam or supply any kind of “reasonable” solution to bulk spam, personal attacks from competitors and dealing with the laborious, day to day problems which unwanted e:mail messages create for the average person doing business on the internet.

    The only solution that I can foresee (considering my very limited technological abilities) is that anonymity has got to go! We should all PAY for our e:mail addresses and have various options available to us for private and/or business use.

    I have gone to great lengths to protect my website from spammers … yet they persist and have managed to not only break in and upload garbage all over my website (on every single page) but since being caught and having all their hard work reversed, they are now sending me messages daily and using my site to send them! I mean, come on! Some jackass actually has to sit there (on my site) and send every single message individually.

    How sad is that? They are pathetic losers with nothing better to do with their time … but they still manage to tick me off … and I guess (sadly) that seems to be their goal in life. It’s unbelievable to me. WHO on Earth has the time to do that? Don’t they realize the “junk mail” button is a very handy thing?

  60. The “corner case” you mention, is pretty heavily used. How do you get around it when you use authenticated email?

  61. I’m having a particularly nasty problem where someone has taken my domain name and is using it with random usernames to send out spam – e.g. sdfasdfsdaf@mydomain.org.

    Of course, most of these spams bounce, so my catchall account gets all the bounce notices. Most of the mail that ends up in my box is these bounced spam notices. (Plus the actual spam that’s directed at my domain.)

  62. I had to think of this posting when I got a mail from my ISP at home: “Swiss ISPs against Spam” – http://www.stopspam.ch/

    They’re pushing SMTP authentication, which is a step in the right direction. I don’t know many Switzerland-based spammers though :D, but it will help keep the zombie-pcs out of my mailbox. There’s also a swiss ISP who proxies all port 25 traffic, dropping all spam-like traffic with a warning to the user (who can allow traffic from his connection, if it’s legitimate).

  63. David Cary

    I’m getting a “Received-SPF: fail” message in the headers of some of the mail I receive at Gmail.

    I am all in favor of anti-spam measures, but something isn’t quite right in this case.

    I’m glad Google is phasing this measure in slowly, rather than immediately deleting messages incorrectly identified as spam.

    I think what is happening is:
    * I use a forwarding service.
    * Someone I know sends me email with all the wonderful “SPF” headers, and has a domain name that has “SPF” all properly set up.
    * My forwarding service forwards that email to my Gmail account.
    * Gmail checks the “SPF” headers, determines that my forwarding service is not authorized to send email on behalf of the original person, and (incorrectly) concludes that my forwarding service is a forger, forging the original “from” email address, and therefore probably spam.

    Is there some way to fix Gmail’s implementation of SPF so that I can use a forwarding service, and it correctly distinguishes between people who forge the “from” address and people who don’t?

    (p.s.: I suspect that
    http://en.wikipedia.org/wiki/Hashcash
    doesn’t have this problem …
    would it be possible to update Gmail to support it?
    Perhaps by letting my web browser calculate the Hashcash values in JavaScript ?
    Or at least allow me to calculate the Hashcash values in some other program and copy-and-paste them into Gmail?
    )
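
The forwarding failure described in the comment above, worked through as an added example (not part of the original comment, and not Gmail's code): a simplified SPF check run over constructed records for the hypothetical domains sender.example, forwarder.example and soft.example. It implements only the ip4, include and all mechanisms, and the envelope rewrite shown is the idea behind sender rewriting, not a full SRS implementation.

```python
import ipaddress

# Constructed DNS TXT data: documentation domains and RFC 5737 addresses.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for an envelope sender.

    SPF compares the connecting IP with the policy of the MAIL FROM
    domain. The From: header shown to the user is never consulted.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(client_ip, "x@" + arg, records, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this simplified subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def forward(mail_from, forwarder_domain, rewrite):
    """Return the envelope sender a forwarder presents on the next hop.

    rewrite=False: plain forwarding, the original MAIL FROM is kept.
    rewrite=True: the forwarder substitutes an address in its own domain.
    Real SRS also adds a hash and timestamp so bounces can be routed back
    safely; that part is omitted here.
    """
    if not rewrite:
        return mail_from
    local, _, domain = mail_from.rpartition("@")
    return f"fwd+{domain}={local}@{forwarder_domain}"


def scenarios():
    """SPF results as seen by the final receiver in four deliveries."""
    origin_ip, forwarder_ip = "192.0.2.10", "198.51.100.25"
    sender = "alice@sender.example"
    fwd = "forwarder.example"
    return {
        # Sender's own server connects to the receiver directly.
        "direct": check_spf(origin_ip, sender),
        # Forwarder relays with the original envelope sender intact.
        "forwarded": check_spf(forwarder_ip, forward(sender, fwd, False)),
        # Forwarder rewrites the envelope sender into its own domain.
        "forwarded_rewritten": check_spf(forwarder_ip, forward(sender, fwd, True)),
        # Same relay, but the sender's policy ends in ?all instead of -all.
        "forwarded_neutral_policy": check_spf(forwarder_ip, "bob@soft.example"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26} {result}")
```

The receiver only ever sees the last hop, so the fail on plain forwarding reflects the sender's `-all` policy applied to the forwarder's IP, not a defect particular to one receiver.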

  64. We could significantly slow the spam if we just accept mail from official ISP servers, and block home computers from connecting to our mail servers. The money angle for the ISP’s could be a fee to whitelist your home server, or a fee for a yourname@yourisp.com, or something similar…

  65. David Michaels

    Um, why can’t the post office filter out the junk mail that comes to my mail box every day?

    Spam is part of life. It’s part of a free internet. When a significant amount of customers demand a solution then one will come. At this point however the internet is similar to the beginning of the industrial age.

    Back then there was tremendous discovery and implementation of thousands of new methods of production and no standards. Today, there are standard ways of doing things that are common to almost all production facilities. These methods and procedures aren’t enshrined somewhere, they just exist as the “best” practice forged through a 150 years of trial and error.

    In 20 years computing and the internet will be radically different than now. Look how far we have come in the last ten years. When accessing the internet and programs becomes as easy as using a telephone then we will have arrived where we want to be. Right now we are still toddlers in the internet age.

  66. There’s nothing wrong with Ada, Matt.

    I’d be happy if email systems would recognize SPF for deliverability. I’d be happier if they’d block emails when published SPF records don’t match the sender. I’d be happy if Outlook would apply my rules *before* moving stuff to the Junk Mail folder.

    I’d love to have a flying car, but I am glad that everyone else can’t have one. I am the only person I would trust with a flying car – the rest of you bastards would probably crash into my house.

  67. email authentication is good but spamming email is harm to my single sending e-mail too much.

  68. One thing I can’t get rid of is splam. No matter how hard I try I keep getting crap emails.
