We need to start from scratch, with a new system capable of embracing,
extending and exterminating the current system, while preventing spam.
(Dubbed "ENG" (Next Generation Email) for this thread)
At the heart of NGE is the following idea: Deprecate '@'. It was a very good
choice, but is tainted with the taste of spam. We need to switch to another
character. I find any of the following acceptable: !#%&~|{} This char is
called the 'promoted' char. The old '@' is the demoted char.
This new symbol will only be used by the NGE system. Use of it will require
advanced capabilities by the sender and receiver. If no such capability
exists, (the next-generation-ness was lied about) it modifies the address to
use the '@' character.
The I'd deferring technical details to those who have thought about it more,
but I'd like to offer up a few technical things:
1) username{whatever-character}(_at_)domain(_dot_)name is still the same
account to the
user. The user will never need to know the difference. Optionally, they can
learn that emails using the new character are always legit.
2) After wide-spread adoption, spam filters (user-based) or servers
(organization/ISP-based) can be set to drop incoming unsolicited mail using
'@'.
3) we can still run SMTP, just they need a patch for the new separator. This
NGE system will/can talk SMTP to the local host (SMTP mail server) for easy
upgrading. Note: SMTP hosts must be configured to talk to local host (or
trusted) addresses only!
4) The NGE software (receiver side) will be required to verify the sender as
legit. How this is done needs to be discussed. Once legit is decided it can
be promoted (if we want to be aggressive and try for NGE capabilities
anyway, and it passes) or demoted.
On to my technical approach:
I'm entertaining using signatures issued by the ISP, and verified against
the server in the ISP's MX record. If an ISP sees too many inquires for a
user, then that user maybe flagged as spammer, and the account can be
suspended/revoked/throttled back. Eventually the sender will exhaust his
checking accounts or credit card numbers at the ISP and he'll have to move
to a new ISP. The key to this approach is to keep the limits low, make let
them only get off a few hundred before they are yanked. Also watch the
undeliverables. It is rare for me to send to a wrong address, maybe 1 a
month. Surely 10 a month is reasonable? (And they'll all happen in minutes!)
The problem with the above is the MX record can be untrustworthy AND
spammers can multiplex through multiple accounts and/or ISP's. Maybe certs
from a Cert Authority is to be required on the MX?
Multiplexing through accounts (as to not trip the send/sig inquiry limit)
should still trip on the undeliverables as well. (At this point I might
recommend planting invalid email addresses on the web so the spammer using
email address gathering from web pages will trip the undeliverable limit)
Thoughts/comments/suggestions?
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg