http://qs1969.pair.com?node_id=494751


in reply to RFC: Email 2.0: Segmail

If what you'd like to do is to solve the problem at hand (if possible) using existing tools/without introducing a modification to an existing protocol, try DSPAM and SPF.

Between those two things, and some fairly aggressive DNS-based host rejection filters, I get between one and two spam messages per month in my email inbox -- and my email address was out there on the internet before spam was an issue. If DNS-based host rejection isn't feasible, DSPAM will just have to work harder, but work it will.

In general, I think it unwise to fiddle around with things that work for their intended purpose, especially when desired additional functionality can be had for minimal effort.

Specifically (intended constructively, and offered in a friendly tone), I see your proposed scheme suffering from the usual problems -- your ++RECEIVING MAIL++ section details a mechanism that suffers from the same old problems inherent in unintelligent filtering and/or challenge/response systems. I don't see that you've worked around any limitations in any existing system or provided any functionality not already available in a mature product.

However you go about it, I wish you the very best of luck with your project.

Re^2: RFC: Email 2.0: Segmail
by superfrink (Curate) on Sep 24, 2005 at 17:32 UTC
    Whatever scheme someone thinks up will have to be adopted by enough domains before it starts to be effective. That doesn't mean it's not a good idea. Just that it's going to take a while so be ready to stick with the project. :)

    Recently my domain has been getting bounce messages to non-existent accounts. The reason is that spam is currently being sent with forged From addresses that are just some random name @ mydomain.

    I have had SPF set up in my DNS for a while now. I like it because it's pretty simple to set up. I don't have any issues where I try to send from different ISPs when I'm on the road, etc.

    I have learned that many domains do not use SPF. AOL, Gmail, Hotmail are some that do but many others don't. I've been emailing the whois contacts for each domain that bounces spam to me to tell them about SPF.

    (Side note: if your WHOIS contact information doesn't work I think you should lose your domain.)
      That is not true superfrink. The Segmail system works effectively even if only one person takes it up. It is backwards-compatible with current email infrastructure. It does not matter how many other people use it. That is the point.

      -Andrew.


      Andrew Tomazos  |  andrew@tomazos.com  |  www.tomazos.com
Re^2: RFC: Email 2.0: Segmail
by tomazos (Deacon) on Sep 24, 2005 at 17:42 UTC
    Hi Gloryhack.

    I think statistical junk mail filters like DSPAM and SPF are great, and better than nothing, but I can't stand the false positives. Losing any legitimate mail is not acceptable - and the reason most people have a junk email folder, and not simply delete it automatically.

    Segmail specifically will never have a false positive by design. No legitimate mail will ever get filtered. This is a big win, because it means you can delete stuff marked as junk straight away.

    As for the "same old problems inherent in unintelligent filtering and/or challenge/response systems", if you could state what those same old problems are - perhaps I could address them. I think you may be wrong, and many seem to agree with me.

    No offense, but it looks to me like you have glossed over the spec - and haven't taken the time to understand how Segmail works - before commenting.

    -Andrew.


    Andrew Tomazos  |  andrew@tomazos.com  |  www.tomazos.com
      I haven't seen a DSPAM false positive in many months. Once trained, it's exceptionally accurate and very low-maintenance. I've been using DSPAM for at least two years, and have been quite impressed with it. SPF is not a statistical filter.

      Your handling of mail received at an expired ("rotated") address looks to be a sticking point, to me. If Segmail sees an invalid password, "it marks it as junk (bounces it, deletes it, challenge/responses it, moves it to a different folder, whatever)". If a legitimate message is bounced or challenged, the sender might decide instead to abandon the contact -- this is one of challenge/response's sticking points. Legitimate message deletion is a big sticking point with unintelligent filters.

      You say that "No legitimate mail will ever get filtered", but what happens if a correspondent doesn't have your most recent address? "it marks it as junk (bounces it, deletes it, challenge/responses it, moves it to a different folder, whatever)". In any except the quarantine response, the legitimate mail will be filtered, perhaps into the bit bucket.

      Live like you want to live. I was merely suggesting that you consider alternatives that already exist and have been proven in the real world by thousands or tens of thousands of users.

        Hmm, I think you're missing how it works.

        Addresses are not rotated as a matter of course. An address optionally can be rotated if the correspondent exposes it or starts sending unwanted mail to you. This is an exceptional circumstance, and in this exceptional circumstance Segmail is no better or worse than any current solution.

        There is no concept of most recent address. The extra solution for exposing an address to the web and automatically rotating it is tacked on, and not the core of the solution. This extra solution is non-ideal, but still better than current solutions - or put another way - it can fall back to a current solution.

        I'm sure DSPAM is very good, but for some, any possibility of a false positive requires the maintenance of a junk mail folder. Some would like a solution where there was no possibility of a false positive, and hence no need to maintain a junk mail folder. Or in the abstract, I don't want a computer deciding which messages I want and which messages I don't.

        I have to take a closer look at SPF. I thought it was a statistical solution. Thanks for pointing it out.

        -Andrew.


        Andrew Tomazos  |  andrew@tomazos.com  |  www.tomazos.com
Re^2: RFC: Email 2.0: Segmail
by tomazos (Deacon) on Sep 25, 2005 at 07:52 UTC
    Okay, I've had a look at SPF.

    It suffers the same problem as digital signing. It requires that all of your email correspondents use it in order for it to be effective.

    As an email user, I don't have control over how my correspondents use email. The only thing I have control over is what email address I give them. By piggy-backing a username and password in the address I give each of my correspondents, I can identify and authenticate them - without buy-in from them.

    That is the essence of this Segmail spec - and what makes it different from DSPAM, SPF, Statistical Junk Mail Filters, Challenge/Response systems and Digital Signing.

    -Andrew.


    Andrew Tomazos  |  andrew@tomazos.com  |  www.tomazos.com
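
A minimal sketch of the per-correspondent address check described in the post above, added here as an illustration; it is not taken from the Segmail spec or from any poster's code. The `mailbox+name.tag@domain` format, the HMAC-derived tag standing in for the "password", and every name in the code are assumptions. It also shows the case raised earlier in the thread: mail sent to a rotated address is classified as junk no matter who sent it.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: a per-mailbox secret key
TAG_LEN = 10                           # hex chars of the HMAC kept in the address
# Assumed state: correspondent name -> current generation (bumped on rotation).
generations = {"alice": 0, "shop": 0}


def _tag(name: str, generation: int) -> str:
    msg = f"{name}:{generation}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_address(name: str, mailbox: str = "andrew", domain: str = "example.org") -> str:
    """Address to hand to one correspondent (hypothetical format)."""
    return f"{mailbox}+{name}.{_tag(name, generations[name])}@{domain}"


def rotate(name: str) -> None:
    """Invalidate every address previously issued to this correspondent."""
    generations[name] += 1


def classify(rcpt: str) -> str:
    """Return 'accept' or 'junk' for an envelope recipient address."""
    local = rcpt.rsplit("@", 1)[0]
    _, sep, ext = local.partition("+")
    name, dot, tag = ext.rpartition(".")
    if not sep or not dot or name not in generations:
        return "junk"                  # no credential, or unknown correspondent
    expected = _tag(name, generations[name])
    # Compare as bytes in constant time so the check leaks nothing about the tag.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return "accept" if ok else "junk"


if __name__ == "__main__":
    addr = issue_address("shop")       # constructed sample data throughout
    print(addr, classify(addr))
    print("bare address:", classify("andrew@example.org"))
    rotate("shop")                     # e.g. the address leaked to a spammer
    print("old address after rotation:", classify(addr))
    print("reissued address:", classify(issue_address("shop")))
```
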
      Again, good luck with your project. I hope it does for you what you want done.

      Just for the record: Of the 89,326 messages destined for my account and processed by DSPAM since I last reset the stats, it's been 99.6% accurate, with a 0.04% false positive rate. I haven't seen a false positive in several months. I see two or fewer spams in my inbox each month, and it takes me all of about a minute a day to clear my spam quarantine. DSPAM is a darn fine product.

      My anti-spam system consists of some DNS-based blacklists (one local, the rest third-party) and SPF on the front line, with DSPAM behind it. This configuration meets my goals, in that it stops network transfer of most spam and quarantines the rest. Yesterday, the front-line stopped 396 connections, 18 of them stopped by the local blacklist, seven by SPF. 66 messages got through the front-line and were processed by DSPAM (with 100% accuracy for the day). Most of the spam that gets through the front line does so by virtue of coming via hosts I remotely administer for others, where I'm known variously as webmaster, postmaster, hostmaster, and root, and webmaster is usually visible on the web. Without those, I'd have received only three messages in my quarantine yesterday, which is not bad at all for an account I've had for seven years that's been exposed (unobfuscated) on the web and in Usenet since day one.

      Again, I hope your project does for you what you want done, and wish you the best of luck with it.

        I am confused. When someone says I use a junk email filter and only get X false positive per month - How do you know that? How do you know you are getting 0.04% false positives?

        Are you checking through your junk email folder by hand by any chance?

        Doesn't checking through your junk email folder defeat the purpose of having a junk email folder? :)

        Segmail is trying to do away with that. Zero false positives by design.

        -Andrew.


        Andrew Tomazos  |  andrew@tomazos.com  |  www.tomazos.com