incrediBILL - 2:03 pm on May 24, 2007 (gmt 0)

The "I have mail for you" is still spam.

The simplest solution to this mess has always been to add an origin of email tracking system on top of the existing SMTP system.

Concept is a trivial email sender handshake system:

a) you only accept email that originates from the domain in the "FROM" field
b) when an SMTP connection is made, you make a new connection back to the originating SMTP server by domain name the get a list of EMAIL ID's being transmitted
c) all email lacking a valid EMAIL ID from the current connection is rejected.

You could still use pre-existing SMTP sites, optionally over time requiring ONLY connections that support the new EMAIL ID delivery verification system. Before full adoption of this methodology you could tag email that was ID VERIFIED vs NON-VERIFIED which would make it easy to sort out the most likely good from the probably bad with very few false positives.

There would be no way to spoof existing domains using this method so all of the email would have to originate from the source it claims to originate from or bounce, easy enough.

This would mean spammers would have to pay for a new domain for each spam run, as that's about how long it would take to lose the domain. Gets expensive real quick and the pressure would be on the registrar to stop selling spam domains after repeated spam abuse reports. These domains are easy to spot as you can reject email from any domain registered within the last 14 days to make sure they aren't "tasting" domains for free.

Now if you want to make it more costly for spammers to spam, require that each mail server have it's own SSL certificate and only accept email from properly secured servers. Then losing a domain name would also mean losing an SSL cert as well, also allowing pressure to be placed on the SSL providers to stop selling to spammers.

Whatcha think? :)

[edited by: incrediBILL at 2:06 pm (utc) on May 24, 2007]