MS partners with IronPort's "Bonded Senders"

[ldyguique]

Email Marketing versus SPAM is a highly sensitive topic to those who want to engage in sending volume email on a regular basis. Many companies have created mailing lists for their registered users. These registered users have "opted-in" to receive email notifications and/or newsletters. To those who have registered, it's not considered spam--Although, at times it does seem to pile up like spam when one cannot get around to reading the incoming mail regularly. There is also a "gray" area -- where people have sent in a "Contact Us" response via a website for some specific information about a product or service. Does this mean that they want to receive regular and ongoing email from that company? Email marketers may believe so; however, they must include an "opt-out" within each email so that the recipient can say, "Hold it just a Minute!!!" Furthermore, many times, when one has signed up as a registered user of a site, there are additional boxes that one must uncheck about "receiving email from third party companies."

The public has become very reactive to the sheer volume of spam that they receive on a daily basis (hence, the creation of the US Federal law, "Can-SPAM," Jan. 2004. Karen Beaver has written a free e-book, The Definitive Guide to E-mail Management and Security, published by Realtimepublishers.com. She claims:

Quote:

Let's look at a real-world example of what spam could actually cost an individual organization. Say the average corporate user receives 50 e-mails per day (both legitimate e-mails and spam) Monday thru Friday and another 50 e-mails over each weekend for a total of 300 e-mails per week or 15,600 per year. These numbers are fairly conservative, and your spam numbers may vary. (Some reports state that as much as 70% or more of e-mail is spam, but I've seen numbers as low as 30%.) Let's take a good even number of 50% for this example. Given that on average, half of all e-mail is spam, we have a total of 7,800 spam messages a year for the average user!

• Spam comprises 55.1 percent of all e-mails (Source: MessageLabs' May 2003 Monthly E-mail Security Report)
• Microsoft claims that spam accounts for 80 percent of all Hotmail messages
• 90 percent of all spam received by Internet users in North America and Europe is sent by less than 200 spam outfits (Source: Spamhaus Project)
• According to a study performed by the Federal Trade Commission, two-thirds of spam contains false claims, 96 percent of spam offering business and investment opportunities contain false claims, and 48 percent of spam promoting health services or products contains false information.
• One day in early 2003, AOL blocked 1 billion spam messages; its previous high was 780 million blocked spam messages in one day (Source: Direct Newsline)
• 4.9 trillion spam messages are projected to be sent in 2003 (Source: Radacati Group)

Since email marketing is as legitimate an advertising media as television, radio, billboards, snail-mail, phonebooks, etc., email marketers have been hit hard due to the abuses of a relative handful of spammers. Spam has also proliferated because of its "free" nature. It costs a sender nothing to advertise via email versus the alternatives.

One company that has been working on a solution is IronPort Systems. Besides hardware solutions, they have also developed the Bonded Senders Program. where an organization can signup and pay for the ability to send mass email. Last November, InfoWorld reported that IronPort was negotiating with the email blacklisting service, SpamCop, to invest up to $1 million to keep it operational. There was also talk of an outright acquisition.

Today, IronPort, issued a press release, along with Microsoft, announcing their new partnership for allowing email marketers access to Hotmail.

MS opens Hotmail to bulk mailers

Quote:

Microsoft said yesterday it had introduced a white list scheme to allow well-behaved email marketing firms to reach its customers without falling foul of its spam filters. Marketing firms who post a cash bond of up to $20,000 through IronPort's "Bonded Sender Programme" will get guarantees that their message will be delivered to the estimated 170 million regular users of Microsoft's Hotmail and MSN e-mail services, providing they follow a strict set of guidelines. Firms who flout the guidelines - standards that exceed those defined in the CAN-SPAM Act - risk losing their money. The approach rewards marketeers who agree to be held accountable for the messages they send. Microsoft has been working on the programme with IronPort for five months but the arrangement was only made public yesterday. With the support of Microsoft, more firms are likely to adopt the scheme. Good news for Ironport's sales team. Microsoft is behind the idea because it wants to reclaim email marketing from criminal spammers. For end users the scheme makes it less likely that messages they have requested from companies they do business with will be blocked (i.e. fewer false positives).

Since most of us have wanted a solution that will allow "legitimate" mass mailing to reach us, this may very well be a solution that will work for some. At first glance, the initial price of $1375.00 for a combination of application fee, license fee, and bond seems pretty steep for the category of "500,000/month." However, since US bulk mail is a very expensive advertising venue, the price drops to a "relative" expense, especially for an email marketing firm, who might handle mass mailings for multiple clients and still come in at less than 500k per month. It will seem quite expensive for the individual small business. However, to believe that one can develop an entire business without any direct costs of advertising just because it's the "internet," is unrealistic, too. Many businesses are developing websites and email programs for a substantially lower cost than any other form of business advertising.

The US has had a long-standing statistic that one out of four businesses fail during their first year of operation. These are "bricks and mortar" storefronts, where the costs of setting up far exceed the costs of an internet business. I suspect that the number of failed internet businesses exceed the 1:4 ratio, albeit at a far smaller cash outlay startup cost.

This should be a means of expanding existing email marketing companies into a more legitimate realm -- setting up packages for mass mailing under a single license.

[thusmann]

It's about Time! Email advertising has the potential to reach worldwide markets and, when used wisely, can help a small company compete with the giants.

By forcing companies to purchase the bond, they are effectively ensuring that those companies meet a certain standard when sending email advertisements.

We should keep this thread alive by adding a list of companies who have paid for the bond.

[Conficio]

Wow, sounds good on surface. However the consequences are:

• Not affordable for small businesses
• Micro$oft and its partners decide who is in and who is out
• It is not my decision, but there's
• It excludes Non for Profit organizations or simple social movements
• It kills open source communities, non commercial newsletters, etc.
• Small business might be able to afford the bond, but how do they afford the legal costs of a dispute?

The solution is so much easier, sign your e-mail with public keys and give me a filter that sorts based on how much I trust the signature. This system is based on the same principles as SSL, which is trusted by millions of online shoppers every year. It allows for companies to have their e-mail signature keys signed by the big trust companies and private people just co-sign the signature key among friends, etc.

Advantage - I can revoke a key, that is compromised! Also it is as good a solution for the big guys as for the little guys. $20,000 is a steep barrier to entry for small companies and it is even steeper for companies outside the US.

Just my point of view.

K<o>
P.S.: Did you know that Microsoft established a trust company themselves, issuing its own root certificates? I have not much trust in them. This company is convicted of misusing their monopoly power. They also can't build secure and stable enough systems to withstand a Denial of Service attack. They need to hold >50 billions of cash (the share holders money, more or less, earning a return of <2% annually over the last three years) to defend against potential legal liability. Why should I trust them?

[ronniethedodger]

Paid Spam Inclusion eh? I don't think this is the answer. It goes against everything the web stands for. Now you have to pay to send email to go thru, where will it stop.

One thing that will happen is that they will all sign onto this, and rely on it. Then all other mail gets put in the roundfile....newsletters, personal mail...blah, blah. The cost of email will go up, and so will your ISP charges.

And I find it ironic that Microsoft is partnering with Yahoo on this spam deal. You can reduce your spam by 90-95% by blocking two domains....yahoo.com and hotmail.com. Now they want you to pay them to keep the spam coming thru...hehehe. Is there something wrong here or what?

Seems to me if a Web Host or ISP is notorious for a harboring spam (like yahoo and hotmail) then they should be blacklisted for the entire domain until they clean up their act and get their own house in order. If their mail is not accepted, I guarantee you they will put a stop to it or lose the good customers (who are being blocked too).

Nip it in the bud at the origin before it even goes out. They have the ability to monitor mass mailings from their own services. In the case of the free services, it should not be allowed. Both Yahoo and Microsoft should be shot. Now there is a new Free Mail service in Russia ... mail.ru which is getting into this act too.

I am with Conficio on this. It is bad for small businesses that cannot afford the bond. It is commercialization of the net and will turn it into a pay service for what is now free advertising.

[Islands]

Sounds like extortion to me! "If you want to talk to my customer, you have to pay me first." If I were the client of that ISP I would be outraged that they're selling my e-mail address to the highest bidders. I don't know of any ISP that I trust enough to let them control what e-mail I can receive.

BTY: Iron Port is being sued by a spam outfit over their SpamCop opaque blacklist policy.
http://news.com.com/2100-1024_3-5210518.html

[Conficio]

Quote:

Originally Posted by ronniethedodger

And I find it ironic that Microsoft is partnering with Yahoo on this spam deal. You can reduce your spam by 90-95% by blocking two domains....yahoo.com and hotmail.com. Now they want you to pay them to keep the spam coming thru...hehehe. Is there something wrong here or what?

Seems to me if a Web Host or ISP is notorious for a harboring spam (like yahoo and hotmail) then they should be blacklisted for the entire domain until they clean up their act and get their own house in order. If their mail is not accepted, I guarantee you they will put a stop to it or lose the good customers (who are being blocked too).

Nip it in the bud at the origin before it even goes out. They have the ability to monitor mass mailings from their own services. In the case of the free services, it should not be allowed. Both Yahoo and Microsoft should be shot. Now there is a new Free Mail service in Russia ... mail.ru which is getting into this act too.

Hi Ronnie,
thanks for the support. However, I think you are somewhat mistaken, in regards to SPAM originating from Yahoo and Hotmail. These return addresses are forged and falsified and if you try to respond to them, you will regularly find the address to be non existent (never existed, not just shut down). I'm a Yahoo customer (paying even), and their SPAM filters work well. Actually they work too well, as they pick many false positives, basically anything that does have a mass audience. That is probably why they call it BULK filter. However, I do want BULK mail from certain sources (like political activist campaigns, my ISP, etc.). So I end up pulling all mail from Yahoo and applying my personal SPAM filter on it.

What I find ironic, is that Microsoft delivers an operating system, that needs two extra components to make it Internet secure (called a firewall and Virus software).

Now they try to extract (or at least support) an E-Mail advertising tax. I wonder why they call this whole thing a cooperation between MSN and the vendor of this bonding service? Why is it not called "MS licensed the technology of ... for X million smackers"? What are the dealings of this? Who pays whom?

Lets work for a better future and preserve our freedom. Lets make our voices heard.

K<o>

[ronniethedodger]

Quote:

Originally Posted by Conficio

I think you are somewhat mistaken, in regards to SPAM originating from Yahoo and Hotmail. These return addresses are forged and falsified and if you try to respond to them, you will regularly find the address to be non existent (never existed, not just shut down). I'm a Yahoo customer (paying even), and their SPAM filters work well. Actually they work too well, as they pick many false positives, basically anything that does have a mass audience. That is probably why they call it BULK filter.

No, I am not confused. But it appears you may have misinterpreted what type of mail I was referring to. I was NOT referring to Yahoo's abilities (or lack of rather) of filtering inbound spam to it's mailboxes. I was referring to outbound mail from it's mail.yahoo.com domain. These are two different things entirely.

But since you brought it up, SpamGuard is a joke. We have mailboxes from Yahoo Store and I can attest to that. I also have a free mailbox from Yahoo and it is no different.

It was just recently that Yahoo turned off the storage quota for mail contained in the Bulk Mail folder too. Some think that was in response to the coming of Google's Gmail, but I think it was more like their inability to do effective filtering -- and that lack of ability often filled the quota allotment very quickly.

The problem I have with this is that they are teaming together in what appears to be a pay-to-send program for mail that is inbound to their mail system, but they are doing nothing to curb the outbound spam that is being issued from it.

Putting up a bond just so your mail can go thru to these two domains alone is setting a dangerous precendent IMO. It also does nothing about cleaning up Spam being generated from those domains either -- which are probably the "bulk" of the problem.

It seems to me that they should put the whitelist or whatever you want to call it into the hands of an impartial registrar-like entity. Much like paying for a bulk-mail permit with the US Postal Service -- you would pay a nominal annual fee of $30 or so of which you get a registered certificate to issue bulk mail (such as product offerings, newsletters, yada yada).

In order to get the certificate, you would have to disclose and/or prove your identity. This is no different than the move by ICANN's crackdown on domain registrations in this area.

All ISP's and Web Hosting companies will participate by checking to see if any bulk mail that originates from their servers has this certificate before sending it out. If they the sender does not have the certificate, then it stops right there before at the point of origin. This is a very simple thing to do and does not require any fancy filtering to implement. No certificate means "no send".

Any inbound spam coming into the hundreds to thousands of mail servers without the Certificate can be identified as to where it is originating from. If their mail server is not doing their part to stem spam coming from their servers, then you blacklist the entire server and all servers in their control ... period, end of discussion.

Is this harsh? No! If you are not part of the solution, then you are part of the problem.

You cut the head off right there in essence -- their servers go on the "blacklist". They either clean it up and get on the bandwagon, or their mail does not go thru.

The small annual fee is not a burden for the small business owner. It also puts the liability of spam generation where is should be ... at the point of origin. And the validation of inbound mail is easy to check too.

[elvis1000]

I imagine we still need to have the ip and date stamp from the opt-in correct? Or is it you pay the bond and mail bomb to every conceivable yahoo email address? I kinda doubt the latter is true. If it is, lets get our check books out we'll get 50 people to go in together and mail from a central source.

[Conficio]

Quote:

Originally Posted by ronniethedodger

Quote:

No, I am not confused. But it appears you may have misinterpreted what type of mail I was referring to. I was NOT referring to Yahoo's abilities (or lack of rather) of filtering inbound spam to it's mailboxes. I was referring to outbound mail from it's mail.yahoo.com domain. These are two different things entirely.

Sorry Ron,
I did not make myself clear. The mails you get from Yahoo are falsified in their return addresses. See bold part above. I should not have mixed the two things up in one paragraph.

Quote:

Originally Posted by ronniethedodger

In order to get the certificate, you would have to disclose and/or prove your identity. This is no different than the move by ICANN's crackdown on domain registrations in this area.

All ISP's and Web Hosting companies will participate by checking to see if any bulk mail that originates from their servers has this certificate before sending it out. If they the sender does not have the certificate, then it stops right there before at the point of origin. This is a very simple thing to do and does not require any fancy filtering to implement. No certificate means "no send".

Any inbound spam coming into the hundreds to thousands of mail servers without the Certificate can be identified as to where it is originating from. If their mail server is not doing their part to stem spam coming from their servers, then you blacklist the entire server and all servers in their control ... period, end of discussion.

That won't work, as long as you can falsify and forge all elements of an e-mail. The source address, the mail server it is coming from, the "To:", the content and any other field or content.

What you need, is some sort of cryptographic verification, that the owner of this cryptographic key, has really written the e-mail. This is called a digital signature and is what I proposed in my post. I only think we do not need another ICANN, that regulates the Internet under California law (yes it is true, ICANN is a corporation thet is regulated under California law!). The rest of the world is much bigger than the US and we need international solutions. As well as it is against the spirit of the Internet to use central systems, as the whole idea of th eInternet is to use distributed robust systems and protocols, that have no single point of failure.

Kind regards
K<o>

[BKamau]

Listen Conficio:

The answer to every problem for a major corporation like Microsoft and Yahoo is to pay them more money. Now the only way they can solve the spam problem is to pay them money. When small business owners have to pay to deliver email its all over for small business online. This will have an adverse impact on the Internet economy.

I have had online and offline businesses, and I would never have an offline business again (unless it is totally homebased) because the overhead is exorbitant. The Internet is an equalizer where people with good ideas can run a business, not just elites with large amounts of capital.

I think it is ironic that Microsoft and Yahoo, two of the most abusive and monopolistic companies on the Internet, are going to take the moral high ground on spam. They are just trying to handle the problem in a way that enriches their pockets. Like an earlier writer said Yahoo can't even control the spam coming from Yahoo. I am not talking about spoofed emails either.

It seems people who take these positions are more apologist for major corporations, than really trying to solve the spam problem. Many Internet gurus who are making a lot of money already are advocating many of these positions because it becomes cost prohibitive for new competition to emerge to challenge their positions.

Learning to build viable ebusinesses and large opt-in email subscriber lists are hard enough. It usually takes years to master business on the Internet. Now you want to throw in paying to send email too.

I also want spam stopped. Judging from the fact that we seem to be getting the same spam from a few individuals (there only seems to be a few products sent out over and over again) I think if we arrested them it would stop.

My solution would be for small businesses to form a non-profit organization (where they pay dues) and develop a key based or whitelist technology which they lobby Yahoo - AOL - and Microsoft to accept. We create a board and volunteer system to audit members email lists etc. This non-profit model has worked well in the offline magazine and newspaper publisher's world, with organizations like ABC and BPA (of course their problem was verifying subscribers where ours is both subscribers and spam issues).

This is the only viable option, because If profit based companies are allowed to charge to deliver email they will forever raise prices for higher and higher fees, until the online world becomes like the offline world. You will need to put up the equity of your house, or your retirement money, on the line to start a business. This is not the right way to go. A non-profit based model with these technologies is the way to go.

[John Glube]

A couple of comments:

Internet Service Providers are confronted with a couple of problems:

* Spoofing and phishing. Spammers rely on the open nature of the simple mail transfer protocol to spoof or fake the from line and the domain.

The solution for this problem? Sender authentication.

Presently, the IETF has created a study group to review a number of different proposals, with the objective being to develop a set of specifications by the fall, allowing for widespread implementation before the fall shopping season.

* Zombie computers. With black list operators like Spamhaus being reasonably successful in identifying open relay systems, spammers have been using viruses to take over computers with open dsl or cable connections and using these to send out their "stuff." The result? ISP's are now blocking volume email sent from cable or dsl IP addresses.

* Filters. It is common knowledge within the industry, the filter systems set up by the ISP's have been causing major problems for permission based email marketers.

The suggested solution? Message authentication.

Habeas started the trend about two years ago. At the time, some in the marketing community protested long and hard about the need to pay for delivery.

Iron Port's Bonded Sender service is merely a continuation of this trend. However, the pricing is structured so as to make it cost prohibitive for the average SOHO.

(This is the same problem with the .mail proposal presently before ICANN.)

I agree with the comments of BKamu "the Internet is the great democratizer." It has created a level playing field allowing the individual entrepreneur to compete effectively with the large corporation.

With Microsoft deciding to adopt Iron Port's Bonded Sender program, especially given some of the statements made by officials of the program, there is cause for concern.

(For more on this people may wish to read an article titled Is Microsoft Getting Into the Anti-Spam Business)

What then is the solution?

* Recently, as many people know, the FTC issued a call for comments under the Can-Spam Act of 2003.

(If you are not familiar with this call and the significant issues for permission based marketers, read The FTC Wants To Hear From You. The formal call for comments on the do-not-email-registry closed on March 31 and on April 20 for comments on the other areas raised by the Commission.)

So, what is the point?

There were a number of filings which make interesting reading.

The first comment I suggest people read is that filed by The Electronic Privacy Information Center in support of a registry system for domains.

Although there are couple of points which require adjustment from the e-marketers perspective, the underlying thesis makes sense.

The other comment is that filed by the US Internet Service Providers Association in opposition.

Members of the US ISPA include America Online, Inc., BellSouth, EarthLink, MCI, Microsoft, SAVVIS, SBC, Verizon.

In reading between the lines one is left with the impression these organizations are opposed to any form of registry system as it would:

* Prevent them from continuing to sell access to their subscriber base to opt-out marketers (a polite term for commercial emailers or spammers); and,

* Thwart any plans this group might have to charge access to opt-in marketers by way of message authentication systems.

(Yes, I appreciate Iron Port is not owned by Microsoft, yet.)

Given message authentication is potentially a valid approach in dealing with the "filter problem," what is the solution?

The Commission establish a domain registry system as suggested by EPIC with the following modifications:

* A licensing system be established. Want to send email? You have to obtain a license. This means you would have to provide your data.

Licenses could be divided into two classes, people who want to simply send email for personal purporses and people who want to send solicited commercial email and transactional or relationship messages.

To obtain a personal license you would have to agree to abide by the Netiquette Guidelines, being RFC 1855 published October 1995. There should be no cost to obtain a personal license.

To obtain a commercial license allowing you to send solicited commercial email, or transactional or relationship messages you would have to agree to comply as a minimum with the document titled How to Advertise Responsibly Using E-Mail and Newsgroups or - how NOT to $$$$$ MAKE ENEMIES FAST! $$$$$ being RFC 3098 published April 2001 and the CSA.

There should be a nominal fee to obtain this type of license.

The benefit of this system? Licensed senders would be then granted a unique code to include with their messages.

Want to register a domain? Not a problem, but you have to agree to the following:

* Utilize a standard open source sender authentication protocol as approved by the IETF (this will help to reduce spam); and,

* Utilize a standard open source message authentication protocol as approved by the IETF allowing the email of licensed senders to pass through your gateway filters for delivery to individual subscribers.

To ensure access, folks from all over (not just US citizens) would be able to obtain a license.

The registry and licensing system could be maintained by the Commission but operated by one or more private concerns.

A couple of additional comments:

* The underlying problem with email is the open nature of the SMTP. We need to move to a closed delivery system to ultimately have any realistic chance of reducing spam to manageable levels over the long term.

(For more on this topic, you may wish to read Is The Writing On The Wall For Spam.)

* At this juncture, the problem in large part is the Internet Service Providers are all over the place. Although decrying spam, the ISP's appear unwilling to take the necessary steps to deal with the issue in a fashion which is in the best interest of the community as a whole and not simply in their own self-interest.

(The adoption of Bonded Sender by Microsoft is a case in point.)

* Many people will not look kindly upon any sort of government imposed regulatory system. Fine.

However, if the community as a whole can't get its act together and there is continued chaos in the market place, what is government's role?

Even if the Commission were to announce a plan in the morning, it would not happen overnight.

Why? The Commission has to file a report with the relevant Congressional committees by (I believe the date is) June 17, 2004 under sub-section 9 (a) of the CSA "that--

(1) sets forth a plan and timetable for establishing a nationwide marketing Do-Not-E-Mail registry;

(2) includes an explanation of any practical, technical, security, privacy, enforceability, or other concerns that the Commission has regarding such a registry; and

(3) includes an explanation of how the registry would be applied with respect to children with e-mail accounts."

Presuming the Commission files a favourable report along the lines suggested, (my proposal is just that, a proposal) subject to certain caveats as to implementation, what is the benefit?

It brings significant pressure to bear on the 'players' to start moving in the right direction.

How come? The earliest the Commission can start to move forward with any plan is September 17, 2004 under sub-section 9 (b) of the CSA.

* With the need for the IETF to develop a standard protocol for sender authentication (likely by the fall) and message authentication (no set timetable yet), even though the Commission could start the process, full implementation would not be realistic until some time in 2005.

(If you are not familiar with the IETF read this document.)

This means there would still be time for the 'players' to get their act together and show the Commission the market can properly regulate itself without the need for such dramatic intervention.

There is another reason why I am suggesting this approach. The SOHO online community needs a champion to deal with what I call the forces of nature, being organizations like Microsoft.

The Commission's role is to protect the consumer while promoting 'fair' competition. With the 'Net have the potential to being the great equalizer, who better to act as the SOHO champion in providing consumer choice while ensuring 'fair' competition?

John Glube
Toronto, Canada

[Conficio]

Hi John,
thanks for the very extensive reply. I didn't get through all the reading, but it strikes me as over complicated.

Why do we need any sender authentication, other than what is already there? If I sign my e-mail, I basically did authenticate myself. Yes I did not sign my header information, but I did sign the content which is as good as any signature (and the required part of any spam) and acts like an added header field identifying the sender.

If now my spam filter sorts e-mails based on their signature in the following piles:

• white listed by a signature I explicitely trust
• grey listed by a signature that is backed by a CA or co-signed by someone I white listed.
• blacklisted by unknown or no signature at all

I would simply read white listed e-mail, browse grey listed for some tidbits of useful information. Yes in general I think un-solicited e-mail can be of use, if it comes from credible sources (signature confirmed by trusted source). and just dump everything on the blacklist.

This is easy, does not need any protocols, just some added functionality in the Mail User Agents and/or spam-filters to manage the white and blacklists and the key ring.

And it does have the ISP interfere with my e-mail! Over some period of time it will try up the SPAM swamp, as not enough people will read the black listed e-mails. And if they still continue to be commercially viable, then I believe it is their freedom to do so. At least everyone can choose to opt out from the misery. If ISPs really find out it does not solve their problem (transporting >50% of e-mail that is SPAM), then they require their customers to use a signature co-signed by them.

Just my simple thoughts
K<o>

[John Glube]

The concept is relatively straightforward:

* The problem? The open nature of SMTP and the failure of Congress to move to an opt-in regime.

* The solution?

The first step is a domain registry system. If adopted it moves the US to an opt-in regime. It also can aid ISP's in dealing with offenders.

At the same time, you move to a closed email delivery system.

With sender authentication, this allows ISP's to block from delivery email which is not 'sender authenticated.'

How? A simple add on to the mail transfer agent.

(You can't achieve this objective with 'signatures,' unless people are prepared to register their 'signatures.' Given security concerns, etc. this makes impratical the use of signatures as a means of verification.)

By combining a licensing system (which some may object to) with an open source message authentication protocol, you deal with the filter problem and step around the attempt by Microsoft and others to control email.

The reason I went to great length was to lay out the framework as some of the underlying concepts are fairly complex.

However, as I said, mine is simply a proposal.

One advantage of the approach I am suggesting?

Leave in the licensing approach, but simply have the Commission establish broad parameters for appropriate message authentication systems.

This would leave room for proposals along the lines put forward by Bkamu, along with private sector solutions.

John Glube
Toronto, Canada

[ronniethedodger]

Yahoo Releases E-Mail Standard to Fight Spam
Reuters Tue May 18, 2004 05:08 PM ET

Internet portal Yahoo Inc. on Tuesday released an e-mail standard that prevents "spam" marketers from hiding unwanted messages behind legitimate e-mail addresses.

The technique, if widely adopted, could help Internet providers more easily block the unwanted bulk messages that currently account for up to two-thirds of all e-mail traffic.

Yahoo's proposed standard, known as DomainKeys, would embed outgoing messages with an encrypted digital signature matched to a signature on the server computer that sends the message.

Internet providers could check the signatures on incoming messages and block those that do not match up.

The procedure would be invisible to regular e-mail users because it would be implemented by e-mail providers, Yahoo said on a Web page describing the standard at (http://antispam.yahoo.com/domainkeys).

More of the story at http://www.reuters.com/newsArticle.j...toryID=5183726


You got to hand it to Yahoo. I think this is great step in the right direction.