That's it. I've had enough. I'm fed up.
I don't know exactly when it happened, but an amazingly complex and ad-hoc ecosystem of spammers and spam filtering solutions (SpamAssassin, blacklists, IP rate limiting, Bayesian filters, keyword blocking, and more) has resulted is such an unreliable (or maybe unpredictable?) that I've simply lost faith in it.
It used to be a rare occurrence that a message I sent didn't make it to the intended recipient's inbox because of some overly aggressive filtering. No more. It seems to be happening on a weekly (almost daily) basis now.
The system appears to be, for lack of a better term, fucked up beyond all repair.
There are technical solutions like SPF and DomainKeys that try to attack part of the problem, but they really aren't cutting it.
It's no wonder that the younger generation seems content to throw away email addresses every year or so and prefer to interact via the messaging systems offered by social networking services (or SMS).
I send and receive a fair amount of email every day. I've been doing since well before spam was a Real Problem. I've seen little if any forward progress on this in recent years. A lot of talk, but no answers.
Despite my praises of Gmail's spam filtering, something changed a while back and it hasn't been the same since. How I long for the days when I didn't need to look in the spam bucket...
What are we doing to do? Use a Twitter like service? Go back to sending things via the postal service?
Some days I wish that Paying to Send E-Mail had taken off.
Am I the only one?
Posted by jzawodn at March 05, 2007 08:42 PM
Yeah.. SPAM is becoming a major problem for me also. Sometimes I check my spam folder first ;-) Whats the intention of spammers these days? Is it changed?
I tend to blame spam laws which don't go far enough. If we stuck a few spammers in prison for a few years, I think we might see a flow on effect...
Wasn't the first "email is doomed" article written in about 1993? I'd love to see spammers do hard jail time.
I agree with Alden to a certain extent here. If Congress actually drafts and the FBI, police, etc actually *enforce* anti-spam laws then the problem, at least as far as it is originates in the US, would be partially diminished.
But Jeremy makes a good point in looking at alternative communication mediums as a way of combating spam. Sadly, though, none of those are inherently much more resistant to spam attacks. (Witness what's going on on Digg or MyBlogLog -- if you can build it, then financially motivated people of dubious integrity can game it.)
Oddly enough the problem can be reduced to a single common pattern: If you want to let people you *don't* already know and trust communicate with you in any form, then you are opening up a vector for unsolicited messaging. From email to SMS to IM to social networks, it's all really the same problem, just a different way of getting a message in your mental inbox.
I suspect that the best middle ground will eventually be found in some form of trust networks. Take LinkedIn, for example. The service can be spammy if you let any old Joe Recruiter send you an invite, is actually relatively spam-free if you restricted your inbound messaging to friend of a friend (i.e., by-way-of-referral) only.
The same could hold true of a email-like messaging system. We just need someone to take the lead and get us there. Yahoo? Google? Microsoft? We're all in a good position to push on this one.
Thing have actually been better for me recently in both directions.
1. Image spam was a problem a few months back, but a combination of SA + FuzzyOcr and some scansets fixed that (see http://forum.robm.fastmail.fm/spam/ for some example transforms that turn the hard to read image spams into easy to read ones)
2. Most of the "scam spam" I get actually goes to my address listed at cpan, strange I would have thought, but nice since I don't get much at that address, the few that get through are easily seen
3. False positives with SA have been low for me
4. If you're using forwarding services, then SA doesn't search back through all Received headers to do all RBL checks, which means you can be testing the forwarding service against RBLs, not the true source. I had to hack SA to allow tracing back through "trusted" hosts.
1. A lot of services actually seem to be 4xx responses these days if they think your site is suspicious rather than bouncing, this is actually quite nice because it means if you realise there's a problem and fix it, your emails will get through
2. I haven't had any emails go missing from what I can tell. I certainly haven't noticed any recipients I sent to not replying
I'm not sure it's the email system itself that's broken, it's currently just the easiest to spam. Even if we "fixed" it, spammers would surely just move on to the next easiest system and fine ways to compromise it instead. And if we move to a "closed" system, we end up with one or two winners who control all the customers, and where are we then?
Currently there is one big win that would kill the vast majority of spam. All ISPs block port 25. The vast majority of spam comes from user compromised machines. Stopping them sending spam by blocking port 25 would be a big win
Of course, as soon as you do that, spammers will move on, but at least the next steps are harder.
For instance, the real worry at the moment appears to be a new set of trojans that actually use webmail services to send their spam, rather than sending directly via an internal SMTP engine. See:
The thing is, this quickly cuts down which providers can keep their outgoing email under control and which can't. It certainly still slows down the spammers from hundreds of emails a minute that you can do via SMTP with no potential for stopping the machines. With a webmail system, you have an intermediary (the webmail provider) and they can detect and block the appropriate accounts.
Have you tried Yahoo Mail lately? :)
All kidding aside, I have yet to notice a false positive on Yahoo! for at least 3 years now, which was the last time I was alerted to the fact that an email went missing.
And I do scan through my Bulk folder now and then looking for them.
Gmail still works for me, its catching 300+ per day for me, with me manually deleting only 1 or 2 per day now. Havent found any good ones in the spam can yet.
Ironic that you use email for your comment checking :-)
I know some ppl will hate me for saying that, but "greylisting"( e.g. "postgrey") still works quite well these days. It only works if you run your own mail server, but ...
The way to do it is simple - set up your email so that it works on a completely exclusive basis - people can only email you if you let them. So a new contact has got to send you a notice that they want to email you, and if you accept, then they can email you afterwards directly.
Kinda a system of opt in permission emailing. Then, spammers can't even get the email to you in the first place. And if you need to email someone, you just send them the opting in request whatever, and then wait until they accept.
you're not the only one jeremy. i've let the folks know at work where i am that if they really REALLY want to get hold of me, throw me a Skype chat message, as i barely check my email anymore. email is screwed as a communication medium.
and to think ,back in the 90s , i used to get really interesting mails from folks that were interested in the same things as i am ,as i used to post my mail address on bulletin boards. interesting conversations resulted. nowadays thats practically impossible.
I've left plenty of rants in your comments before about Y!s email, now you know what I'm talking about!
It has been FUBAR for a long time now.
Web feeds is the new email:
* delivery done by the author
* reciever chooses who to recieve messages from
There would need to be some frameworks in place, of course, as you'd need separate feeds per recipient and authentication (open id?).
If web feed readers are lacking (and they are), an IMAP interface could even be created... You could even have a SMTP-to-blogging-API interface.
Oh well ... So many possibilities, so little time...
I use gmail, not for much, very very little of it is email from actual people. I get some from a couple forums, some from a few web sites who's newsletters I don't mind too much, and not a lot else.
Yet I've got 4500 spam emails in gmail at the moment. It's not filtering out as much as it used to, I've had to start reporting stuff as spam recently.
So yeah, to me it's already a medium that's half dead. I do use stuff like IRC, forums or IM clients more for communicating with actual people these days. Email is more of a service I need, than one I actually like to use these days....
Perhaps we could just throw a few email spammers into a pit with some people who actually try using email and see what comes out....
it's certainly one of the more tiresome facets of the internet...
In your previous post on "Paying to Send E-Mail," you write: "I know this idea isn't perfect. Viruses that send e-mail via Outlook would end up costing you money."
That would be a feature, not a bug.
The reason computer security sucks is the same reason spam sucks: costs have been shifted and there is no accountability.
If the use of insecure computer software would actually cost people money, they would demand better software. An insurance market would be created and people could start making rational choices about security with their own pocketbooks. Shoppers would think: "I was thinking of buying Windows, but $30 a month for hacking insurance seems awfully expensive... what alternatives are there that might be cheaper?"
Isn't it a bit silly that consumers can walk out of Best Buy with a boxful of incredibly insecure software that can collectively cost millions of people around the world days of lost time, and not even *know* it? Isn't it crazy that (whether they know it or not) those who collaborate with spammers by failing to put basic security principles into practice are treated solely as *victims*?
The root of the problem is shifted costs. Personally I think the band-aids are working quite well, I spent very little time dealing with spam and its side-effects. But if everyone else's consensus ends up being that the band-aids are insufficient and the root cause needs to be addressed, the only options worth considering are attempts to rebalance costs. Pay-to-send is one obvious choice -- and, *because* failed security could invoke consumer costs, it may be a tremendous boon to cleaning up, not just our inboxes, but the rest of the internet as well.
Email IS broken. We have a very effective anti-spam filtering system we offer to our hosting customers. 90% of all email is spam.
Spammers are like cockroaches, if you kill one there are many others lurking in the cabinets. The ironic thing is spammers want you to read their crap, but they are slowing making email useless. People are realizing email shouldn't be used for effective communication and then won't read their spam. So they will effectively kill themselves at one point. Once that happens they will move onto SMS and IM in droves.
If people would make some effort to protect their email then you wouldn't have spam. I have 3 gmail accounts and I have never received a single spam email since it launched. I never use any of these emails to sign up for any 'subscriptions'. For that I use bloglines individual emails and create one for each email. I use gmail emails for work or communicating with friends. Technological solutions in this space will not work. Practice some email hygiene.
Hi Jeremy -- I know what you mean.
I've written something on the topic over here: http://taint.org/2007/03/06/141708a.html
Your comments about Gmail surprise me. For me, it has been eerily accurate. Of course the fact that I still feel the need to scan my spam folder on the chance that something shouldn't be there is frustrating.
There's an interesting article on this topic here: http://radar.oreilly.com/archives/2007/03/another_war_wer.html
I've been using Y! Mail Plus for years and the trainable spamguard is wonderful. I hear others with Y! Mail complain about spam and I have to wonder what's different for them? Is it the Plus service's spam filtering is that much better? My email address is sitting out in a ready-to-harvest presence on several sites yet I get only 4 or 5 spam emails a day and maybe 1 or 2 "good" emails get filtered a year.
I feel very fortunate indeed since my spam folder collects over 3,000 pieces a month.
I think I'm in the same boat with you. If I'm expecting something, often I search gmail using "is:spam something". Expecting it to pop in there. It's fine for emailing my regular contacts.
Even social networks are being targetted... although the proprietary nature of Social Networking allows for interesting anti-spam measures which are pretty effective. I do a lot of my communicating over IM, Basecamp, campfire, Facebook... gone are the days of everything in your INBOX.
I was *very* proud of our homebrew mail-scanning setup at our company colo cage that uses SpamAssassin, milter-greylist, MIMEdefang and ClamAV...
... Until a few months into 2006 when it became 100% clear that we had lost the spam battle. Our homebrew system was not working capably any more and it was a blow to the ego to realize it :)
I started looking into the various mail scanning hardware appliances as well as some of the hosted mail cleaning services.
I'm a bit hesitant to name the company we stuck with for fear of sounding like a shill but I actually really do like their products (hosted and appliance based) and pricing so I'll go ahead and give them a shout-out: www.mailfoundry.com
After about 4 months as a hosted client we are still happy. Spam still does leak through their system (and our local milter/SA/clamAV systems) but the level is now within reason. Looking at the stats, we are averaging about an 89% spam rate which tracks nicely with the "90% of all email is spam" stats I've seen online recently.
Like I mentioned above, the worst thing as a geek was to finally realize that our own hand-crafted systems had lost the battle against spam. I'm still mad about that :)
I know what you mean and have suffered too.
A year ago or so I wanted to develop a project within this lines and even started to put up a blog (yetsimple.com).
The truth is I do not have the time nor the resources still for the blog.
My idea (old by now probably).
Spam should be fight before leaving the mail box, at server level, not when it arrives!
What I mean, The servers would do a handshake and know whether the sender is allowed to send or not an e mail to the incoming server if not it will not accept the mail altogether.
This way we should be away with congestive traffic through internet due to spam.
We should not react we should design a new system.
Why does IM work and doesn't e mail.
Those are the questions I believe.
So there would be whitelists at server side, maybe blacklists (there should not be necessary if the system is designed flawlessly). and an invitation procedure.
Maybe after sending an e mail, the sender would receive some kind of key (in constant change) that would match the sender with that key at server level.
This way it will be almost impossible to someone else impost you. New keys every time a mail is sent at server handshake.
The truth is, I am a designer, not a software programmer, I know how I would at leas like to interact with mail.
a) Pre tagging of mails (before sending mails the other person would pretag it, mails within conversation would maintain the tags)
b) Highlighting to take notes (one should be able to highlight (maybe more than one colour) parts of an e mail that are relevant to one, only those and should be able to turn on or off, what I mean, let the rest of the other part of the mail that is not highlighted disapare from our sight and leave any the highlighted text.
c) Take notes (within someone else's mail or ones own) like sticky notes.
d) Send an e mail with highlights, tags, notes to someone else.
Thanks none the less for your time (and space).
I really appreciate your blog.
PS mind my English is not my native tongue.
No you are definately not the only one. I wish I had time to start a new venture on that basis, as there has been some great ideas floating around lately, which could be combined to form a transition path for users. And users it what is needed to drive a change.
I spent many years of my life in the development of email services and infrastructure. There were about 100 of us folks scattered around the planet in the late '80s / early '90s for whom 'Email is my life.' - and a lot of technology came out of it. Was a time when an email window was my entire portal onto the information globe and if you didn't have my addr, for all intents and purposes, you didn't exist.
No more. I came to a similiar conclusion about a year ago. The only thing I use email for these days is site registration approvals and an audit trail of transactions. Everything else is spam. All of my personal communication is either done through controlled web communities or the telephone.
In EE terms, When the signal/noise ratio of a communication channel gets below a certain point, the effort it takes to extract the signal from the noise starts to get prohibitive. And at some further point, the cost of this effort (time, money, whatever) exceeds the value of the signal. We're well past both points.
what is we need is a do not spam list( like do not call list) and anyone spamming once email is on that list should be liable for damages and prosecution.
Though my phone is on do not call list, I still get telemarketers calls sometimes. But it has reduced by some 60%.
Call me old-fashioned, but most of my daily work (on Apache projects), is conducted via email, and spam has had little impact on my productivity. I use Thunderbird's spam filtering. SpamAssassin runs at both Apache and at my mail provider. I quickly scan my spam folders every few days for false positives, and find one every few months. My email addresses are very public, so I get a lot of spam.
Doug & others:
I think you're missing an important part of the problem. I'm less concerned about the spam I get (that's life). But now messages I send to contact that I communicate with ON A REGULAR BASIS are being lost in the crossfire.
That wasn't the case a year ago. :-(
> messages I send [...] are being lost in the crossfire
Hmm. I'm also not seeing that. I frequently have folks ask me if I've yet had a chance to respond to their message yet when I have no recollection of any message from them, but, on inspection, their message is always right there in my inbox. And I also often am disappointed to find that my messages are ignored by their recipients. But those are different problems...
I am with you on this one Jeremy.
We have even had problems with our spam filters at work distinguishing between TRUE internal commmunications. While many spammers are trying to use our email addresses to send us spam, this has caused problems communicating internally.
Also, I am finding that I am having to call people after I sent an email, just to make sure it got to them. Maybe I should just go to phone contact only. But then I don't have digital copies of the conversation like I would via email.
I hope someone can figure something out soon!
As I've mentioned in this space before, Jabber (and, really, all of the IM services) has key-exchange authentication (i.e., not spoofable), requires authentication before conversations can be initiated, and enables (real, useful) blocking of problem users.
Moreover, hundreds of millions of people us IM every day for useful communication, and if more real support were added, deferred messaging (i.e., email with the features of IM) could become a real "thing".
The problem, of course, is that two of the four big players (that would be Yahoo! and MSN) refuse to play with anyone (net neutrality? not likely). AIM has opened up to a remarkable extent, and Jabber is de facto open.
I work on Twitter, and you'll note that we don't yet have YIM integration. We haven't yet gone through the machinations of courting all the relevant folks at yahoo to make that happen, so maybe it's our bad.
I think the larger question is, why, in this era of Pipes, do we need to even consider that as necessary? If a service like Twitter can't easily connect to more than 50% of the IM users, how are we supposed imagine a new way to do "email"?
One feature I love in Thunderbird and a few others is the "people I know" filter. I'd love to see this implemented in Gmail.
If mail comes in from someone in my address book, automatically whitelist it and put it in the Inbox. Give me one click to see just email from people I know.
Not so bad for me anymore and I can't say why. 2 or 3 out of 40 are spammy.
This is mainly a problem of horribly implemented techniques in blocking spam outright (and in the process blocking legit email falsely). Also, with systems where blocking outright doesn't happen but one has to sift through a million emails to find the false-positive's in the spam folder (ie. gmail). I think people have just given up and just don't scan these spam folders any longer as it is just too cumbersome a procedure.
I've written about this here - http://tim.blog.kosmo.com/blog/_archives/2007/1/18/2663117.html
I'm still amazed though that I hear and read similar stories from people today considering spam has been a non-issue for me for a few years now.
Not that it will ever happen, but if someone major ever does decide to implement and push a new email infrastructure, djb's solution would go a long way towards curbing spam:
I have just abandoned my spam trap of steel which was postfix, postgrey, spf mailscanner, spamassassin and clamav. I got almost no spam but legitimate mail was also blocked and my clients were complaining about it.
My server was spending its day fighting onslaughts of spam and I was spending many hours each week tweaking RBLs, SBLs, local spam assassin rules to keep up with it. After some checking around I signed up for Postini and repointed my MX records and it all disappeared. If Postini blocks a mail it holds it in quarantine and sends the user an email each day with the list.
I just did this over the last few weeks so I can't completely endorse it yet, but so far so good.
A while back I was chatting with a well know email guy. He noted that at a university he used to work at experienced a campus wide email non-delivery problem (this was after the first spam, but around the time spam became double digit percentages -- a HUGE problem). The IT department started conducting interviews (who were you sending to? when?) to see if they could find any trends. For the most part, people would come in, and after a few minutes of answering questions, they'd say something like, 'you know, I really did receive the email, but I didn't want to respond, so I just told the sender I didn't get it.' Kind of like hearing the phone ring, checking out the caller id, and deciding not to answer. I always wonder how much of the 'your message got caught by my spam filter' excuse is real and how much is the social aspect of not wanting to answer/respond/be available.
I agree, spam is only going to get worse. No, I don't think tougher laws or tougher enforcement, such as throwing spammers in prison, will work in the long term since that does not address spammers from outside the country. I think the best long-term solution is "pay for each email". Give each email address 50 or 100 free emails a day, and everything over will be charged. Bill Gates had mentioned this a couple of years back, but unfortunately nothing so far...
The problem comes from several sources...
1) Greed. Spammers have no other interest than getting paid for not doing an honest day's work.
2) Companies using Reagan's policy of plausible deniability. They hire third parties to handle their marketing so when users get mad, they can say "Oh we didn't know"
Gmail used to be a solid filter but I've been with Yahoo mail since the beginning and I really think that filter is better for my purposes.
But Jeremy, the problem goes deeper...it goes to companies who rent server space or provide access to companies without knowing a thing or two about them. Endusers opening up spam or clicking on malware links. Laws that do not adequately punish nor investigate malware purveyors and the programmers who write their code.
If they made this type of invasion of the same vein as other major felonies, house these people in the general population in a max security prison, then, and only then would you see some change. But you cannot stop people in Russia, Korea, or other locales from the US. They are not subject to US law and good luck finding them and getting them extradited. It ain't happening anytime soon.
So the answer is...there is no answer. Trace the money, hold the companies in the ads responsible but even then you'll only get ethical companies to act. Companies like Stamps.com, Vonage, and others who outsource their marketing to unscrupulous agencies and then say "Oh we didn't know that they were going to hire someone else to do the email" are either being disingenuous, naive, or dumb.
Create a boycott list of companies to avoid doing business with and I think that you'll have something if everyone adheres to it. But you won't stop the drugs, enlargement, porn, or other borderline business spam as these companies have nothing to lose by spamming.
I think they need to make SPF records compulsory for domains.
If you know and can rely on the SPF record being correct, then the filtering could verify the 'from' field and so rely on it much more, then filter out the bulk emailers using filter lists so your emails wouldn't be so easily caught in the spam content filters.
(The content filtering would be turned down and the SPF filter+filter black list turned up).
The trouble now, is you can't rely on the SPF record being there or correct.
That said, Thunderbird's filter works just fine for me, the only trick is to be careful what you flag as spam or it gets confused. (Only true spam, not bounced spam with you fake address or personalized bulk email from real addresses). It misses a few but I don't get false positives at all and don't need to scan my junk folder.
How much would you pay monthly to have an actual human being read your emails in real time and flag for Spam? I think we're getting to the point where that might be the only way to get around Spam. Although, putting teeth into the laws would certainly help.
Interesting read both here and at some of the links provided in previous comments. I have a couple of thoughts to share. email is different things to different people. They need it do to different things, but in all cases they need it to be reliable. If I send it, it needs to get there or I need to know that it did not get there. So, I asked myself how I use/rely-on email and came up with a very short list. 1) I exchange email with trusted friends and family. 2) Occasionally, I receive legitimate email from people who know people I trust. 3) I get email from business that I do business with. While others might want to tweak those a bit or add a 4th, I'd argue these cover the vast majority of high priority email exchanges that need to succeed. I am beginning to believe that a sender-pays-the-user ($0.05 or so) per email system can work if combined with a refund mechanism to cover cases 1 and 2. In case 3, the transaction would either have to be part of the cost of doing business or be sufficiently well defined so as to be part of the transaction costs (e.g., an extra $0.15 charge that you get back after they send you three emails: acknowledge order, receipt, and shipped). All three of these could be made even more robust by adding white-lists to the email clients - more so if integrated with web browsers. Example, in addition to having a list of trusted friends, you could individually accept email for verifiable friends of friends. Furthermore, clicking on an order button at a website would pop-up a window requesting that you accept N messages that will be coming your way from specific email accounts at the vendor. Accepting the offer would pass that info from the browser to the email client (or maybe the ISP). Yes, there are implementation problems and some of them have viable solutions (see Jamie's comments at Jason's site). The cost of SPAM to the spammer has got to increase for it to go away. In addition, legitimate email should have an express lane to my in-box.
One more thought/question: has anyone been working a token-based solution? By this I mean, initiate contact with my email server/client to request that a single-use token be issued that when attached to an email assures receipt?
Otherwise the pay-per-email system has a built in return receipt capability in that you have a log of who you have paid to accept your email.
All hail the fax machine... who needs email.
I do have one idea regarding your outgoing email getting blocked. Not particularly helpful, granted, just thinking out loud.
I wonder if your relatively unusual name is getting tangled up in spam filters? I just searched my mail archives and immediately found a newsletter from WebProNews.com from 2004. We didn't actively subscribe to this message (it was 'inferred' from a different subscription) and it was sent to a dormant email address - Apple Mail reckoned it was spam and it seems I was inclined to agree. The second link on the 'Inside eBusiness' feature is to you - "Jeremy Zawodny in new Yahoo job".
It's not beyond my imagination that spam filters may be seeing your name and, following a lookup, realise it has only ever previously occured in spam messages, so it takes the plunge and blocks your mail.
I could, of course, be way off base here but it strikes me that this might be a contributory factor in your case.
But yes, ultimately, email is currently broken.
Okay. Email is broken because it has been insecure since its inception. The problem also stems from a combination of greed and stupidity.
How many relatives or friends have we had call us to clean the malware off of their systems because they had to open every stupid jokemail someone sent them.
These people click on links within these joke emails, get infected and next thing I know is my phone is ringing and someone is acting very nice to me on the phone for no reason.
Those machines make up the zombie network but other zombies occur by just honest mistakes. You type in .net instead of .com and you wind up on some marketing site which has nothing but ad links everywhere, popups galore, and if you click on anything, poof...instant download and your PC is now a mail server for sale on an IRC channel.
As much as I disagree with the general idea, I must applaud those ISPs who are blocking outbound SMTP port traffic. Not that it's fullproof. Move it to another port and voila...back in business.
I think that the time has come to say that email is at a plateau right now and until it learns some more lessons as to how to further evolve, it runs the serious risk of becoming obsolete or a nuisance.
There needs to be a general standard of identification that goes beyond MX records and "From" lines all of which can be easily manipulated. Endusers need to be able to control their boxes and ISPs need to become more than just an "onramp to the Internet"
Fixing the spam problem will take effort from everyone and I just don't think that many people want to do anything about it.
A couple days ago, I enabled the "move all emails that are not from known contacts to a different folder" in my email software and it already feels much better. I just see email that I really want and sift through the crap once a day. Think of it like your regular postal mailbox: you empty it once a day and whatever I don't recognize, I throw it away as junkmail immediately ...
Yes, email is FUBAR.
Why can't there be a universal authentication process that all legit senders will do, and then we simply deny messages from all but authenticated senders?
Spam sucks... but alternatives are not much better.
Personally I'd rather see a Email2 system take off. One that requires authenticated secure SMTP servers. Encrypted connections across the board using valid SSL certificates. On top of that require SPF/DomainKeys like system.
With a system like that you have the following advantages:
- Costs much more. Can't use botnets to spam, as SSL cert won't work unless you've got cash for your entire botnet.
- With SSL certs and SPF/DomainKeys on authenticated servers, you'd have a "trusted" server. Those without would be eventually written off as junk.
So in the beginning it would be like priority mail... eventually the bulk mail just would be cut off.
The system needs to be rebuilt. The problem is nobody wants to do it, since anything better would have additional cost.
Then again, I want Internet2, and IPv6.
While it's a commercial product built upon Open Source ( Apache/mod_perl ), TrafficControl from www.mailchannels.com has solved the "too many incoming SMTP" connections issue for me. It allowed me to get 10x the number of connections on exactly the same hardware. Also has some nice spam filtering baked right in, along with hooks into other systems like CloudMark.
Anti-spammers are the worst component to the problem. They block legitimate email in an over-zealous effort to block spam.
I had to email a time critical pre-employment exam -- and my ISP decided to block port 25! It took me 30 minutes to figure out what was going on, and by that point my exam results were sent to my potential employer very late! If I lose the job over this, I will sue my ISP for denial of service. Denial of service is a felony in some states.
BTW, someone commented on gmail. Gmail is a /terrible/ email service. They don't even allow disposable email addresses in the FROM field -- effectively preventing users ability to protect themselves from spam.