Ron Barry/foodini.org
prev:20090107           whole blog            in context             next:20090123
%20090121
Spam Eradication
Bulk emailing drives me nuts - mostly because its existence hinges on a single
fault in the standard email delivery system - the Simple Mail Transfer
Protocol (SMTP).  That fault is that you can communicate with a mail server
anywhere in the world and convince it to deliver to your intended target.  It
really is quite easy.  In college, I used to send rebuttals in my religious
debates to rabid believers... with the 'From' line showing God@heaven.com.

In Utah, I was convinced that heaven had to be a .com.  Anyway, I digress.

One minor change to the protocol would fix the problem.  I'm not
talking about authentication or any other crypto-heavy solution - just the
simple requirement that you MUST provide a From line and the email address
listed therein MUST be capable of accepting email in order for the message to be
delivered.  It's that simple.

A bulk emailer will do anything to avoid having a valid target in the From
field because they know that they would have to handle an insane number of
bounced messages - as well as people who (and I used to do this) would send
them back the entire text of Monty Python's Holy Grail as punishment for
wasting the time of the recipients.  In other words, if sending 100,000,000
email messages meant that you had to (potentially) handle 100,000,000 queries
in return, you'd probably not be able to send spam so economically.

Your email server probably already requires that an address be provided in
the From line, but this is not sufficient.  As I said, you can use whatever
you like there.  But what if the receiving server were to periodically contact
the sending server and ask "did you really send this message?" ...until such
time as the recipient showed up to read it?

An example, using client.me.com (my workstation, where I read my mail),
client.you.com (where you read your email), mail.me.com (my mail server) and
mail.you.com (your mail server).

The servers come up trusting nobody.  You send me mail, and our servers kick
into action.  mail.you.com contacts mail.me.com and hands the message off. 
Until I show up to get that mail, mail.me.com will try to contact mail.you.com,
checking to see if it is still there.  (If mail.you.com is consistently there,
mail.me.com will lengthen the delay between checks.)  When I connect to
mail.me.com to get my mail and read it, I mark your email address as 'trusted'
and my mail server will be much less rabid about validation in the future.

If a spammer sends email to me, their server has to stick around and service all
queries until I check my email.  Otherwise, it will never actually be delivered.
They cannot pretend to be someone I trust.  Why?  Because when mail.me.com
contacts mail.you.com, they will positively establish that the email was not
sent by you.  My server will simply delete the message.
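The hold-and-verify exchange described above, as an added Python simulation that is not part of this post. The names are the post's; the "did you really send this?" query against a constructed outbound log, deriving the From domain's server as mail.<domain>, and doubling the delay while the sending host keeps answering are my assumptions:

```python
# Constructed outbound logs: the message ids each sending host admits to.  A host
# absent from the table never answers (the spammer's server did not stick around).
OUTBOUND = {"mail.you.com": {"m1"}}

def ask(host, msg_id):
    """'Did you really send this?' -> True / False, or None if the host is unreachable."""
    return None if host not in OUTBOUND else msg_id in OUTBOUND[host]

class ReceivingServer:
    """mail.me.com: holds each message and keeps re-verifying it until I show up."""
    def __init__(self, ask_fn, base=60.0, cap=3600.0):
        self.ask, self.base, self.cap = ask_fn, base, cap
        self.held, self.delivered, self.dropped, self.trusted = {}, [], [], set()

    def receive(self, msg_id, sender, now):
        if sender in self.trusted:                   # read before and marked trusted: no hold
            self.delivered.append(msg_id)
            return
        host = "mail." + sender.split("@", 1)[1]     # assumption: From domain's server is mail.<domain>
        self.held[msg_id] = {"sender": sender, "host": host, "due": now, "interval": self.base}

    def tick(self, now, force=False):                # periodic check; delay doubles up to cap
        for msg_id, m in list(self.held.items()):
            if now < m["due"] and not force:
                continue
            if self.ask(m["host"], msg_id) is True:  # still there and still vouches
                m["interval"] = min(m["interval"] * 2, self.cap)
                m["due"] = now + m["interval"]
            else:                                    # "never sent that" or gone: delete it
                self.dropped.append(msg_id)
                del self.held[msg_id]

    def fetch(self, now):                            # recipient connects: last check, deliver, trust
        self.tick(now, force=True)
        for msg_id, m in self.held.items():
            self.trusted.add(m["sender"])
            self.delivered.append(msg_id)
        self.held.clear()
        return self.delivered

def run():
    srv = ReceivingServer(ask, base=60, cap=240)
    srv.receive("m1", "you@you.com", now=0)          # genuine: mail.you.com vouches for it
    srv.receive("m2", "you@you.com", now=0)          # forged From: mail.you.com denies it
    srv.receive("m3", "deal@spam.example", now=0)    # sender's host never answers
    for t in (60, 180, 420):                          # queries land at 60s, then +120s, +240s
        srv.tick(t)
    srv.fetch(900)                                    # I read my mail; you@you.com is now trusted
    srv.receive("m4", "you@you.com", now=901)         # trusted sender: delivered without a hold
    return srv
```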

If a source of email were _really_ suspicious, I could take the negotiation one
step further.  In addition to asking mail.suspicious.com if s/he sent an email
message, mail.me.com could send one back - holding delivery of the _received_
email until the verification email message triggered a "did you send this"
query back.  =]


Clearly, there is an issue here: the server that sends the email has to remain
available.  It is an inherent part of the protocol.  If your mail server is
offline 10% of the time, then one tenth of the email it sends will be dropped
by recipients.  I feel that this is an acceptable compromise.  If your mail
server is offline 10% of the time, you have a problem with your ISP and someone
needs to do some serious, professional ass-kicking.

At first blush, there is another drawback: bandwidth.  If receiving a 1k email
message triggers many more communications with the sender to verify that the
message is valid, the data cost of that message increases dramatically.  If the
process works, however, I'd not have received hundreds of megs of junk mail in
the last 3 months.  My total useful payload of email in that time is probably
a couple of megs at most.  If verification were to increase legitimate traffic
ten-fold, it would still cut overall traffic by double-digit percents.  It
would also mean a LOT less corporate and personal time wasted reading
the crap.

    -rbarry