Way off topic talk about email

[Anthony DiPierro]

On 12/31/05, Eugen Leitl <eugen at leitl.org> wrote:
> On Sat, Dec 31, 2005 at 10:56:01AM -0500, Anthony DiPierro wrote:
> > If it hurts, I'm doing it wrong?  Maybe you can point me to a perfect
> > spam filter, because I haven't yet found one.
>
> There's no such thing as a perfect anything in this universe.
> But spam filters for email are a lot more mature than spim, voip, irc
> or blog spam.

Considering that you can easily attach a spam filter to a blog, I
don't see how that could possibly be the case.

> Despite publishing my email address about everywhere
> and receiving hundreds of spam messages every day I see almost none
> (and I don't even use grey/whitelisting, and do not tune my
> filters manually -- I would have to do this if there's another
> order of magnitude increase in spam volume).
>
I'd be interested in what spam filter you use.  I think I'd go through
the trouble of setting it up if I could drop my spam to "almost none"
(of course I get thousands of spam messages a day pre-filters so maybe
it wouldn't work as well for me).

> > Your list of "features" essentially defined email, as one was that it
> > "creates multiple redundant realtime-searchable archives at each
> > user's end (mailboxes)".  If you eliminate that "feature" there are
>
> I'm not an old hand, but I've seen a lot of sites vanish into
> the great bit bucket in the sky since 1994 or so. Many mailing list
> archives have been restored from indivdual's local mboxes. Distributed
> P2P filestores are not common yet.
>
Well there's always archive.org...  Besides, the fact that some
alternatives to email don't back anything up doesn't mean that none of
them back anything up.  You don't have to have a distributed P2P
filestore to make daily backups and distribute them to 3 or 4 backup
locations.  Backing up every post to every mailing list on the
computer of every single subscriber is excessively wasteful.

> > plenty of alternatives, and I don't really see it as a useful feature,
> > more of a horribly inefficient implementation.  Some of the other
>
> It doesn't matter how it's implemented. It is a widely deployed
> technology, and it arguably works.
>
Of course it matters how it's implemented.  Disk space costs money.

> > features I'm not even sure I agree about.  Email supports
> > authentication and encryption?  Only in the sense that you can easily
>
> Yes, for me it does.
>
> > build authentication and encryption on top of any digital distribution
> > mechanism.
>
> No. This means that a mature infrastructure is in place. It doesn't
> matter what somebody can do, theoretically, maybe -- assuming the
> rest of the world will adopt itt.
>
C'mon, what percentage of email users do you think use authentication
and encryption?  The rest of the world hasn't adopted it, not yet.

> > If I had the opportunity to post replies to this mailing list using a
> > web form instead of email I'd definitely use it.  Creating a gmail
>
> Write a login or CAPTCHA-authenticated submission script, and publish
> it on a web page. It would be a good idea, as I understand most
> newcomers don't like email and prefer a web forum interface to
> access and post content. It's easy to add that by an external
> page, without touching a line of Mailman.
>
Some day maybe I'll have the time and energy to write such an
interface (or more likely to pay someone else to write it for me).  In
the mean time my gmail hackaround is good enough.

> > account to subscribe to mailing lists is the next best thing.
>
> You might want to look into procmail and Beagle. (I personally
> don't bother, screen+mutt works for me, I only use procmail
> for killfiling).
>
See above.  I have enough things to do in life to the point where it's
not worth it for me to spend the time administering my own email
server.  I've played with that stuff in the past but I don't have time
for it right now.

> > I guess it's true that no one is *forcing* me to use email.  But
> > without an email address I can't access my bank's online banking, or
>
> You should be able to do online banking without requiring email.
>
I should be able to do a lot of things without an email address. 
Doesn't mean I can.  Both of the banks I use require me to tell them
my email address, and I can't use a throwaway account because then
anyone else who gets access to that account could steal my password.

> > pay my student loans through the web, or post to or-talk, or subscribe
> > to slashdot, or receive paypal payments, or a whole host of other
> > things.  That doesn't really make sense to me.  In fact, using the
>
> Authentication by email-delivered one-time token works well, and is
> easy to implement. No wonder everybody is using it.
>
Authentication of what?  There are people with multiple email
addresses.  There are email addresses which are used by multiple
people.  There are people with no email address at all. 
Email-delivered one-time tokens don't authenticate much of anything,
and those examples I gave aren't one-time things anyway.  I really
don't see what this type of "authentication" works well at.

> > From: field of an email for authentication (which is what the or-talk
> > listserver does) makes about as much sense as using an IP address.
>
> But IP-based authentication works very well, if yours is a static IP.
> Sure, there's spoofing, but in practice you can just as well subscribe
> to the list and sniff poster addresses, or spam the list directly.
>
Sounds to me like it's trivial for a spammer to spam the list anyway. 
That's what I'd refer to as a rather useless security mechanism.

> Of course you can use signed mail and Turing tests for authentication,
> should that become commonplace.

Turing tests through email?  That's about the dumbest idea I've ever
heard (yeah yeah, I'm being hyperbolic).  Seriously though, who wants
to sit and wait for a bounce before they can post a message?

Signed email is more reasonable, I could see a system built around
that being better from an authentication standpoint (it'd probably
have to rely on other forms of authentication other than just the
current webs of trust, though).  It still wouldn't satify those of us
who don't feel like giving out our email address in the first place,
though.

Anthony