Short answer: nope.

Long answer:

Spoofing - Authentication would be wonderful, and is doable if you're willing to set up a central authentication system that would contain information on everyone who sends e-mail to you and vice versa. User level authentication is a variant that was discussed a few months back (can't remember where). Basically, if the sender isn't on your list of trusted sources the mail doesn't get delivered, and in order to get on the list the software sent a authorization query to the sender, who would reply correctly and be added to the list. There are some obvious holes in that, least of which is inconvienence.

Security - Security was not an issue when the e-mail protocols were designed and implemented. Workarounds such as encryption and digital signatures can make it better, but to really achieve the level of security he's talking about here would require a ground-up redesign of the protocols with security as the number one priority.

Anti-Virals - Looks good on paper, doesn't work in RL. Most users don't install A/V software, and even those who do don't always keep it maintained/updated. One option I've seen was to force ISPs to use A/V software on their mail/relay servers, but that's a little too intrusive for my tastes. Short of forcing everyone on the 'net to run and maintain A/V software (or having a central site that does it for them), I don't see any way that this could be done without radical changes.

I'm sure there are some errors in this, but I'm in a hurry. Hope it helps.

Something of the like could be hacked together using current open-standards based mailer daemons (e.g. sendmail, exim, postfix), but the problem ends up being that everyone has to run the same type of system security. If joe blow isn't running spoof-proof mailer software, and jane doe is, jane's server will reject mail from joe even if he's not a spammer. That means joe is forced to use it.

Another very large issue that comes into play is exactly who dictates the standard for the spoof-proof authentication. If it's Microsoft, you can fairly well rest assured that a) People will find a way around it, and b) No one else will be able to play with it. Not a good solution, by any means.

I don't see a pressing need to spam-proof email, just as I don't see a need to duct tape a claymore mine to my mailbox to ward off print-spam. If you don't want it, there are several steps a user can take to block it.

I use Apple's mail.app mail client, which includes a learning AI spam-blocking feature. I get several hundred spam mails per day, yet only one or two get through the filter, and it gets smarter the more you use it.

In a nutshell: The responsibility should fall to the user to block spam. ISPs, of course, can take a host of measures to significantly reduce it, but ultimately the decision of how to deal with it should be yours.

My decision was to use an OS that is impervious to 99.9% of virii, and a mail client that can intelligently block spam.

... should be completely encrypted and secure...

This will be MOST problematical; the Homeland (In)Security Department is adamantly agains encryption, as it "might" interfere with their ability to eavesdrop. Unlike postal material which requires a court order to open, the feds want the right available with no interference to read eMails.

TO: Stephen Green
RE: Short Answer

Mac OS X with iMail.

The elimination of spam is VERY effective.

Half of my daily 100 items used to be spam. [Note: I make a lot of comments on blogs.]

Now 99% of that half is dumped into the Junk 'pile' automatically.

Regards,

Chuck(le)

Stopping spam at the level Dvork, and many others want, is absolutely NOT doable without either a redesign of the SMTP protocol, or intrusive force placed on SOMEBODY (end-users, ISP's, businesses, etc).

Spoof-proof authentication: Can't really be done without forcing all email users ALL OVER THE WORLD to use a trusted central authority to authenticate senders to receivers. For a multitude of reasons, this will not happen.

Privacy: encrypted and/or secure email is already available to anyone who wants it. PGP (and open GPG) provide encryption/authentication, and there are SSL-enabled IMAP/POP/SMTP/Webmail apps to transmit and receive securely as well. However, in this case, one would have to force users to use these methods, and that is just too intrusive.

Systemic antiviral agents: Dvorak is off his rocker if he thinks that viruses will just up and wither away without email transmission... They spread like wildfire without email just as easily as with.

The fact is spam will never go away unless it stops working... It's still here for a reason, folks, and it's not just to irritate you. And there are some VERY smart people making sure that they get around all the various methods of stopping it.

And redesigning SMTP to something different will probably never happen as well. There is WAY too much infrastructure in place that would need to be supported, and tools already exist that do a more than adequate job in reducing spam. If you use those tools avaliable, and NOT make a major federal issue out of a couple pieces a day, the problem is no longer.

But I'm having so much fun with spam...

Freedom. Efficiency. Security.

Pick two.

My short answer is "no". My long answer is on my blog, here.

The reality is, it would be possible, but so would supplying all of our electic power needs via nuclear power plants. It will be equally improbable in practice. Like that example, the necessary changes to eliminate spam would have a lot of benefits, but also a lot of costs and risks.

Well, probably not at the user level -- there are signature modes available now, but few use them.

HOWEVER, there might be quick fixes at the server level that would be possible.

For example, a DNS record could contain a public key, and mailservers getting inbound mail purportedly from a given domain could test a short, encrypted block in the mailheader (say subject, sender & time) against the domain's (or mailserver's) public key. This would cut down on many forgeries. The authority issuing the keys would be the domain registrar, or some uber-registrar. The system would be voluntary, although one could set one's own mailserver to reject non-conforming inbound mail.

Changes: Registrar (major new function), DNS (modest), SMTP (moderate), POP & user (transparent).

Downside: Computational burden on mailservers. Although reduction of spam relieves mailservers of perhaps a greater burden.

Problem: Would require auxillary filtering on known rogue domains. But a blacklist at the purported domain level is a lot easier than on IP, especially if the domain is authenticable.

The security and (message-level) authentication thing is easily managed for those who *care* by a "simple" encryption and signing program (ala PGP, whatever).

Of course, the vast majority of people don't care to bother with that for their email - as most email is not "sensitive".

As to virus checks, "buy antivirus software" is the key. Though, it's probably GOOD that people don't run or open random attachments they weren't expecting - there's plenty of room for people to write plain old executables that, say, wipe your hard drive, and no antivirus software can tell one of those from a picture viewer or game installer or whatever, as long as the Bad Guy doesn't use the same program over and over so they can get a signature for it.

(I do wonder why he includes "signed and encrypted before transmission" under "systemic antivirus protection"... I'm unaware of a tendency for viruses to be inserted into content in transit, although it's technically possible to do so...)

Maybe there's something wrong with me. but I don't mind spam. Hitting DEL ain't all that hard, plus the nigerian spam is sometimes riotously funny (lately they open with 'My Dear').

As to viruses, not being stupid helps. Don't open executable attachments without scanning them first, Don't use Microsoft products for email. Don't delete any files that some email forward claims is a virus.

In the past five years I've been infected by a virus ONCE. I don't even run any antivirus programs, I just do a complete system scan every six months or so. It can't be that hard.