It’s time to get rid of email


----------------

There are few things in life that I hate more than spam.  But I hate receiving one type of message even more:  delivery status notifications for spam that was sent to bad email addresses, spoofing my address as the sender.  Lately, I’ve been getting a couple hundred of these per day.  Of course, that means that probably several thousand spam messages reached their destination, fingering me as the sender.  I wonder how many mail servers have black-listed me.  Even the most intelligent spam filters have probably begun to assign a high spam probability to my address.

As far as I know, there’s very little that can be done about this.  SMTP was not designed with spammers in mind.  Back when email protocols began evolving in the ’70’s, the only people who used email were innocent geeks.  Even though the first spam message was sent thirty years ago, spam didn’t really become a popular marketing tool until everyone and their grandmother got on the Internet in the 1990’s.

Spam isn’t the only reason why email is a broken communication medium, though:

  1. Delivery is not guaranteed.  Between potential problems with your email client, a server hiccup somewhere in between, or any number of junk mail filters that your message might encounter along its journey, the odds of it actually reaching its destination are getting worse daily.
  2. Too much noise.  Even if your message reaches its intended audience’s inbox, they might not even notice it among all the other messages they receive every day — especially since 90% of the ones that aren’t caught by spam filters are still spam.
  3. It isn’t private.  Sure, you can set up secure email, but who goes to the trouble?  In my experience, many companies send sensitive business plans over unsecured email.  Individuals, too, often send personal information over that same public channel — even passwords.
  4. Sender spoofing means you can’t trust that the message is from the person that claims to be the sender.  If you hit “Reply”, you’d better examine the resulting Reply-to address, or you might not know to whom you’re telling all your deepest secrets.
  5. HTML mail makes it easy to hide phishing links.  A savvy email recipient will never click a link in an HTML email without viewing the source to verify the domain — but how easy is it for most people to be fooled?

Clearly, the time has come for a replacement for email.  We need a secure, private service with guaranteed delivery, verified identity, and no spam.  Messages should be organized into discrete conversations to which only specific people are granted access — to read or to contribute.

Hmm…I may have just given myself an idea…







46 Responses to It’s time to get rid of email

  1. That’s some deep thought you’re having. Same thing goes for web browsing. No tools/browser/anti-this-anti-that can guarantee your secure browsing unless the person is tech savvy.

    I too, hate spam, but nothing beats skill and experience to tell “friend” from “foe”. Those 5 points really troublesome. I didn’t know it was so unsafe.

    Thank God, I’m a geek in the pink.

    I guess the solution is, erm…IMing?

    • I think IM has similar issues, though some IM clients give you a little more control over who can talk to you.

      Besides, one of the good things about email is that it doesn’t interrupt you. You can process it when you’re ready, instead of having a message pop up in front of your face.

      I’ve noticed, though, that GTalk now buffers messages when you’re offline. That’s a step in the right direction.

  2. That's some deep thought you're having. Same thing goes for web browsing. No tools/browser/anti-this-anti-that can guarantee your secure browsing unless the person is tech savvy.

    I too, hate spam, but nothing beats skill and experience to tell "friend" from "foe". Those 5 points really troublesome. I didn't know it was so unsafe.

    Thank God, I'm a geek in the pink.

    I guess the solution is, erm…IMing?

    • I think IM has similar issues, though some IM clients give you a little more control over who can talk to you.

      Besides, one of the good things about email is that it doesn't interrupt you. You can process it when you're ready, instead of having a message pop up in front of your face.

      I've noticed, though, that GTalk now buffers messages when you're offline. That's a step in the right direction.

  3. You’re absolutely right, of course. I think part of the problem lies in the fact that the general public doesn’t fully appreciate just how unsafe and unreliable the medium really is. Without this awareness there’s no ground (read: economic stimulant) for companies to develop a viable alternative. Once more I turn my head to the OSS community in great anticipation. :)

  4. You're absolutely right, of course. I think part of the problem lies in the fact that the general public doesn't fully appreciate just how unsafe and unreliable the medium really is. Without this awareness there's no ground (read: economic stimulant) for companies to develop a viable alternative. Once more I turn my head to the OSS community in great anticipation. :)

    • I’ll have to read up on that protocol to see if it could be used in the scheme I’m imagining. Thanks for the tip.

    • I'll have to read up on that protocol to see if it could be used in the scheme I'm imagining. Thanks for the tip.

  5. I don’t use a desktop email client, ever! I only use online services like Gmail, Yahoo, and Hotmail. I don’t have much of a problem. They seem to filter most of the bad stuff out. I can see your point though about newbies getting into trouble. I have an email account just for websites I receive newsletters from, and those sites that I visit that want an email address to “sign on” for info. Then I have an email address that I use just for my friends and family. You just have to work your plan.
    //bob

  6. I don't use a desktop email client, ever! I only use online services like Gmail, Yahoo, and Hotmail. I don't have much of a problem. They seem to filter most of the bad stuff out. I can see your point though about newbies getting into trouble. I have an email account just for websites I receive newsletters from, and those sites that I visit that want an email address to "sign on" for info. Then I have an email address that I use just for my friends and family. You just have to work your plan.

    //bob

  7. Part of the reason email is here to stay is that is is too valuable and convenient for most users despite these correct observations of the issues. It’s just like using credit cards (online or off): there are many ways it can get you in deep trouble, but most of the time it doesn’t and it’s darn convenient.

    But if you get 200 spoof bounces a day, maybe you really ought to change address…

    • Yeah, I’d hate to do that, since I’ve had the same address of for more than eleven years. But it is getting pretty bad.

  8. Part of the reason email is here to stay is that is is too valuable and convenient for most users despite these correct observations of the issues. It's just like using credit cards (online or off): there are many ways it can get you in deep trouble, but most of the time it doesn't and it's darn convenient.

    But if you get 200 spoof bounces a day, maybe you really ought to change address…

    • Yeah, I'd hate to do that, since I've had the same address of for more than eleven years. But it is getting pretty bad.

  9. I hear this argument a lot, and I’m afraid it’s very naive. Most of the problems with email aren’t really problems with SMTP or MIME, but are much more fundamental.

    In particular, some of the key design points of email are:

    — Openness to all comers (you don’t need to register/authenticate a machine or person to send email)

    — Store and forward architecture on a loosely-structure internetwork

    — A plurality of mail-reading tools that can take “delivered” mail and do almost anything with it.

    Some of the problems you have with email (notably authentication and misleading html links) are things that can indeed be fixed, but they can be fixed in SMTP/MIME — it’s not necessary to replace it. But the others (notably uncertain delivery and spam) are going to inevitably be problems in any message delivery mechanism that shares those design goals.

    I’ve had this argument over and over for years; usually once people understand the underlying constraints, the wholesale replacement of email becomes less appealing. (That’s particularly good because it’s practically impossible to imagine a transition anyway.)

    I know that my view may be considered somewhat biased, since I’m associated with the creation of some of these protocols, but I’ll have a hard time taking these proposals seriously until you can tell me how a new protocol would differ from SMTP in such a way as to prevent spam and guarantee delivery. I don’t think it can be done without a lot more central control on the Internet, which would be a cure worse than the disease. — Nathaniel

    • Wow, it’s great to hear from you on this, Nathaniel.

      After thinking on it overnight, I agree with you that email can never be fully replaced.

      But I’d like to see a new messaging system that is centrally controlled and private (but provided with an API so client tools could access it, given proper authentication). I’d use that for communicating with my customers and my friends and family — and relegate email to initial contacts only. Then I could afford to ignore it most of the time.

      The biggest problem I have with email right now is that it’s doing too many things. Some correspondence should be private, plus it gets lost in all the other noise.

    • One solution might be that for professional emails, a global “by project” unique token (a la MAC/UUID style) should be generated by any company for all members of a project across companies or for internal departments with an expiration date.
      It would be sent in the xtra headers of an email and match a pool of accepted professional email addresses.

      Then if the company wants to restrict email usage, it may route all non-tokenized emails to a list of public email addresses of the company for clearing, and only properly tokenized emails could reach individuals of the company.

      The drawback: the more tokens to store for one email address, the more searching for allowing an email to go through.

      I don’t think this would require any change in the protocols.

      Isn’t there something like that in some mail servers?

  10. I hear this argument a lot, and I'm afraid it's very naive. Most of the problems with email aren't really problems with SMTP or MIME, but are much more fundamental.

    In particular, some of the key design points of email are:

    — Openness to all comers (you don't need to register/authenticate a machine or person to send email)

    — Store and forward architecture on a loosely-structure internetwork

    — A plurality of mail-reading tools that can take "delivered" mail and do almost anything with it.

    Some of the problems you have with email (notably authentication and misleading html links) are things that can indeed be fixed, but they can be fixed in SMTP/MIME — it's not necessary to replace it. But the others (notably uncertain delivery and spam) are going to inevitably be problems in any message delivery mechanism that shares those design goals.

    I've had this argument over and over for years; usually once people understand the underlying constraints, the wholesale replacement of email becomes less appealing. (That's particularly good because it's practically impossible to imagine a transition anyway.)

    I know that my view may be considered somewhat biased, since I'm associated with the creation of some of these protocols, but I'll have a hard time taking these proposals seriously until you can tell me how a new protocol would differ from SMTP in such a way as to prevent spam and guarantee delivery. I don't think it can be done without a lot more central control on the Internet, which would be a cure worse than the disease. — Nathaniel

    • Wow, it's great to hear from you on this, Nathaniel.

      After thinking on it overnight, I agree with you that email can never be fully replaced.

      But I'd like to see a new messaging system that is centrally controlled and private (but provided with an API so client tools could access it, given proper authentication). I'd use that for communicating with my customers and my friends and family — and relegate email to initial contacts only. Then I could afford to ignore it most of the time.

      The biggest problem I have with email right now is that it's doing too many things. Some correspondence should be private, plus it gets lost in all the other noise.

    • One solution might be that for professional emails, a global “by project” unique token (a la MAC/UUID style) should be generated by any company for all members of a project across companies or for internal departments with an expiration date.

      It would be sent in the xtra headers of an email and match a pool of accepted professional email addresses.

      Then if the company wants to restrict email usage, it may route all non-tokenized emails to a list of public email addresses of the company for clearing, and only properly tokenized emails could reach individuals of the company.

      The drawback: the more tokens to store for one email address, the more searching for allowing an email to go through.

      I don’t think this would require any change in the protocols.

      Isn't there something like that in some mail servers?

  11. Looks like Nathaniel beat me to it. It’s also worth noting that a lot of current spam issues are due to admin neglect. I’ve been guilty of that in the past myself, but taking a couple days to really get a feel for what’s going on with any SMTP systems you administrate should be made a priority. Not only will your system suffer, but others will bear the burden of your ignorance.

  12. Looks like Nathaniel beat me to it. It's also worth noting that a lot of current spam issues are due to admin neglect. I've been guilty of that in the past myself, but taking a couple days to really get a feel for what's going on with any SMTP systems you administrate should be made a priority. Not only will your system suffer, but others will bear the burden of your ignorance.

  13. Chip, it sounds like your machine belongs to someone else. If you’re getting 200 bounce-backs a day, then you definitely have a problem. Creating a new email address won’t stop it. You need to have your machine cleaned out. Find someone who really does know whjat they are doing and have all the spyware removed from your machine. Once that is done, stop using your “real” email address to sign up for stuff on the web. Use a temporary email service, or an online service such as YahooMail where you can create a “special” account that you use only for that purpose.
    The problem you’re having isn’t with SMTP or your local email client. The problem you are having is almost certainly caused by using your email address as you sign up for online services, games, widgets, etc…
    EMail me if I can help.

    • Jon, I happen to be one of those people who “does know whjat (sic) they are doing.” I am certain that I do not have any spyware or bot on any of my systems. Someone out there reaped my public email address and is spoofing me as the sender for their spam. I will admit that my address has been published on the web for all to see since 1997 — so I have brought this on myself to some degree.

      Rather than give up on my long-standing address, I’ll probably set up some rule to just trash the delivery failure notices.

  14. Chip, it sounds like your machine belongs to someone else. If you're getting 200 bounce-backs a day, then you definitely have a problem. Creating a new email address won't stop it. You need to have your machine cleaned out. Find someone who really does know whjat they are doing and have all the spyware removed from your machine. Once that is done, stop using your "real" email address to sign up for stuff on the web. Use a temporary email service, or an online service such as YahooMail where you can create a "special" account that you use only for that purpose.

    The problem you're having isn't with SMTP or your local email client. The problem you are having is almost certainly caused by using your email address as you sign up for online services, games, widgets, etc…

    EMail me if I can help.

    • Jon, I happen to be one of those people who "does know whjat (sic) they are doing." I am certain that I do not have any spyware or bot on any of my systems. Someone out there reaped my public email address and is spoofing me as the sender for their spam. I will admit that my address has been published on the web for all to see since 1997 — so I have brought this on myself to some degree.

      Rather than give up on my long-standing address, I'll probably set up some rule to just trash the delivery failure notices.

  15. Email should be sent over SSL by default. Its a pitty that you have to “purchase” a certificate at Verisign, etc. It a f*** mafia.

    Spoofing is also a problem at our email services. The US Army should hunt down Spammers instead of BinLaden. They cause much more problems!

  16. Email should be sent over SSL by default. Its a pitty that you have to “purchase” a certificate at Verisign, etc. It a f*** mafia.

    Spoofing is also a problem at our email services. The US Army should hunt down Spammers instead of BinLaden. They cause much more problems!

  17. Email should be sent over SSL by default. Its a pitty that you have to "purchase" a certificate at Verisign, etc. It a f*** mafia.

    Spoofing is also a problem at our email services. The US Army should hunt down Spammers instead of BinLaden. They cause much more problems!

  18. You mention two separate problems: secure messaging and spam.

    Secure messaging is available. You can use encryption and a secure email service such as “Sub Rosa” from novo-ordo.com.

    Spam is more difficult. The reason we have so much spam is because it can be sent en mass at someone else’s expense. Most spam these days come from the armies of botnets that the spammer have set up with other people’s computers. This is easy for them to do because most people use a fundamentally insecure operating system. Unless that can be changed, I do not see a solution to the spam problem.

    • I think that a messaging system where you decided who was invited to a particular conversation (by invitation only) would be impervious to spam. The reason why we have spam is that anybody on the Internet can send you or me a message, and it costs very nearly 0 to do so.

  19. You mention two separate problems: secure messaging and spam.

    Secure messaging is available. You can use encryption and a secure email service such as “Sub Rosa” from novo-ordo.com.

    Spam is more difficult. The reason we have so much spam is because it can be sent en mass at someone else’s expense. Most spam these days come from the armies of botnets that the spammer have set up with other people’s computers. This is easy for them to do because most people use a fundamentally insecure operating system. Unless that can be changed, I do not see a solution to the spam problem.

  20. You mention two separate problems: secure messaging and spam.

    Secure messaging is available. You can use encryption and a secure email service such as "Sub Rosa" from novo-ordo.com.

    Spam is more difficult. The reason we have so much spam is because it can be sent en mass at someone else's expense. Most spam these days come from the armies of botnets that the spammer have set up with other people's computers. This is easy for them to do because most people use a fundamentally insecure operating system. Unless that can be changed, I do not see a solution to the spam problem.

    • I think that a messaging system where you decided who was invited to a particular conversation (by invitation only) would be impervious to spam. The reason why we have spam is that anybody on the Internet can send you or me a message, and it costs very nearly 0 to do so.

    • I wish I could claim an influence, but I think they started working on it long before this post.

      I’m really looking forward to it, and I hope it answers all of these points.

    • I wish I could claim an influence, but I think they started working on it long before this post.

      I'm really looking forward to it, and I hope it answers all of these points.