by ratata 1378 days ago
True. But they are not calling for a completely open system. I like this proposal from the author.

> Change blacklisting protocols so they are not permanent and use an exponential cooldown penalty. After spam is detected from an IP, it should be banned for, say, ten minutes. Then, a day. A week. A month, and so on. This discourages spammers from reusing IPs after the ban is lifted and will allow the IP pool to be cleaned over time by legitimate owners.

> There should be a recourse for legitimate servers. I'm not asking for a blank check. I don't mind doing some paperwork or paying a fee to prove I'm legit. Spammers will not do that, and if they do, they will get blacklisted anyways after sending more spam.

But Big Tech will not do that because they will gain more from eliminating the competition.
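The escalating ban scheme quoted above, as an added example that is not code from the original post: the 10 min / 1 day / 1 week / 1 month schedule is the one the comment proposes; doubling beyond that, the tier reset after a clean period, and the manual-recourse `clear()` hook are assumptions of this example.

```python
"""Escalating (exponential cooldown) IP blocklist, illustrating the quoted proposal."""
from dataclasses import dataclass, field
from typing import Dict

MINUTE, DAY = 60, 86_400
# Ban lengths (seconds) for the 1st..4th detection, as proposed in the comment.
# Later detections double the previous ban (assumption for "and so on").
SCHEDULE = [10 * MINUTE, 1 * DAY, 7 * DAY, 30 * DAY]


@dataclass
class Entry:
    tier: int = 0               # detections counted so far
    banned_until: float = 0.0   # unix timestamp at which the ban lifts


@dataclass
class EscalatingBlocklist:
    entries: Dict[str, Entry] = field(default_factory=dict)

    def ban_length(self, tier: int) -> int:
        """Seconds of ban applied at the given (1-based) detection count."""
        if tier <= len(SCHEDULE):
            return SCHEDULE[tier - 1]
        return SCHEDULE[-1] * 2 ** (tier - len(SCHEDULE))

    def record_spam(self, ip: str, now: float) -> int:
        """Spam seen from ip at time now: escalate and return the new ban length."""
        e = self.entries.setdefault(ip, Entry())
        # Assumption: an IP that stays clean for twice its last ban length after
        # that ban lifted is treated as re-assigned to a legitimate owner and
        # starts over at tier 1 (the "cleaned over time" part of the proposal).
        if e.tier and now - e.banned_until > 2 * self.ban_length(e.tier):
            e.tier = 0
        e.tier += 1
        length = self.ban_length(e.tier)
        e.banned_until = now + length
        return length

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while the IP's current ban is still running."""
        e = self.entries.get(ip)
        return e is not None and now < e.banned_until

    def clear(self, ip: str) -> None:
        """Manual recourse: drop the entry once a legitimate owner is verified."""
        self.entries.pop(ip, None)
```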


> I don't mind doing some paperwork or paying a fee to prove I'm legit.

Then how about this: The big email companies all declare one day that any newly registered domain (with an MX record) needs to post a bond for good behaviour in escrow somewhere. If any of them find the domain being used to send spam, they can slash the bond (sending it to some charity or something).

This has the advantage that it doesn't affect any existing senders (so there's no one to complain about it), and it makes transparent the cartel-like power that these companies have over email. Perhaps, to democratise the process a bit, the ITU could organise a ballot (one vote per country) to elect 5 companies/non-profits who would have this bond-slashing power.

Unfortunately to implement something like this, they'd also probably have to demand that DKIM signing become mandatory (so there are cryptographic proofs of any evidence of spamming), and this sort of global consensus / money processing scheme would probably end up being built using a blockchain, whether that was a good idea or not.

I can just imagine the headline. “Ask HN: Google sent my mail bond to charity for no reason and has torpedoed my small business, and I can’t get in touch with anyone to make it right”

I can imagine headlines like that too, but the idea of electing 5 (or some other odd number of) entities is that they would be able to share among themselves the cryptographically signed evidence of the spam they detected, and then the bond slashing would require a majority vote.

So instead, the headline should be something like "Ask HN: Google, Amazon, and the Shanghai Cooperation Organisation forced me to send $100 of Ether to UNICEF and I couldn't send any new emails until I sent another $100 payment to my domain registrar. How do I take them to the World Court to force them to reimburse me?". That's not a great situation, but it's slightly better than the status quo.

You're describing one of the solutions made by Ironport, "Bonded Sender". Their solutions were sold to Return Path and Cisco later bought them out, presumably with the bonded sender solution still belonging to Return Path? [1,2]

I've never seen discussion of this in the mainstream though... so I'm not sure if it's actually being used or just shelved.

At this point, I think any proprietary they've created is game for usage. But it's very hard to get multiple large organizations to adopt this.

I definitely think it's a solution.

[1] https://archive.ph/CH98s [2] https://www.computerworld.com/article/2548788/cisco-to-acqui...

Is there actually any money to be made in hosting email for people? I genuinely don’t know but my suspicion is that GMail, Yahoo, Outlook, et al are loss leaders for their owner companies. I suspect people at those companies would be quite happy if the protocol got unfucked enough that small players could participate without negatively impacting the network.

O365 web costs me 5 bucks per month and I only use it for a few emails a week so I doubt it's a loss leader.

If I'd actually use all of it a lot, sure but I don't.

Do you just get email with that? Or maybe is there an office suite also?

There's an office suite included yes but only web based which really sucks. Half the office features are not supported.

It also doesn't work properly on Firefox on FreeBSD.

Even though on other OSes it works ok, it's so limited I can't imagine anyone using the web version of office 365 for any serious activity.

I gladly pay for Fastmail and I assume they’re not running a charity. Also, I think hey.com is charging $100 per year.

I am not saying there aren’t paid options. But Fastmail isn’t who we are talking about being a bad actor here and is much smaller than GMail.

You asked if there is any money to be made in email, I provided you with anecdotal evidence that there was.

Spam has been fought for decades, you can rest assured any obvious solution has been tried and either doesn’t have the desired effect or is impossible to implement.

You ignore the fact that there are perverse incentives among the participants. It's possible to implement, and I'm doing it myself. If I had more time to spend on it, we could end spam. Instead I am fine as is: most of the spammers have given up.

I think we ought to move email (or some future incarnation of email, like matrix) to a completely whitelist (opt-in to receive messages) basis.

signup confirm emails are like that.

similarly, any "hello pls add me to your allow-list" emails could be made to auto-disappear to the "will be deleted in 30 days" folder in ~10-15 minutes, so even if you get 100 spam messages per day you only see the last of those, you can easily pick what you are looking for, and don't worry about the rest, they'll just disappear.

(and you still have 30 days to look for messages that might be interesting/important/etc.)

...

the real missing piece is the feedback mechanism. DMARC is meh. of course large senders have implemented FBL, but they are not available for mere mortals.

https://en.wikipedia.org/wiki/Feedback_loop_(email)

signup confirm emails are not what i'm describing, because you need to establish and filter the initial offer that they send you via email itself, which is still prone to phishing.

What I'm describing is a situation where users themselves have to proactively subscribe to a connection using some sort of out-of-band mechanism. For example, if a website wanted to send you emails, they could produce some sort of "connection ticket" that you can give to your email client in order to subscribe to them.

This is useless because users are stupid, people sending the mail are stupid, people getting the mail are stupid, UI people creating interfaces are so stupid society could be improved by putting them in a box and mailing them all to some wasteland and hoping they form their own society there or starve.

This would result in half the planet being frustrated all the time and the other half never getting their mail.

If your goal is to secretly destroy email this is the way.

This makes sense for service emails and is similar to how push notification services like Pushbullet work, but can't work for humans. You need to be able to give your email to someone IRL so they can send you a message. Mutual approval would be possible in the "we just met and want to exchange emails" situation, but that too breaks when you legitimately want to give anyone the chance to message you.

> but that too breaks when you legitimately want to give anyone the chance to message you.

Yup. I do want people to be able to contact me regarding my homepage. It's only a niche page on a niche subject, so only a handful of people have written in, but it was nice hearing from them and some of them did make quite a few valuable contributions.

Some minimal obfuscation seems to be enough to keep mail harvesters away, and beyond that those mails go through the same spam filter as all my other mail traffic. Putting up a contact form would definitely be more of a hassle than just a simple mailto:-link, and then I would additionally have to start worrying about how to keep the bots away from that contact form.

I know, but anything out of band won't really work, because that can be phished even more, plus as described above, there's no real need for it either (IMHO).

That's essentially how www.hey.com works! I thought it would be tedious at first, but I don't mind it, and it's done a great job of making it so I only see what I want to see in my inbox.

From a quick read, hey.com still allows arbitrary people to message you and just initially puts them in "The Screener", which doesn't seem like quite the same thing as an absolutely "completely whitelist (opt-in to receive messages) basis".

That's fine by me because

a) I do want to give out some sort of contact info on my homepage and people being able to message me in relation to that (and putting up a contact form leads to its own spam problems), and

b) if you happen to swap contact details offline, you then have to remember that you still need to additionally whitelist that person inside of that message service, which also seems somewhat of a hassle.

Somebody who gets inundated in unwanted messages might have a different opinion on that subject, though, and might indeed prefer a strict opt-in mode, with no exceptions…