Flutterby™! : Making email useful again


Making email useful again

2006-02-19 06:03:02.676599+00 by Dan Lyke 5 comments

What I should really do is set up some specific accounts for commercial sites from which I actually want to receive email, but... Why don't PayPal and eBay include a user-definable field which they include in the subject line of every mail that they send to me? That way I can give them a secret which only they and I know, and I can nuke every other email purporting to come from them.

[ related topics: Spam ]
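The subject-line secret proposed in the post above, sketched as a mail filter; this is an added example, not code from the original post or its comments. The `.example` domains, the secret values, the `[bracketed]` token format and the function names are all assumptions made for illustration.

```python
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed rules: brand -> (sending domain, secret the user registered).
SECRETS = {
    "paypal": ("paypal.example", "blue-heron-42"),
    "ebay": ("ebay.example", "tin-kettle-7"),
}

def claimed_brand(msg):
    """Return the protected brand a message purports to come from, or None."""
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, (brand_domain, _) in SECRETS.items():
        # A claim is the brand's domain (or a subdomain) or the brand in the display name.
        if domain == brand_domain or domain.endswith("." + brand_domain):
            return brand
        if brand in display.lower():
            return brand
    return None

def classify(raw):
    """'accept' if the subject carries the brand's secret, 'reject' if a protected
    brand is claimed without it, 'unfiltered' for all other mail."""
    msg = message_from_string(raw)
    brand = claimed_brand(msg)
    if brand is None:
        return "unfiltered"
    secret = SECRETS[brand][1].encode()
    # Assumed format: the sender places the secret in [brackets] in the subject.
    tokens = re.findall(r"\[([^\]]+)\]", msg.get("Subject", ""))
    ok = any(hmac.compare_digest(t.strip().encode(), secret) for t in tokens)
    return "accept" if ok else "reject"

# Constructed sample messages (not real mail).
SAMPLES = {
    "genuine": "From: PayPal <service@paypal.example>\nSubject: [blue-heron-42] Receipt\n\n.",
    "no_secret": "From: service@paypal.example\nSubject: Urgent: verify your account\n\n.",
    "display_name": 'From: "PayPal Security" <x@mailer.invalid>\nSubject: [account] Action\n\n.',
    "wrong_brand": "From: eBay <info@ebay.example>\nSubject: [blue-heron-42] Invoice\n\n.",
    "friend": "From: Fred <fred@stuff.example>\nSubject: lunch?\n\n.",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

A match only shows that the sender knows the secret; subject lines are ordinary headers visible to every relay that handles the message, so a secret seen in forwarded or leaked mail should be replaced.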

comments in ascending chronological order (reverse):

#Comment Re: made: 2006-02-19 22:02:26.821885+00 by: aiworks

(I'm of the opinion that eBay/PayPal doesn't exactly have a legacy of engineering excellence; I feel that the less they do, the better.)

Coming out of large corporate environments where we used Lotus Notes PKI for both e-mail and application access control, I'm a true believer that there's a bigger identity and access control application opportunity based around people having their own domains (you've proved your identity to the domain registrar and there's some regulation around domains). Specifically, it feels like every service provider should get a different e-mail address in the form of newguid@domain.com (perhaps even eBay/PayPal could generate the guid they'd like you to use). I even envision business cards that have a unique short guid for the e-mail address for every card (plenty of card printers support this and love to charge extra when they can). Obviously, an e-mail client (and maybe browser) would need some rethinking for this to work.

I'd love to play with this some. If you assume that every user has a unique domain that they control (unlimited e-mail addresses, web site that could change for a short time to prove identity, etc...), then you can push authentication off on the web host/registrar.

#Comment Re: made: 2006-02-20 11:56:55.906581+00 by: meuon

Believe me... Web/Hosts registrars are NOT that place. If the CC# works, Poof, you have a domain.

#Comment Re: made: 2006-02-20 15:48:30.063829+00 by: aiworks

Actually, Mike, that's the point. After 30-60 days or so, the registrar can be reasonably assured that the charge was valid. The other advantage here is that you have LOTS of choices of registrars. Don't like the policies of a particular registrar (or, for that matter, particular nation where the registrar is located), choose another one. You could even choose a registrar/webhost that made use of a securid token (you know, random number generator on a key fob) for authentication. By pushing up to that level, every web service can benefit and the end user can choose what level of security they're comfortable with.

#Comment Re: made: 2006-02-20 17:54:58.228319+00 by: other_todd

Dan, you might be interested to know I have been using something like the "secret keyword" system for many months now. I get a very high proportion of spam on three domain accounts I can't close entirely, but most spam filters inevitably fail me in some key way, and with those, the traffic is high enough that I can't double-check for spam by eye. So instead for those I use message flagging. Some Froms and Tos get flagged, but the best way to get something hit with the "Hey, actually look at this one" flag is to put a special word in [brackets] in the subject line. I've left instructions on the placeholder site for those domains, and if someone genuinely wants to contact me about those dead sites, and they can't find or follow directions, then I may never read their email. Too bad. But I know a couple of people have found the directions and used them, because I've gotten real mail with the keywords.

I'm tempted to do the same for inu.org, but I feel like I can't reasonably ask people to put in a subject keyword just for daily correspondence - and also that domain does occasionally get valid email from random passers-by who might not know the secret, or manage to find the page with the secret. So for the time being I just filter and walk through two hundred messages in the spam bin every morning, to make sure nothing landed there which is actually important. It's a tad tedious.

#Comment Re: Personal Identifier in Subjects made: 2006-02-24 07:48:53.921652+00 by: Matthew Quinn

Hell, I think it's a great idea.. if for nothing else then at LEAST for finance/commerce sites, like PayPal/eBay/banks.. Spam may cost directly and indirectly so many millions, but phishing is a real direct burn when people are hit by it. Sure, most neterans scoff at the idea of being taken in by a fake bank email, but I've seen some pretty damn impressive fakes and it's not hard to see how net newbies/casual users can be taken in..

The only problem then, is that the same people who would be taken in by an "Important Notice from Bank X" email will probably be just as likely to forget to check for a subject keyword if the email 'sounds' urgent (or assume that because it is an email being sent to all customers and not just them, the keywording is not applicable). Guess what I'm trying to say is that though it would go a long way to helping at least semi-savvy people filter and double-check things, those most likely to fall victim to scams etc would still be in the same boat. :/

One service which I have found to be invaluable is that offered by www.sneakemail.com, which allows you to create randomly generated aliases to your existing address (for example, 6fr74j37@sneakemail.com which will forward to joebloggs@hotmail.com), which provides three major benefits. Firstly, the obvious one, you can delete an alias if it is passed to spammers, and you can also filter each address individually, meaning if you give an alias to fred@stuff.com for him to use, you can set sneakemail.com to drop any mail to that alias not coming from fred's addy, or any email not coming from stuff.com. Secondly, you have an excellent way to track which people/sites have given out your address (well, your alias), and can call them up on it ;) Not only does this mean you can identify unscrupulous sites which sell addresses and warn others away from them, but in at least one instance I was able to bring to an acquaintance's attention the fact that they had been infected/hit with a mass-mailer worm which had extracted my alias address from his book and started spamming it. Lastly, and this is one which has only just occurred to me now but I will actually use very soon now that I think about it, is that you can change your REAL email address/es without having to let everyone else know ;) (because you simply update your sneakemail settings to point to the new addy)

Phew! I didn't actually mean to write that much, but I reckon I'll go copy that somewhere else so I can pull it out again if someone asks me why to use sneak :)

P.S: "Neteran" = Net Veteran

P.P.S: If you give sneakemail 2 bucks a month they have extra features like being able to create nonrandom aliases (which is probably the main one I'd be doing it for) but I've been using it free for almost 2 years now, no worries ;)

- Matthew Quinn