
Brad Kingsley's Blog

Spam Volumes

We deal with millions and millions of emails every month - sometimes 1,000,000+ in a single day alone.

Because of the different ways that spammers are constantly trying to get around spam filters, there is still a decent amount of spam that gets considered legitimate and passes through filters. I know for my personal address I have dozens of emails daily that get through to my inbox. That doesn't mean that the spam filters aren't doing a good job - in fact the spam filters block 10x the amount that sneaks through (yes, hundreds daily for my personal account alone).

I was reviewing a report from a couple of days ago and thought I would share the spam/legitimate ratio: Are you surprised to hear that only 17% of the email sent to our clients is legitimate? Remember, that's on the high end, because some spam slips through and gets counted as legitimate. It might only be 15% or so if we did manual email counts.

Wow. 830,000+ of every one million emails sent are spam.

I find it a bit insane that we do not have a reliable solution to the spam problem yet. How about requiring all email to be digitally signed so the sender is 100% confirmed? I bet that would significantly cut the spam levels. Mail servers and/or mail clients could somehow be set to reject any email not signed. Why aren't we doing this?
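To make the "reject anything unsigned" policy concrete, here is an added example (not from the original post) of what a receiving mail server's acceptance check would look like. It uses Ed25519 from Go's standard library; the Message type, the SignMessage helper and the Policy type are stand-ins constructed for this example, and the KnownKeys map plays the role of the certificate authority the post assumes: it is the place where a sender address has been bound to a public key ahead of time. The check covers the From address as well as the body, so a valid signature cannot be replayed under a different sender, and it shows the three ways a message fails: unsigned, sender with no certified key, and signature that does not verify (forged sender or tampered body).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Message is a minimal stand-in for an email: sender address, body, and an
// optional detached signature over both (constructed for this example).
type Message struct {
	From      string
	Body      string
	Signature []byte
}

// signedContent is the byte string the signature covers. Including the From
// address means a signature from one sender cannot be reused under another.
func signedContent(from, body string) []byte {
	return []byte(from + "\n" + body)
}

// SignMessage builds a message signed with the sender's private key.
func SignMessage(priv ed25519.PrivateKey, from, body string) Message {
	return Message{
		From:      from,
		Body:      body,
		Signature: ed25519.Sign(priv, signedContent(from, body)),
	}
}

// Policy is the receiving server's acceptance rule: every message must carry a
// signature that verifies under the key certified for its From address.
type Policy struct {
	// KnownKeys maps a sender address to the public key a trusted authority has
	// bound to it. Populating it is the certificate-authority step; this
	// example assumes it has already happened.
	KnownKeys map[string]ed25519.PublicKey
}

// Accept reports whether the message is delivered, with the reason.
func (p Policy) Accept(m Message) (bool, string) {
	if len(m.Signature) == 0 {
		return false, "rejected: message is not signed"
	}
	pub, ok := p.KnownKeys[m.From]
	if !ok {
		return false, "rejected: no certified key for sender " + m.From
	}
	if !ed25519.Verify(pub, signedContent(m.From, m.Body), m.Signature) {
		return false, "rejected: signature does not verify for " + m.From
	}
	return true, "accepted: signature verified for " + m.From
}

func main() {
	// Constructed keys: alice is certified, the second key belongs to nobody the
	// server knows (a forger trying to send as alice).
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)

	policy := Policy{KnownKeys: map[string]ed25519.PublicKey{
		"alice@example.com": alicePub,
	}}

	genuine := SignMessage(alicePriv, "alice@example.com", "Meeting at 3pm?")
	unsigned := Message{From: "alice@example.com", Body: "Meeting at 3pm?"}
	forged := SignMessage(forgerPriv, "alice@example.com", "Click here for prizes")
	tampered := genuine
	tampered.Body = "Meeting at 3pm? Also wire money to 555."

	for _, m := range []Message{genuine, unsigned, forged, tampered} {
		_, why := policy.Accept(m)
		fmt.Println(why)
	}
}
```

The policy only proves that whoever holds the certified key sent the message; whether that key holder is a spammer is a separate question, which is why the key-to-address binding in KnownKeys has to come from an authority that actually vets senders.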

~Brad Kingsley
ASPInsider, MCSE

http://www.orcsweb.com/
Managed Complex Hosting
#1 in Service and Support

Published Tuesday, May 29, 2007 11:10 AM by Brad

Comments


Ian Lipsky said:

I don't think we're doing it because for whatever reason, someone hasn't managed to figure out how to make money implementing a really effective spam blocking method :) Who would be the signing authority? or would there be no method to validate the digital ID? If anyone could create an ID, then the spammers would just keep making a new ID. If someone does validate it, that means it's going to cost money the same as it does now to get an SSL cert for a webserver. Not to mention implementing this would probably require people to upgrade mail servers.

I'm just waiting for google to implement something like you suggested with gmail. Once they do that, then all the others will copy (and hopefully won't implement a completely proprietary system) gmail. If hotmail, gmail, yahoo and aol all implemented the same system, that would probably account for 90% of the legit email being sent I would think.

May 29, 2007 12:33 PM

Brad said:

As you noted, it would certainly need to come from a well known Certificate Authority.

Of the big 3, it looks like only Verisign charges anything for personal email certificates. Both Comodo and Thawte offer free ones.

http://www.google.com/search?hl=en&q=personal+email+certificate

I agree that if the free email providers set some standards, that would help greatly with the spam issues. I think local ISPs get abused a lot also -- I bet those "have a computer? work from home" signs you see in some cities are often about sending spam :(

~Brad

May 29, 2007 1:36 PM

Ian Lipsky said:

I'd actually be somewhat surprised if those work at home signs were for spamming. Seems like they just steal computer time using worms/bots to do that sort of thing.

The free certs don't seem like they would be very useful for stopping spam. All the free certs seem to require is a valid email address. The spammers have started buying nonsense .info domains just to create valid email addresses for themselves. So relying on this free system would be pointless since the spammers will just keep making email addresses. The only way it would work is if you had a white list of allowed people. If I have to do that, I could do it almost as well without the cert since most of the spam I get is all from bogus email addresses. I rarely, if ever, get email from a forged address of someone I know.

I only looked at thawte, I'm just assuming comodo also just validates your email address.

I think for digital signing to work, they would have to validate your actual identity by viewing some solid ID documentation like a driver's license and SS card or something.

I know thawte has that whole web of trust thing, so maybe that would help if you only accept certs with a certain level of trust.

May 29, 2007 4:37 PM

Brad said:

Excellent points Ian.

May 29, 2007 4:42 PM

Richard said:

One possible solution is to have a whitelist and all email coming from outside of that costs the sender some negligible amount (1 cent, or even a tenth of a cent) to be accepted or it gets bounced.

The cost impact on most legitimate email is negligible, but the cost impact on spammers is high.

By having mail bounce if it comes without payment, you help to alleviate issues for legitimate mass email.

The problem with this type of solution is that it requires near universal acceptance before it is practical for anyone to use - again though, the bounce rather than delete approach does help here as well; from a simple "I don't know you, use pay-mail or contact me by other means to be added to my whitelist" response, to complex solutions like sending back a captcha which represents a one-off key to get an email through.

May 30, 2007 2:09 AM
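The "bounce rather than delete" idea in the comment above, with a one-off key the sender must echo back to get onto the whitelist, is a challenge-response gate. As an added example (not code from the original post or any of the commenters), here is that gate in Go: the Gate type, the Inbound message struct and the token-in-subject convention are all constructed for this illustration, and the random token stands in for the captcha the comment mentions. Mail from a whitelisted sender is delivered; mail from an unknown sender is held and answered with a challenge; a reply carrying the right token whitelists the sender and releases the held mail. Because the challenge goes back to the From address, a spammer using a forged address never sees it, which is what makes the gate effective, and also why such bounces can land on innocent third parties whose addresses were forged, a cost a deployment has to weigh.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Inbound is a minimal stand-in for a received email (constructed for this example).
type Inbound struct {
	From    string
	Subject string
	Body    string
}

// Outcome is what the gate did with a message.
type Outcome int

const (
	Delivered  Outcome = iota // placed in the inbox
	Challenged                // held, and a challenge bounce was sent to the sender
)

// Challenge records a bounce sent to an unknown sender (kept so it can be inspected).
type Challenge struct {
	To    string
	Token string
}

// Gate implements the whitelist with challenge-response for strangers.
type Gate struct {
	allow      map[string]bool      // whitelisted senders
	pending    map[string]string    // outstanding token -> sender it was issued to
	held       map[string][]Inbound // sender -> messages held until they answer
	Inbox      []Inbound            // delivered mail
	Challenges []Challenge          // challenge bounces sent
}

// NewGate creates a gate with an initial whitelist.
func NewGate(whitelist ...string) *Gate {
	g := &Gate{
		allow:   map[string]bool{},
		pending: map[string]string{},
		held:    map[string][]Inbound{},
	}
	for _, s := range whitelist {
		g.allow[s] = true
	}
	return g
}

// newToken returns an unguessable one-off key (64 random bits, hex encoded).
func newToken() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Receive applies the gate's policy to one inbound message.
func (g *Gate) Receive(m Inbound) Outcome {
	// Known sender: deliver directly.
	if g.allow[m.From] {
		g.Inbox = append(g.Inbox, m)
		return Delivered
	}
	// A reply whose subject is an outstanding token, from the address the token
	// was issued to, answers the challenge: whitelist the sender and release
	// whatever was held. The token is single-use.
	if issuedTo, ok := g.pending[m.Subject]; ok && issuedTo == m.From {
		delete(g.pending, m.Subject)
		g.allow[m.From] = true
		g.Inbox = append(g.Inbox, g.held[m.From]...)
		delete(g.held, m.From)
		return Delivered
	}
	// Stranger: hold the message and bounce a challenge to the claimed sender.
	tok := newToken()
	g.pending[tok] = m.From
	g.held[m.From] = append(g.held[m.From], m)
	g.Challenges = append(g.Challenges, Challenge{To: m.From, Token: tok})
	return Challenged
}

func main() {
	g := NewGate("friend@example.com")
	g.Receive(Inbound{From: "friend@example.com", Subject: "hi", Body: "lunch?"})
	g.Receive(Inbound{From: "newcontact@example.org", Subject: "intro", Body: "hello"})
	for _, c := range g.Challenges {
		fmt.Printf("To: %s -- I don't know you; reply with subject %q to be whitelisted\n", c.To, c.Token)
	}
	// The newcomer answers the challenge; their held message is now delivered.
	g.Receive(Inbound{From: "newcontact@example.org", Subject: g.Challenges[0].Token})
	fmt.Println("inbox:", len(g.Inbox), "messages")
}
```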

Ian Lipsky said:

If we resort to a white list, I might as well just create a filter in my mailbox to run a white list for me. And that would be very effective for me because I very, very rarely get an email from a forged email address I know. I would say easily 99.99% of all the spam has a bogus email address.

Also, the problem with the 1 cent thing - who gets the money? Because as soon as you come up with something like that, even with just 1/10 of a cent, that money is going to add up and everyone is going to want a slice of the pie, if not the whole pie. Even if the money goes to the person who is receiving the email, someone is going to have to hold onto that money. Not to mention it adds a whole new layer of complexity and security. You have to be able to communicate with whatever server will handle the transaction and it would have to be done securely to prevent someone from stealing money from someone's account.

I think it's a good idea in that it will kill the spammers. But I also hate the idea because right now email doesn't cost me anything. And once you introduce a fee - well, I think that just opens the door to more fees and rate hikes etc.

I suppose death by firing squad to spammers isn't an option huh? :)

May 30, 2007 5:49 PM

kevstelo said:

I think I've read something similar a few days ago. I don't remember where, might have been on digg.com or slashdot.

June 11, 2007 7:53 AM