# End of robo calls? What about the end of spam mail?

#### spinnaker

Joined Oct 29, 2009
7,835
This is great news!

https://robocalllawsuit.com/stir-shaken/

I am on Verizon and they are supposed to be implementing this by the end of the year.

I have often wondered why they could not solve this issue with email too. Seems it would be easy to have to have a certificate supplied by one of the certificate authorities. If you don't have a certificate that matches your email then email servers stop passing your mail. If you misuse the certificate by spamming then your certificate gets revoked. I have been wondering for years why something like this has not been implmented.

#### Aleph(0)

Joined Mar 14, 2015
597
This is great news!

https://robocalllawsuit.com/stir-shaken/

I am on Verizon and they are supposed to be implementing this by the end of the year.

I have often wondered why they could not solve this issue with email too. Seems it would be easy to have to have a certificate supplied by one of the certificate authorities. If you don't have a certificate that matches your email then email servers stop passing your mail. If you misuse the certificate by spamming then your certificate gets revoked. I have been wondering for years why something like this has not been implmented.
Hi Spinniker! Happy to see you back on here again!

So abt article, I say sad thing is it's voluntary action by Telecoms instead of regulatory mandate by FCC, FTC and whoever! So like _in 5 years things might be better_ Give me a break! Govt needs to work for citizens! Which in this case means Telcos should be given six months MAX to get in line after which vry heavy per diem noncompliance fines are levied (which by codification could not be passed along to subscribers)! Also cuz most of those calls are attempts 2 defraud it should be in criminal (instead of civil) jurisdiction with telecoms being accessories b4 during and after the fact! So I get it that _the system_ (by which I mean tort and CJS) babies business for sake of the economy but I say end NEVER justifies means!

#### barretbronte

Joined Oct 29, 2018
1
If someone can solve the problem that is spam emails, they deserve all of the medals and all of the money!

#### WBahn

Joined Mar 31, 2012
26,451
This is great news!

https://robocalllawsuit.com/stir-shaken/

I am on Verizon and they are supposed to be implementing this by the end of the year.

I have often wondered why they could not solve this issue with email too. Seems it would be easy to have to have a certificate supplied by one of the certificate authorities. If you don't have a certificate that matches your email then email servers stop passing your mail. If you misuse the certificate by spamming then your certificate gets revoked. I have been wondering for years why something like this has not been implmented.
Not nearly as easy as you might think.

Remember what these certificates are intended for -- to let the recipient authenticate that the particular e-mail in question was sent from whom it claims to have been sent by. It says nothing about whether you wanted to receive anything from that sender nor, and here's the killer, does it impact your ability to receive other e-mails from other senders who don't have certificates. But if the e-mail servers are going to do what you suggest, then every e-mail sender is going to have to have a certificate -- and it's not just a matter of a certificate authority supplying certificates en mass since that would do absolutely nothing.

Are you willing to pay and go through the hassle of providing acceptable documents so that the CA can verify your identity before issuing a certificate just so that you can send e-mails to your child and similarly do that for your child so that they can reply to you? The system you are describing will only work if EVERY e-mail sender has a VETTED certificate that is kept current. At the very basic low end you are talking about something around $60/year per person per e-mail address (and I doubt that this level of certificate would suffice). How many people would be willing to pay that? What about those that can't afford to? Is it going to become government's job to subsidize their e-mail certificates? Now look at it from the spammer's perspective. As long as they can get new certificates do they really care if their old one's get revoked? What if they have to purchase a higher level certificate costing$250/year at the rate of one a day. Would that additional cost be likely to make them stop spamming, or would they just shrug at an additional \$250 a day cost and simply keep applying for new certificates figuring that each one is only going to be usable for a short period of time before it gets revoked. I doubt it would get revoked in a single day, so each one would probably be usable for quite a bit longer. If the spammers see it as an acceptable cost of doing business, then the vetting process would have to be thorough enough to delve into the identity of the applicant deep enough to determine that they are affiliated with a proscribed entity -- and that means that EVERY certificate applicant would have to be vetted that deeply (with the corresponding price tag), including each member of your household for each e-mail address and on a recurring basis.

#### Alec_t

Joined Sep 17, 2013
12,897
I think one way of cutting out a lot of the junk/spam/scam phone calls and emails would be to make all telcos levy a small charge per call/email, rather than have the present system where fixed price subscriptions allow unlimited calls/emails per subscription period.

#### barretbronte

Joined Oct 29, 2018
1
I think one way of cutting out a lot of the junk/spam/scam phone calls and emails would be to make all telcos levy a small charge per call/email, rather than have the present system where fixed price subscriptions allow unlimited calls/emails per subscription period.
Although I don't disagree with what you are suggesting in theory, in practice I think a lot of people would feel that this is reversing back in time a little bit to older telco subscriptions which people hated

#### Aleph(0)

Joined Mar 14, 2015
597
I think one way of cutting out a lot of the junk/spam/scam phone calls and emails would be to make all telcos levy a small charge per call/email, rather than have the present system where fixed price subscriptions allow unlimited calls/emails per subscription period.
Alec_t that would definitely help a lot! But I also say aggressive investigation of spam/fraudulent messaging and criminal prosecution of spammers plus holding non-compliant ISPs/Teleco's responsible as criminal accessories is absolutely necessary to solution!

I think a lot of people would feel that this is reversing back in time a little bit to older telco subscriptions which people hated
Barretbronte all I can say is as it stands telephone and E are getting totally useless! Fees would only need 2b applied to high-volume mailings/calls which wouldn't affect most honest subscribers at all!

#### spinnaker

Joined Oct 29, 2009
7,835
I think one way of cutting out a lot of the junk/spam/scam phone calls and emails would be to make all telcos levy a small charge per call/email, rather than have the present system where fixed price subscriptions allow unlimited calls/emails per subscription period.

How would that work? Nothing is going to prevent a spammer from hosting their own mail server.

#### spinnaker

Joined Oct 29, 2009
7,835
Alec_t that would definitely help a lot! But I also say aggressive investigation of spam/fraudulent messaging and criminal prosecution of spammers plus holding non-compliant ISPs/Teleco's responsible as criminal accessories is absolutely necessary to solution!
They can't keep hackers at bay. How are they going to control the spammers?

As for hackers, I am surprised that with so much money that is at risk at these large companies they are hiring mercenaries to go in and capture these people or even worse.

#### Alec_t

Joined Sep 17, 2013
12,897
Nothing is going to prevent a spammer from hosting their own mail server.
At some point the traffic will be routed via an ISP/telco/authority with the ability to recognise and charge for it.

#### djsfantasi

Joined Apr 11, 2010
8,394
This is great news!

https://robocalllawsuit.com/stir-shaken/

I am on Verizon and they are supposed to be implementing this by the end of the year.

I have often wondered why they could not solve this issue with email too. Seems it would be easy to have to have a certificate supplied by one of the certificate authorities. If you don't have a certificate that matches your email then email servers stop passing your mail. If you misuse the certificate by spamming then your certificate gets revoked. I have been wondering for years why something like this has not been implmented.
The problem is that certificates were never intended to verify identity. They are used to encrypt data communications between two sites. It’s a non-trivial task to copy your certificate and fire up my own fake server that pretends to be you!

There was an effort to create a database of mail servers and IP addresses. But for that approach to work, a massive infrastructure change is necessary. There is an insufficient population for it to be an effective weapon. And it significantly increases traffic, as for each email, several transactions over the internet would be necessary. Just the introduction of this scheme caused many headaches (Talk to me, I know!)

IMHO, without some compelling new transport is forced on the entire Internet, this spam problem will not go away.

#### spinnaker

Joined Oct 29, 2009
7,835
The problem is that certificates were never intended to verify identity. They are used to encrypt data communications between two sites. It’s a non-trivial task to copy your certificate and fire up my own fake server that pretends to be you!

There was an effort to create a database of mail servers and IP addresses. But for that approach to work, a massive infrastructure change is necessary. There is an insufficient population for it to be an effective weapon. And it significantly increases traffic, as for each email, several transactions over the internet would be necessary. Just the introduction of this scheme caused many headaches (Talk to me, I know!)

IMHO, without some compelling new transport is forced on the entire Internet, this spam problem will not go away.

They are used for identity all the time. The certificate guarantees what the connection is at the other end. We used certificates on client browsers. The certificate was used as another level of authentication.

Though I do see your point on setting that all up.

#### Aleph(0)

Joined Mar 14, 2015
597
As for hackers, I am surprised that with so much money that is at risk at these large companies they are hiring mercenaries to go in and capture these people or even worse.
Spinnaker I say who knows? Maybe they are! Not everything makes the news, u know! Being totally serious I SO want to believe it!

So anyhow it's prolly international nature of problem that makes it hard 2 deal with through like _conventional channels_ (so just as another example N. Korean counterfeiting US currency) so I say USA's _Mr. Nice Guy_ image (whether deserved or not) needs 2b reversed! Double ditto for the other English _spin-off_ societies

#### djsfantasi

Joined Apr 11, 2010
8,394
They are used for identity all the time. The certificate guarantees what the connection is at the other end. We used certificates on client browsers. The certificate was used as another level of authentication.

Though I do see your point on setting that all up.
My point was they were NOT INTENDED to verify identity. They are simple to spoof, thus anyone can appear to be you. Useless for verifying identity. The certificate allows two nodes to talk to each other with an encrypted conversation. It doesn’t prove the identity of either node. This was my career for twenty+ years and I’m sure of my position.

#### spinnaker

Joined Oct 29, 2009
7,835
My point was they were NOT INTENDED to verify identity. They are simple to spoof, thus anyone can appear to be you. Useless for verifying identity. The certificate allows two nodes to talk to each other with an encrypted conversation. It doesn’t prove the identity of either node. This was my career for twenty+ years and I’m sure of my position.

Well not sure how our security department allowed us to use this as another factor of authentication then. This site contained a lot of sensitive information and our security department is brutal when it comes to making sure sites are secure.

#### djsfantasi

Joined Apr 11, 2010
8,394
Well not sure how our security department allowed us to use this as another factor of authentication then. This site contained a lot of sensitive information and our security department is brutal when it comes to making sure sites are secure.
I bring this up only to illustrate where I am coming from.

Our security department banned this for authentication. We were a Level I PCI DSS provider. PCI DSS is the standard for being certified to process credit card transactions. Level I is the same level of security imposed on financial institutions, such as banks.

Not specifically addressing your environment, but I once audited a government contractor providing services to the military. They passed their security audit, but I was able to access everything from anywhere in the world. IMHO, not all security departments are created equal.

#### WBahn

Joined Mar 31, 2012
26,451
My point was they were NOT INTENDED to verify identity. They are simple to spoof, thus anyone can appear to be you. Useless for verifying identity. The certificate allows two nodes to talk to each other with an encrypted conversation. It doesn’t prove the identity of either node. This was my career for twenty+ years and I’m sure of my position.
I'm pretty sure they WERE intended to verify identity, they just are seldom USED that way.

When someone sends you their certificate you can use the information in it to verify the information as authentic be checking it's signature from the issuing certificate authority. You can walk back up that chain all the way to the root-level CA.

But that's a hassle, especially since many sites don't maintain their certificates, so if you configure your browser to not connect to sites that can't be authenticated you find that you can't connect to very many sites (including some really big names). So most people disable that feature (usually by clicking a button that says something like, "Connect anyway").

Now, if sites HAD to maintain their certificates in order to send e-mail, they probably would. But EVERYONE that sends e-mail would have to do so, not just large companies. I don't think most people are going to be willing to do that.

As for the added bandwidth, it would be significant. But I also suspect that things could adapt pretty readily and that a system similar to DNS would be set up specifically for providing CA public keys. In fact, it might even just be added onto the existing DNS service.