sending the first message

Discussion re sg development. You don't have to be a developer.

sending the first message

Postby josh » Sun Oct 26, 2003 5:37 pm

It's now to the point where the code for the "sending the first message" feature is looking trivial. For me, anyway, though, big challenges remain in user interface -- and mainly in training. I believe the number one risk is that adding this feature will further obscure the biggest advantage that sg has -- auto-create.

I've been thinking about it for awhile, and here's where I am now:

First -- we won't provide a form for sending a message. Instead, we'll provide an email address to send to. The user can click on a mailto: link or copy/paste into the MUA, and from there it'll work just like a reply does now.

What I'm thinking we should do is add a form that asks for:
a) a word
b) a count
c) a domain (eg, spamgourmet.com, xoxy.net, etc.)
e) the 3d party recipient address

Given this info, the UI will

1) a) create a new address record (and its corresponding private key) if the there's no existing address for the word,

or
1) b) refill an existing address up to the supplied count if it does exist -- also changing the domain to the specified domain if necessary.

and
2) use the private key from the new or exisiting address, along with the 3d party recipient address to generate a masking reply address the same way that the mail handler does now.

That address will then be presented to the user as a mailto: as described above. When the user uses it, it'll be handled like a reply is now, so no changes to the mail handler will be necessary. We also avoid the apparently undesirable situation of having email originate at the sg server.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Need to avoid aut account creation

Postby SysKoll » Sun Oct 26, 2003 5:54 pm

Josh,

Sounds like a good implementation. However, in order to avoid scripted account creation, we need to add a feature to new account creation -- namely, the "what's the word in this image" feature we discussed. More later.
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Postby josh » Sun Oct 26, 2003 7:15 pm

you're right about that.

Are there any patent concerns with the image thing? (yes, we could be asking that same question for every line of code we have -- it just seems like I remember something about this)
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Word in image: the CAPTCHA

Postby SysKoll » Mon Oct 27, 2003 1:51 am

Are there any patent concerns with the image thing?


I don't think so. According to www.captcha.net, the "identify word in image" method is used by a plethora of web sites, and nowhere is a patent mentioned. The abundant academic publications on the subject make very good prior art anyway.

I suggest using the prevalent acronym, CAPTCHA, for designating the "identify word in image" method in our forums.

The most widely used program for implementing a CAPTCHA seems to be gimpy. However, it's a bit computationally heavy. I'll do some tests and compare with my ImageMagick-based script.

I propose to write a Perl sub that takes a file name as argument. When the sub returns, the file contains a CAPTCHA image and the return value is the word contained in that image. What do you think?
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Postby Strg-Alt-Del » Tue Oct 28, 2003 6:15 pm

> What I'm thinking we should do is add a form that asks for:
> a) a word
> b) a count
> c) a domain (eg, spamgourmet.com, xoxy.net, etc.)
> e) the 3d party recipient address


Just a proposal ,.... but the possibility to set a "restrict return mails to recipient"- flag would be a nice feature....
Strg-Alt-Del
 

"restrict return mail to recipient"?

Postby SysKoll » Tue Oct 28, 2003 7:41 pm

Just a proposal ,.... but the possibility to set a "restrict return mails to recipient"- flag would be a nice feature....


Can you please elaborate? I'm not sure what you mean.
-- SysKoll
SysKoll
 
Posts: 889
Joined: Thu Aug 28, 2003 9:24 pm

Postby josh » Wed Oct 29, 2003 2:32 am

Like a "set recipient as exclusive sender" checkbox? That would be simple unless there already was an exclusive sender for the address.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby Strg-Alt-Del » Wed Oct 29, 2003 11:29 am

That´s exactly what I mean.

I already noticed, that when I subscribed to a service that I wanted to use (a newsletter), I received spam from different other companies to the same mailadress that I created specially for the purpose mentioned above. It seems to me that some companies give away or trade with mail adresses when they know about your interrests.

In the meantime I became aware of the fact, that the receiver of the first mail is not necessarily the sender of the newsletter (or whatever you ordered). I.e. that means you subscribe to: "admin@xyz.com" and receive the newsletter (or whatever) by "infonews@xyz.com".
A workaround could be that this switch would enable the recipient of the mail AND the sender of the first incoming mail (if it comes from the same domain).

A further checkbox could be added to set the recipient (or the first replier) automatically to a "trusted sender" status.
In that case it would be also possible to create mail adresses like "Iwantyourmail.spamcowboy@xoxy.net". But this makes it necessary to have the option to remove the "trusted sender" status in the advanced mode.


Another :idea: , for the first mail ...
Scenario:

* Write a mail in your mail client of choice as you would do normally (also attachment or pictures included are possible)
* set your own new created mail adress as recipient
* use the spamgourmet-tool on your HD or on the spamgourmet page where you can enter all necessary data as you described in your first post.
* the program or script encrypts the data and produces either a header, footer or attachment that you copy and paste into the mail or attach to the mail
* spamgourmet:
- scans the mails with an formerly unused new adress for such a header/footer or an attachment with a special naming scheme
- decrypts the data and uses them
- removes the spamgourmet header/footer/attachment (so nobody will notice anything unusual)
- forwards the mail according to the attachments informations

Thats it,...first mail sent....


As already mentioned just ideas - maybe helpful, maybe not.


Keep up your excellent work :!:
Strg-Alt-Del
 

Postby Strg-Alt-Del » Wed Oct 29, 2003 12:33 pm

Addendum to "scenario":

1) I forgot to mention that the first mail is created with the mailaccount that is already known by spamgourmet as the forward adress. So it would be necessary to remove the mail adress in the mail header (not the encrypted information header inside the mail) and exchange it by the spamgourmet adress of course.

2) incoming mails with that naming scheme "uvwxyz.spamcowboy@xoxy.net" are treated as spam or unsolicited mail unless there was not an initial mail by the user itself. That means, mailadresses invented by s.o. else like "iloveyou.spamcowboy@xoxy.net" are recognized as fake.
So this is a possibility to prevent abuse from outside.

A side effect would be that you know who the real sender of mails is - and everybody should be aware of this.
So that might be a little protection against people who want to abuse SG for unserious purposes.
Strg-Alt-Del
 

Postby josh » Sat Nov 01, 2003 8:27 pm

btw - this thread hasn't died -- we're working on the captchagen implementation mentioned above, which is a prereq to the first-message feature. I'm pretty much single-tasking...
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby James Day » Sun Nov 09, 2003 10:01 pm

Using images isn't free of patent issues, thought the patent claim appears to be bogus because of extensive prior art. That won't help much if you have to ear the costs of proving that it's invalid, though. Here's one story referencing the patent.

One alternative way to do it is to write javascript which uses document.write to write entity-encoded text. That won't be static and exploits the known reduced havestability of entity encoding so it'll be relatively hard to script an attack on it. You can see an example of the technique at my email address obfuscation page.
James Day
 
Posts: 8
Joined: Sat Aug 30, 2003 1:44 pm


Return to Developers

Who is online

Users browsing this forum: No registered users and 1 guest

cron