
Apple wants to stop, track down spammers with automated disposable email addresses - Page 2

post #41 of 69
Amazing to see that Apple is considering the same thing that is just now launching!

Go see ningo.me / beat.apple to find the implementation of this "transparent disposable email address system". It is in its early stages, but is way more powerful: you can even require a "postage" for sending you email - which will reduce the spam (or even irrelevant non-sense from your friends...) even more.

As for spamgourmet: that is not an adequate system at all: as soon as you reply to a message, your real address is disclosed. Not so at ningo.me.
post #42 of 69
Quote:
Originally Posted by shompa View Post

I wish that Apple at least started to do what Google does with Gmail: Cache all pictures and stuff on their own servers.

Today most spam gets validation thru HTML mail. Having picture/links cached on local servers stops this.

I understand that Google does this because THEY want to data mine the stuff instead. In Apple's case: I trust them more, since they don't make their money from advertising/data mining.

Doesn't really help, because real spammers, the ones you want to defend against, they don't use fixed resource URLs but resource query URLs that have an identifier of the precise message (and thus email address) that the query comes from.

So instead of something like

http://www.somehost.tld/images/someImage.jpg

you have something like

http://www.somehost.tld/resourcequery.cgi?messageid=1234567890abcdef&resource=someImage&resourcetype=jpg

or some significantly more convoluted query that may even obfuscate the variables and values such that without knowledge of their database structure you can't view the image without revealing yourself.
For this reason remote images should NEVER be automatically loaded except for explicitly trusted senders that are checked with sender domain keys (otherwise it's easy to spoof the envelope and make it look like you yourself or someone from your domain sent the message which would likely result in the sender being falsely classified as trusted).
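Added example (not part of the thread and not any poster's code): a sketch of the rule in post #42, where remote images load only when the From domain is on an explicit trust list and is also the domain that passed DKIM. The function names, the trust list and the sample headers are constructed; the image URL is the one quoted in the post.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of sender domains the user has explicitly trusted.
TRUSTED_DOMAINS = {"bank.example"}


class RemoteImageFinder(HTMLParser):
    """Collect every <img src> that would cause a network fetch when rendered."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        src = (dict(attrs).get("src") or "").strip()
        # cid: and data: images travel inside the message; only http(s) and
        # scheme-relative URLs contact the sender's server.
        if urlsplit(src).scheme in ("http", "https") or src.startswith("//"):
            self.remote.append(src)


def dkim_pass_domains(auth_results):
    """Signing domains (header.d) reported as dkim=pass in an
    Authentication-Results header. Only a header added by your own
    receiving server should be passed in here."""
    domains = set()
    for clause in auth_results.split(";")[1:]:  # element 0 is the authserv-id
        tokens = clause.split()
        if tokens and tokens[0].lower() == "dkim=pass":
            for tok in tokens[1:]:
                if tok.lower().startswith("header.d="):
                    domains.add(tok.split("=", 1)[1].lower())
    return domains


def image_policy(from_header, auth_results, html):
    """Return (load_remote, remote_urls) for one message."""
    finder = RemoteImageFinder()
    finder.feed(html)
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    # The From domain must be trusted AND be the domain that signed the
    # message; a forged From line alone never unlocks image loading.
    trusted = (domain in TRUSTED_DOMAINS
               and domain in dkim_pass_domains(auth_results))
    return trusted, finder.remote


# Constructed sample body: one inline image and the per-message query URL.
SAMPLE_HTML = (
    '<p>Hello</p><img src="cid:logo123">'
    '<img src="http://www.somehost.tld/resourcequery.cgi'
    '?messageid=1234567890abcdef&amp;resource=someImage&amp;resourcetype=jpg">'
)
# Constructed messages: same From line, different signing domain.
SPOOFED = ("Your Bank <alerts@bank.example>",
           "mx.example.net; dkim=pass header.d=bulk-sender.example; spf=pass",
           SAMPLE_HTML)
GENUINE = ("Your Bank <alerts@bank.example>",
           "mx.example.net; dkim=pass header.d=bank.example; spf=pass",
           SAMPLE_HTML)

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        load, urls = image_policy(*msg)
        print(name, "load remote images:", load, "remote URLs:", len(urls))
```

The finder only looks at `<img src>`; CSS backgrounds and `srcset` would need the same treatment in a real mail client.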
post #43 of 69
Quote:
Our Locked Addresses feature is not patented because I am philosophically opposed to software patents.

Amusingly, I used the Locked Addresses feature to sign up to Apple Insider. If they sell my email address, I'll know about it!

 

@dskoll: thanks a lot for your actions! I perfectly agree on the philosophical level.

 

However, your canit product looks a bit older than the brand-new ningo.me... ningo.me is also rather targeted at the mass market than businesses.

post #44 of 69
Quote:
Originally Posted by PhilBoogie View Post

This is so obvious that I'd expected it earlier. Still, great if they implement such a system. I used to create a gmail (sic) account if I ordered something online, and delete the account from Mail once delivered. As good as gmail is at getting rid of spam, I moved on, because, well, gmail is still Google after all.

 

@PhilBoogie

 

When I thought up the idea behind ningo.me 5 years ago - and ever since - I also wondered why no-one else would go after this since it seemed so obvious. At ningo.me, in addition to this transparent disposable email address business, you can levy a postage on your addresses.

 

So instead of deleting your flooded address: just put a postage on it and make money if those spammers (or unwanted followers...) still want to reach you!

post #45 of 69
Quote:
Originally Posted by dskoll View Post

@Tallest Skil:

Our Locked Addresses feature is not patented because I am philosophically opposed to software patents.

Secondly, under patent law, prior art does not need to be patented. You merely need to show that an invention has been invented and published before the filing date.

 

Hasn't that changed in the US now? I understand it's now first-to-file. Not a patent lawyer myself though!

post #46 of 69
I've done this for years, all it takes is $8 a year to own your own domain, and have your provider forward all mail sent to that domain to a specific mailbox. Then you can assign someone an e-mail address in that domain and if they contaminate it, mark that e-mail to go to /dev/null or just not go to you and you'll never see it again.

So instead of george@thisisanexample.com I use george02142014@thisisanexample.com, and any mail going to any address at thisisanexample.com goes to wxtr7736@gmail.com, and if someone passes around george02142014 then I can send that to nowhere or just discard it.

I use one regular address but what I do is add a date/time code at the end, and I can see if someone is shopping it around. Another thing I did is that I'm on a U.S. Highway, so instead of listing my street name in the Internet records, I list the highway. So if I get mail addressed to 17704 U.S. Route 301 instead of 17704 Main Avenue, I know they're trolling the Whois system for mailing addresses to send junk mail. (Note, this is not my real address or real e-mail.)
Edited by Paul Robinson - 2/14/14 at 6:11am
The lessons of history teach us - if they teach us anything - that no one learns the lessons that history teaches us.
post #47 of 69
Quote:
Originally Posted by ItsTheInternet View Post

 

Hasn't that changed in the US now? I understand it's now first-to-file. Not a patent lawyer myself though!

 



The US has changed to first-to-file to be in line with most other jurisdictions. However, the first-to-file rule applies to priority for obtaining a patent.

To prove prior art, you only need to show that the claimed invention has been used and disclosed prior to the patent filing date. In particular, prior art does not have to be patented. It merely has to have been disclosed.
post #48 of 69
Quote:
Originally Posted by luzi View Post

However, your canit product looks a bit older than the brand-new ningo.me

 



Well, yes. Our product is much older than the one you are advertising. But that's a good thing... the older the better if you're trying to prove prior art.
post #49 of 69
Quote:
Originally Posted by Paul Robinson View Post


I use one regular address but what I do is add a date/time code at the end, and I can see if someone is shopping it around.



That is an adequate but flawed implementation. Our implementation generates random addresses with a cryptographically-strong random number generator. For true security, you need two things: (1) the disposable email address must be very hard to guess or predict, and (2) it must provide no clue as to the real email address behind it. Your implementation fails (2). I suspect Apple's fails (1) because of the limited randomization in their address generator.

Our implementation also lets you decide how strict to make the address. Should it lock to one specific sender? Or just to a domain? Or should several senders and domains be allowed to use it? And if the lock is violated, should the mail be rejected or simply quarantined for review? These fine-grained settings let you adjust the system's behavior for each situation.
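Added example (not the poster's product code, and not from the thread): a sketch of the two requirements and the lock settings described in post #49, with aliases drawn from the OS CSPRNG and a per-alias sender/domain lock that rejects or quarantines on violation. Class and field names are hypothetical, the addresses are constructed, and binding the lock on first use is an assumption of this sketch.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class LockedAddress:
    owner: str                         # real mailbox; never encoded in the alias
    lock: str = "sender"               # what first use binds to: "sender" or "domain"
    on_violation: str = "quarantine"   # or "reject"
    senders: set = field(default_factory=set)
    domains: set = field(default_factory=set)


class LockedAddressTable:
    def __init__(self, domain):
        self.domain = domain
        self.table = {}                # alias -> LockedAddress

    def create(self, owner, **policy):
        # 80 bits from the OS CSPRNG: (1) not guessable or predictable, and
        # (2) carries no trace of `owner`, unlike a name+date alias.
        alias = f"{secrets.token_hex(10)}@{self.domain}"
        self.table[alias] = LockedAddress(owner, **policy)
        return alias

    def allow(self, alias, sender=None, domain=None):
        """Widen a lock so several senders or domains may use the alias."""
        entry = self.table[alias]
        if sender:
            entry.senders.add(sender.lower())
        if domain:
            entry.domains.add(domain.lower())

    def route(self, rcpt, sender):
        """Return (action, mailbox) for one incoming message.

        `sender` is assumed to be an identity the receiving server has
        already authenticated; a bare envelope address can be forged.
        """
        entry = self.table.get(rcpt.lower())
        if entry is None:
            return ("reject", None)    # no catch-all: unknown aliases bounce
        sender = sender.lower()
        sender_domain = sender.rpartition("@")[2]
        if not entry.senders and not entry.domains:
            # First use binds the lock (assumption of this sketch).
            if entry.lock == "domain":
                entry.domains.add(sender_domain)
            else:
                entry.senders.add(sender)
        if sender in entry.senders or sender_domain in entry.domains:
            return ("deliver", entry.owner)
        if entry.on_violation == "reject":
            return ("reject", None)
        return ("quarantine", entry.owner)


def demo():
    """Constructed walk-through: one domain-locked alias, one sender-locked."""
    table = LockedAddressTable("relay.example")
    shop = table.create("george@home.example", lock="domain")
    forum = table.create("george@home.example", on_violation="reject")
    return [
        table.route(shop, "news@shop.example"),      # binds to shop.example
        table.route(shop, "billing@shop.example"),   # same domain
        table.route(shop, "offers@bulk.example"),    # address was passed on
        table.route(forum, "admin@forum.example"),   # binds to this sender
        table.route(forum, "ads@forum.example"),     # different sender
    ]


if __name__ == "__main__":
    for action, mailbox in demo():
        print(action, mailbox)
```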
post #50 of 69
Quote:
Originally Posted by dskoll View Post

Well, yes. Our product is much older than the one you are advertising. But that's a good thing... the older the better if you're trying to prove prior art.

 

Hey @dskoll: Of course you are right! That's exactly why I am thankful you already implemented this so soon!

 

Let me know if I can support you in any way!

post #51 of 69
Quote:
Originally Posted by Paul Robinson View Post

I've done this for years, all it takes is $8 a year to own your own domain, and have your provider forward all mail sent to that domain to a specific mailbox. Then you can assign someone an e-mail address in that domain and if they contaminate it, mark that e-mail to go to /dev/null or just not go to you and you'll never see it again.

So instead of george@thisisanexample.com I use george02142014@thisisanexample.com, and any mail going to any address at thisisanexample.com goes to wxtr7736@gmail.com, and if someone passes around george02142014 then I can send that to nowhere or just discard it.

I use one regular address but what I do is add a date/time code at the end, and I can see if someone is shopping it around. Another thing I did is that I'm on a U.S. Highway, so instead of listing my street name in the Internet records, I list the highway. So if I get mail addressed to 17704 U.S. Route 301 instead of 17704 Main Avenue, I know they're trolling the Whois system for mailing addresses to send junk mail. (Note, this is not my real address or real e-mail.)

 

The main flaw I see in this approach again is that with your first reply, you disclose your "true" address.

 

Not so with ningo.me, where you stay behind your "disposable" address as long as you like.

post #52 of 69
Quote:
Originally Posted by dskoll View Post


To prove prior art, you only need to show that the claimed invention has been used and disclosed prior to the patent filing date. In particular, prior art does not have to be patented. It merely has to have been disclosed.

 

I think this is one reason some companies regularly leak details of what projects they are up to. By regularly reporting on your progress, you reduce the risk that someone else comes up with a similar product in the same time frame, gets a broad patent, and renders your effort wasted.


Edited by d4NjvRzf - 2/14/14 at 7:57am
post #53 of 69
Quote:
Originally Posted by d4NjvRzf View Post

 

I think this is one reason some companies regularly leak details of what projects they are up to. By regularly reporting on your progress, you reduce the risk that someone else comes up with a similar product in the same time frame, gets a broad patent, and renders your effort wasted.

 



Well, it's a dangerous strategy. If you disclose an invention more than six months (I believe... maybe a year) before applying for a patent, you can no longer patent the invention. We disclosed our invention because we had no intention of trying to patent it. Generally, if a company thinks it has a patentable invention, it stays very quiet about it until the patent application is filed.

post #54 of 69
A semi-easy way to do the same thing with gmail is to use their plus sign system.

If your email address is myemail@gmail.com, you can give one site an email address like myemail+amazon@gmail.com and another myemail+iffy@gmail.com. All of them are aliases to the same account.

If the "iffy" account starts sending spam, you can setup a gmail filter to zap it.
post #55 of 69
Quote:
Originally Posted by ahmlco View Post

If the "iffy" account starts sending spam, you can setup a gmail filter to zap it.

Can't you simply delete the alias instead?
"Fibonacci: As easy as 1, 1, 2, 3..."
post #56 of 69

Phil, it's not a true alias in the traditional sense of the word. You create the "alias" on the fly and you can have as many of them as you wish.

 

Google will ignore anything after the plus and before the at sign, so you can make up anything you want when you're entering an email on a site. 

 

myemail+spam@gmail.com

myemail+junk@gmail.com

myemail+lists@gmail.com

myemail+work@gmail.com

myemail+twitter@gmail.com

post #57 of 69
Quote:
Originally Posted by ahmlco View Post

Phil, it's not a true alias in the traditional sense of the word. You create the "alias" on the fly and you can have as many of them as you wish.

Google will ignore anything after the plus and before the at sign, so you can make up anything you want when you're entering an email on a site. 

myemail+spam@gmail.com
myemail+junk@gmail.com
myemail+lists@gmail.com
myemail+work@gmail.com
myemail+twitter@gmail.com

I see. So if this is common knowledge a spambot could simply delete the +something part out of a gmail address and still fill your inbox.
"Fibonacci: As easy as 1, 1, 2, 3..."
post #58 of 69
I don't understand how this can be considered a new idea.

My domain service provider already does this with a "catch all" account. I set up a new email with an asterisk as the email name (i.e. *@mydomain.com). I either set this new email up with its own email box, or I forward it to my normal email address. After that, I can make up any email address I want (i.e. junkmail@mydomain.com or appleinsiderjunk@mydomain.com). The email then gets forwarded to the "catch-all" email box.

Using this, I can sign up for a service on line, say to wxyz company, using the email wxyz@mydomain.com. The email comes in to my catch all email box whereby I immediately validate or verify it. After that I can forget about it. As a matter of fact, I generally have a rule set up to delete all emails in this catch all email box after 7 days. Set it and forget it. If I use the company name as the email name I can then instantly know whom they are selling or trading the email address to.

If I don't want to hassle with the extra "catch all" email box, I set the catch all service up to forward the email to my regular email address. All I do then is to add a unique set of characters to the email address and set Outlook to forward that email to my regular email account's junk folder. For example... appleinsiderjunkqqq@mydomain.com. This one-time use email gets grabbed by my provider's catch all email account, gets sent to my regular email where the 'qqq' triggers the Outlook rule I set up to send it to the junk folder. Done deal. It requires all of 2 minutes to set up the first time after which no additional work is ever needed and I can create as many one-time or multiple time 'disposable' emails as I like whenever I like.

And Apple is getting a patent for something almost exactly like this? I guess it pays to afford good lawyers.
post #59 of 69
Quote:
Originally Posted by tkainz View Post


Nice Post until:

And Apple is getting a patent for something almost exactly like this? I guess it pays to afford good lawyers.

I would say it pays to afford yourself the time to read the patent and see how it differs from what's available with your own domain... something that not everyone has or wants to set up... and thus looking foolish with stupidity following a pretty decent post.
Knowing what you are talking about would help you understand why you are so wrong. By "Realistic" - AI Forum Member
post #60 of 69
Quote:
Originally Posted by ThePixelDoc View Post

Quote:
Originally Posted by tkainz View Post


Nice Post until:

And Apple is getting a patent for something almost exactly like this? I guess it pays to afford good lawyers.

I would say it pays to afford yourself the time to read the patent and see how it differs from what's available with your own domain... something that not everyone has or wants to set up... and thus looking foolish with stupidity following a pretty decent post.

Windows and Android users don't want to read through the details of the patents. The trigger words of Apple and patent just set off the immediate reaction: 'someone else did it first', 'this isn't innovative', 'obvious', 'LG Prada, LG Prada', 'hey, that's just a rectangle'. It's an affliction:

post #61 of 69
It's not a new idea. 15 years ago, those of us with our own domain names would use a wildcard alias to generate unique addresses for everyone and filter them through Procmail on the mail server. And you can do this now with GMail. Add a string to your username with a +. It only works because nobody does it, so spam software probably won't strip the string off.
post #62 of 69
Quote:
Originally Posted by JohnH View Post

It's not a new idea. you can do this now with GMail. Add a string to your username with a +. It only works because nobody does it, so spam software probably won't strip the string off.

It would be funny if it wasn't so annoying. A Windows user, clearly not reading the patent, signing up to an Apple forum to express an objection, even waited 2 years for the right moment.

The patent mentions systems that append characters to the left side of a standard email address. Some services don't allow you to use characters like + in the email address so the system breaks down. Even with systems that allow the addresses, they can strip off the characters and get your actual email.

Here's a recent patent by Samsung ( found via http://www.latestpatents.com/samsung-patent-applications-published-on-13-february-2014/ ):

http://appft1.uspto.gov/netacgi/nph-Parser?p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PG01&s1=20140047474.PGNR.

"IMAGE PROCESSING APPARATUS AND CONTROL METHOD THEREOF

a set-top box belongs to this kind of image processing apparatus. The image processing apparatus which includes the display panel displays an image on its display panel, based on the processed image signal. An example of this kind of image processing apparatus is a TV or a monitor.

Even if image processing apparatuses are identical models, the environment in which users use the image processing apparatuses is different."

I won't bother reading the rest of it but I will say this: OMG, Samsung's trying to patent the set-top box. Obvious! Prior art! It's just a rectangle. They're trying to avoid competition with patents - they should innovate, not litigate. Wait, I have to sign up to an Android or Windows forum first and tell them this.
post #63 of 69
Quote:
Originally Posted by Marvin View Post

I won't bother reading the rest of it but I will say this: OMG, Samsung's trying to patent the set-top box. Obvious! Prior art! It's just a rectangle. They're trying to avoid competition with patents - they should innovate, not litigate. Wait, I have to sign up to an Android or Windows forum first and tell them this.

Don't worry, some Android users like me are anti patents pretty much in general :-)

 

I can't stand the idea of state enforced monopolies on ideas granted to some of the biggest companies in the world. Patents only make sense to me when it's a tiny company vs a huge company and that's almost never the case.

post #64 of 69
Quote:
Originally Posted by Marvin View Post

It would be funny if it wasn't so annoying. A Windows user, clearly not reading the patent, signing up to an Apple forum to express an objection, even waited 2 years for the right moment.

I don't think that Procmail runs on Windows.  It does on OS X, though.

 

I am not at all objecting.  I think it's a great idea, and I think it would be good for Apple to have the patent.  I was just saying that the practice has been around a long time, not that it invalidates the patent.  Apple's patent seems to be much improved over the manual methods and simple scripts used since the 90s.  The original article, itself, says that people are already doing this; I was just saying that it started a long time ago, rather than something recent, although nobody has successfully developed it as an integrated system for widespread commercial application, AFAIK.

 

Your ability to quote out of context rivals that of creationists.  Yes, leave out the mention of Procmail so I look like a stupid Windows user.  Actually, I mentioned GMail with my tongue in my cheek as an afterthought to my main point, which you conveniently deleted, connecting one statement to another without the part in between, and I was hardly implying that the GMail solution is as good as Apple's.  If it was, then everyone would already be using it, but as I said before, they don't, with good reason.  As I said, and you repeated, spammers can simply strip the extra string off, for one thing.

post #65 of 69
Quote:
Originally Posted by ItsTheInternet View Post

Don't worry, some Android users like me are anti patents pretty much in general :-)

That's what they all say but naturally this site discusses Apple patents so that's the ones we always hear the criticism of. When it comes round to one of Google's or Samsung's patents being invalidated, the people who complain about Apple's ones usually change their view on patents.
Quote:
Originally Posted by JohnH 
I was just saying that the practice has been around a long time, not that it invalidates the patent.

Your mention that it's not a new idea implies the patent is worthless. Unless it's new, it's not patentable. The idea being the details provided and not the concept. People object to the originality of the general concept but that's rarely what the patent claims.
Quote:
Originally Posted by JohnH 
I mentioned GMail with my tongue in my cheek as an afterthought to my main point, which you conveniently deleted, connecting one statement to another without the part in between, and I was hardly implying that the GMail solution is as good as Apple's.

I see, your reference about GMail was to Procmail, not the patent directly. It sounded like you were suggesting the same about both, i.e. it's not new, Procmail did it 15 years ago, now GMail does it. Omitting the Procmail part doesn't seem to change the overall statement that it's not new.

Now this guy here says he implements a system already:
Quote:
Originally Posted by dskoll 
Amusingly, I used the Locked Addresses feature to sign up to Apple Insider. If they sell my email address, I'll know about it!

That is pretty funny. If Apple's system doesn't do any more than this then the patent likely won't hold up. But Apple doesn't always use patents as an offensive measure either, that's another assumption. They use them in defense of patent trolls. Google's dealing with one right now:

http://arstechnica.com/tech-policy/2014/01/court-orders-google-to-pay-1-36-of-adwords-revenue-for-infringing-patents/

That's why big companies patent as much as they can get away with. If they don't then you get greedy non-practising entities that do patent them and they wait until someone else builds the infrastructure to make money and they steal a cut while contributing nothing. The more that Apple and Google have run-ins with patent trolls, the more they've ramped up their purchasing and filing of patents. Who knows where it's going to end. There needs to be protection for both big companies from NPEs and protection for small companies who do have genuinely original ideas from big companies that use it without rewarding them.

If they all expire within a certain timeframe then big companies like Samsung could outlast smaller ones:

http://www.theguardian.com/technology/2014/feb/17/samsung-dyson-vacuum-cleaner-patent-copyright

If they don't exist at all then a first product taken to market can be easily replicated by a big company.
post #66 of 69
Quote:
Originally Posted by ahmlco View Post
 

Phil, it's not a true alias in the traditional sense of the word. You create the "alias" on the fly and you can have as many of them as you wish.

 

Google will ignore anything after the plus and before the at sign, so you can make up anything you want when you're entering an email on a site. 

 

myemail+spam@gmail.com

myemail+junk@gmail.com

myemail+lists@gmail.com

myemail+work@gmail.com

myemail+twitter@gmail.com

 

I do something similar. Of course, sophisticated spammers could remove the +keyword part from the user+keyword@domain.tld format address, but since few people do this, it works rather well.

Of course, one could start using encrypted front-parts for e-mail addresses, so only the mail server could then transform upon receipt something like 234ae9534da2342cf1234fa0@domain.tld back into user+keyword@domain.tld

The beauty of the user+keyword@domain.tld system is, that it also allows for server side sorting of e-mail into corresponding IMAP folders, if the server is set up to do so.

The real problem is however, that too many sites use brain-dead input field verification and thus reject user+keyword@domain.tld as an invalid e-mail format. Worse, sometimes you sign up on a site with such an e-mail, and then they redo the site and you can't log in anymore because it's an "invalid" e-mail, often to the point where you can't even turn off receiving mail from them, because to do so you'd have to log in, which you can't do, because the system now rejects that e-mail address format.

 

Ideally, something like an integration with the keychain would allow the user to store a mail server's public key, which would then be used in conjunction with data detectors and autofill to encrypt the user+keyword part and generate the e-mail address to be filled into the form by the autofill. The mail server, knowing its private key, would then decrypt the address upon receipt of the e-mail and deliver the message to the proper user, showing both original and decrypted recipient e-mails.

 

As an additional side effect: all the sites that use e-mail addresses as user names would become more secure, because without compromising the mail server's private and public keys it would be rather difficult to guess the identity of users from their log-in credentials alone.

 

For this to work well, however, one needs an integrated system like OS X + Server or OS X + iCloud offers. Because the mail server needs to be aware, the system and user need to be able to exchange/set up encryption keys when e-mail accounts are set up or edited, and the web browser/autofill/keychain system need to be in on it, too, for it to be painless and automatic.

post #67 of 69
Quote:
Originally Posted by rcfa View Post


For this to work well, however, one needs an integrated system like OS X + Server or OS X + iCloud offers. Because the mail server needs to be aware, the system and user need to be able to exchange/set up encryption keys when e-mail accounts are set up or edited, and the web browser/autofill/keychain system need to be in on it, too, for it to be painless and automatic.

Great Post! That's all that needs to be said about the technology and the Apple patent and why it is DIFFERENT than what the technically inclined and able among us have been doing in the past.

If and when Apple decides to implement the Patent and use it, rest assured it will have an easy to use GUI to the complicated backend... and every-day people will actually use it.

That's the Apple difference in a nut-shell since its inception: every-day users making use of complicated computer technology, seamlessly and magically, without having the slightest idea of how it works... "It Just Works"....
Knowing what you are talking about would help you understand why you are so wrong. By "Realistic" - AI Forum Member
post #68 of 69
Quote:
Originally Posted by ThePixelDoc View Post

Quote:
Originally Posted by rcfa View Post


For this to work well, however, one needs an integrated system like OS X + Server or OS X + iCloud offers. Because the mail server needs to be aware, the system and user need to be able to exchange/set up encryption keys when e-mail accounts are set up or edited, and the web browser/autofill/keychain system need to be in on it, too, for it to be painless and automatic.

Great Post! That's all that needs to be said about the technology and the Apple patent and why it is DIFFERENT than what the technically inclined and able among us have been doing in the past.

If and when Apple decides to implement the Patent and use it, rest assured it will have an easy to use GUI to the complicated backend... and every-day people will actually use it.

A lot of solutions are intended to deal with incoming mail. So for example, generating an address that you give to a provider and it only allows mail to come from that one source. But say it's Paypal and they need you to contact them from the address, you need to have your SMTP server authenticate it correctly. Apple's method is intended to work in both directions transparently mapping the disposable address with the non-disposable one.

The UI described would be in something like Apple Mail.

- When you are about to signup to a service, you'd go into Mail or perhaps it can be in Safari too and click a button to request a disposable address with expiry options and domain details
- you would then get an email address to use and enter it into the signup box, this can be one button next to an email field in Safari or in a right-click menu
- the service now only has the disposable address
- incoming mail will reach the server and be sent to your normal email inbox as though it was sent to your actual email address or discarded if it was spam
- outgoing mail / replies can be sent from your normal email account because when the server knows that your from address is the disposable one, it can translate it automatically on the server to hide your actual address, saving you logging into a disposable account in order to send mail

As long as it can generate short addresses, it could also be used in situations where you give an email address in writing in a store or bank or over the phone. It suggested the possibility of using a different person's name but that might look a bit suspicious in real world scenarios and it contributes to a shortage of available real name email addresses at large email services.
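Added example (not Apple's implementation and not from the thread): a sketch of the two-way mapping described in post #68, where the server delivers mail for a disposable address to the real inbox and rewrites the From line on replies so the service never sees the real address. The class, method names and addresses are hypothetical and constructed, and tying each alias to one service domain is an assumption of this sketch.

```python
import copy
import secrets
from email.message import EmailMessage
from email.utils import parseaddr


class DisposableMap:
    def __init__(self, relay_domain):
        self.relay_domain = relay_domain
        self.by_alias = {}   # alias -> (real address, service domain, expires_at)

    def issue(self, real, service_domain, expires_at):
        """Hand out an alias for one service, valid until `expires_at`."""
        # 12 hex characters keeps the address short enough to write down,
        # at the cost of fewer random bits (constructed choice).
        alias = f"{secrets.token_hex(6)}@{self.relay_domain}"
        self.by_alias[alias] = (real.lower(), service_domain.lower(), expires_at)
        return alias

    def inbound(self, rcpt, now):
        """Envelope recipient -> real mailbox, or None to discard."""
        entry = self.by_alias.get(rcpt.lower())
        if entry is None or now >= entry[2]:
            return None      # unknown or expired alias
        return entry[0]

    def outbound(self, msg, now):
        """Return a copy of `msg` with the real From replaced by the alias
        issued for the recipient's domain. Mail to anyone else is untouched."""
        real = parseaddr(msg["From"])[1].lower()
        to_domain = parseaddr(msg["To"])[1].rpartition("@")[2].lower()
        for alias, (owner, service, expires) in self.by_alias.items():
            if owner == real and service == to_domain and now < expires:
                out = copy.deepcopy(msg)
                # Headers that can carry the real address are dropped as
                # well, otherwise the rewrite of From hides nothing.
                for name in ("From", "Sender", "Reply-To"):
                    del out[name]
                out["From"] = alias
                return out
        return msg


def make_reply(to_addr):
    """Constructed reply as the user's mail client would submit it."""
    msg = EmailMessage()
    msg["From"] = "George <george@home.example>"
    msg["Reply-To"] = "george@home.example"
    msg["To"] = to_addr
    msg["Subject"] = "Re: your order"
    msg.set_content("Please cancel it.")
    return msg


if __name__ == "__main__":
    relay = DisposableMap("relay.example")
    alias = relay.issue("george@home.example", "shop.example", expires_at=1000)
    print("deliver to:", relay.inbound(alias, now=10))
    print("after expiry:", relay.inbound(alias, now=1000))
    print(relay.outbound(make_reply("support@shop.example"), now=10)["From"])
```

Message-ID and Received headers can also reveal the sending domain; a production relay would have to regenerate or strip those too.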
post #69 of 69
Quote:
Originally Posted by Tallest Skil View Post
 

 

Oh, no. You don’t understand. It’s not us… it’s Apple. Apple is doing this to get back in bed (so to speak) with the spambots! I have proof! Look at the mailing address! 

 

 

LOL

 

"I'm not interested in becoming a real man"

 

Damn.

 

They got me again.

The recent false claim that iCloud was hacked has shaken my ability to trust those people who would steal my photos and post them online without my permission...