Apple wants to stop, track down spammers with automated disposable email addresses

13

Comments

  • Reply 41 of 69
    rcfarcfa Posts: 762member
    shompa wrote: »
    I wish that Apple at least started to do what Google does with Gmail: Cache all pictures and stuff on their own servers.

    Today most spam gets validation thru HTML mail. Having picture/links cached on local servers stops this.

    I understand that Google does this because THEY want to data mine the stuff instead. In Apples case: I trust them more, since they don't make their money from advertising/data mining.

    Doesn't really help, because real spammers, the ones you want to defend against, they don't use fixed resource URLs but resource query URLs that have an identifier of the precise message (and thus email address) that the query comes from.

    So instead of something like

    http://www.somehost.tld/images/someImage.jpg

    you have something like

    http://www.somehost.tld/resourcequery.cgi?messageid=1234567890abcdef&resource=someImage&resourcetype=jpg

    or some significantly more convoluted query that may even obfuscate the variables and values such that without knowledge of their database structure you can't view the image without revealing yourself.
    For this reason remote images should NEVER be automatically loaded except for explicitly trusted senders that are checked with sender domain keys (otherwise it's easy to spoof the envelope and make it look like you yourself or someone from you domain sent the message which would likely result in the sender being falsely classified as trusted).
  • Reply 42 of 69
    Quote:
    Our Locked Addresses feature is not patented because I am philosophically opposed to software patents.



    Amusingly, I used the Locked Addresses feature to sign up to Apple Insider. If they sell my email address, I'll know about it!

     

    @dskoll: thanks a lot for your actions! I perfectly agree on the philosophical level.

     

    However, your canit product looks a bit older than the brandnew ningo.me... ningo.me is also rather targeted at the mass market than businesses.

  • Reply 43 of 69
    Quote:
    Originally Posted by PhilBoogie View Post



    This is so obvious that I'd expected it earlier. Still, great if they implement such a system. I used to create a gmail (sic) account if I ordered something online, and delete the account from Mail once delivered. As good as gmail is at getting rid of spam, I moved on, because, well, gmail is still Google after all.

     

    @PhilBoogie

     

    When I thought up the idea behind ningo.me 5 years ago - and ever since - I also wondered why no-one else would go after this since it seemed so obvious. At ningo.me, in addition to this transparent disposable email address business, you can levy a postage on your addresses.

     

    So instead of deleting your flooded address: just put a postage on it and make money if those spammers (or unwanted followers...) still want to reach you!

  • Reply 44 of 69
    Quote:

    Originally Posted by dskoll View Post



    @Tallest Skil:



    Our Locked Addresses feature is not patented because I am philosophically opposed to software patents.



    Secondly, under patent law, prior art does not need to be patented. You merely need to show that an invention has been invented and published before the filing date.

     

    Hasn't that changed in the US now? I understand it's now first-to-file. Not a patent lawyer myself though!

  • Reply 45 of 69
    I've done this for years, all it takes is $8 a year to own your own domain, and have your provider forward all mail sent to that domain to a specific mailbox. Then you can assign someone an e-mail address in that domain and if they contaminate it, mark that e-mail to go to /dev/null or just not go to you and you'll never see it again.

    so instead of [email protected] I use [email protected], and any mail going to any address at thisisanexample.com goes to [email protected], and if someone passes around george02142014 then I can send that to nowhere or just discard it.

    I use one regular address but what I do is add a date/time code at tne end, and I can see if someone is shopping it around. Another thing I did is that I'm on a U.S. Highway, so instead of listing my street name in the Internet records, I list the highway. So if I get mail addressed to 17704 U.S. Route 301 instead of 17704 Main Avenue, I know they're trolling the Whois system for mailing addresses to send junk mail. (Note, this is not my real address or real e-mail..)
  • Reply 46 of 69
    Quote:
    Originally Posted by ItsTheInternet View Post

     

    Hasn't that changed in the US now? I understand it's now first-to-file. Not a patent lawyer myself though!

     

    The US has changed to first-to-file to be in line with most other jurisdictions. However, the first-to-file rule applies to priority for obtaining a patent.

    To prove prior art, you only need to show that the claimed invention has been used and disclosed prior to the patent filing date. In particular, prior art does not have to be patented. It merely has to have been disclosed.
  • Reply 47 of 69
    Quote:
    Originally Posted by luzi View Post

    However, your canit product looks a bit older than the brandnew ningo.me

     

    Well, yes. Our product is much older than the one you are advertising. But that's a good thing... the older the better if you're trying to prove prior art.
  • Reply 48 of 69
    Quote:
    Originally Posted by Paul Robinson View Post


    I use one regular address but what I do is add a date/time code at tne end, and I can see if someone is shopping it around.



    That is an adequate but flawed implementation. Our implementation generates random addresses with a cryptographically-strong random number generator. For true security, you need two things: (1) the disposable email address must be very hard to guess or predict, and (2) it must provide no clue as to the real email address behind it. Your implementation fails (2). I suspect Apple's fails (1) because of the limited randomization in their address generator.

    Our implementation also lets you decide how strict to make the address. Should it lock to one specific sender? Or just to a domain? Or should several senders and domains be allowed to use it? And if the lock is violated, should the mail be rejected or simply quarantined for review? These fine-grained settings let you adjust the systems behavior for each situation.
  • Reply 49 of 69
    Quote:

    Originally Posted by dskoll View Post



    Well, yes. Our product is much older than the one you are advertising. But that's a good thing... the older the better if you're trying to prove prior art.

     

    Hey @dskoll: Of course you are right! That's exactly why I am thankful you already implemented this so soon!

     

    Let me know if I can support you in any way!

  • Reply 50 of 69
    Quote:

    Originally Posted by Paul Robinson View Post



    I've done this for years, all it takes is $8 a year to own your own domain, and have your provider forward all mail sent to that domain to a specific mailbox. Then you can assign someone an e-mail address in that domain and if they contaminate it, mark that e-mail to go to /dev/null or just not go to you and you'll never see it again.



    so instead of [email protected] I use [email protected], and any mail going to any address at thisisanexample.com goes to [email protected], and if someone passes around george02142014 then I can send that to nowhere or just discard it.



    I use one regular address but what I do is add a date/time code at tne end, and I can see if someone is shopping it around. Another thing I did is that I'm on a U.S. Highway, so instead of listing my street name in the Internet records, I list the highway. So if I get mail addressed to 17704 U.S. Route 301 instead of 17704 Main Avenue, I know they're trolling the Whois system for mailing addresses to send junk mail. (Note, this is not my real address or real e-mail..)

     

    The main flaw I see in this approach again is that with your first reply, you disclose your "true" address.

     

    Not so with ningo.me, where you stay behind your "disposable" address as long as you like.

  • Reply 51 of 69
    Quote:
    Originally Posted by dskoll View Post





    To prove prior art, you only need to show that the claimed invention has been used and disclosed prior to the patent filing date. In particular, prior art does not have to be patented. It merely has to have been disclosed.

     

    I think this is one reason some companies regularly leak details of what projects they are up to. By regularly reporting on your progress, you reduce the risk that someone else comes up with a similar product in the same time frame, gets a broad patent, and renders your effort wasted.

  • Reply 52 of 69
    Quote:
    Originally Posted by d4NjvRzf View Post

     

    I think this is one reason some companies regularly leak details of what projects they are up to. By regularly reporting on your progress, you reduce the risk that someone else comes up with a similar product in the same time frame, gets a broad patent, and renders your effort wasted.

     

    Well, it's a dangerous strategy. If you disclose an invention more than six months (I believe... maybe a year) before applying for a patent, you can no longer patent the invention. We disclosed our invention because we had no intention of trying to patent it. Generally, if a company thinks it has a patentable invention, it stays very quiet about it until the patent application is filed.

  • Reply 53 of 69

    Sounds just like what we have been doing at spamex (http://www.spamex.com) since 2001.  Easy to use, personal domains, bi-directional, forwards to real email address(s).  Where is the novelty apple?

  • Reply 54 of 69
    A semi-easy way to do the same thing with gmail is to use their plus sign system.

    If your email address is [email protected], you can give one site an email address like myemail [email protected] and another myemail [email protected] All of them are aliases to the same account.

    If the "iffy" account starts sending spam, you can setup a gmail filter to zap it.
  • Reply 55 of 69
    ahmlco wrote: »
    If the "iffy" account starts sending spam, you can setup a gmail filter to zap it.

    Can't you simply delete the alias instead?
  • Reply 56 of 69
    ahmlcoahmlco Posts: 432member

    Phil, it's not a true alias in the tradition sense of the word. You create the "alias" on the fly and you can have as many of them as you wish.

     

    Google will ignore anything after the plus and before the at sign, so you can make up anything you want when you're entering an email on a site. 

     

    [email protected]

    myemail[email protected]

    [email protected]

    [email protected]

    [email protected]

  • Reply 57 of 69
    ahmlco wrote: »
    Phil, it's not a true alias in the tradition sense of the word. You create the "alias" on the fly and you can have as many of them as you wish.

    Google will ignore anything after the plus and before the at sign, so you can make up anything you want when you're entering an email on a site. 

    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]

    I see. So if this is common knowledge a spambot could simply delete the +something part out of an gmail address and still fill your inbox.
  • Reply 58 of 69
    I don't understand how this can be considered a new idea.

    My domain service provider already does this with a "catch all" account. I set up a new email with an asterisk as the email name (i.e. *@mydomain.com). I either set this new email up with it's own email box, or I forward it to my normal email address. After that, I can make up any email address I want (i.e. [email protected] or [email protected]). The email then gets forwarded to the "catch-all" email box.

    Using this, I can sign up for a service on line, say to wxyz company, using the email [email protected] The email comes in to my catch all email box whereby I immediately validate or verify it. After that I can forget about it. As a matter of fact, I generally have a rule set up to delete all emails in this catch all email box after 7 days. Set it and forget it. If I use the company name as the email name I can then instantly know whom they are selling or trading the email address to.

    If I don't want to hassle with the extra "catch all" email box, I set the catch all service up to forward the email to my regular email address. All I do then is to add a unique set of characters to the email address and set Outlook to forward that email to my regular email account's junk folder. For example... [email protected] this one-time use email gets grabbed by my provider's catch all email account, gets sent to my regular email where the 'qqq' triggers the Outlook rule I set up to send it to the junk folder. Done deal. It requires all of 2 minutes to set up the first time after which no additional work is ever needed and I can create as many onetime or multiple time 'disposable' emails as I like whenever I like.

    And Apple is getting a patent for something almost exactly like this? I guess it pays to afford good lawyers.
  • Reply 59 of 69
    tkainz wrote: »

    Nice Post until:

    And Apple is getting a patent for something almost exactly like this? I guess it pays to afford good lawyers.

    I would say it pays to afford yourself the time to read the patent and see how it differs from what's available with your own domain... something that not everyone has or wants to set up... and thus looking foolish with stupidy following a pretty decent post.
  • Reply 60 of 69
    MarvinMarvin Posts: 14,213moderator
    tkainz wrote: »

    Nice Post until:

    And Apple is getting a patent for something almost exactly like this? I guess it pays to afford good lawyers.

    I would say it pays to afford yourself the time to read the patent and see how it differs from what's available with your own domain... something that not everyone has or wants to set up... and thus looking foolish with stupidy following a pretty decent post.

    Windows and Android users don't want to read through the details of the patents. The trigger words of Apple and patent just set off the immediate reaction: 'someone else did it first', 'this isn't innovative', 'obvious', 'LG Prada, LG Prada', 'hey, that's just a rectangle'. It's an affliction:


    [VIDEO]
Sign In or Register to comment.