We are bombarded by ads from the moment we get up until the moment we go to sleep. There's ads on the radio, ads on TV, ads in the newspaper, ads on billboards, ads on the bus, ads on the fricking steps in the NYC subway. In my physical mailbox, where I used to throw away about one worthless little newspaper full of ads a week, now it's one or two a day.

The reality is that recipients do not care if they get the vast majority of what ESPs send. Even if we might have at one point checked the box to get Valuable Offers for More Fabulous Products Like This, now it's just more stuff in the gusher of ads. If there's a button to push to make their inboxes an ad-free zone, it really shouldn't come as a surprise that people push it.

For the minority of stuff that people do want, like the daily headlines from newspapers, or perhaps the weekly roundup of cheap plane fares, there's better ways to get them than e-mail. An RSS or Twitter feed is entirely under the recipient's control, meaning that no sleazy marketing manager can try to shove his messages to the top of My Yahoo, or to insert his feed if I didn't ask for it. If I lose interest and unsubscribe, it is gone instantly, permanently, and reliably. If I were a mail manager, I would be delighted to push the no-ESP button, then show a few of my users how to set up feeds for the trickle of stuff they really want, because now the management burden is on them, not on me.

For ESPs, if there is any argument whatsoever about whether recipients want your mail, you lose. Yes, it's hard to read their minds and only send them what they want, but thats how competent ESPs make the big bucks.

(Several mail managers at very large ISPs wrote privately to thank me for my note and wish they had that button, but they asked me not to name them since ESPs are so excitable.)

Spammers are in it for the money, and to the extent they can keep what they get, they'll keep spamming. Fines that wipe out the profits, and in particular fines that can actually be collected are essential if we're going to make any progress against spam.

Fortunately for the FTC, Herbal King's spam was sloppy, with faked headers and broken opt-out links, which are among the few things that the weak CAN SPAM law forbids. If the spammers had been more careful, the fake drugs would still be illegal, but it would have been harder to prosecute them in the US since CAN SPAM wouldn't have applied.

Everyone who uses e-mail needs spam filtering, and some filters definitely work better than others. Some people we know were trying to design tests of filter quality, which turns out to be extremely difficult.

What one might call 'filtering quality' assessment, should be the very very last step after "does it have the features I want?", "does it install/is it supported/supportable?", "does it crash?", "does it make lots of stupid mistakes?", "is it likely going to compare favorably with what we already have?".

I like Verisign's characterization of this kind of malware as an insecure endpoint, the PC which is the endpoint of the conversation with the bank isn't actually under the control of the person who's using it. There's no question that straight phishes and malware are different problems, but they attack the same customers toward the same ends, and a lot of popular security strategies like those keyfob tokens that generate a different random number every minute are equally ineffective against both. There's also some overlap in implementation, e.g. phishes that direct you to a website that downloads malware.

We can usefully distiguish between offline and online attacks. An offline attack steals credentials for use later, while an online attack sits between you and the bank and does bad stuff in a session after you set it up. Offline attacks are deterred by changing the credentials from one session to the next. The keyfob is one expensive way to do it, but there are others. Most of my non-US bank accounts have two passwords where the bank only asks me for three randomly chosen letters of the second password each time I log in. I gather some European banks send their customers a printed list of one-time passwords, and you use one and cross it out each time you log in.

None of these are effective against online attacks, since the bad guys have a proxy that asks you the real questions from the bank and passes back your real answers, setting up a real session The problem is that there's an insecure endpoint, either a malware infected PC on your desk, or the proxy which you think is the bank and the bank thinks is you.

The solution either way is to switch to a secure endpoint. That's why I have suggested a hardware USB confirmation dongle with a screen and YES/NO buttons, where you set up the transaction on the insecure PC but the dongle has an encrypted connection to the bank. so the display on its screen and your push of the YES or NO button are secure. Another possibility is a confirmation phone call to a phone which is physically separate from your PC, where it reads you the transaction, and you press 1 for yes or 2 for no. (Attention Users! Do not use a softphone on your PC for confirmations!)

It seems to me that although the details are different, the fundamental problems and solutions are very similar, so it makes sense to consider them together.