<div dir="ltr">Polite strangers don't spam ------------------------------------------------ Trying for "The simplest thing that could possibly work": - Friends don't spam you. - You don't converse with spammers. => No need for spam filtering for friends and people whose emails you choose to reply to. (In the context of an assumed email-address-spoofing-proof e2e encrypted email exchange.) => Before Stranger is allowed to exchange encrypted emails with you, he has to perform a "polite handshake" with you over normal unencrypted email. This cleartext semi-automated challenge-response exchange is guarded by your provider's spam filtering. Just like in the real world, Stranger first needs to quickly introduce himself and briefly tell you why he thinks you might want to converse with him. This handshake is like a "friend-request" (E2E crypto request) with a human-generated captcha (a "pitch for your attention" written by the stranger) which you solve/accept by reading and simply replying to it if convinced. After successful completion, you assume Stranger is legit (unlikely to send spam) and authorize him to communicate with you over an encrypted channel. There's a blacklist if you change your mind. I. Example [POLITELY] email handshake: ------------------------------------------------ Stranger wants you to authorize him for e2e encrypted email and kicks off with a special (see 2/a below) email message: ---Email-1---> | | From: Stranger | To: You | Subject: [politely] We met at LeWeb 2013 | | I was wearing a pink dress, we discussed libertarian | science fiction, you said you hated bitcoin. I promised | to send you details about project xyz. <---Email-2--- | | In-Reply-To: Email-1 | Date: < at least 7 hours after receipt of Email-1 > | From: You | To: Stranger | Subject: Re: [politely] We met at LeWeb 2013 | | This is an automated reply | generated by a polite email client, | on behalf of "from". | | "from" has not yet been shown your original email message. | If the message shown below was not sent by you, | please excuse and ignore this reply. | | Otherwise, | simply REPLY to this | to enable "from" to see your original message. | | ----- Your Original Message: | | I was wearing a pink dress, we discussed libertarian | science fiction, you said you hated bitcoin. I promised | to send you details about project xyz. | | <anti-spoof-random-string> ---Email-3---> | | In-Reply-To: Email-2 | From: Stranger | To: You | Subject: Re: Re: [politely] We met at LeWeb 2013 | ... | <anti-spoof-random-string> <---Email-4--- | | In-Reply-To: Email-1 (not Email-3) | From: Stranger | To: You | Subject: Re: We met at LeWeb 2013 | | Thanks for being polite. Let's do e2e crypto. II. Details: ------------------------------------------------ Stranger wants you to authorize him for e2e encrypted email. 1/ Stranger sends you Email-1 2/ Your email client intercepts this email and detects that the subject is prefixed with "[politely]", which indicates that the sender agrees to execute the polite challenge-response dance/protocol. Your email client (any [politely]-enabled client) MUST NOT & WILL NOT show this email to you just yet => Stranger must be 100% certain that he cannot possibly get your attention until he has proved ownership of his email address, see 2/c). Instead: 2/a It checks if the message is a proper [politely] message: - it must be text-only, - it should be one paragraph only - there must be no attachments (no embedded images etc) - it must have a maximum of +-413 characters (whatever, 627?) - [and maybe it must not contain any urls -> 99.9% spam-proof?] If the message fails this check, your client [may reply with an explanation of why it rejects it before it] deletes the message. If the message passes: 2/b. It waits for some random time between 7 and 17 hours (proper suggestions welcome, this is to force Stranger to prove control over his email address for "long enough", maybe you can configure your email client to your liking, 5 seconds should do for the first 100 million e2e users...) before... 2/c. ...it replies with the auto-generated "challenge" Email-2 to figure out if Stranger did not spoof his address, and to force him to monitor it for "long enough". 3/ Stranger receives Email-2 and simply hits reply to it (Email-3). 4/ Your email client intercepts Email-3, checks its validity, and deletes it. 4/a If Email-3 is faked (no anti-spoof-random-string): abort. Instead of the anti-spoof-random-string a simply check for In-Reply-To: Email-2 would do, provided stranger's client does generate this header, and message-ids are reasonable. 4/b Otherwise, your client WILL FINALLY SHOW you Email-1. (possibly only in your client's spam folder if either the original or the just-deleted one were classified as spam by your provider). Your email client might show you a separate twitter-like "stream" of "fully opened" one-paragraph [politely] requests which you can process very fast whenever you have a minute. 5/ If you have the time to read and like Stranger's pitch, simply reply to him (your client could simply let you tap the pitch in the twitter-like stream to send an auto-generated reply. Your reply will cause your email client to whitelist Stranger for e2e crypto. From now on your client accepts e2e emails from Stranger. If Stranger starts sending stuff you consider SPAM after decryption, "blacklist" him. III. Hand-waving: ------------------------------------------------ This is really meant as a general "politely requesting your attention" protocol which can be used by anyone using a normal email client to communicate with someone using a "polite" email client. If it is used to authorize e2e, Stranger would probably use an e2e enabled client which would automate some of the steps for him above. Also, some kind of DH key exchange could be piggy-backed on top of the handshake so that by Email-4 (or Email-3) both sides are ready to go dark. Automated MITM detection would be insanely great. IV. Will it work? ------------------------------------------------ And if it does work, would it work even without the provider's spam filters? [Mike Hearn:] are there reasonable restrictions on the format of the "pitch for attention" email (2/a) which [coupled with a long enough delay before Email-2 is sent] would make any kind of spam filtering needless because it would disgust spammers enough not to be polite? -carlo </div>