h a l f b a k e r y
I receive a lot of email on my personal email account, much of it being marketing junk, with a few things (personal emails from friends and family, confirmations of orders from online shopping, vouchers, notifications of some artist's work I admire coming up for auction etc.) that are
Those emails with known sender addresses (like friends and family) can be auto-sorted by my email client software. This filtering based on address doesn't work for other types of important email, because multiple types of email (order confirmations, vouchers, marketing guff) might all be sent from the same email
that this be solved by emails from these organisations having text tokens included in them to enable them to be sorted by the email client software. So an email containing the text "$order-confirmation$" might be filtered into a special folder where you keep all these, whereas one containing "$security-alert$" would be highlighted in red and left in your inbox.
This solution would work, but has a couple of flaws. First, spammers would just start using these codes to make their spam get your attention. Secondly, there's no real incentive for online shops, etc. to use these, or use them
So, I propose a cunning variant of the idea. In this mechanism I, the recipient of these emails, supply the codes to be used for filtering, which will be unique (if I make them random enough) to my user account. So, when I sign up for an account with, say, an online shop, I specify that order confirmation emails should contain within them somewhere the text "$hippo-order-conf-gh8-kE3-ZI8$", security alert emails should contain "$hippo-sec-alert-Nu6-mc2-kL7$", and so on. I then set up the filters in my email client software and everything is taken care of, with the personal email generators used by these businesses taking these codes from my account information and inserting them into standard emails. Spammers cannot exploit this because the codes are unique to me (and I might make them unique to the online business too - or I might reuse them between online businesses). The online business has some incentives to use this system: by getting you to supply your filtering codes they are also getting you to sign up for an account and gathering valuable marketing data from you as opposed to you merely having a 'guest account'. They also have no incentive to misuse these codes (i.e. by mislabelling some marketing fluff as an important security alert), as this will cause you to just stop using the filtering for this
Authentication, integrity, non-repudiation [kdf, Oct 07 2020]
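The recipient-supplied token scheme proposed above, sketched as a mail filter. This is an added example, not part of the original idea or its annotations; the registry layout, the function names and the sample messages are assumptions, while the two tokens and liquoriceyum.com are the page's own examples. It also shows the case the idea relies on: a correct token arriving from the wrong sender is treated as a leaked token rather than filed.

```python
import secrets
import string
from email import message_from_string
from email.utils import parseaddr

ALPHABET = string.ascii_letters + string.digits

def make_token(user, category):
    """Random token shaped like the page's "$hippo-order-conf-gh8-kE3-ZI8$"."""
    groups = ["".join(secrets.choice(ALPHABET) for _ in range(3)) for _ in range(3)]
    return "$%s-%s-%s$" % (user, category, "-".join(groups))

def body_text(msg):
    """Decode and join the text parts of a (possibly multipart) message."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def classify(raw, registry):
    """Return (action, category); registry maps token -> (sender_domain, category)."""
    msg = message_from_string(raw)
    # Assumption: From is trusted here. It is trivially forged, so a real filter
    # would key on the DKIM/DMARC-authenticated domain instead.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = body_text(msg)
    for token, (owner, category) in registry.items():
        if token in text:
            if domain == owner:
                return ("file", category)
            # Right token, wrong sender: the token leaked, so rotate it.
            return ("quarantine", category)
    return ("inbox", None)

# Constructed sample data; tokens and shop domain are the page's own examples.
REGISTRY = {
    "$hippo-order-conf-gh8-kE3-ZI8$": ("liquoriceyum.com", "order-confirmation"),
    "$hippo-sec-alert-Nu6-mc2-kL7$": ("liquoriceyum.com", "security-alert"),
}
GENUINE = "From: Shop <orders@liquoriceyum.com>\nSubject: Order\n\nThanks! $hippo-order-conf-gh8-kE3-ZI8$\n"
LEAKED = "From: x <a@spam.example>\nSubject: URGENT\n\nAct now $hippo-sec-alert-Nu6-mc2-kL7$\n"
MARKETING = "From: Shop <news@liquoriceyum.com>\nSubject: Sale\n\n50% off liquorice\n"

if __name__ == "__main__":
    for m in (GENUINE, LEAKED, MARKETING):
        print(classify(m, REGISTRY))
```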
||Gmail has the + function which kind of allows for
this - so if you've got a gmail address
firstname.lastname@example.org and are ordering from
liquoriceyum.com, then you can sign up to them
as email@example.com and use the
content between + and @ to drive your filtering
||I used to use something like this when signing up
to likely spam sources, but ended up just not
signing up to likely spam sources, so I'm not
entirely sure how effective it is - but it is a
||Interesting - I didn't know about that, but I'm not
sure that adds much because filtering by sender is
already easy for email clients. So what I'm proposing
is a finer-grained version of that, where emails can
be filtered by category as well as by sender - i.e.
in your example liquoriceyum.com might send order
confirmations and also marketing material to
firstname.lastname@example.org which wouldn't really
help me see what's important.
||I think a lot of people have wanted variations on this idea for a long time.
||It would be nice if you could supply places with single-use tokens.
That way, if they spammed you it would be easy to just not give them any more.
And if you made it clear at the start how long you expected them to last, they'd not have an incentive to
sign you up to their random newsletter, because that would burn through their allocation.
||I suggest avoiding dollar signs as part of the standard. Not only do they look unsightly, but
many languages use a "$" prefix to indicate a variable, so there is more chance it would catch something
out somewhere in the various systems it would need to pass through. If not by accident, then through malice.
Square brackets "[ ]" seem to be a de-facto standard for this sort of thing now, not just within the
||The tokens don't have to be unique, they just have to be unguessable. Including a leading account ID is
probably a good idea, though.
||It's a definite sign of the degree people have given up on the future that ideas such as this don't have more buns.
||Digital signatures (link) - WKTE and answers how to
codes unique to the both sender and recipient for
ensuring authenticity of messages/sender
||I don't follow the rest of hippo's reasoning on how
to get advertisers to use these though.
||I know what digital signatures are and how they are
used. This idea has almost nothing in common with
||That's true, your implementation is unlike current
digital signature technology. But the concepts -
unique keys shared between sender and recipient,
for confirming a trust relationship - are fairly
||Suppose you get enough of your correspondents to
buy into this scheme and others want to use it.
How do they generate their tokens?
||They can just make them up - the tokens just have to
be reasonably unguessable. It's not a high-security
application at all.
||Hmmm... email filtering by sender and keywords already
exists, as does identity verification by digital certificates.
I'm not seeing - even in a half baked way - the value of
telling your correspondents "I'm not going to read your
order confirmation emails unless you also include this
secret word I made up."
||And even as I typed those words, it occurs to me even
THAT *is* already baked in the real world - sort of. In
online classified / for-sale / personals website
advertisements. People often include instructions
on words or phrases to include when replying, to filter out
responses from bots and spammers.
||The EU GDPR regulations kind of regulate this from the business point of view, in that they are legally not permitted to send you emails unless you have explicitly consented to receive those emails. So if you buy a thingy, the thingy company can send you confirmations and sales receipts, but if they want to also send you marketing emails for thingy accessories and thingy add-ons, they have to get you to tick some kind of permission box consenting to this when you give them your email address.
||[pocmloc] Good point, GDPR mandates consent - so
providing a token could be a more sophisticated form
of the consent sign-up process.
||//I don't follow the rest of hippo's reasoning on how to get advertisers to use these
||I think the gist is that there's a spectrum of advertisers.
||spammers - wouldn't benefit from the system, and this is good.
||socially responsible businesses you already have a relationship with - use the system,
and benefit from being better able to communicate with you (by getting whitelisted)
||random companies you have some interaction with - get to use the system on
probation. If they start spamming you, or sell your address to the scammers, you can
easily blacklist them.
||[Loris] Indeed - there are modest incentives for
everyone to use this system