We still have a serious problem with mail client behavior. There is so much that clients could still do to add basic security, even though E-mail protocols are terrible.
For instance, why do we not see in every client a big warning at the top saying something like: “NOTE: YOU HAVE NEVER RECEIVED E-MAIL FROM THIS INTERNET LOCATION BEFORE.”? Heck, such messages should even be auto-quarantined to specific folders. It would go a long way to protect people from constantly opening spam.
And, why by default do they insist on making everything look “simple” and “clean” at the expense of helping users to do even the most basic validation? They show senders as short names like “Facebook” when CLEARLY the message is coming from facebook.spammer.com or whatever when you do even the slightest digging into the original message.
Why are “rules” so complex, since damn near everybody needs them for basic sanity? There ought to be a button in every message saying something like “Mark Every Future Message From This Sender as Junk”, and similar short-cuts.
The 'simplicity' is the same as Microsoft hiding things like file extensions, ostensibly to help less experienced users. It ended up making users have even less of a concept of file types, and made it easier for evildoers to disguise executables as photos and such.
> For instance, why do we not see in every client a big warning at the top saying something like: “NOTE: YOU HAVE NEVER RECEIVED E-MAIL FROM THIS INTERNET LOCATION BEFORE.”?
Because that is way too dangerous a policy. Recently, I moved, and in creating online accounts for online bill pay, I got confirmation emails from each of my utilities. Saying that they're spam just because you've never received email from them would cause most people to be unable to find these confirmation messages.
> And, why by default do they insist on making everything look “simple” and “clean” at the expense of helping users to do even the most basic validation? They show senders as short names like “Facebook” when CLEARLY the message is coming from facebook.spammer.com or whatever when you do even the slightest digging into the original message.
Uh, my email client doesn't do that. If the email address isn't priorly known, it shows the email address instead of the display name.
> Why are “rules” so complex, since damn near everybody needs them for basic sanity? There ought to be a button in every message saying something like “Mark Every Future Message From This Sender as Junk”, and similar short-cuts.
Most spammers don't reuse the same email addresses. You end up with a lot of useless rules. Bayesian spam filtering is much more effective, for example, and requires very little user action.
> Saying that they're spam just because you've never received email from them would cause most people to be unable to find these confirmation messages.
It's not saying that they are spam. It's just saying that you never received a message from them. That account confirmation email you are expecting will be obviously marked, but that phishing email claiming to be from your bank will be marked too. You look at the mark and decide what to do.
Email clients probably don't do it because it is not as useful as it sounds. Impersonating email senders is not hard, so phishers will just do it.
> If the email address isn't priorly known, it shows the email address instead of the display name.
The only email client that I have ever seen doing that is the roundcube instance I configured on my VPS. I use several clients, nearly all of them either hide the sender address or decrease its relevance enough so that nobody sees them.
I'm in complete agreement with your comment about spam filtering. The only thing is that somehow, it feels like it worked better in the early 00s. Nowadays the training for your account will be dissolved in a huge set of unrelated data, so that anything specific to the spam you are receiving will never be reflected in the filter. That is both for marking things as spam and as not spam.
I get where both of you are coming from, but there is one UX part of this I've found that is hard to solve.
Inexperienced users want to be told what to do. You can't just throw information or warnings at them without giving them a way to act on it.
Combine that with the fact that if the users even read the warnings they are going to only read a sentence at most, or just the first option.
So when you show a warning like "you have never received email from this address before", users are going to ask what they should do. Is this dangerous? Did it come from my bank? I've had this bank for years! Does this mean the email is a hacker!?
If you say "it can be dangerous, but it also can be just a new email" that will be read as "yes this is dangerous" and now they will learn the hard way that it is safe, and your warnings will have less weight in the future (they were wrong about this being "a hacker" once, they might be wrong this time too!)
It's a really hard problem to solve, and the "easy way out" is to not show the information at all (no confusion if you just don't show it!) But that kind of just kicks the can to the user leaving them to determine if an email is "good" or "bad".
If impersonating senders was so easy, phishers would be doing it. Yes, anyone can lie in the From header, but any sane mail system would reject it as unverified.
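The three checks argued over in this thread (first-contact marking, display name versus actual sender domain, and whether the From header was actually verified) are small enough to show in one place. This is an added example, not code from any poster or mail client; the messages, the known-contact set, the brand-to-domain table and the `.example` domains are all constructed, and it reads the `Authentication-Results` header that a receiving MTA writes rather than doing SPF/DKIM checks itself.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not real mail); the headers mimic what an
# MTA leaves behind after SPF/DKIM evaluation.
SAMPLE_KNOWN = """From: "Acme Utility" <billing@acme-utility.example>
Authentication-Results: mx.example; spf=pass; dkim=pass header.d=acme-utility.example
Subject: Your account confirmation

Welcome.
"""

SAMPLE_SPOOF = """From: "Facebook" <notice@facebook.spammer.example>
Authentication-Results: mx.example; spf=fail; dkim=none
Subject: Security alert

Click here.
"""

def sender_parts(raw):
    """Split the From header into display name, address and domain,
    and pull the lower-cased Authentication-Results header."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    auth = msg.get("Authentication-Results", "").lower()
    return name, addr, domain, auth

def assess(raw, known_addresses, brand_domains):
    """Return the flags a client could show beside the sender line.
    known_addresses: set of addresses the user has corresponded with.
    brand_domains: constructed map of display-name key -> expected domain."""
    name, addr, domain, auth = sender_parts(raw)
    flags = []
    if addr not in known_addresses:
        flags.append("first-contact")          # never seen this address before
    key = name.lower().replace(" ", "")
    expected = brand_domains.get(key)
    # "Facebook" as display name but mail from facebook.spammer.example
    if expected and not (domain == expected or domain.endswith("." + expected)):
        flags.append("display-name-mismatch")
    # neither SPF nor DKIM passed, so the From header is unverified
    if "spf=pass" not in auth and "dkim=pass" not in auth:
        flags.append("unauthenticated")
    return flags
```

The "first-contact" flag is informational, as the thread's second poster points out: an expected utility confirmation carries it just like a phish does, so it should sit next to the other two flags rather than trigger quarantine on its own.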