Spam Solutions

Like any problem, the problem of spam inspired 3 kinds of solutions: social, political, and purely technical.

I don't see how any technical measure could solve the spam problem without affecting the appropriate usage of mail too much. If the legislation cannot help us, we have to protect ourselves. Spamming has to be a risky business. Sending 1 billion of spam mails might be cheap, but if one's life/property is at risk, they should reconsider.

Spam Solutions Summary

Close SMTP:
legislation: Tighter Laws:
Make sending email a little bit more difficult:
Local Filtering:
Require Certification:
Require Small Fee On Emails:
Get rid of SMTP:

Close SMTP:

Spam is possible because SMTP is wide open (at least as commonly implemented).

What would it take to close it? Would it be possible to make SMTP as it exists less spammer-friendly, would it take changes to the protocol, or should SMTP be abandoned entirely? Given its level of inertia, how long would it take to get improvements in place?

The main problem is validation - anybody can claim to be anyone. If SMTP had halfway decent validation, then even if spam got through, it would be possible to verify where it came from, and maybe do something about it, even if it's just to blacklist the origin.

What kills me is seeing things like "may be forged" in headers. It "may be forged" - what the hell are you accepting if for, then?

Start with something simple like, not accepting messages without a HELO, and validating that the hostname in the HELO maps back to the caller's IP.

Another validation would be to call back the host and ask them if the sender's email address is a valid user on that machine.

Yet another approach would be to have pull instead of push - if a server wants to deliver mail, it would give the target machine its host name, and the target machine would call back and pull the mail - that way it would "fer sure" know where the bloody mail came from.

Maybe stuff like this is already in sendmail, but nobody configures it? Is there anybody who knows how to set up a decent email server?

Being able to confirm exactly where the email came from (at least the physical machine) seems like it would be useful first step most other social, political, and technical solutions.

Pros: Reduces identity pirates
Cons: Still subject to zombies

legislation: Tighter Laws:

Pros: Gets spammers off the streets
Cons: Too difficult, does not stretch entire globe, hard to fund

The US Senate has just approved new Spam legislation (2003.10.22) Unfortunately, it's opt-out legislation. not opt-in legislation - it's legal for a spammer to spam until you opt-out, vs. illegal to spam until you opt-in.

Is it just me, or does it seem like a bad idea to fix technical problems with legislation?

Unenforceable: because it's difficult to find who sent the spam. Perhaps the spam includes a return address - but did that person send the spam, or was it forged to create a JoeJob??

If it works, it must be possible:

"Australia's spam laws successful" http://www.gss.co.uk/news/article/1126/Follow_our_lead_on_spam,_say_Aussies/

Make sending email a little bit more difficult:

see EmailHurdles

Pros: much more difficult for illegitimate senders
Cons: slightly more difficult for legitimate senders

Local Filtering:

Pros: individual recipients can implement unilaterally. Does not require system-wide changes. Users can customize.
Cons: Imperfect because some bad ones get through and some good mail gets deleted. Results in a constant "arms race" as spammers adjust to fit filter styles and dictionaries. Zombie machines will be CPU-taxed even more.

Spam filters, which are really too little too late - Spam is a bandwidth and cpu killer, filters are after the fact.

I agree with you, but until there's a better solution, filtering at least cuts down on the spam that I have to deal with directly.

Require Certification: (see http://www.thawte.com/certs/personal/contents.html) (EditHint: Should this be moved to EmailHurdle?)

Pros: Free solution which is currently available. Must be linked to a valid "real world" identification, such as a drivers License Number. It is also quite viral - most email clients make it quite prominent that the email is signed. After recently sending a signed message to the whole company, there have been numerous questions from workmates about how to obtain a certificate.
Cons: Have to convince everybody to get one. The process, while not difficult, is fairly long and offputting.

Require Small Fee On Emails:

(EditHint: move to PayForEmail?)

This small fee is reminiscent of the "stamps" we put on physical mail (see http://fare.tunes.org/articles/stamps_vs_spam.html ).

Pros: Creates an auto-correcting capitalist system as ISP's will want to collect their rightful fee portion out of greed, making it difficult for spammers to keep getting millions of free lunches.
Cons:
- Requires vast changes to current system.
- Makes non-profit mail-list difficult.
  - Could have a "friends" list. See below.
- Zombie machine owners can get stuck with a spam bill
  - That might be a good thing. Otherwise people won't fix their zombies, which have ramifications beyond just email. Also, perhaps the ISP can optionally limit the number of outgoing messages per day to say 30 for a "regular" person.

who pays whom, for what?

who pays ... for what? It seem obvious to me who pays - to make spam unprofitable, spammers must pay through the nose. To avoid loopholes, this means that every one who sends an email must pay per email.

Who gets paid? Here's some possibilities:

the person who receives the email People who claim they bought their computer, ISP service, and mailing lists fair and square are going to act even more mystified when we get upset at mail they paid us to look at.
Sender
the local or global government (a per-email tax)
the owners of each piece of equipment an email passes through.
All of the above get a cut

The person who receives

In my opinion, "the person who receives the email" is clearly the simplest and probably the best choice. This keeps email very close to the current system - free to people who use email normally as a back-and-forth exchange.

The simplest versions have some fixed small value - say half a penny ($0.005) per email. Other versions allow the recipient to set his price - college students may charge half a penny per email so their friends can communicate easily, while people who only have time to read extremely urgent critical email may charge $10.

Some people may claim this is Untestable at a small scale. Why?

Someone has claimed this is Unimplementable. Why? It seems that a single ISP could unilaterally start by telling all new users that it will cost $0.005 for each email sent.

What about paying for the right to be on another persons white-list? Assume all parties have a white-list. If I want to get on your white list and i have no other way to ask you to put me on your white list, i pay a small fee. There could be broker services for this. If the broker server is down, it only stops initial contact. Ongoing contact will continue to work as it does today, even if proposed broker servers are down.

Sender

The problem with billing the receiver is that they don't know what it is until they open and read it. Thus, perhaps we should follow the post-office approach and charge the sender. If a spammer has to pay say 5-cents per message, then mass mailings would not be effective. Plus, they'd have to register with an e-post-office (for bulk rights), making them easier to track.

Another advantage of sender-based is that it resembles the current paper-based mail system, making it easier to relate to and/or barrow the infrastructure.

All of the above

In my opinion the fee proceeds should be spread roughly equally among the regulating agency, ISPs/backbones, the sender, and the receiver. If they all get a cut, then they have a financial incentive to prevent fraud, at least fraud caused by deadbeat senders. In the case where it passes through multiple internet pipe vendors, then the ISP's portion of the fees will be pooled.

Yes, that's one of the options above. Not the *simplest* option, but certainly far better than what we have now.

I agree it is not the simplest, but since profits are involved the incentives and funding for infrastructure will be there.

Re: Makes non-profit mail-list difficult.

Yes, some people *claim* that "it will muzzle citizen activism ... it ultimately amounts to extortion." (-- http://www.grassfire.org/68/petition.asp ).

Option 1:

Perhaps receivers could be provided with the option of a "friends" list of addresses to accept without charge. Whether it would be kept on the ISP server or on the client is something that needs exploration.

Option 2:

implement "the person who receives gets the penny". Since an organization is made up of its members, the net cost, to the organization, of every mailing that organization makes to its members, is zero. The penny is merely shuffled from one member to another.

I see that America Online and Yahoo announced plans to implement "Certified email" http://en.wikipedia.org/wiki/Certified_e-mail at 1/4 cent per message. Who gets that 1/4 cent? -- DavidCary

I see that Boxbe https://www.boxbe.com/ seems to be implementing a "sender pays" system. They let the receiver name his price. -- DavidCary

Could we convert this into a "strategyproof game"? (http://en.wikipedia.org/wiki/Strategyproof).

Get rid of SMTP:

SMTP won't exist for much longer. Use something else entirely.

replace mailboxes with secure wiki pages.
focus on real-time communications like telephones and "talk" and IM. Spammers can't carry on a conversation with a million people, can they?
CAKE is a networking protocol in which all messages are addressed to a public key, and are signed by the source public key. Public key identifiers are treated like IP addresses. They represent the destination or source of any particular message. This makes it impossible to forge "from" addresses. See http://www.cakem.net/
IM2000 keeps the mail on the sender's server until deliberately downloaded by all recipients. You know where it came from and can blacklist (or perhaps prosecute) the sender. This has benefits for mailing lists and saved outgoing messages, too. See http://cr.yp.to/im2000.html and http://homepages.tesco.net/~J.deBoynePollard/
PosterCentricMessageSubscriptionProtocol
other options?

SPAM won't exist for much longer. Bill Gates has publicly announced that it will be eradicated within two years.

He has also suggested he will get rid of Linux in 2 years. Thus, if his word means anything...

According to http://www.google.com/search?q=cache:y_MupLYl9gMJ:www.thedistributionchannel.eu.com/multimedia/week11-1.htm and http://news.bbc.co.uk/2/hi/business/4023667.stm , Bill Gates said this at a World Economic Forum meeting in January 2004, but a verbatim quote is not given.

... does it seem like a bad idea to fix technical problems with legislation?

Yes, but:

It's a bad idea to try to fix social problems with technical solutions.

[Heh. I like ParkingLotTherapy for spammers - if you can catch 'em.]

Do not email list

Some people have suggested a "do not email list", similar to current "do not call" telephone lists.

To prevent spammers from mailing everyone on the list, the distributed list would *not* contain the actual email addresses, but a one-way hash of each address.

Legitimate senders would presumably carefully hash each address that they already have, and if the result matches one of the hashes on the do-not-email list, remove that address from their list.

With hashing, at least this doesn't *help* spammers. But how exactly would this stop or slow down spammers?

Spam is an instance of a more general problem, TimeAndAttentionBrokenEconomy.

Other SpamSolutions

Hit back spam sites automatically?

http://www.newsfactor.com/story.xhtml?story_title=Lycos-Screensaver-Spams-the-Spammers&story_id=28726
Not sure about this one. What if the Spam comes from a hijacked PC and/or server? And then the retaliation from the other side further escalates the problem? The hijacked site could think they are being spammed first.

An interesting article in theregister (http://www.theregister.co.uk/2005/01/21/unintended_consequences/) references several possible spam solutions - (and their definitions, according to WikiPedia):

Domain Keys (http://en.wikipedia.org/wiki/Domain_keys)
Sender Policy Framework (http://en.wikipedia.org/wiki/Sender_Policy_Framework)
Sender ID (http://en.wikipedia.org/wiki/Sender_ID)

EditHint: Rename this topic to EmailSpamSolutions??

"How I Filter Spam" by TomVanVleck http://multicians.org/thvv/spamfilt.html

See: SpamDefenseRoadmap, WikiSpamSolutions

CategorySpam