Fixing spam with postage

Posted Feb 4, 2004 20:33 UTC (Wed) by csamuel (subscriber, #2624) [Link]

Of course, none of this could be motivated by a desire to create a proprietary
format for all Windows users that would mean that you would have to license the
technology from MS to send email would it ?

Cynical of Melbourne

Posted Feb 4, 2004 21:03 UTC (Wed) by Baylink (subscriber, #755) [Link]

IMHO, *the* *number* *one* problem in killing spam is that for any approach to work, it needs to get the buy-in of the "Big 10": AOL, Earthlink, AT&T, Yahoo, Hotmail, MSN, and the rest, in no particular order after the first two. (:-)

One such approach that's gaining traction in exactly that space is SPF (does it keep you from getting mailburn?) -- Sender Permitted From. SPF, which checks that the SMTP transaction is coming *from* a machine listed in the sending domain's DNS (as a TXT record), as sort of a "reverse MX", is in fact gaining traction in that important Big 10 space, with AOL among the carriers trying it out. The fact that I found the website for posting here with an unadorned Google search for "spf" probably means something all by itself.

My *other* favorite approach to spammers, which I personally think would kill them dead if we could get *it* implemented by a substantial majority of the Big 10, is the variable viscosity tar pit, which Marty Lamb is hidden away in his basement laboratory busily rewriting to make it sufficiently efficient to run in that environment. This one's idea is that the spammier a message gets to look *as the sending SMTP client is sending it to you*... the slower you ack each transaction record.

Since the spec for SMTP in RFC 2821, section 4.5.3.2 says that you can delay that ack up to 3 *minutes*... and I can pretty much guarantee you that the bigtime spammers, using software with built-in SMTP senders, have that timeout cranked WAAAAAY back, to like 10 or 20 *seconds*, well, if the message gets spammy enough, they'll give up on you and it didn't cost you anything. *AND*, it may well have tied up one of the spammer's limited number of sending threads.

Imagine what things would be like if *lots* of spammers had to wade through that.

It'd be kinda like La Brea.

"You wouldn't think dinosaurs would get that close to downtown, would'ja?"

But hey, maybe it's just me.

So many things are just me...

Posted Feb 4, 2004 22:16 UTC (Wed) by ncm (subscriber, #165) [Link]

The bigger problem with this scheme, as with the DNS-based ones, is that, besides its intrusiveness, it wouldn't work. Spammers now hijack ordinary machines authorized to send mail, and send from them. The owners of those machines would pay the postage.

Posted Feb 5, 2004 0:41 UTC (Thu) by jarek (guest, #4105) [Link]

Today, MUAs (mail user agent) and MTA (mail transfer agent) don't talk much. MTAs receives the mail and stores it in some place where MUAs are expected to find it. If however, the MTA could receive feedback from the MUA about the --quality-- of the email they transfered, they could begin to build a white list and a black list. Remote MTAs not on the white list would suffer delibrately slow response and perpahs even denying certain MTA once their spammer status has been establieshed with certainty to be entered into the black list. With no white- and no black-list, this system would still be operational within the RFCs and boot into fast operation within hours for a large email service and a few weeks for me ;-)

At least one good property of this approach is that you don't have to wait for large scale adoption before it works for you. You change it and you benefit. The problem, it seems, would hit large ISPs who would run out of TCP ports. Perhaps they could get started with a good black-list. There is still a problem with myDoom-type viruses if their spread rate is too fast for the black list to be effective, but that may not be a problem in practice.

For an ISP which use html-based email clients, the feedback is trivial since they are in control of the MUA. Traditional POP/IMAP mailboxes would require enchancement of that protocol (perhaps, I don't know for sure) and for those of us who run the MTA and MUA on the same machine there's no problem at all.

A good thing with distributed MUAs is that many of them run automated spam filtering software like spamassassin (and similar) which is not an option for a MTA due to the resources it requires. This load can easily be accepted by the distributed CPU power of the MUAs and provide fast feedback to the MTA without human intervention for more than 95% of the traffic.

/jarek

Posted Feb 5, 2004 2:15 UTC (Thu) by coderock (guest, #12382) [Link]

IMHO M$ should first take care of the worm problem, because they're the main reason for it.

Only when (hmm... if?) they solve that, they would be allowed to make proposals about other mail problems.

Posted Feb 5, 2004 5:35 UTC (Thu) by zooko (subscriber, #2589) [Link]

Adam Back's hashcash (sorry no link -- google it) solves the centralization problem, at the cost of a bunch of CPU cycles.

Posted Feb 5, 2004 5:50 UTC (Thu) by copsewood (subscriber, #199) [Link]

Postage carrying mail is as different from SMTP as SMTP is from IRC. I have designed the beginnings of a decentralised and distributed enough architecture that could theoretically do the microtransactions involved, together with a suitably automated currency exchange market. Whether this (MRS) is needed to solve the spam problem is another question. If this approach does gain momentum it would lead to a higher-value type of mail in which you were less likely to lose wanted messaged due to false positive spam detects. It would not be suitable for list server type mail. Certainly people will become a lot less willing to allow their PCs to become spam zombies when every message costs money from their account.

Posted Feb 5, 2004 7:37 UTC (Thu) by lutchann (subscriber, #8872) [Link]

I wish people would stop with the "email postage" idea. It is a BAD SOLUTION. Ignoring all the problems mentioned in the article, the premise itself is short-sighted.

If we assume we can actually build this postage system thingy, and then make the bigger assumption that it will stop spam without destroying the efficiency and convenience of email entirely, what will spammers do? Concentrate their efforts on instant messaging? Develop better software to create weblog comment spam? Auto-dial our wireless VoIP phones and play recorded messages? Maybe download advertisements directly into our brains with our neural uplinks?

The point is that putting all of our effort into designing a system specifically to tackle the RFC822 world would just push spammers into other net-based communications systems, where we'd have to start from the ground up to implement a totally new solution. (What's that you say? We'll just extend the postage system and start charging 5 cents to make a VoIP phone call? What a great idea! And a penny to send an instant message... Oh, no! My Internet bill is higher than my car insurance, because I'm paying for services with totally artificial prices!)

What we need is to create some sort of filtering or authentication system that can be applied to *all* Internet communications, and imposes technical limitations rather than economic ones. SPF is a step in the right direction, by adding authenticity to the sender address and accountability for abuse, and the concept can be extended to any IP communications. Once the offenders are identified, it will be much easier to filter them out than when they hide behind anonymous (and unaware) zombie relays. Maybe if the use of public key encryption software was more wide-spread, we could extend the accountability all the way down to the user, giving everybody the capability to filter and blacklist at the level at which the abuse takes place rather than indiscriminately blacklisting entire ISPs.

I wish all the hub-bub about email postage was refocused on a solution that would last longer than the keyboard-oriented human-computer interface, and didn't favor economically-advantaged users.

Posted Feb 5, 2004 10:02 UTC (Thu) by virtex (subscriber, #3019) [Link]

I've said it before and I'll say it again -- imposing a postage tax on email will hurt legitimate uses. There are groups out there that send large amounts of email that aren't spam. Consider BugTraq. They have something like 100,000 subscribers. If they had to pay a penny for every email, that would cost them $1000 per message. Multiply that by 30 messages a day and they're up to $30,000 a day just to send email. Also don't forget about the smaller groups. For example, my local LUG mailing list has about 500 subscribers, and is run by one of our members who doesn't make a penny off the service. If he had to start paying $10-$20 a day, he'd have to shut it down.

Oh, and before anyone suggests that mailing lists should be exempt from the tax, what's to stop spammers from using a mailing list? Charging a tax on email to stop spammers simply will not work, and I'm disgusted every time I hear someone bring it up as a solution. I'm doubly disgusted to hear someone like Bill Gates suggest it, since too many people will automatically agree with him. I would've hoped someone in his position would actually think these things through, but time and time again, I find that company executives have completely lost touch with reality.

Posted Feb 5, 2004 11:46 UTC (Thu) by smoogen (subscriber, #97) [Link]

I am wondering if there is some confusion on my part about what the cost is. I think there is a Microsoft research idea that people sending email would pay by 'donating' CPU cycles to the sendee. IE I send a mail message to a relay. The relay asks me some sort of mathematical question. I answer it and then I can send email to that relay. The postage is then collected that way. The more email I send, the bigger the math I do.

So it isnt money but the native currency of the NET, cpu that gets costed.

Posted Feb 5, 2004 15:49 UTC (Thu) by vblum (subscriber, #1151) [Link]

I would be very happy with Microsoft collecting a fee from its users for every message sent. This feature should be included in their client immediately.

Really, if any action is needed: Prosecute the advertising entities. If spam is sent in someone's name without that entity's knowledge, that should be reasonably easy to find out. If, on the other hand, someone does not stop spam-advertising despite repeated infractions, it should be simple to prove that party's guilt by mere specific scrutiny.

Authorities do prosecute virus authors and hackers, and take the time to prove their guilt. Why should professional spammers be treated differently instead?

Posted Feb 6, 2004 7:40 UTC (Fri) by hippy (subscriber, #1488) [Link]

I hear all the noise about how terrible the SPAM problem is and I see all
the hot air made about breaking the current email system for the
legitimate users by charging a postage fee. What I don't understand is why
you need to have either a free-to-send _or_ a pay-to-send system? Why not
have both and allow the market to decide.

If users really are prepared to pay to get rid of SPAM they can choose to
leave the SPAM filled current system and only have an address on the new
pay-to-send system. The usual rules of market demand and Metcalfs's law of
networks will look after the rest.

In the mean time the free-to-send system can work to combat SPAM as best
it can and if it succeed the users will come back (unless the pay-to-send
system offers enough extra features to make it worth while).

I have no problem with a pay-to-send email system, just as long as I do
not have to use it. I am prepared to suffer the hassle of running my own
anti-spam measures in return for free-to-send email. If others are not,
that should be their choice.

Richard

PS. I get ~150 SPAM a day so I know what bargain I am making.

Posted Feb 9, 2004 4:50 UTC (Mon) by ekj (subscriber, #1524) [Link]

Most of the problems mentioned here go away if you replace monetary payment with payment in cpu-cycles.

"Want this message delievered ?, ok I'll do so if you find some string whose sha1sum ends in 258f." The only known way of doing that is to try, on the average, hashing 32000 strings until you find one that match.

It's easy to adjust the postage required. If in some future, spamming is possible with a 16-bit collison (which is what I'm asking for above, "hello\n" would match by the way :-)), you could always say: hash-sum that ends in f2258f

Mailing-lists is a problem. But it could be solved by having a white-list of "free postage" servers, and changing the sign-up procedure for a mailing-list to include that the recipient does not demand postage from the mailing-list-server.