Stopping spam isn't as easy as you might hope

[Dave Farber <dave () farber net>]

> Date: Sat, 31 May 2003 04:01:08 -0400
> From: John R Levine <johnl () iecc com>
>
>
>
> The spam stopping ideas mentioned in two recent messages to IP, designated
> sender and e-postage, have been debated at length in the e-mail community.
> Unfortunately, each has technical and social problems that make them
> unworkable.  The existing e-mail system is large, complex, and has
> operational aspects that are often subtle, and a lot of superficially
> plausible ideas have already been evaluated and discarded for good
> reasons.
>
> Reverse MX and other designated sender schemes attempt to prevent people
> from sending mail from unauthorized hosts, so that. for example, yahoo.com
> could identify the hosts that are supposed to be sending mail with Yahoo
> return addresses, and receiving hosts can reject mail purporting to be
> from Yahoo that originates elsewhere.
>
> A significant technical problem with Reverse MX is that large mail domains
> like yahoo.com have distributed mail hosts all over the world.  Reverse MX
> proposes that a mail server make a DNS query to find the addresses of all
> of the valid sending servers for an incoming message, but all those
> addresses won't fit in a 512 byte DNS response packet.  (The DNS spec
> provides for larger packets sent with TCP, but in practice, larger packets
> are much slower and many DNS implementations don't handle them right.)
> This problem isn't hard to fix once you realize it's a problem; see Gordon
> Fecyk's Designated Mailer proposal which is similar but better thought
> out:
>
> http://www.ietf.org/internet-drafts/draft-fecyk-dsprotocol-02.txt
>
> The social problem with designated sender is that there are plenty of
> perfectly legitimate reasons for mail from a domain to originate someplace
> other than its home network.  Lots of people maintain accounts at Yahoo or
> other free mail providers, but send mail with their Yahoo address from
> their home ISP using the ISP's mail server.  Many others use forwarding
> services such as pobox.com, which would all be unable to function with
> designated sender, since mail forwarded by such services correctly retains
> the original sender's address, not the forwarding service's.  And finally,
> this won't really block any significant amount of spam, since there will
> always be some domains who out of political principle, malice, or
> incompetence designate the entire Internet as their valid sender ranges,
> and spammers can just use those.  Or spammers can register throwaway
> domains of their own, since burning an $8 domain for a 10 million message
> spam run isn't much of a deterrent.
>
>
> The other message proposes attaching "cybercoins" as e-postage on e-mail.
> The technical problem here is much more serious: nobody has any idea how
> to build a micropayment scheme that could scale up to the size needed to
> handle the world's e-mail and work reliably enough to deter spam.
> Cybercoin systems require that recipients ask the issuing bank if the coin
> is genuine and hasn't already been spent.  There are probably a hundred
> billion e-mail delivery attempts per day in the U.S. (Hotmail alone
> reports about two billion.)  By comparison, there are maybe 100 million
> credit card transactions a day, so this would require a system that can
> handle a thousand times the transaction volume of the credit card system.
> Some designs use statistical validation, only check some fraction of the
> coins, but in view of the reality that many systems report 80% or more of
> their mail is spam, you have to validate everything or else let a lot of
> spam through.  There are other technical problems (how do you clear a ten
> cent transaction between individuals the U.S. and Indonesia?)  but the
> transaction volume is the most obvious.
>
> Even if through some technical breakthrough we were able to affix e-stamps
> to every message, we'd turn the e-mail system into something like a phone
> network where all the numbers start with 1-900.  Since non-commercial
> mailing lists like IP couldn't exist if they had to pay postage, and most
> people don't want to charge their friends to write to them, proposals
> generally have some way to waive postage from known senders or only cash
> the coin if you don't like the message or otherwise vary the price at the
> receipient's option.  But this replaces the spam problem with a new world
> where you have no idea how much postage you'll be paying, and with lots of
> innovativive e-postage scams, both to avoid paying postage on outgoing
> mail, and to trick people into sending mail to receipients who want to
> collect the incoming postage.  Unlike the spam problem, these scams
> quickly involve large amounts of real money. Think of chain letters saying
> "write to this address to get coupons for free beer, they won't even cash
> your stamp."  (Yeah, right.)  Or let's say a virus on your computer sends
> out a thousand spams.  Who pays the postage?  If the answer isn't "you
> do", who decides to waive the postage?  How do you tell a user with a real
> virus from a spammer who deliberately infects his own computer?
> Doubtless we can come up with a whole set of laws and rules and
> adjudication procedures, but I don't see any reason to believe that what
> we'd end up with would be preferable to the admittedly lousy situation we
> have now.
>
>
> I'm not arguing that nothing can work so we should throw up our hands, but
> it's dismaying that the same old unworkable anti-spam approaches keep
> reappearing over and over, reinvented by people who haven't done the most
> rudimentary investigation of prior work, invariably foundering on the same
> problems that came up the last six times that similar proposals failed.
>
> There's plenty of room for innovative thinking, both to try to identify
> and deter spam, and to pick out the real mail from among the spam and get
> it to the receipients.  But please, let's stop going in circles, build
> some prototypes, run some experiments to see how they work, and try to
> move forward instead.
>
>
> Regards,
> John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for 
> Dummies",
> Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer 
> Commissioner
> "I dropped the toothpaste", said Tom, crestfallenly.


-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/