Sunday, January 22, 2006

Sensible policies to solve the spam problem

The Internet, when it opened up to the general public in 1992, tended to attract bad actors, because it seemed at first to demand so little accountability. One of the largest temptations for people who have trouble succeeding in legitimate business competition was spam: easy money from sending out tens of millions of unsolicited advertisements for no postage. Many of these ads were for questionable products or activities, and some of them were get-rich-quick overseas money-laundering scams.

The largest cost of spam is probably borne by ISPs, which must carry the bandwidth it consumes. Until about 2003, it was common for most email users to get large amounts of spam in their home accounts. Even children’s accounts, and often work accounts, would receive emails on inappropriate topics. Since about 2003 the larger ISPs have become much more skilled at filtering inbound spam, and they have sued (and prosecutors have charged, under new laws) and won court judgments against some spammers who consumed enormous bandwidth.

The other big problem has been sender address spoofing. Email protocols were developed for Unix when networks were much more private and confined largely to defense and universities, and SMTP does not authenticate the sender: both the envelope sender (MAIL FROM) and the From: header are whatever the sending machine claims they are, so it is very easy for a fraudulent sender to fake another person’s address. Although spoofing can usually be detected with forensics (the Received: headers record the actual relaying hosts), this takes effort, and a clever spammer might be able to implicate an innocent domain holder. People have been blocked by recipients because their addresses were spoofed, and it is not inconceivable that there could sometimes be legal consequences. One way to reduce the chance of an address being harvested, whether for spamming or for use as a forged sender, is not to post one’s own email address on a web page with the proper punctuation (the @ symbol). As things are now, one should not post the email addresses of others on a public web page without permission (and this goes for employers, too).

But industry could buckle down and solve this problem. So far there has not been a consistent approach from ISPs and vendors. Some of the major opportunities are:

∙ Charging a very small “postage” fee for each email sent, to prevent huge volumes from one source; some new registration mechanism would be needed for people who run their own servers. In early 2006, AOL and Yahoo! announced a “voluntary” postage program under which approved commercial mailers pay for guaranteed delivery to AOL and Yahoo! subscribers, bypassing the spam filters.

∙ Allowing a recipient to charge unsolicited senders through an ISP charge-back mechanism

∙ Providing “opt-in” mechanisms

∙ A challenge-response system, which sends a verification email back to the sender and delivers the original message only after the sender replies. A number of ISPs use this now. I do not have any problem with responding to a verification request when I get one, but some people feel that this system would seem rude or clumsy to customers or business contacts. Search for “challenge response” and Earthlink.

∙ A sender authentication system that verifies that the machine sending a message is one the sender’s domain has authorized. Microsoft has also proposed requiring bulk emailers to use an ADV mark, with an exemption for commercial mailers who demonstrate compliance with a seal of good practice (and this could be difficult for small businesses). The authentication proposal is called “Sender ID” and Pobox.com, whose SPF proposal it merged with, is a co-sponsor. It would work best in a world with larger ISPs, which would cull lists of approved senders by application. Doaskdotell.com (my main domain), for example, would have to publish, in its DNS records, the list of server IP addresses allowed to send mail for it. When an email that purported to be from this domain arrives, Hotmail would look up that list and check the IP address that actually connected against it, and would reject the email if it did not match. Anonymous senders, whose domains publish no such list, would be stopped by this system. Microsoft has a major explanation on its own server now (search for “sender id” and Microsoft). I think that “sender id” has a major advantage over other proposals in that it would tend to protect persons who are spoofed as senders even in extreme situations.
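The check described in the last bullet, as an added example that is not code from the original post or from Microsoft’s or Pobox.com’s implementations: the receiving server takes the sender’s domain, looks up the policy the domain owner published, and compares the IP address that actually connected. The DNS table below is a constructed stand-in for real DNS TXT lookups, the domains and IP addresses are documentation examples chosen for illustration, and only the ip4/ip6/all mechanisms of the SPF syntax are handled (real Sender ID differs from SPF mainly in which address, header or envelope, it checks). The `reject_unpublished` option is an assumption that models the post’s idea of stopping senders whose domain publishes nothing; in the real protocols a missing record is a “none” result rather than a rejection.

```python
"""Simplified SPF / Sender ID style check (added example, not the post's code)."""
import ipaddress
import re

# Constructed stand-in for DNS TXT records; a real checker queries DNS.
# example.org deliberately publishes no record at all.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
    "example.net": "v=spf1 ip4:203.0.113.5 ~all",
}

# qualifier (optional), mechanism, optional ":argument"
MECHANISM_RE = re.compile(r"^([+\-~?]?)(ip4|ip6|all)(?::(.+))?$")

# SPF qualifiers map to the result returned when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Parse 'v=spf1 ...' into a list of (qualifier, mechanism, argument)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        m = MECHANISM_RE.match(term)
        if not m:
            raise ValueError("unsupported term: %s" % term)
        qualifier, mech, arg = m.groups()
        parsed.append((qualifier or "+", mech, arg))
    return parsed


def check_sender(domain, connecting_ip, dns=FAKE_DNS_TXT):
    """Return pass/fail/softfail/neutral/none for the sending IP of a domain."""
    record = dns.get(domain.lower())
    if record is None:
        return "none"  # domain publishes no policy
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, mech, arg in parse_record(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]  # catch-all, usually last
        # skip mechanisms of the other IP family
        if (mech == "ip4" and ip.version != 4) or (mech == "ip6" and ip.version != 6):
            continue
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record ended without an 'all' term


def smtp_decision(result, reject_unpublished=False):
    """Map a result to the receiving server's accept/reject decision.

    Only a hard 'fail' rejects by default; reject_unpublished=True is an
    assumption modelling the stricter policy the post describes.
    """
    if result == "fail":
        return "reject"
    if result == "none" and reject_unpublished:
        return "reject"
    return "accept"


if __name__ == "__main__":
    samples = [("example.com", "192.0.2.10"),     # authorized server
               ("example.com", "203.0.113.77"),   # forged: wrong IP
               ("example.net", "192.0.2.1"),      # softfail policy
               ("example.org", "10.0.0.1")]       # no record published
    for dom, ip in samples:
        r = check_sender(dom, ip)
        print(dom, ip, r, smtp_decision(r), smtp_decision(r, reject_unpublished=True))
```

Note that the decision is made on the connecting IP, which the spammer cannot forge, rather than on the address in the message, which he can; that is why the scheme protects the spoofed domain owner as well as the recipient.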

Congress passed a somewhat wishy-washy “CAN-SPAM” act at the end of 2003 (effective January 2004), focused particularly on sender spoofing and fraud, as well as deceptive subject lines, advertisement labeling, and a required opt-out method; it also preempts most state anti-spam statutes except where they address falsity or deception. Some states have proposed draconian laws that could penalize the sending of all unsolicited emails to residents of their states. It is not clear what would happen under such a law when someone is spoofed.
