Wednesday, December 27, 2006

Time to charge for sending email?

I'll start this post out by saying that this may indeed be high time to seriously consider charging for sending email. Perhaps a tenth of a penny (one mil) per mail, less with a listserver. But the idea is to take away a free resource that encourages spam, and worse, the viruses and worms that highjack computers, even at home, as zombies to send them. (I remember in the mid 1970s that terminal time in the workplace was a free resource, and the computer time by "compiling in demand" could be abused. What a parallel!)

The other major measure is to replace the SMTP mail protocol with a more sophisticated protocol that validates sender id's, to eliminate spoofing. I have long been concerned that spoofing could make "innocent" operations (particularly individuals or very small businesses) become perceived as nuisances that (like in zoning laws in the physical world) should be removed.

Several companues have explored mail security improvements. These companies include Earthlink, Yahoo!, and of course Microsoft and Apple. But they need to work together to come up with a solution. One remedy that is somewhat successful is a challenge-response mechanism used at least by Earthlink.

There has been quite a flow of media reports in the past two months. On Dec. 27, 2006 The Washington Post discussed reports that spam volumes had increased oved 70 percent during the last quarter of this year. The article is by Bryan Krebs, "Cybercrooks Deliver Trouble: With Spam Filters Working Overtime, Security Experts See No Letup in '07". The link is here.
(Visitors may need online subscription.)

CNN reported on this earlier in December, with Miles O'Brien himself advocating charging for email. One idea is that the revenue from the electronic postage would be used to fund better email security to stop the spam problem, as well as protect consumer privacy with better due diligence procedures from credit grantors.

Even earlier this monthm nn Dec 6, 2006, there had appeared major media reports about the increase of spam, especially from overseas where spammers are free from the strictures of the CanSpam Act.

Brad Stone has a report "Spam Doubles, Finding New Ways to Deliver Itself," in The New York Times, p A1, in which he eplains a ruse of spammers called "image spam" which outwits existing spam filter technology. Spammers also outflank attempts to prevent delivery of multiple copies of the same message. Many spam filters look for particular letters and patterns and do not have the contextual intelligence of a human to see everything. Teaching a system to recognize spam may be like writing a program to analyze an equal middle game position in chess.

Corporations are finding that spam hogs their bandwidth and causes them to have to spend a lot more money. The Seattle Mariners (major league baseball) switched from a system managed by Computer Associates to Barracuda Networks, with some success.

The Washington Times has an article by Kara Rowland, "Clever spammers stay 'one step ahead' of law: Federal act fails to stem the tide." The link is here. The article reviews the CanSpam provisions. It's good to review them here. (1) Senders must have legitimate headers, a non-misleading subject line, an opt-out method, and proper labeling of the message as an ad. (The idea of whitelisting and opt-in had been debated in 2004.)

Legitimate companies are harmed by the practice, as they are by phishing, which has become more aggressive (telling electronic banking customers that their electronic access will be terminated). Some spam schemes have promoted illegal "pump and dump" penny stock trading schemes, even without links to websites. There are suggestions that ISP's quarantine home users whose computers become infected with botnets, which are used by spammers to send spam from zombie machines.

I have noticed some increase in my own spam box on AOL, particularly recently with messages with multiple FWD's, almost certainly the product of a worm. Many of them have subject lines in unicode, Greek, or Russian, and are easy to spot. But some legitimate email is misidentified and I must always review it. My own spam folder has increase in the past two months, about three fold, to about four pages a day of junk.

In the physical world, where senders pay postage (but take advantage of bulk mail), I find myself cutting or shredding mail envelopes and the see-through letters. This is inexcusable. Why don't credit grantors have to practice more due diligence?

Update Jan 8, 2006 New York Times Story, by John Markoff: "Attack of the Zombie Computers Is a Growing Threat, Experts Say." The computers of one unnamed ISP were recruited to send over one billion spam messages in 24 hours in Dec. 2006. The article discusses the "botnet" and a particularly mophic one called "rustock" which right now is reportedly very difficult for security companies to detect. One woman in Denver with a older Windows 98 machine had her computer confiscated by sheriff's deputies in Sept 2006 when it was turned into a zombie to make purchases from Sears off a stolen credit card number, but she had disabled security protections provided by her ISP because they made the older machine too slow.

There is a new critical essay at one of my other sites on this matter, at this link.

Update: NBC Nightly News with Brian Williams will have a major story on the increase in spam on Monday, January 22, 2007 at 7 PM EST

Here is a posting about a spoofing scheme using MySpace to falsely imply that a MySpace user sent spam. It involves manipulation of the "friend request." It is on MSNBC, 12/25/2006 here.

Here is a recent story, 1/16.2007, about spam masquerading as a legitimate newsletter, at this link. I know someone in the legitimate newsletter business, and this would be a big problem.

(Picture: Quartz Mountains in Oklahoma)

1 comment:

Anonymous said...

Bill, email isn't free now. Mechanisms would need to be put in place to charge back, and some ISPs wouldn't implement--and those are the ones that spammers would use.