Microsoft, Yahoo Investigate Spam Solution

bllfrnch writes "The NY Times (account required, yada yada) has an article about the suggestion of email postage to stop the advent of spam. Apparently, both Microsoft and Yahoo! support such an initiative, as they are the largest email service providers. Best quote: ''Damn if I will pay postage for my nice list,' said David Farber, a professor at Carnegie Mellon University, who runs a mailing list on technology and policy with 30,000 recipients'."

Cha ching?

[monstroyer]

Paying for postage already exists, it's called a fax.

This is the worst solution ever and the only reason that MS/Yahoo support it is because of Hotmail/YahooMail. They stand to make huge profits because they host the inboxes of millions of users. Every email received at those accounts would invoice the sender. It's a no brainer for BARRELS OF CASH !!! (tm)

In fact, there already was a good solution [slashdot.org] proposed a few weeks ago, by microsoft no less. Combine it with Spam Assassin the way Spam Interceptor [si20.com] does (replacing the C/R component) and the solution is plausible.

It's a ridiculous concept

[MysteriousMystery]

It's a ridiculous concept really, the reasons email has become successful to begin with is that it's fast and free. If you charge for email, people will just move over to instant messengers or other systems. And how do you enforce charging people who you may or may not be able to track, the proposal to charge for spam based on the reciever's choice is absolutely ridiculous.

This will work

[Anonymous Coward]

(but only if the only people who get charged are the spammers.)

I like the computational challenge solution better

[kcornia]

Asking the sender to process a quick math question seems a better solution to me.

Spam boxes would be prohibitively expensive due to the heavy requirements for sending millions of spams, and it would have the added benefit of notifying people when their box has been owned due to 100% processor utilization on said owned relay box.

The money option just sounds like pushing for a new revenue stream. To heck with that.

Common sense...

[FrancisR]

"AOL is taking a different approach and is testing a system under development by the Internet Research Task Force. The system, called the Sender Permitted From, or S.P.F., creates a way for the owner of an Internet domain, like aol.com, to specify which computers are authorized to send e-mail with aol.com return addresses." Shouldn't AOL have thought of this a long time ago? I remember a few years ago when I used to use AOL and got deluged with FormMail spam with faked @aol.com return addresses. Good to see they're getting their act together.

Re:Cha ching?

[MadCow42]

Email postage might make sense under one of two conditions:

1) the recipient gets the postage fee
2) the ISP that gets the postage fee provides email / internet access to the user for free

If the ISP gets the cash without providing any FURTHER service, it's nothing more than a cash grab. I would still be likely to maintain a "free" mail account so my friends wouldn't have to pay to email me... I'd just be more likely to filter that heavily for spam.

MadCow.

I hate spam but...

[dolo666]

How will this affect websites sending their users emails from requested sources?

Like I'm the programmer of Gemsites [jcomserv.net], a Slashdot clone. When we register a user, we shoot them an email. So are we going to have to pay money to do that?

Because that would be totally stupid, and it would possibly put an end to discussion websites that require logons to validate users, unless there was a method to bypass the charge for sending email.

The way Microsoft will turn it, would be that we all *should* be paying per email, because of this reason or that reason. Bottom line is Billy Goat Gates on his mountain of cash, trying to pile up more of it.

I think I have a better solution.

[mikeophile]

Instead of billing the sender of bulk email, why can't the receiver bill the service provider who permitted the bulk email to be sent in the first place?

What you say? Microsoft would get huge bills because of the abusers of it's Hotmail service? That would be a pity, wouldn't it?

Already working?

[pen]

It seems that both Yahoo, and lately Microsoft, have discovered a pretty good solution for spam. My YM mailbox has been largely spam-free for a few months, and in the last week or two, Hotmail has been doing a pretty good job as well. Every now and then a spam gets through, but that's about it.

Why can't DNS solve spam???

[clusterix]

Why can't MX records become required to list all in AND out going official SMTP for a domain. From then on, SMTP servers could reject non matching MXed sender IPs and if spam does get through - you know you to blame.

Re:Cha ching?

[Awptimus Prime]

Agreed. I've said it before and I will say it again:

Replace SMTP with a more secure protocol. Give a 12 month window for everyone to upgrade their clients. Then make port 25 filtering mandatory for all ISPs.

Failure to comply results in no email gateway for your customers. Simple as that.

Postage -- even more spam!

[Mad Bad Rabbit]

Oh, great. One of the proponents is a bulk-emailer called "Goodmail", who wants this system because if they pay to send out spam (with the postage going to ISPs), the ISPs will have a financial incentive not to block them.

Yahoo supports this?

[mblase]

Yahoo! Mail already has a spam filter engine, and it's ridiculously effective for a freemail provider. I rarely use my Yahoo account, but still tend to check it daily for email that should go to my new email addy and doesn't.

On a typical day, Yahoo! Mail will have around 100 new spam messages for me, and only two to six of them will make it to my inbox. After a quick setup a month or two ago, I can now check them all with one click and have them identified and deleted as spam with a second click.

While I understand Yahoo! wanting to lessen the burden on their filtering software by supporting postage, I think the sheer cost of such postage would eliminate Yahoo! Mail as a free service and wipe out most of its users in the process. I honestly can't imagine why they would want to use it instead of their already very effective spam traps.

Goodmail just wants to eliminate all free spam

[Thagg]

The Goodmail "solution" is the worst of all possible worlds. What they want to do is convince people doing spam filtering that paid-for spam should still go through. They want to raise the quality of the spam, not get rid of it.

Please. That's not the answer.

thad

Escrow

[djtack]

And how do you enforce charging people who you may or may not be able to track, the proposal to charge for spam based on the reciever's choice is absolutely ridiculous.

This is not so hard at all; you simply require the payment be placed in an escrow account before the mail server will accept the message. The sender would include some unique token in the message headers that corresponds to the escrow funds.

Read about it here: Selling Interrupt Rgihts [ibm.com]. The article is from 2002, btw, this is hardly a new concept.

related story this morning on NPR

[fishbert42]

Reading the headline reminded me that I heard a story [npr.org] on NPR while laying in bed this morning about ways to go about eliminating spam on the internet.

Not sure if it contains any "new" information, but it might be worth a listen.

You should collect your own fees

[steveha]

The basic idea, to make spamming too expensive to be worth it, will work. But I don't want to have Microsoft, Yahoo, etc. collect the money; the email account owner should set the fee and collect it.

I wrote it up here:

http://slashdot.org/comments.pl?sid=94145&cid=8077 371 [slashdot.org]

The key points:

You set the fee, and collect it.

You can refund the fee if you wanted the email.

You can add people to a whitelist.

The whitelist uses digital signatures, not easily-forged header fields.

It doesn't really work unless we have a micropayment system that can charge small amounts (five cents) without expensive overhead.

In the discussion attached to that article, one person pointed out that this system could be exploited like this: advertise a job, one that looks like it's really worth applying for. Charge about 20 cents per email to accept resumes. Pocket all the money. It's a perfect small-time fraud scheme: you steal so little, from so many people; who would be motivated enough to check up on whether there was ever really a job to apply for?

I have to say, even without the charging of fees, a whitelist based on digital signatures would be great. You could have a special folder where known-good emails go, and another one for the rest. I'd have my email client play a chime sound when known-good emails arrive, but not the rest.

steveha

Post a postage bond...

[jordandeamattson]

Actually, this problem can be solved without charging postage on each and every piece of email.

The problem can be addressed by putting people at risk of being charged postage. This can be done by requiring that senders post a bond of say 1/10 of 1 cent per item sent.

If you are sending 30,000 pieces of mail a week, your bond would only be $30.00. If people like your email, you will never have to pay the toll, but if they don't like it, then you will be subject it.

The folks that will be caught in this web are spammers and direct marketers. They send millions of spams in the hope that just a few folks will bite. If we raise their cost of doing it above the return, they will be out of business ASAP.

The only way to kill spam, which depends on a frictionless mailing process, is to introduce some friction (i.e. cost) into the system.

Yours,

Jordan

This was not the original idea.

[stripmarkup]

I remember the original idea being something like this:

1) The user determines how much to charge to read email from someone not on his/her whitelist. For example, I would look at untrusted emails for at least $0.10 a pop.

2) The user can choose not to collect the payment if the unknown sender is someone legitimate, like an old acquaintance, a friend with a new email address, a job offer, etc.

This would effectively kill spam without creating much of an inconvenience to legitimate email.

Credit card payment?

[rjelks]

There are millions of stolen credit card numbers floating around. It may be risky to use them on products delivered to a home, but what about the spammers. How many spammers are going to be buying these numbers and using them to charge up their spam? Could this cause an increase to identity theft? -

Stop Email Newsletters; Switch to RSS

[rjamestaylor]

Philip Greenspun, I believe, commented at the height of Internet Hype email was still the killer app of the Internet, not the web. Indeed in 2000, iirc, Dave Winer sent out an email newsletter wherein he stated his amazement that more people rely on his newsletter for updates than visit his dymnamically updated website. No mystery to me: emailed newsletters require no action on my part except subscribing (and not always that is required, which is why we're discussing spam, eh?), has a familiar interface that my Mom, a grandmother many times over, has no trouble mastering, and is well-supported by various vendors. But email is overrun with spam, worms and viruses ... and forwarded conspiracies from grandmothers (*ahem*).

But another method of delivering news is available to content serializers: RSS feeds. RSS feeds allow for true "push" content delivery like email. But, RSS feeds are not as easy to grasp, access or view as email.

Proposal: create an add-in RSS feed aggregator into common email platforms such as Outlook, Outlook Express, Mozilla, Eudora, pine (kidding), etc. Build content creation mechansism into the same email clients with the ability to post the feeds to a public directory (Google? Anyone listening?) with various subscription options on both ends.

This way email could be returned to a person-to-person(s) communication tool for low-volume communication needs; content aggregators could better server their readers/viewers and we can all experience whirrled peas.

Whatever. Anyway, just an idea -- what thinkest thou?

Digital Signatures

[quork]

There already is a solution... It is called a digital signature and comes from a Certificate Authority. Couldn't ISP's, Yahoo, or even Hotmail be required to issue PKI certificates to a paying user? Email administrators would then have the option of dropping any email that wasn't digitaly signed (as coming from a legitimate CA). This digital signature would shed light on the responsible parties involved in sending SPAM. Then fines could be levied on the guilty parties. Screw the stamp people. I already pay for the privilage of sending email.

RSS is the prof's answer

[phildog]

The answer to the prof's concer is RSS. You give back control of subscriptions 100% to the 30,000 subscribers and eliminate all that mailman/listserv/lyris/yahoogroups/topica nonsense.

If you've ever seen a post to a public list that reads "please take me off your list" you know how goofy subscription management via email can be. RSS is intuitive. Email listserv is not.

I'm not endorsing the email postage solution, but I'll take it if it helps the spam problem significantly. I can control my own mailing lists, Professor. Don't underestimate your users. If they want what you got, they will find a way to get it.

Heresy?

[2marcus]

So, I realize that this is heresy on slashdot, but, playing devil's advocate:

What is so wrong about paying for a resource you are using? Few people expect free phone calls, why should sending "email" bits be different than sending "voice" bits? (ok, a lot of people now use the internet to have free international phone conversation, etc. etc.). Many people on slashdot believe in capitalism - under which you expect to pay in some way for most services. Do we just expect free email because we've always gotten free email, or is there a fundamental reason why email should be free?

Note, I am asking this as a philosophical question separate from implementability of a system like email stamps, or whether it will cost more to charge for 0.00001 cents worth of service than you get, or whatever.

-Marcus

Re:After looking at the possible solutions

[LesPaul75]

It's clear? I wouldn't say it's "clear."

What happens when your machine sends 500000 spam messages because it's infected with a virus? How exactly do you "guarantee" that won't happen? The only thing that's truly clear is that there is no guaranteed effective solution.

Who modded this up? Do Microsoft employees read slashdot?

Re:Cha ching?

[Zwoop]

if people just set up their mail servers to force authentication before outgoing mail can be sent, there wouldn't be any problems. Sorry there will be some problems, but I bet it would eliminate a lot of spam.

Hmmm, what kind of spam would this prevent? Open SMTP relays? Forged From: addresses? Sure, we might get rid of some spam that way, but it will not fix the real problem IMO. It's just too easy to setup your own SMTP spamming server to "bypass" this, unless of course we start requiring SMTP auth in all SMTP traffic (not just from the MUA to MTA). But what a nightmare to maintain the global directory of servers and credentials...

Also, setting up SMTP auth to work with all possible clients turns out to be somewhat of a pain. I've done it with sendmail, and although it worked nicely "out of the box" for most clients, at least one had serious issues with the SASL and TLS protocols (see this article [ogre.com] for instance).

And yeah, unfortunately there will always be victims out there who will buy from spammers and telemarketers. And there will always be predators ready to take advantage of them, if they can do so. Spam works well because it's virtually free to do, so even with some incredible small "click through" rate, it's profitable.

Making spamming computational expensive, as has been talked about several times, seems like the best solution right now. I don't particular like this postage stamp solution, although, it certainly addresses the root of the problem, it's too easy/inexpensive to spam.

-- leif

I WILL SAY IT AGAIN...

[quork]

There already is a solution... It is called a digital signature and comes from a Certificate Authority. Couldn't ISP's, Yahoo, or even Hotmail be required to issue PKI certificates to a paying user? Email administrators would then have the option of dropping any email that wasn't digitaly signed (as coming from a legitimate CA). This digital signature would shed light on the responsible parties involved in sending SPAM. Then fines could be levied on the guilty parties. Screw the stamp people. I already pay for the privilage of sending email. Digital Signatures are free!

List owners need not fear...

[vonPoonBurGer]

...as long as there's a way to send email "collect". If sending an email costs you 2 cents, you're not going to want to send out a list mailing to 30000. That's $600 per issue! However, if you can send each of those emails and have the recipient agree to pay the 2 cents, then there's no problem. Of course, then you need to prevent spammers from sending collect... Maybe have people wanting on your list pay 24 whole cents up front for a year's subscription? Idunno, seems like yet another 'net problem that could be overcome with micropayments.

KISS

[t_allardyce]

All this is going to do is make email totally proprietry and over complex. It will mean banding about digital cirtificates and various payment methods - (probably controlled by microsoft) just to send a simple email the length of this post. But something most people will probably miss is that if two people know eachother then they will just have their email addresses on a "safe" list in their email client and theres no reason they would need to use the payment system.

If your going to make email more complicated i dont see any reason to use a payment based system over a challenge-based system - eg: you send an email to someone for the first time, their server or client sends back an email with a human test (eg type a number from a graphic, answer a simple random question such as "if mary had a little lamb what animal did mary have?" or ask them the name and gender of the person they are emailing) the advantage being that its not a central system, its not complicated, it only needs to be done once, and it can be set/edited/tweeked by the user.

Re:Cha ching?

[Awptimus Prime]

Actually, they would be insane not to. It would save literally thousands of man hours chasing spammers. Not to mention the gigs of bandwidth saved per year if spam could be eliminated.

The major industry players would be the 'governing body', as you put it. They have historically played together decently since the dawn of DDOS attacks. Before smurf.c, ISP #1 would typically ignore anything ISP #2 said. That is not how things are these days.

Re:After looking at the possible solutions

[ComputerSlicer23]

Hmmm, "Sender Pays" is a technical fiasco. There's a reason that micro payment doesn't exist. The only reason send pays works just fine for the US Post Office. Because there is only one party to buy postage from, and you buy it, and tack something physical on a real piece of mail.

What charge are you going to have for sending a piece of mail? Is it a penny? What happens one you get charged a penny for a piece of mail you didn't send? What happens when you get charged a penny a quarter of a million times for a piece of mail you didn't send? How does the ISP keep track of who racked up the charges? How does the ISP bill the consumers for it?

Because I might have to make fiscal transactions with say 500-10000 different financial institutions, that will have a transaction fee that far exceeds what any sane person would be willing to pay to send a piece of mail. So once you solve this minor issue, that lots of people have been working on for years, it might just work. (E-Mail might be just the leverage you need to pull this off, micro payments have never really had a killer app).

However, enforcing someone to do a math problem has an absolutely trivial solution to new hardware. Make the problem harder. Nearly all of the problems involve doing some type of math problem. Want to make it more expensive. Require them to do the same problem, but with bigger numbers. Your next problem, is that Spammers will pay $20K to get custom built hardware to do the problems orders of magnitude faster then any generic piece of hardware could do it.

Finally, the easiest way, is to get all outgoing SMTP servers to add an X-Header signature to all e-mails. This e-mail minus the X-Header's digital digest with the private key on a public web of trust is "XYZ". Now your problem is that you've created an incentive for people to steal private keys. The private keys will have to be kept in pretty much in the clear somewhere on the machine (which will be a problem).

Now you've just made the size of each e-mail significantly large (most signatures are a 1-4K if I remember correctly).

Now you have to solve the PKI problem

Finally, my preferred solution, is to force the sender to sign the mail using the GPG key I give them. Technically speaking, they could sign it with any key they want, but I white list in any signature using my public key, and the public keys that are used on the mailing lists I'd like to follow. Then mailing lists only have to sign one mail message and send lots of duplicates of that single signature. Now, getting past my SPAM filter requires that you deal with an object that I control. So if Yahoo gets their private key stolen, some spammer will start spewing SPAM that can get past nearly all ISP's spam filters where the SMTP just signs the mail. In my system, I couldn't care less. My public/private (which is only used for this, I have another one for authenticating who I am), has no value. I'll gladly post both of them to the net. I can make it easy for people who I can to send me mail, and all my mail has some form of digitial checksum on it. All of which is good. My only problem would be if someone found a mailing lists private key. All I'd have to do is then tell the admin that his key has been compromised and somebody is sending SPAM with it.

I'm not fond of SPF, because all someone has to do is be able to forge an IP, which isn't particularly difficult. I can't control all the nasty corners of the internet. I can control what key I force you to use, and I can control what lists I put on my trusted key list if they cause problems for me.

The biggest problem with my solution is that it requires everyone to change how they work. Technically all they have to do is go fiddle with sendmail a bit, and add an outgoing X-Header, I can use that to white list people in until it reaches critical mass. Then I can just black list anybody who doesn't do that to outgoing mail.

Kirby

Postage doen't need to be money, time is better.

[Charles Dart]

[Please exuse me if this is what the article is about, I didn't feel up to sacrificing my first male child to the Times.] The newsletter for the Society for Industrial and Applied Mathematics has an interesting article about postage. from the article [siam.org] (link goes to page with link to PDF Read "Math 1, Spam 0")

The Penny Black Project instead uses "proofs of work," a concept first introduced in 1992 by Cynthia Dwork and Moni Naor of the IBM Almaden Research Center. The idea is simple: "If I don't know you, you have to prove to me that you spent ten seconds of CPU time just for me, and just for this message," says Dwork, who now works at Microsoft Research. For legitimate senders, spending ten extra seconds to send an e-mail message is no problem. Most of the time, you spend more time than that simply composing the message. But for spammers, those ten seconds are the kiss of death. The one thing that no one can steal is more seconds than there are in a day. For a single computer, the CPU time available in a day amounts to 86,400 seconds; a spammer who wanted to put electronic postage on millions of messages would thus need hundreds of computers. Dwork is betting that most spammers cannot afford that kind of expense. Spam costs almost nothing for a spammer to send, but a recipient who looks at the message and manually deletes it incurs a perceptible cost in lost time.

Re:smokescreen

[Lehk228]

if a system like that was imlemented then it would also make paypal obsolete entirely, it would be trivial to include a "big stamp" that could be set to $x.yz in order to pay for things

Don't pay the ISP. Pay the recipient.

[uncadonna]

If the recipient replies or authorizes, they forego the fee.

Advantages: real email stays free, spam costs, microtransaction standards emerge.

Disadvantages: Microsoft and Yahoo don't make as much money. Sorry.

Let Yahoo and MS charge for email

[imnoteddy]

It might be kind of nice if the big boys tried to charge for email because then people would have an incentive to find a solution. In other words kill email as we know it.

If there was going to be a charge for email, consider how one group of email users, namely universities, would react. First, they'd find a workaround/new protocol so internal "messages" wouldn't be charged for. Next, universities would find a way to exchange "messages" between each other without charges. Then others would pick up on the idea and ...

There are technical solutions, but they won't be adopted until a certain pain threshold is reached. Spam filters have improved a lot lately and have been holding the pain down. Charging for email would ratchet the pain level up immensely.

Yes, there has to be *some* cost for stranger-mail

[isdnip]

I'm drowning in spam, and it's getting in the way of my job. The only solution that can possibly work is one that involves putting a price tag on spam. So here's my proposal (which I've put on here before, btw; this is not a new topic). The only way to put a price tag on spam is to put a price tag on email. But it doesn't have to apply to all email.

The price, then, is for the right to touch MY mailbox IF you're a stranger -- if you're a mailing list that I've subscribed to, you would go onto my whitelist, and come in postage-free. If you are somebody I know, you go onto my whitelist, and come in postage-free. Yes, for this to work, there has to be some way for the POP server (NOT the client) to maintain per-user whitelists.

If you're not on my whitelist, you need to use a one-time "stampette", whose price would have to be high enough to discourage spammers, but low enough to not bother anybody worthwhile. I'm thinking around a quarter-cent per message, but it wouldn't be fixed by anyone in particular. These stampettes would be issued on a free-market basis, and anyone could set up a micropostage service, provided that the *recipient* whitelisted it. So if somebody were giving away stamps at, oh, a million per dollar, then spammers would use them, and those stamps wouldn't be on my whitelist. Again, it's a free market solution, no government intervention.

ISPs, in this scheme, should issue all subscribers a batch of stampettes (which mail clients would learn quickly to attach, if needed). A thousand for a quarter-dollar (or quarter-Euro) would be more than enough for a month, don't you think? How many strangers (or first-time correspondents) do you write to?

Re:Cha ching?

[Tokerat]

I have a question:

Why the hell ARE we sill using POP and SMTP? Would it really be that hard to get e-mail users to download the "New, Improved, Spam-Free E-Mail system"? Would developers really be unwilling to implement it?

The big hurdle is fragmentation of the current e-mail system, and the possibility of losing your e-mail address, but it's getting to the point where a large portion (I'm inclined to say "majority") of Internet traffic is spam, and that costs many people a lot of money.

Do like is planned for IPv6 (kinda): Let both systems co-exist for a while until the old one dies off. Hell, make sendmail accept both protocols and just warn you when e-mail comes the old way. Eventually we'll be able to turn that off, once everyone is adjusted to using the new system by default. Include it in clients, include it in servers, give the sysadmins migration instructions and hey, addresses need not even change. Would users even have to realize it happened?

Re:Attention Microsoft and Yahoo

[MillionthMonkey]

There has been a lot of talk about replacing SMTP with something better. Except I think "something better" will turn out to be as exploitable as SMTP if we ever try it, as long as messages can be sent for free.
Any messaging protocol is susceptible to spam if transmission is free and sending a message to someone merely requires knowledge of a fixed, relatively stable piece of information such as an email address. People come up with ways to complicate SMTP and they often don't realize that the replacement protocols they are devising will largely suffer the same problems. SMTP does make spam easy, but any protocol with these properties will make spam possible, and spam merely needs to be possible for the world to go to hell. The spam being so egregiously easy on top of being possible is very noticeable with SMTP, but in a practical sense it's irrelevant. The spam would arrive even if SMTP didn't make it so easy.

So it appears we have no choice but to charge for it. But most people, if given the chance of free, spam-infested email, and pay-per-send email, will opt for the free email, or at least elect to have it available. Who wants to get financial information involved? If I can manage to keep the address secret (yeah right, but I can hope!) I can get away with no spam and be able to send messages for free! Plus I will continue to need an SMTP account for the mailing lists I'm on, who cannot participate in this new pay scheme and send me mail at my Microsoft address.

We are all going to be receiving spam for the rest of our lives. Solutions to spam should be viewed as suspiciously as blueprints for perpetual motion machines.

Re:Cha ching?

[senatorpjt]

Maybe I'm just an idiot, but I didn't think I was running an open relay either. I tested it with some of the open-relay test webpages, but it turns out that Postfix was allowing relaying from the local /24 subnet on my ISP (which none of the tests would have shown), and it just happened that someone on the subnet noticed.