Microsoft, Yahoo Investigate Spam Solution
bllfrnch writes "The NY Times (account required, yada yada) has an article about the suggestion of email postage to stop the advent of spam. Apparently, both Microsoft and Yahoo! support such an initiative, as they are the largest email service providers. Best quote: ''Damn if I will pay postage for my nice list,' said David Farber, a professor at Carnegie Mellon University, who runs a mailing list on technology and policy with 30,000 recipients'."
Cha ching? (Score:5, Interesting)
This is the worst solution ever and the only reason that MS/Yahoo support it is because of Hotmail/YahooMail. They stand to make huge profits because they host the inboxes of millions of users. Every email received at those accounts would invoice the sender. It's a no brainer for BARRELS OF CASH !!! (tm)
In fact, there already was a good solution [slashdot.org] proposed a few weeks ago, by Microsoft no less. Combine it with Spam Assassin the way Spam Interceptor [si20.com] does (replacing the C/R component) and the solution is plausible.
It's a ridiculous concept (Score:5, Interesting)
This will work (Score:1, Interesting)
I like the computational challenge solution better (Score:4, Interesting)
Spam boxes would be prohibitively expensive due to the heavy requirements for sending millions of spams, and it would have the added benefit of notifying people when their box has been owned due to 100% processor utilization on said owned relay box.
The money option just sounds like pushing for a new revenue stream. To heck with that.
Common sense... (Score:2, Interesting)
Re:Cha ching? (Score:4, Interesting)
1) the recipient gets the postage fee
2) the ISP that gets the postage fee provides email / internet access to the user for free
If the ISP gets the cash without providing any FURTHER service, it's nothing more than a cash grab. I would still be likely to maintain a "free" mail account so my friends wouldn't have to pay to email me... I'd just be more likely to filter that heavily for spam.
MadCow.
I hate spam but... (Score:5, Interesting)
Like I'm the programmer of Gemsites [jcomserv.net], a Slashdot clone. When we register a user, we shoot them an email. So are we going to have to pay money to do that?
Because that would be totally stupid, and it would possibly put an end to discussion websites that require logons to validate users, unless there was a method to bypass the charge for sending email.
The way Microsoft will turn it, would be that we all *should* be paying per email, because of this reason or that reason. Bottom line is Billy Goat Gates on his mountain of cash, trying to pile up more of it.
I think I have a better solution. (Score:5, Interesting)
What you say? Microsoft would get huge bills because of the abusers of its Hotmail service? That would be a pity, wouldn't it?
Already working? (Score:3, Interesting)
Why can't DNS solve spam??? (Score:5, Interesting)
Re:Cha ching? (Score:5, Interesting)
Replace SMTP with a more secure protocol. Give a 12 month window for everyone to upgrade their clients. Then make port 25 filtering mandatory for all ISPs.
Failure to comply results in no email gateway for your customers. Simple as that.
Postage -- even more spam! (Score:3, Interesting)
Yahoo supports this? (Score:3, Interesting)
On a typical day, Yahoo! Mail will have around 100 new spam messages for me, and only two to six of them will make it to my inbox. After a quick setup a month or two ago, I can now check them all with one click and have them identified and deleted as spam with a second click.
While I understand Yahoo! wanting to lessen the burden on their filtering software by supporting postage, I think the sheer cost of such postage would eliminate Yahoo! Mail as a free service and wipe out most of its users in the process. I honestly can't imagine why they would want to use it instead of their already very effective spam traps.
Goodmail just wants to eliminate all free spam (Score:4, Interesting)
Please. That's not the answer.
thad
Escrow (Score:3, Interesting)
This is not so hard at all; you simply require the payment be placed in an escrow account before the mail server will accept the message. The sender would include some unique token in the message headers that corresponds to the escrow funds.
Read about it here: Selling Interrupt Rights [ibm.com]. The article is from 2002, btw, this is hardly a new concept.
related story this morning on NPR (Score:3, Interesting)
Not sure if it contains any "new" information, but it might be worth a listen.
You should collect your own fees (Score:3, Interesting)
I wrote it up here:
http://slashdot.org/comments.pl?sid=94145&cid=807
The key points:
You set the fee, and collect it.
You can refund the fee if you wanted the email.
You can add people to a whitelist.
The whitelist uses digital signatures, not easily-forged header fields.
It doesn't really work unless we have a micropayment system that can charge small amounts (five cents) without expensive overhead.
In the discussion attached to that article, one person pointed out that this system could be exploited like this: advertise a job, one that looks like it's really worth applying for. Charge about 20 cents per email to accept resumes. Pocket all the money. It's a perfect small-time fraud scheme: you steal so little, from so many people; who would be motivated enough to check up on whether there was ever really a job to apply for?
I have to say, even without the charging of fees, a whitelist based on digital signatures would be great. You could have a special folder where known-good emails go, and another one for the rest. I'd have my email client play a chime sound when known-good emails arrive, but not the rest.
steveha
Post a postage bond... (Score:5, Interesting)
The problem can be addressed by putting people at risk of being charged postage. This can be done by requiring that senders post a bond of say 1/10 of 1 cent per item sent.
If you are sending 30,000 pieces of mail a week, your bond would only be $30.00. If people like your email, you will never have to pay the toll, but if they don't like it, then you will be subject to it.
The folks that will be caught in this web are spammers and direct marketers. They send millions of spams in the hope that just a few folks will bite. If we raise their cost of doing it above the return, they will be out of business ASAP.
The only way to kill spam, which depends on a frictionless mailing process, is to introduce some friction (i.e. cost) into the system.
Yours,
Jordan
This was not the original idea. (Score:3, Interesting)
1) The user determines how much to charge to read email from someone not on his/her whitelist. For example, I would look at untrusted emails for at least $0.10 a pop.
2) The user can choose not to collect the payment if the unknown sender is someone legitimate, like an old acquaintance, a friend with a new email address, a job offer, etc.
This would effectively kill spam without creating much of an inconvenience to legitimate email.
Credit card payment? (Score:2, Interesting)
Stop Email Newsletters; Switch to RSS (Score:3, Interesting)
But another method of delivering news is available to content serializers: RSS feeds. RSS feeds allow for true "push" content delivery like email. But, RSS feeds are not as easy to grasp, access or view as email.
Proposal: create an add-in RSS feed aggregator into common email platforms such as Outlook, Outlook Express, Mozilla, Eudora, pine (kidding), etc. Build content creation mechanisms into the same email clients with the ability to post the feeds to a public directory (Google? Anyone listening?) with various subscription options on both ends.
This way email could be returned to a person-to-person(s) communication tool for low-volume communication needs; content aggregators could better serve their readers/viewers and we can all experience whirrled peas.
Whatever. Anyway, just an idea -- what thinkest thou?
Digital Signatures (Score:2, Interesting)
RSS is the prof's answer (Score:2, Interesting)
If you've ever seen a post to a public list that reads "please take me off your list" you know how goofy subscription management via email can be. RSS is intuitive. Email listserv is not.
I'm not endorsing the email postage solution, but I'll take it if it helps the spam problem significantly. I can control my own mailing lists, Professor. Don't underestimate your users. If they want what you got, they will find a way to get it.
Heresy? (Score:2, Interesting)
So, I realize that this is heresy on slashdot, but, playing devil's advocate:
What is so wrong about paying for a resource you are using? Few people expect free phone calls, why should sending "email" bits be different than sending "voice" bits? (ok, a lot of people now use the internet to have free international phone conversation, etc. etc.). Many people on slashdot believe in capitalism - under which you expect to pay in some way for most services. Do we just expect free email because we've always gotten free email, or is there a fundamental reason why email should be free?
Note, I am asking this as a philosophical question separate from implementability of a system like email stamps, or whether it will cost more to charge for 0.00001 cents worth of service than you get, or whatever.
-Marcus
Re:After looking at the possible solutions (Score:2, Interesting)
What happens when your machine sends 500000 spam messages because it's infected with a virus? How exactly do you "guarantee" that won't happen? The only thing that's truly clear is that there is no guaranteed effective solution.
Who modded this up? Do Microsoft employees read slashdot?
Re:Cha ching? (Score:3, Interesting)
Hmmm, what kind of spam would this prevent? Open SMTP relays? Forged From: addresses? Sure, we might get rid of some spam that way, but it will not fix the real problem IMO. It's just too easy to set up your own SMTP spamming server to "bypass" this, unless of course we start requiring SMTP auth in all SMTP traffic (not just from the MUA to MTA). But what a nightmare to maintain the global directory of servers and credentials...
Also, setting up SMTP auth to work with all possible clients turns out to be somewhat of a pain. I've done it with sendmail, and although it worked nicely "out of the box" for most clients, at least one had serious issues with the SASL and TLS protocols (see this article [ogre.com] for instance).
And yeah, unfortunately there will always be victims out there who will buy from spammers and telemarketers. And there will always be predators ready to take advantage of them, if they can do so. Spam works well because it's virtually free to do, so even with some incredibly small "click through" rate, it's profitable.
Making spamming computationally expensive, as has been talked about several times, seems like the best solution right now. I don't particularly like this postage stamp solution, although it certainly addresses the root of the problem: it's too easy/inexpensive to spam.
-- leif
I WILL SAY IT AGAIN... (Score:3, Interesting)
List owners need not fear... (Score:2, Interesting)
KISS (Score:2, Interesting)
If you're going to make email more complicated I don't see any reason to use a payment based system over a challenge-based system - eg: you send an email to someone for the first time, their server or client sends back an email with a human test (eg type a number from a graphic, answer a simple random question such as "if mary had a little lamb what animal did mary have?" or ask them the name and gender of the person they are emailing). The advantage being that it's not a central system, it's not complicated, it only needs to be done once, and it can be set/edited/tweaked by the user.
Re:Cha ching? (Score:5, Interesting)
The major industry players would be the 'governing body', as you put it. They have historically played together decently since the dawn of DDOS attacks. Before smurf.c, ISP #1 would typically ignore anything ISP #2 said. That is not how things are these days.
Re:After looking at the possible solutions (Score:3, Interesting)
What charge are you going to have for sending a piece of mail? Is it a penny? What happens once you get charged a penny for a piece of mail you didn't send? What happens when you get charged a penny a quarter of a million times for a piece of mail you didn't send? How does the ISP keep track of who racked up the charges? How does the ISP bill the consumers for it?
Because I might have to make fiscal transactions with say 500-10000 different financial institutions, that will have a transaction fee that far exceeds what any sane person would be willing to pay to send a piece of mail. So once you solve this minor issue, that lots of people have been working on for years, it might just work. (E-Mail might be just the leverage you need to pull this off, micro payments have never really had a killer app).
However, enforcing someone to do a math problem has an absolutely trivial solution to new hardware. Make the problem harder. Nearly all of the problems involve doing some type of math problem. Want to make it more expensive. Require them to do the same problem, but with bigger numbers. Your next problem, is that Spammers will pay $20K to get custom built hardware to do the problems orders of magnitude faster than any generic piece of hardware could do it.
Finally, the easiest way, is to get all outgoing SMTP servers to add an X-Header signature to all e-mails. This e-mail minus the X-Header's digital digest with the private key on a public web of trust is "XYZ". Now your problem is that you've created an incentive for people to steal private keys. The private keys will have to be kept pretty much in the clear somewhere on the machine (which will be a problem).
Now you've just made the size of each e-mail significantly large (most signatures are 1-4K if I remember correctly).
Now you have to solve the PKI problem.
Finally, my preferred solution, is to force the sender to sign the mail using the GPG key I give them. Technically speaking, they could sign it with any key they want, but I white list in any signature using my public key, and the public keys that are used on the mailing lists I'd like to follow. Then mailing lists only have to sign one mail message and send lots of duplicates of that single signature. Now, getting past my SPAM filter requires that you deal with an object that I control. So if Yahoo gets their private key stolen, some spammer will start spewing SPAM that can get past nearly all ISPs' spam filters where the SMTP just signs the mail. In my system, I couldn't care less. My public/private (which is only used for this, I have another one for authenticating who I am), has no value. I'll gladly post both of them to the net. I can make it easy for people who I can to send me mail, and all my mail has some form of digital checksum on it. All of which is good. My only problem would be if someone found a mailing list's private key. All I'd have to do is then tell the admin that his key has been compromised and somebody is sending SPAM with it.
I'm not fond of SPF, because all someone has to do is be able to forge an IP, which isn't particularly difficult. I can't control all the nasty corners of the internet. I can control what key I force you to use, and I can control what lists I put on my trusted key list if they cause problems for me.
The biggest problem with my solution is that it requires everyone to change how they work. Technically all they have to do is go fiddle with sendmail a bit, and add an outgoing X-Header, I can use that to white list people in until it reaches critical mass. Then I can just black list anybody who doesn't do that to outgoing mail.
Kirby
Postage doesn't need to be money, time is better. (Score:2, Interesting)
The Penny Black Project instead uses "proofs of work," a concept first introduced in 1992 by Cynthia Dwork and Moni Naor of the IBM Almaden Research Center. The idea is simple: "If I don't know you, you have to prove to me that you spent ten seconds of CPU time just for me, and just for this message," says Dwork, who now works at Microsoft Research. For legitimate senders, spending ten extra seconds to send an e-mail message is no problem. Most of the time, you spend more time than that simply composing the message. But for spammers, those ten seconds are the kiss of death. The one thing that no one can steal is more seconds than there are in a day. For a single computer, the CPU time available in a day amounts to 86,400 seconds; a spammer who wanted to put electronic postage on millions of messages would thus need hundreds of computers. Dwork is betting that most spammers cannot afford that kind of expense. Spam costs almost nothing for a spammer to send, but a recipient who looks at the message and manually deletes it incurs a perceptible cost in lost time.
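A hashcash-style sketch of the proof-of-work postage described in the comment above, as an added example that is not part of the original thread and is not the Penny Black Project's own function. The SHA-256 leading-zero puzzle, the stamp layout, the sample addresses and all function names are assumptions made for illustration; the `bits` parameter is the "make the problem harder" knob raised in an earlier reply.

```python
import hashlib
from itertools import count

SECONDS_PER_DAY = 86_400  # per-machine CPU budget quoted in the comment


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def stamp_prefix(recipient: str, message: bytes, date: str) -> str:
    """Bind a stamp to one recipient, one message body and one day."""
    return f"{date}:{recipient.lower()}:{hashlib.sha256(message).hexdigest()}"


def mint(recipient: str, message: bytes, date: str, bits: int) -> str:
    """Sender side: search for a nonce, about 2**bits hashes on average."""
    prefix = stamp_prefix(recipient, message, date)
    for nonce in count():
        stamp = f"{prefix}:{nonce}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp


def verify(stamp, recipient, message, date, bits, seen) -> bool:
    """Recipient side: one hash, plus binding and replay checks."""
    if not stamp.startswith(stamp_prefix(recipient, message, date) + ":"):
        return False  # minted for a different recipient, body or day
    if stamp in seen:
        return False  # same stamp presented twice
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False  # not enough work for the current policy
    seen.add(stamp)
    return True


def messages_per_machine_per_day(seconds_per_stamp: float) -> int:
    """Ceiling on stamped mail from one CPU, as argued in the comment."""
    return int(SECONDS_PER_DAY // seconds_per_stamp)


if __name__ == "__main__":
    # Constructed sample data; 16 bits keeps the demo fast. A real policy
    # would pick bits so that minting costs seconds, and raise it over time.
    body = b"Hi, we met at the conference last week."
    seen = set()
    stamp = mint("alice@example.org", body, "2030-01-01", bits=16)
    print(stamp)
    print(verify(stamp, "alice@example.org", body, "2030-01-01", 16, seen))
    print(verify(stamp, "alice@example.org", body, "2030-01-01", 16, seen))
    print(verify(stamp, "bob@example.org", body, "2030-01-01", 16, seen))
    print(messages_per_machine_per_day(10))
```

Each extra bit doubles the sender's expected work while verification stays at a single hash, and the recipient/body binding is what makes the work "just for me, and just for this message".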
Re:smokescreen (Score:2, Interesting)
Don't pay the ISP. Pay the recipient. (Score:5, Interesting)
Advantages: real email stays free, spam costs, microtransaction standards emerge.
Disadvantages: Microsoft and Yahoo don't make as much money. Sorry.
Let Yahoo and MS charge for email (Score:3, Interesting)
If there was going to be a charge for email, consider how one group of email users, namely universities, would react. First, they'd find a workaround/new protocol so internal "messages" wouldn't be charged for. Next, universities would find a way to exchange "messages" between each other without charges. Then others would pick up on the idea and ...
There are technical solutions, but they won't be adopted until a certain pain threshold is reached. Spam filters have improved a lot lately and have been holding the pain down. Charging for email would ratchet the pain level up immensely.
Yes, there has to be *some* cost for stranger-mail (Score:3, Interesting)
The price, then, is for the right to touch MY mailbox IF you're a stranger -- if you're a mailing list that I've subscribed to, you would go onto my whitelist, and come in postage-free. If you are somebody I know, you go onto my whitelist, and come in postage-free. Yes, for this to work, there has to be some way for the POP server (NOT the client) to maintain per-user whitelists.
If you're not on my whitelist, you need to use a one-time "stampette", whose price would have to be high enough to discourage spammers, but low enough to not bother anybody worthwhile. I'm thinking around a quarter-cent per message, but it wouldn't be fixed by anyone in particular. These stampettes would be issued on a free-market basis, and anyone could set up a micropostage service, provided that the *recipient* whitelisted it. So if somebody were giving away stamps at, oh, a million per dollar, then spammers would use them, and those stamps wouldn't be on my whitelist. Again, it's a free market solution, no government intervention.
ISPs, in this scheme, should issue all subscribers a batch of stampettes (which mail clients would learn quickly to attach, if needed). A thousand for a quarter-dollar (or quarter-Euro) would be more than enough for a month, don't you think? How many strangers (or first-time correspondents) do you write to?
Re:Cha ching? (Score:3, Interesting)
I have a question:
Why the hell ARE we still using POP and SMTP? Would it really be that hard to get e-mail users to download the "New, Improved, Spam-Free E-Mail system"? Would developers really be unwilling to implement it?
The big hurdle is fragmentation of the current e-mail system, and the possibility of losing your e-mail address, but it's getting to the point where a large portion (I'm inclined to say "majority") of Internet traffic is spam, and that costs many people a lot of money.
Do like is planned for IPv6 (kinda): Let both systems co-exist for a while until the old one dies off. Hell, make sendmail accept both protocols and just warn you when e-mail comes the old way. Eventually we'll be able to turn that off, once everyone is adjusted to using the new system by default. Include it in clients, include it in servers, give the sysadmins migration instructions and hey, addresses need not even change. Would users even have to realize it happened?
Re:Attention Microsoft and Yahoo (Score:3, Interesting)
Any messaging protocol is susceptible to spam if transmission is free and sending a message to someone merely requires knowledge of a fixed, relatively stable piece of information such as an email address. People come up with ways to complicate SMTP and they often don't realize that the replacement protocols they are devising will largely suffer the same problems. SMTP does make spam easy, but any protocol with these properties will make spam possible, and spam merely needs to be possible for the world to go to hell. The spam being so egregiously easy on top of being possible is very noticeable with SMTP, but in a practical sense it's irrelevant. The spam would arrive even if SMTP didn't make it so easy.
So it appears we have no choice but to charge for it. But most people, if given the chance of free, spam-infested email, and pay-per-send email, will opt for the free email, or at least elect to have it available. Who wants to get financial information involved? If I can manage to keep the address secret (yeah right, but I can hope!) I can get away with no spam and be able to send messages for free! Plus I will continue to need an SMTP account for the mailing lists I'm on, who cannot participate in this new pay scheme and send me mail at my Microsoft address.
We are all going to be receiving spam for the rest of our lives. Solutions to spam should be viewed as suspiciously as blueprints for perpetual motion machines.
Re:Cha ching? (Score:3, Interesting)