America: Land of the free, still home of the BIGGEST spammers on the planet The US prides itself on being the best at a lot of good things. And, judging by the latest data from security vendor Sophos, America is still the best at spaffing spam in the world. Countries sending spam Gold medal in spam goes to the US The firm's quarterly list of countries that send spam (as opposed to hosting spamming …
Commercial speech is free speech, so let me inundate you with my constitutionally protected ads for Viagra and naked pictures! (The naked pictures are not really MY pictures. Tthere are some forms of self-expression that even the First Amendment can't condone.)
Where's the Old Glory icon??
I think this would basically work, but you would need to have an interface to SMTP email, and that side of the email would remain polluted. I think a better way to attack the spammers' business models would be an integrated anti-spam tool built into the email system.
Right now we have "Report spam" button that simply tunes the spam filters a bit. Imagine a "Hunt spam" button that would trigger an analysis of the spam. You would get a webform of your analyzed spam, with embedded radio buttons to confirm the analysis. You would confirm or reject the various results, and then submit, and it would send you another webform based on those results. The second analysis would be more refined, and it might go for several rounds until all of the aspects of the spam had been confirmed, and you had recommended the most plausible countermeasures.
Of course we shouldn't be allowed to form a lynch mob, but we can help with the targeting against the spammers. We can disrupt ALL of the spammers' infrastructure, pursue ALL of the spammers' accomplices, and help ALL of the spammers' victims. The profits of spam will go down, and the value of the Internet will go up.
> if I had to pay for every email, this would become untenable quickly.
A proper balance has to be struck. The OP's idea of a 1/10 penny might even be much too high.
1/100 of a cent might even be sufficient or 1/1000 of a cent considering these people are spewing out millions of emails.
The elephant in the room through is that a lot of SPAM comes from bot nets so the spammers would not be paying anything anyway.
@Shannon Jacobs, @pierce @skelband:
To avoid making a TL;DR post, I did not really flesh out my ideas. Implementation-wise, there are many details that leave most people behind. PKI can be difficult to understand.
Whatever the technical details, PKI makes it possible to know who a sender is or to know that the sender is recommended by someone you know. Spammers could not send you mail because there is no way they could gain a credible recommendation and no way they can afford to pay you to accept traffic from a stranger.
The cost associated with the 'digital stamp' is so that legitimate senders can always get an important message through. It would block trivial messages from legitimate senders, but arguably that is SPAM.
The reason to depend upon something akin to digital currency is because it is important to legitimize the sender without necessarily identifying them personally.
Cost would have to be adjusted to some reasonable minimum that made SPAM unprofitable but allowed ordinary legitimate mail to be economically feasible.
To support the stamps, essentially digital currency, you need a PKI infrastructure anyway. That being the case, mailing lists that you wanted to encourage could be given a pass under a 'bulk rate'. Ones you did not want to encourage would be discouraged.
You could develop a system of rates for unsolicited mail vs mail from known senders and mail being sent 'first class', 'regular', 'bulk', etc. The PKI can allow you to differentiate between senders whose keys are signed according to how much you trust the signer. People managing a huge mailing list would have to send 'bulk' and/or they would have to re-evaluate the value of sending to the list. I am skeptical of the net value of mailing lists to the recipients and it is the recipients we are trying to serve. If you have something you send out to a million users every week, you would have to switch from a 'push' model to a 'pull' model by placing the message on a server where interested readers could pull it down.
Re: "a lot of SPAM comes from bot nets"
That is true. AFAIK, most SPAM is now coming from bot nets. Do you think that it is unreasonable to require that people in charge of putting a PC on the network bear some responsibility for damage it does? This is probably a good way to get users to be more diligent and to force companies like MS to take security more seriously. This would effectively cause all of that type of traffic to be 'metered' and would end up returning an enormous amount of the aggregate capacity of the network back to us.
Given that the digital stamps involve actual money, the system responsible for placing the stamps would be more secure and to the extent it was breached, it would be limited to how much it could send by the money available for stamps. You could also make it so that the system asked for permission before using stamps, etc. You could have a special wallet to act as a 'postage meter' limited to a small amount sufficient for normal mail.
Part of the reason we have SPAM at all is that PKI is in a dreadful state. It should be both usable and used by everyone. It should be largely incorruptible. Instead, it is hardly usable even for experienced users, not used except in basically broken ways and the root CAs are all fundamentally corrupt.
Unfortunately, one of the things holding us back is that the bad guys have hijacked the PKI and DRM conversation(1) and are driving us inexorably toward 'treacherous computing'. It seems to me that the good guys who know enough to use the stuff are reluctant to vigorously pursue its use because of the danger that DRM presents.
I am not expert in this area, but I do have some experience. As far as I know, we can definitely implement things like digital stamps and we can definitely put in place PKI such that outbound traffic from a given system is done using a PK pair and that inbound traffic can be checking up a chain of signatures to establish trust.
Signed keys are not limited to a single one, nor are they intrinsically limited to a single use. If we have the infrastructure to deal with digital stamps then we also have in place infrastructure capable of verifying along the route from sender to receiver such that unsigned traffic is never forwarded by routers or accumulated by mail servers.
Of course, as people worried about DRM would know, the above requires that we have a distributed trust system that cannot be tampered with by agencies like the NSA or other hostile forces. If any single entity or any colluding oligarchy gains control over the system they can(2) cause havoc and cripple the Internet.
Technically, it is quite possible to implement digital stamps and surrounding infrastructure to eliminate SPAM as such. On the way, there are some impediments, but these (a) are political not technical and (b) need to be dealt with anyway.
We *will* move toward some sort of micro-payment capable system and some sort of distributed trust. Along the way, we *will* have DRM. It is going to happen. However, it is very important that *well before* we implement the DRM part we entirely remove control from unfaithful trustees like Verisign, Sony, Microsoft, etc.
(1) The 'trust' conversation currently involves the bad guys insisting that everyone must trust the bad guys above all. They demand that we give them control of all of the master keys and do as we are told. They want to breach trust going in. I'm against that and so are any other decent people with a clue about PKI. Control of things involving trust such as DNS, SSL root certificates, etc need to be distributed so that breaches of trust are effectively impossible. Currently they are controlled by the bad guys.
(2) Eventually, by Murphy's Law, we know that eventually, 'can' == 'will'.
> A marginal cost of a tenth of a penny would be easy to bear for any normal mail volume,
This would have no effect whatsoever on spam.
The spammers would simply steal credit in the way they currently steal bandwidth.
> Making it *not* pay is the only real way to shut it down.
Indeed, but your proposal does nothing to affect that profitability.
The Boulder Pledge is the only way to stop spammers, and that's a *very* long-term proposition.
Vic.
That was Microsoft's idea, it didn't catch on.
There have been numerous proposals for impeding email spam with one sort of tax or another. I doubt Microsoft was the first to propose a micropayment system, and non-payment resource-tax proposals go back at least as far as 1997, with Back's hashcash.
All of these, and btrower's (overly long and vague) proposal, suffer from two fatal flaws. One is that actual reputable research into the problem indicated that the benefit does not justify the cost: even when such a system works, it can't be tuned to eliminate a significant portion of traditional (mass-mailing from a limited set of accounts) spam without occasionally obstructing legitimate email.
The other, as Tom 13 and others have noted, is that most spam transmission is distributed over such a wide range of compromised machines that the tax is simply ineffective - a calculation that btrower gets quite wrong in that section of the manifesto.
(I was going to offer more critique of the manifesto, but it's not worth it. It rarely is. I'll just note in passing that "PKI infrastructure" is redundant.)
Bad idea because you ignore the reality of the spam culture as it exists today. The people who could be hit with an email tax aren't the spammers or wouldn't notice it. The people who would be eliminated by it have already pretty much been done in by ISP filtering. That's right, as the article noted most spam these days isn't generated from legitimate accounts on legitimate email systems. It comes from a vast army of zombie PCs sending out only a few emails each. Just like a DDoS attack, it leverages a lot of machines instead of a fast one.
More than anything this highlights how increasingly useless the Food and Drug Administration has become. A significant part of their mandate is to control not only the distribution of prescription pharmaceuticals, supplements and medical devices, but also the advertising and marketing of them.
They can't do that though because they're too busy finding reasons not to approve drugs the rest of the world can access, OTC in many cases. Well, that and finding reasons to fast track approval of drugs for rare conditions and those with a negligible impact over what is already available but have lost patent protection and can be produced generically.
From a humanitarian standpoint, the FDA does more damage to the US population than any other agency. God they suck.
"Third and fourth place on the list belong to India and Italy respectively, with both showing big increases in spam generation in the first three quarters of the year. Kuwait and Israel are new entrants to the Sophos list this quarter, holding seventh and twelfth place respectively."
This last paragraph is referring to different data lists. Third and fourth place, by volume, are India and Italy. Seventh and twelfth place, per capita, are Kuwait and Israel. The text is misleading.
Back in 1994 the first spamming came from lawyers Laurence Canter and Martha Siegel
No. That was the first commercial Usenet spam, but it was neither the first Usenet spam or the first commercial spam.
The first Usenet spam is believed to be Thomas' religious spam ("Global Alert for All: Jesus is Coming Soon"1), which was posted earlier in '94. Wikipedia cites Thuerk's ARPANET spam of 1978 as the first known commercial spam message. Even if there are no earlier examples, that means email spam predates Canter/Siegel by some sixteen years.
1In fairness to Thomas, there were widespread reports at the time that Jesus was breathing heavily.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
