Interesting People mailing list archives
Stopping spam isn't as easy as you might hope
From: Dave Farber <dave () farber net>
Date: Sat, 31 May 2003 08:33:55 -0400
Date: Sat, 31 May 2003 04:01:08 -0400 From: John R Levine <johnl () iecc com> The spam stopping ideas mentioned in two recent messages to IP, designated sender and e-postage, have been debated at length in the e-mail community. Unfortunately, each has technical and social problems that make them unworkable. The existing e-mail system is large, complex, and has operational aspects that are often subtle, and a lot of superficially plausible ideas have already been evaluated and discarded for good reasons. Reverse MX and other designated sender schemes attempt to prevent people from sending mail from unauthorized hosts, so that. for example, yahoo.com could identify the hosts that are supposed to be sending mail with Yahoo return addresses, and receiving hosts can reject mail purporting to be from Yahoo that originates elsewhere. A significant technical problem with Reverse MX is that large mail domains like yahoo.com have distributed mail hosts all over the world. Reverse MX proposes that a mail server make a DNS query to find the addresses of all of the valid sending servers for an incoming message, but all those addresses won't fit in a 512 byte DNS response packet. (The DNS spec provides for larger packets sent with TCP, but in practice, larger packets are much slower and many DNS implementations don't handle them right.) This problem isn't hard to fix once you realize it's a problem; see Gordon Fecyk's Designated Mailer proposal which is similar but better thought out: http://www.ietf.org/internet-drafts/draft-fecyk-dsprotocol-02.txt The social problem with designated sender is that there are plenty of perfectly legitimate reasons for mail from a domain to originate someplace other than its home network. Lots of people maintain accounts at Yahoo or other free mail providers, but send mail with their Yahoo address from their home ISP using the ISP's mail server. Many others use forwarding services such as pobox.com, which would all be unable to function with designated sender, since mail forwarded by such services correctly retains the original sender's address, not the forwarding service's. And finally, this won't really block any significant amount of spam, since there will always be some domains who out of political principle, malice, or incompetence designate the entire Internet as their valid sender ranges, and spammers can just use those. Or spammers can register throwaway domains of their own, since burning an $8 domain for a 10 million message spam run isn't much of a deterrent. The other message proposes attaching "cybercoins" as e-postage on e-mail. The technical problem here is much more serious: nobody has any idea how to build a micropayment scheme that could scale up to the size needed to handle the world's e-mail and work reliably enough to deter spam. Cybercoin systems require that recipients ask the issuing bank if the coin is genuine and hasn't already been spent. There are probably a hundred billion e-mail delivery attempts per day in the U.S. (Hotmail alone reports about two billion.) By comparison, there are maybe 100 million credit card transactions a day, so this would require a system that can handle a thousand times the transaction volume of the credit card system. Some designs use statistical validation, only check some fraction of the coins, but in view of the reality that many systems report 80% or more of their mail is spam, you have to validate everything or else let a lot of spam through. There are other technical problems (how do you clear a ten cent transaction between individuals the U.S. and Indonesia?) but the transaction volume is the most obvious. Even if through some technical breakthrough we were able to affix e-stamps to every message, we'd turn the e-mail system into something like a phone network where all the numbers start with 1-900. Since non-commercial mailing lists like IP couldn't exist if they had to pay postage, and most people don't want to charge their friends to write to them, proposals generally have some way to waive postage from known senders or only cash the coin if you don't like the message or otherwise vary the price at the receipient's option. But this replaces the spam problem with a new world where you have no idea how much postage you'll be paying, and with lots of innovativive e-postage scams, both to avoid paying postage on outgoing mail, and to trick people into sending mail to receipients who want to collect the incoming postage. Unlike the spam problem, these scams quickly involve large amounts of real money. Think of chain letters saying "write to this address to get coupons for free beer, they won't even cash your stamp." (Yeah, right.) Or let's say a virus on your computer sends out a thousand spams. Who pays the postage? If the answer isn't "you do", who decides to waive the postage? How do you tell a user with a real virus from a spammer who deliberately infects his own computer? Doubtless we can come up with a whole set of laws and rules and adjudication procedures, but I don't see any reason to believe that what we'd end up with would be preferable to the admittedly lousy situation we have now. I'm not arguing that nothing can work so we should throw up our hands, but it's dismaying that the same old unworkable anti-spam approaches keep reappearing over and over, reinvented by people who haven't done the most rudimentary investigation of prior work, invariably foundering on the same problems that came up the last six times that similar proposals failed. There's plenty of room for innovative thinking, both to try to identify and deter spam, and to pick out the real mail from among the spam and get it to the receipients. But please, let's stop going in circles, build some prototypes, run some experiments to see how they work, and try to move forward instead. Regards,John Levine, johnl () iecc com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner"I dropped the toothpaste", said Tom, crestfallenly.
------------------------------------- You are subscribed as interesting-people () lists elistx com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Stopping spam isn't as easy as you might hope Dave Farber (May 31)