Brad Templeton Home
ClariNet

Interviews

EFF

Jokes / RHF

SF Publishing

Software

Articles

Spam

DNS

Dot!

Packages

Interests


RHF Home

Copyright Myths

Emily Postnews

Photo Pages

Panoramic Photos

Africa

Burning Man

Alice Pascal

The Rules for Guys

Bill Gates

   
 

A variety of weapons against SPAM that don't require laws

A variety of weapons against SPAM that don't require laws

Here are the methods I have examined, and in many cases can endorse, in the fight to stop SPAM, the abuse of bulk E-mail. Most of these are systems already in use or just coming into use. Some are new systems still being explored.

Those new methods are:

  1. New-User Bulk Mail Blocking combined with contract law.
  2. E-stamps, a more distant future digital-money based solution that makes spam cost-ineffective.
  3. "No UBE" virtual signs on mailboxes that mimic the action of the "no soliciting" sign you can put on your door.
  4. Whitelist or "secretary" style screening, where a computerized secretary gives people you know faster access to you.

Some of these methods are only of partial effectiveness. The best effective solution will come from a combination of techniques -- limiting bulk mail for users of trial accounts, better ISP contracts, good filters, whitelists and occasional use of blacklists, and recipient/customer revolt.

In the future, methods like a new bulk-mail protocol, E-stamps and the use of digital signature could put the final nails in the coffin of spam. In the meantime, going after spam that's already illegal, including fraudulent offers and mail-relay abuse is also worthwhile.

Recipient Revolt

At first Spam was reacted to with ire by recipients, in E-mail and in the physical world. This has helped significantly to scare more legitimate companies away from using junk E-mail, and this is good.

Complaints to ISPs, while somewhat unfair to them, have pressured most ISPs to develop anti-Spam policies and contracts.

It has also caused many Spammers to send their mail from fake addresses or to simple ignore all E-mail response. The former turns out to have a positive aspect -- fake domains can be detected and blocked.

It has also caused some, like Cyberpromotions, to wallow in the outrage for the publicity it brings them. However, over time Cyberpromotions did give in.

It's also worth noting that once other methods eliminate a large proportion of the Spam, recipient revolt can be far more effective against the remaining items. When users get 30 per day, they feel "resistance is futile." For just one, it is not.

People should start by just not doing business with abusers, and join together in civilized complaint.

Customer Revolt

A very small minority of Spams come from places the recipient has had contact with, such as web sites they gave their E-mail address to or companies they have done business with.

Customers fortunately have power over companies, and revolt and anger by customers is far more effective than anger at strangers.

Companies should be pushed to disclose what they will do with any data they collect from a customer/user, and stick by that disclosure. Users should be encouraged to pressure companies to join programs like Trust-E to make sure they comply.

It should be noted that junk mail from parties with whom you have a relationship is more abuse of that relationship than abuse of the net. It's also more an issue of privacy rights and data collection procedures.

Don't patronize companies that abuse bulk E-mail, and publicise their offense. Ask companies that collect E-mail addresses disclose what they will do with them.

Filters

Pattern Filters

Many mail tools now can filter out mail or redirect based on analysis. Some search for known patterns or the names of known junk mailers. Some just look for generic items uncommon in regular E-mail such as mail not directed at the user, or subject lines in all upper case.

Such systems are not a likely long-term solution. They can always be gotten around. It's just a war of escalation. As long as the patterns can be found out, as they can in any product, the mailers will learn not to use them.

Domain filters

Many mailers now refuse mail from domains that don't exist. This is reliable, but drives abusers simply to use real domains and addresses. Totally anonymous mail becomes blocked

Blacklist Filters

Blacklist filters use databases of known abusers, and also filter unknown addresses. A real-time blacklist system is in place at some sites to block even the initial mail connection from known abusers. There is a constant battle to keep such lists up to date, and the system is somewhat wasteful. There is a significant risk of blacklisting innocents, or those using the same ISPs as innocents.

Some judge that the risk of blacklisting the ISPs of innocents is an acceptable cost, as it pressures those ISPs.

Real Time Filters

A company called BrightMail has developed a system that uses "spam bait" addresses to track bulk mail abuses as they happen, and control filters at customer sites in real time to block exactly those messages that are going to the bait addresses and judged by their human staff to be spam. This is new, but can be quiet effective against certain types of large-volume bulk mail abuse.

Whitelist Filters

Mailer programs learn all contacts of a user and let mail from those contacts through directly. Mail from strangers is redirected to other folders or challenged. It may be discarded if it matches certain patterns.

These systems are very effective, though there are some holes which can be used by a determined abuser. The main cost is delay or redirection of desired mail from strangers, as well as anonymous mail.

Address Tricks

Use special addresses in public

The name you use when you reveal your E-mail address in public in a newsgroup or on a web site doesn't have to be your main, full-access mailbox. It's possible to define aliases that get mail to you but are more heavily filtered because they are exposed to the spammer's evil "address harvesting." They can be used for a short time and eventually discarded.

These still slow down some legitimate mail from the outside world, of course.

Try using different aliaes to stop and track address harvesting, but I don't recommend the use of entirely fake addresses (unless you need to remain anonymous) as these just break the system for legitimate users.

Stop relay abuse

One fundamental step that's doing a lot is the fight against relay abuse. Spammers take advantage of the fact that most systems, by default, are open, and will relay mail from site to site as a courtesy. They get these sites to do their bulk mail for them. Done in volume as it is, this may already be criminal theft of telecommunications, but it isn't stopping them.

Sites are closing up the open status. Another proposal is to have sites refuse to accept mail that has been relayed unless the relay put in a tag indicating they were willing. This would stop all relay abuse but require everybody who does willing relaying (mailing list hosts) to put in a tag.

Without relay abuse, Spammers need to use a lot more of their own resources, and can't as easily use a slow connection.

This could be made stronger by having sites refuse to accept mail that has been relayed unless the relayer has included a tag indicating their assent. This requires all relayers to put in these assent tags.

Relay abuse is already illegal -- it should be stopped.

Voluntary Tags

Standards can be developed to tag bulk mail, providing headers or other information listing the number of recipients of the mailing, whether the recipient requested the mail, or whether the sender is personally known to the recipient.

On their own, however, their value is limited.

Tagging can't do enough on its own and mandatory tagging is a bad idea.

For more details see this description of one tagging methodology.

Insisting on tags

They become valuable if recipients start insisting mail they receive be tagged, and diverting untagged mail to a low-priority folder. And of course diverting mail tagged in ways they don't wish to receive.

Such a scheme requires that Spammers be honest. There is evidence that many would not be. However, it is possible that some laws may force them to be.

This area needs more research. If done, it should relate to the time and manner of E-mail, not the content.

Digital Signature

For non-anonymous mail, a digital signature that verifies the sender has many uses. Many want this for other purposes. Such a signature can be used for reliable whitelisting and blacklisting. In addition, the signature can come with a digital certificate stating the sender has agreed to a certain code of E-mail ethics.

Recipients might insist on such a certificate. Or the simple fact that the sender, and their ISP can be reliably identified may be enough to make people willing to give E-mail access, with non-signed mail diverted.

Anonymous mail is impeded by this and other schemes. Anonymous mailers must find some way to assert they are not abusing the system or recipients may delay, redirect or filter their mail. Valid methods include the use of remailers that protect identity and vouch for (or assure) non-abuse.

I support the building of a digital signature infrastructure, but do not wish the government to be the sole certifying authority, and want to assure that the infrastructure supports anonymous communication.

E-stamps

Once a digital signature and digital-money infrastructure comes into play it is possible to implement an E-stamp scheme.

Such a system works regardless of borders, and allows anonymous mail without abuse. However, it requires the build-up of lots of technical infrastructure and the redesign of mail systems.

This idea might work in the future, but it's still a long way off.

Enforce anti-fraud, theft of service, impersonation laws

A good portion of Spams are illegal for other reasons. They make fraudulent claims. They claim to have "remove" lists but don't. They claim to be referrals from friends but they are not. They bombard systems, acting like a denial-of-service attack. They provide forged return addresses that are actually the addresses of innocent third parties. Already some lawsuits in this area have been successful.

However, a significant number of Spams do not violate any laws directly, or they could remove their illegal portion without major loss.

ISP User Contracts

Already many ISP "terms of service" (TOS) call for E-mail codes of conduct. As this becomes more and more common, it may provide sufficient recourse.

To help this along, a consistent definition of E-mail abuse backed by all ISPs is important.

Today a problem exists since most ISPs, to market their services, use free trial accounts. They can't do anything with such accounts but shut them off. Users of free trials are not easily held accountable for violations of their TOS contract. The solution to that is below.

I support the power of ISPs and users to, as consenting contractual parties, take steps to stop abuse of the net. However, they should only do so with the consent of their users.

Open access to bulk mail only for agreement-bound users

Perhaps the most suitable non-governmental scheme would involve ISPs only granting "open" access to E-mail ports on the internet to parties who have agreed to a code of E-mail ethics. All others, as well as anonymous mailers, would be allowed to only send mail to special relaying servers. (Today most ISPs and ordinary users already mail via such a scheme.)

The relaying servers would be programmed to mail for any (except perhaps unrepentant abusers) but would "throttle" the volume of E-mail to enough to handle the needs of non-bulk mailers. Ie. the server would allow users on any given network or computer the ability to only send a few messages per minute, per hour or per day.

This allows some abuse but the inherent limitations make the problem tolerable.

Those wishing to send bulk mail, such as the operators of mailing lists, would agree to a code of E-mail ethics.

Anonymous bulk E-mail would not be possible, except by arranging for another party who has signed the code of ethics to act as a gateway. That party would take responsibility for abuse by the anonymous party.

Here is a more detailed description of this plan.

This, or a variant of it as described below may be the most effective technological solution -- and one that will work globally.

New Bulk Protocol

Currently there is only one internet E-mail protocol, SMTP. If this were split into one protocol for single (or low volume) mail and mass mailings, it would be far easier to distinguish between them and put more limits on bulk mail. These limits could apply only to new users or users who have not yet agreed not to abuse the net. Attempts to do bulk mail using the single mail protocol would be throttled, and if overdone would be a "denial of service" computer intrusion.

ISP peering contracts

The internet works because ISPs "peer" (exchange data) with one another. ISPs may eventually refuse to peer with ISPs that don't have anti-Spam E-mail conduct codes in their TOS. It is unknown if this would be restraint of trade.

I support ISPs working together to stop abuse, so long as it is done fairly, with principles of appeal and complaint, and with the knowledge and consent of users.

E-mail equivalent of "no trespassing" sign

The IETF could, and should, develop modifications to the E-mail protocols to allow users and sites to put the electronic equivalent of a "no trespassing" sign on their mailboxes. This sign would in effect say "no unsolicited bulk E-mail from strangers" with perhaps some tunable parameters to define how many messages a bulk mailing is.

Once defined, this sign can be given the same force of law as other signs people place on their property to display policy, so that violating the policy would be a tort.

This is about the only form of legal solution I would endorse. It may not require any new law.

Mandatory compliance with opt-out

The law could compel senders of bulk E-mail to comply with an opting-out system. They could require that "remove" lists be faithfully maintained, or that a national opt-out list be supported.

The above "no UBE from strangers" sign is also an expression of an opt-out.

For technical reasons, because mail is often sent to a relaying server that will not know the wishes of the final recipient, a tagging system must also be in place so that the decision can be made further down the chain.

Such rules are similar to rules that apply to postal service mail, phone calls and the like. If a person asks you not to send them messages, you should be required to comply.

As noted, these are the only sort of laws I might support. However, they face the problem of all laws, namely that they apply only in one jurisdiction.