
October 26th, 2007

Why spam can only be managed, not ended

Posted by George Ou @ 5:30 am

Categories: Infrastructure, Technology policy

Tags: Microsoft Corp., Difference, Bottom Line, Cyberthreats, E-mail, Spam, Security, Online Communications, Spam And Phishing, George Ou

Years ago, when I was still a bit more naive, I thought we could end the spam dilemma if we would simply implement domain-level sender authentication using digital signatures. In fact, when David Berlind wrote “Why spam could destroy the Internet” in November 2002, Berlind quoted me saying that every domain’s official SMTP server should digitally sign each message to prove the email came from that domain. SenderID and Yahoo’s DomainKeys, which came out around 2004, gave me the satisfaction of knowing that I wasn’t alone in calling for domain-level authentication, and DomainKeys is very similar to what I was proposing in 2002. The difference is that I proposed using standard commercial digital certificates from commercial Certificate Authorities to distribute public keys, whereas DomainKeys used DNS to publish its public key information.
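A minimal sketch of the domain-level signing described above, added here as an illustration and not code from the article or from DomainKeys: the sending domain's server signs each message, and the receiver fetches that domain's public key from a DNS name and checks the signature. The dictionary standing in for DNS, the `mail` selector, the addresses and the toy RSA key are all constructed, and the bare hash-then-RSA scheme is a simplification of what a real signer does.

```python
import hashlib

# Toy RSA key pair for example.com (constructed; far too small for real mail).
P, Q = 2**127 - 1, 2**89 - 1            # two Mersenne primes
N, E = P * Q, 65537                     # public key
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, kept on the SMTP server

# Stand-in for DNS: the domain publishes its public key under
# <selector>._domainkey.<domain>, the naming DomainKeys uses.
DNS = {"mail._domainkey.example.com": (N, E)}


def _message_hash(sender, body, n):
    """Hash the sender address and body, reduced to fit the toy modulus."""
    h = hashlib.sha256(f"From: {sender}\n\n{body}".encode()).digest()
    return int.from_bytes(h, "big") % n


def sign(sender, body):
    """Run by example.com's outbound SMTP server on every message."""
    return pow(_message_hash(sender, body, N), D, N)


def verify(sender, body, signature, selector="mail"):
    """Run by the receiving server; returns 'pass', 'fail' or 'none'."""
    domain = sender.rsplit("@", 1)[-1].lower()
    key = DNS.get(f"{selector}._domainkey.{domain}")
    if key is None:
        return "none"                   # domain publishes no key at all
    n, e = key
    ok = pow(signature, e, n) == _message_hash(sender, body, n)
    return "pass" if ok else "fail"


if __name__ == "__main__":
    body = "Quarterly report attached."
    sig = sign("alice@example.com", body)
    print(verify("alice@example.com", body, sig))            # genuine mail
    print(verify("alice@example.com", body + " Click", sig)) # altered in transit
    print(verify("ceo@example.com", body, sig))              # signature reused
    print(verify("bob@unsigned.example", body, sig))         # no published key
```

A "pass" only proves which domain sent the message; whether to accept mail from that domain is a separate decision.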

I was so sure at the time that if we could only get people to use this system we would surely stop spam. Microsoft’s Bill Gates gave me some company in 2004 when he proclaimed that “spam will be a thing of the past in two years’ time”. As it turns out, we were both wrong and naive to say that we can stop spam, because it’s like saying you can stop crime. The most we can ever hope for is to manage it to tolerable levels when there are determined adversaries who will do anything to get around any barrier you can put up. I am coming clean on this now because there are still so many people who believe that stopping spam is simple and that if it isn’t stopped, it must be the fault of the major ISPs and corporations for dragging their feet.

My colleague David Berlind blamed the spam problem on the big-four email vendors and declared rDNS (reverse DNS) and maybe SPF (Sender Policy Framework) the solution. Now I’m certainly not trying to belittle David Berlind, because his heart is definitely in the right place. In fact, I’m essentially saying that Bill Gates and I were wrong to say that spam could be stopped, and that it’s about time my colleague David Berlind takes a good hard look at the problem and stops implying that spam could be stopped if only we did XYZ.

The fundamental challenge here is that we will never stop spam because we will never go to the pure white-list model where we will only accept email from verified entities. In fact, there’s the little problem of human rights we have to deal with, because words can get you imprisoned or executed in many countries. I never gave much consideration to this issue in the past, but I’ve given it some thought over the years and I’ve given in to the legitimate need for anonymous and decentralized email.

Why charging for email to stop spam is just plain dumb
One of the most commonly floated ideas for stopping email spam is that if only we charged a postage fee for every email ever sent, then the cost of sending spam would be so outrageous that it would deter spammers. Not only will it not work, but there is the risk of abuse by some larger ISPs to charge users and legitimate companies for sending legitimate bulk email under the justification of stopping spam. For one thing, spammers don’t send the spam directly; they have their hijacked botnet armies send it for them. These are personal computers (and some servers) that have been taken over with malicious software by criminals. If anyone is going to pay, it will be the owners of those computers who pay.

The second most obvious thing that proponents of the email postage idea missed is that if you actually had such a massive billing scheme in place, it would have to have every sender registered with their credit card on file, and every email ever sent would need a digital signature that proves it was sent by the purported sender. If this were the case, you would have already stopped spam without charging a dime for any emails, because you can slap them with a massive fine if they ever dared send spam. Why bother charging honest people for email when you can simply fine the bad apples and leave everyone else alone?


George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 138 Talkback(s)
RE: Why spam can only be managed, not ended
Simple!! Format your HDD yearly this will get rid of your botnet you may be sending!!
Posted by: gdude@... Posted on: 11/05/07
But bot nets can use white listed computers  shis-ka-bob | 10/26/07
Then you lose your bond and get kicked off the list.  georgeou | 10/26/07
Permanently off the list?!  Anton Philidor | 10/26/07
No, more money to get back on the list  georgeou | 10/26/07
The solution is really much simpler than that...  Information_z | 11/04/07
trustworthy is relative  shis-ka-bob | 10/26/07
Good point, that is the challenge that needs to be addressed.  georgeou | 10/26/07
Expensive solution...  Information_z | 11/04/07
addressbook virus; was Re: you lose your bond and get kicked off  mandehu@... | 10/29/07
How about smarter ISPs?  bidemytime | 10/26/07
re: smarter ISPs  ace101pub@... | 10/26/07
The cost for 3 probably out ways the cost of 1  mrOSX | 10/26/07
out what?  lysdexia | 11/01/07
Perhaps  epcraig | 10/26/07
Funny you say (smart) ISP's  Suicida| | 10/26/07
But they do...  peter@... | 10/29/07
its so easy when youre not knee deep  linuxoverwindows | 10/29/07
Disallow Port 25  grunter_z | 10/30/07
target the companies EMPLOYING the spammers, NOT THE SPAMMERS themselves  ace101pub@... | 10/26/07
Two things  bidemytime | 10/26/07
Well, there have been cases of companies being framed  georgeou | 10/26/07
Vigilante justice...  Anton Philidor | 10/26/07
I agree  dragosani | 10/26/07
not necessarily...  craig-wilson@... | 10/29/07
Target yes, but legally  fnash | 10/28/07
Re: target legally  mandehu@... | 10/29/07
That's why  fnash | 10/30/07
Unsolicited Email should be a crime  Bobajot | 11/03/07
Not again.  bjbrock | 10/26/07
Meanwhile what do retail folks do when ISPs don't care?  osreinstall | 10/26/07
The sender's domain...  bjbrock | 10/26/07
Your solution is great for a server  osreinstall | 10/26/07
I see.  bjbrock | 10/26/07
I kinda figured that.  osreinstall | 10/26/07
Message from the average user  Hrothgar - PCLinuxOS User | 10/28/07
Nevermind.  osreinstall | 10/28/07
The average user  Hrothgar - PCLinuxOS User | 10/29/07
The average user has a tough time.  osreinstall | 10/29/07
set up; than  lysdexia | 11/01/07
I would if I had some money  osreinstall | 11/01/07
Fine. Then how about...  D. T. Schmitz | 10/26/07
Re: dig  mandehu@... | 10/29/07
RE: Why spam can only be managed, not ended  mattwolc | 10/26/07
Gates/Microsoft sued a lot of spammers  georgeou | 10/26/07
Russian Spammer Murder Story Deemed A Hoax  lysdexia | 11/01/07
BUT BILL GATES PROMISED!!!  itanalyst | 10/26/07
Google and Microsoft  andycher | 10/26/07
There are effective anti-spam solutions in place  georgeou | 10/26/07
Not my case  johnson12 | 10/29/07
RE: Why spam can only be managed, not ended  wkulecz | 10/26/07
And then?  Anton Philidor | 10/26/07
So what?  doug@... | 10/26/07
New standard to solve spam?  Anton Philidor | 10/26/07
Licenses don't work...  nottheusual1 | 10/29/07
RE: Why spam can only be managed, not ended  techrepublic@... | 10/26/07
The solution to the problem is right where you stated...  TripleII | 10/26/07
All I ask...  Anton Philidor | 10/26/07
You keep trying to poke holes  TripleII | 10/26/07
The real purpose of SPF  fazalmajid | 10/26/07
RE: Why spam can only be managed, not ended  mjd420nova | 10/26/07
I agree 100% that no stopping spam and Whitelisting  dragosani | 10/26/07
OpenPGP and GNU Privacy Guard  D. T. Schmitz | 10/26/07
The Anatomy of an OpenPGP email  D. T. Schmitz | 10/26/07
Why are you hanging one of your own out to dry in a ZDNET Blog?  Slamshifter | 10/26/07
I just hung myself too, this is about dialog.  georgeou | 10/26/07
New way to get hits:  nizuse | 10/26/07
I can assure you that nothing is staged here  georgeou | 10/26/07
George, you are either with us or against us.  osreinstall | 10/26/07
"ended"  nizuse | 10/28/07
It can be ended, but all must comply  pcguy777 | 10/26/07
re  pcguy777 | 10/26/07
That's the attitude that we must stop  georgeou | 10/26/07
I have disovered the cure for all spam.. please read my previous post  pcguy777 | 10/26/07
Re: bots paying  Rick_R | 10/26/07
ok  pcguy777 | 10/26/07
Read the second point  georgeou | 10/26/07
RE: Ridiculous  shanedr | 10/26/07
Spam is already illegal  georgeou | 10/26/07
I accept all emails....  vinyl1 | 10/26/07
Ending Spam is Easy  Drac144 | 10/26/07
Not so easy  lonniemcclure | 10/26/07
Here's news for you, spam is already illegal  georgeou | 10/26/07
RE: Why spam can only be managed, not ended  The Rifleman | 10/26/07
lose its  lysdexia | 11/01/07
We can do a MUCH better job.  CobraA1 | 10/26/07
RE: Why spam can only be managed, not ended  tracy anne | 10/26/07
Same for security and piracy ...  johnfenjackson@... | 10/27/07
That's how everything is  georgeou | 10/27/07
Status Quo and another Inconvenient Truth  D. T. Schmitz | 10/27/07
Re: That's how everything is  The Rifleman | 10/27/07
Time for a new paradigm  PAIGED@... | 10/27/07
They'll spam the header then . . .  CobraA1 | 10/28/07
use authentication, like in IM ... bayesian  cfortune | 10/27/07
Good Catch  Drac144 | 10/28/07
To end spam, just...  mikecepek | 10/28/07
... kick the reader in the booty?  nottheusual1 | 10/29/07
What? No engineering solution!  tonymcs@... | 10/28/07
Third World dictators do not have the right to send SPAM  Absolutely | 10/28/07
Bot nets to cut  Hrothgar - PCLinuxOS User | 10/28/07
RE: Why spam can only be managed, not ended  thungurknifur | 10/29/07
Like I said, I was wrong, Bill Gates was wrong, Berlind is now wrong  georgeou | 10/29/07
ISP's CAN help this issue.  Bozzer | 10/29/07
you probably dont realize...  linuxoverwindows | 10/29/07
Finally  jedwards123 | 10/29/07
RE: Why spam can only be managed, not ended  Neuromage | 10/29/07
RE: Why spam can only be managed, not ended  CodeBubba | 10/29/07
How spam can be stopped!  kps_46635@... | 10/29/07
How to stop spam emails  kps_46635@... | 10/29/07
Evolving  lektaric@... | 10/29/07
Enforce reply rating  bart.viaene@... | 10/29/07
Free e-mail sites  davedufour | 10/29/07
RE: Why spam can only be managed, not ended  webmasterjay2007@... | 10/29/07
Can't we all just get along?  Narg | 10/29/07
Postage charges haven't stopped junk mail...  chas_2 | 10/29/07
postage charges would also be much more difficult to apply selectively  Absolutely | 10/29/07
used an html tag by accident  Absolutely | 10/29/07
what the pseudo-code should look like:  Absolutely | 10/29/07
The solution to spam is not to be found in the technical realm... BUT...  Tim Lathouwers | 10/29/07
RE: Why spam can only be managed, not ended  Mr Orez | 10/29/07
A great idea!  Abner Kravitz | 10/29/07
RE: Why spam can only be managed, not ended  MarBrock | 10/29/07
RE: Why spam can only be managed, not ended  BaltimoreBarry | 10/29/07
RE: Why spam can only be managed, not ended  Prof. LittleOldman | 10/29/07
RE: Why spam can only be managed, not ended  phatkat | 10/29/07
RE: Why spam can only be managed, not ended? Bull crap, I do it !  versitalbear | 10/29/07
so who is getting this spam?  linuxoverwindows | 10/29/07
Whitelist is not the answer SPF is!  brittonv | 10/29/07
SPF and SenderID lack non-repudiation and they break SMTP relay  georgeou | 10/30/07
I wholeheartedly disagree, DKIM Won't work SPF/SenderID  brittonv | 10/31/07
I AIN'T KIDDING---  BALTHOR | 10/29/07
RE: Why spam can only be managed, not ended  skipplummer | 10/29/07
RE: Why spam can only be managed, not ended  simon89 | 10/29/07
RE: Why spam can only be managed, not ended  batterycharger | 10/29/07
if you're  tekWatcher | 10/30/07
go after the advertisers  tekWatcher | 10/30/07
I too have wondered this  brittonv | 10/31/07
Barracuda  plaga_nerezza@... | 10/31/07
RE: Why spam can only be managed, not ended  gdude@... | 11/05/07
