The Spam Solutions

An overview of solutions to the junk E-mail problem

(Heavily revised for 2003)

Here are some proposed solutions to the problem of unwanted junk E-mail. In many cases there are levels of complexity not revealed here.

Non-governmental

Recipient Revolt

At first, recipients reacted to Spam with ire, both in E-mail and in the physical world. This has helped significantly to scare more legitimate companies away from using junk E-mail, and this is good.

Positive
  • ISPs changed policies
  • Legit companies very afraid to spam.
  • Legit companies all fairly good about working list-removal.
  • If it gains momentum, has a nice positive feedback. The fewer spams the more effort can be spent on punishing them.
Negative
  • No effect on scumbags
  • Severe burden on ISPs handling valid complaints and invalid complaints.
  • Forging of E-mail often results in complaints against the wrong person.
  • Spammers try hard to hide identities, causing some to block all unknown and anonymous mail.

Customer Revolt

A very small minority of Spams come from places the recipient has had contact with, such as web sites they gave their E-mail address to or companies they have done business with.

Customers fortunately have power over companies, and revolt and anger by customers is far more effective than anger at strangers.

Companies should be pushed to disclose what they will do with any data they collect from a customer/user, and stick by that disclosure. Users should be encouraged to pressure companies to join programs like Trust-E and the BBB to make sure they comply.

It should be noted that junk mail from parties with whom you have a relationship is more abuse of that relationship than abuse of the net. It's also more an issue of privacy rights and data collection procedures.

Positive
  • As with recipient revolt.
Negative
  • False complaints are a problem.

--Recommendation: Promote Customer complaint

Vigilante Attack

Some have taken to more serious efforts, including methods that are illegal or which break net "rules." Mail-bombs and denial of service attacks, sometimes against the innocent, in particular are a bad idea.

Positive
  • Nasty
Negative
  • Sinks to their level. Sometimes illegal.

    Pattern and Bayesian Filters

    Many mail tools now can filter out mail or redirect based on analysis. Some search for known patterns or the names of known junk mailers. Some just look for generic items uncommon in regular E-mail such as mail not directed at the user, or subject lines in all upper case.

    Such systems are not a likely long-term solution. They can always be gotten around. It's just a war of escalation. As long as the patterns can be found out, as they can in any product, the mailers will learn not to use them.

    Positive
    • Fairly effective
    • Action needed only by mail recipient
    Negative
    • Does not reduce server load
    • False positives block legitimate mail. Often block mail about spam.
    • Sometimes put in place without recipient's knowledge.
    • Often don't bounce to tell user they were blocked.
    • Attacks correlated items, not the core of the problem. Content based rather than volume based.
    • Requires constant arms-race with spammers.

    Domain filters

    Many mailers now refuse mail from domains that don't exist.

    Positive
    • Blocks a lot of spam.
    Negative
    • Pushes spammers into forging real people's domains.
    • Eliminates ability to send legitimate anonymous E-mail.

    Blacklisting

    Blacklist filters use databases of known abusers, and also filter unknown addresses. A real-time blacklist system is in place at some sites to block even the initial mail connection from known abusers. There is a constant battle to keep such lists up to date, and the system is somewhat wasteful. There is a significant risk of blacklisting innocents, or those using the same ISPs as innocents.

    Positive
    • Effective against some spammers.
    • Saves server load.
    Negative
    • Innocent sites get blacklisted. Many blacklists do not have highly effective appeal process. Some blacklists are entirely capricious and blacklist people they don't like.
    • Blacklisting open relays punishes spammer's victim. Can be done even if the relay is not actually relaying significant volumes of spam.
    • Is a global censorship tool if not careful.
    • Some blacklisters blacklist entire ISPs and networks in the hope that other users will push to punish the spammer on the same network. Punishes the innocent in order to get the guilty -- never acceptable in a just system.

    Whitelist Filters

    Mailer programs learn all contacts of a user and let mail from those contacts through directly. Mail from strangers is redirected to other folders or challenged. It may be discarded if it matches certain patterns.

    If users respond to challenge, their mail is delivered and they are whitelisted.

    There are simple responses (just reply) and fancy ones (Identify the object in this picture) which can't be automated. Today just replying works but it won't work forever.

    Positive
    • Extremely effective
    • No false positives if you scan the list of blocked unresponded messages.
    • Can be used in combination with other tools (filters, stamps etc.)
    Negative
    • Anonymous mail difficult.
    • Delay of mail from new parties.
    • Possible false positives if user can't afford to scan, or blocking is done.
    • Arms race with spammers if they decide to try to automate response to challenges.
    • Mailing lists must be individually whitelisted.
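
The whitelist-and-challenge flow described in this section, as an added Python example (not code from this essay or from any mail product). The class, its method names and the sample messages are constructed for illustration; holding mailing-list and automated mail without sending a challenge is a design choice of this example.

```python
import secrets
from email import message_from_string
from email.utils import parseaddr


class WhitelistFilter:
    """Challenge/response whitelist for one mailbox (illustrative names)."""

    def __init__(self, contacts=()):
        self.whitelist = {c.lower() for c in contacts}  # known senders and List-Ids
        self.pending = {}     # challenge token -> stranger it was sent to
        self.held = {}        # sender or List-Id -> raw messages awaiting release
        self.inbox = []
        self.challenges = []  # (recipient, token) pairs a real system would mail out

    def allow(self, key):
        """Whitelist a sender or List-Id and release everything held for it."""
        key = key.lower()
        self.whitelist.add(key)
        self.inbox.extend(self.held.pop(key, []))

    def receive(self, raw):
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        list_id = msg.get("List-Id", "").strip().lower()
        key = list_id or sender  # list traffic is keyed on the list, not the poster
        if key in self.whitelist:
            self.inbox.append(raw)
            return "delivered"
        self.held.setdefault(key, []).append(raw)
        # Hold without a challenge when a reply would reach a list or a robot,
        # or when this stranger already has a challenge outstanding.
        automated = msg.get("Auto-Submitted", "no").strip().lower() != "no"
        if list_id or automated or not sender or sender in self.pending.values():
            return "held"
        # The From address is unauthenticated, so a forged sender receives this.
        token = secrets.token_urlsafe(16)
        self.pending[token] = sender
        self.challenges.append((sender, token))
        return "challenged"

    def respond(self, token):
        """A stranger answered a challenge: whitelist them and release their mail."""
        sender = self.pending.pop(token, None)
        if sender is None:
            return False
        self.allow(sender)
        return True


def mail(sender, subject, extra=""):
    """Constructed sample message; `extra` carries additional header lines."""
    return f"From: {sender}\n{extra}Subject: {subject}\n\nbody\n"


if __name__ == "__main__":
    f = WhitelistFilter(contacts=["alice@example.org"])
    print(f.receive(mail("Alice <alice@example.org>", "lunch")))
    print(f.receive(mail("bob@example.com", "introduction")))
    print(f.receive(mail("bob@example.com", "follow-up")))
    print(f.respond(f.challenges[0][1]), len(f.inbox))
```

Messages in `held` that never get a response are the ones the user has to scan to avoid false positives.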

    Hide your address

    Many are reacting to Spam by refusing to reveal their E-mail addresses in public and sometimes even in private, for fear of a privacy-invading deluge of Spam.

    Variants include using temporary addresses for replies that are shut down after a few weeks, addresses written in natural language that computers can't understand, or using a different address every time and closing off addresses being spammed.

    Positive
    • Cuts back on spam, but spammers have other ways to get addresses.
    • Being perfectly meticulous is hard. Must never mail any mailing list which has a web archive, for example.
    Negative
    • Makes it much harder for legit people to contact you.
    • Breaks fundamental principles of an open net.

    Stop relay abuse

    Blacklisting open relays is just one technique to stop this abuse. Regular social campaigns have also helped, and all new mail software now refuses to relay by default. Other technologies (like SMTP-after-IMAP) have sprung up to allow remote access to relays with authentication.

    Positive
    • Relay abuse is already illegal, so serious tactics can be used against it.
    • Campaign has been effective, open relays are now much fewer.
    Negative
    • There are still some and they get abused by spammers.

    Contract-Law and limiting trial accounts

    Require no-spam contracts between ISPs and users. For those who won't agree, or trial accounts who have not had time to agree, limit SMTP use to ordinary mail volumes, but throttle bulk by redirecting traffic through throttling SMTP servers. Full Details are available.

    --Recommendation: Perhaps the best entirely technical solution.

    Voluntary Opt-Out lists

    Opting out means requesting to receive no Spam, either in a global "opt me out of everything" list (such as the DMA maintains for paper junk mail) or by requesting those who mail you to remove you from their list. Neither of these tends to work. Abusers are ignoring them or, worse, pretending to take requests and adding names to more lists.

    Sadly, a list of E-mail addresses can't really be built the way one can for phone numbers. Any one mailbox has a large number of valid E-mail addresses.

    Tags are a form of opting-out, in that the recipient needs to ask (or program) their mailer to discard mail with tags that match what it wants to opt-out from.

    Opt-out is best implemented where possible at the mail protocol (ESMTP) level, so that undesired mail is never even sent if possible. This is most efficient.

    --Recommendation: Note that the principle is good, but they are unlikely to work with the worst offenders.

    Voluntary Tags

    Standards can be developed to tag bulk mail, providing headers or other information listing the number of recipients of the mailing, whether the recipient requested the mail, or whether the sender is personally known to the recipient.

    On their own, however, their value is limited.

    --Recommendation: Encourage the use of non-content oriented tags.

    For more details see this description of one tagging methodology.

    Insisting on tags

    They become valuable if recipients start insisting mail they receive be tagged, and diverting untagged mail to a low-priority folder. And of course diverting mail tagged in ways they don't wish to receive.

    Such a scheme requires that Spammers be honest. There is evidence that many would not be. However, it is possible that some laws may force them to be.

    --Recommendation: Initiate support to reach level where users can insist on them.

    Digital Signature

    For non-anonymous mail, a digital signature that verifies the sender has many uses. Many want this for other purposes. Such a signature can be used for reliable whitelisting and blacklisting. In addition, the signature can come with a digital certificate stating the sender has agreed to a certain code of E-mail ethics.

    Recipients might insist on such a certificate. Or the simple fact that the sender, and their ISP can be reliably identified may be enough to make people willing to give E-mail access, with non-signed mail diverted.

    Anonymous mail is impeded by this and other schemes. Anonymous mailers must find some way to assert they are not abusing the system or recipients may delay, redirect or filter their mail. Valid methods include the use of remailers that protect identity and vouch for (or assure) non-abuse.

    --Recommendation: Support building of infrastructure. Assure that the ability to be anonymous if desired is supported. Push E-stamps as eventual solution.

    E-stamps

    Once a digital signature and digital-money infrastructure comes into play it is possible to implement an E-stamp scheme.

    Such a system works regardless of borders, and allows anonymous mail without abuse. However, it requires the build-up of lots of technical infrastructure and the redesign of mail systems.

    As noted in the article cited, my support for this idea has waned, as there are far better systems, including far better "stamp" style systems which use things like proof of CPU time spent, among others.

    --Recommendation: Oppose, but consider as the seed of a long-term solution using non-monetary tokens.


    Quasi-governmental

    The following methods involve the government, but only as an enforcer of existing contract law or intellectual property law.

    Enforce anti-fraud, theft of service, impersonation laws

    A good portion of Spams are illegal for other reasons. They make fraudulent claims. They claim to have "remove" lists but don't. They claim to be referrals from friends but they are not. They bombard systems, acting like a denial-of-service attack. They provide forged return addresses that are actually the addresses of innocent third parties. Already some lawsuits in this area have been successful.

    However, a significant number of Spams do not violate any laws directly, or they could remove their illegal portion without major loss.

    --Recommendation: Support lawsuits and other efforts, but this is not enough.

    Trade-mark/Fraud Enforced Tags

    A tagging scheme could be enforced by placing a valid trademark on the name of the tag, and allowing the mark to be used only by those who follow proper standards of E-mail ethics. Those who use it against the guidelines -- by lying in their tags -- could be sued and stopped.

    This can work, with difficulty, in many countries but not all. In general, mail must be authenticated as to where it comes from in order to be able to sue. Truly anonymous mailers can't be sued, though rarely can they provide a means to buy their product.

    It's also possible that lying on tags in order to get mail through to people for commercial purposes may be fraudulent in some fashion, and thus stoppable.

    --Recommendation: Support experiment in this area

    ISP User Contracts

    Already many ISP "terms of service" (TOS) call for E-mail codes of conduct. As this becomes more and more common, it may provide sufficient recourse.

    To help this along, a consistent definition of E-mail abuse backed by all ISPs is important.

    Today a problem exists since most ISPs, to market their services, use free trial accounts. They can't do anything with such accounts but shut them off. Users of free trials are not easily held accountable for violations of their TOS contract.

    --Recommendation: Support, provide sample contract terms and definition.

    ISP peering contracts

    The internet works because ISPs "peer" (exchange data) with one another. ISPs may eventually refuse to peer with ISPs that don't have anti-Spam E-mail conduct codes in their TOS. It is unknown if this would be restraint of trade.

    --Recommendation: Support, but promote principles of fair dealing.

    Open access only for agreement-bound users

    Perhaps the most suitable non-governmental scheme would involve ISPs only granting "open" access to E-mail ports on the internet to parties who have agreed to a code of E-mail ethics. All others, as well as anonymous mailers, would be allowed to only send mail to special relaying servers. (Today most ISPs and ordinary users already mail via such a scheme.)

    The relaying servers would be programmed to mail for anyone (except perhaps unrepentant abusers) but would "throttle" the volume of E-mail to a level just sufficient for the needs of non-bulk mailers. I.e., the server would allow users on any given network or computer to send only a few messages per minute, per hour or per day.

    This allows some abuse but the inherent limitations make the problem tolerable.

    Those wishing to send bulk mail, such as the operators of mailing lists, would agree to a code of E-mail ethics.

    Anonymous bulk E-mail would not be possible, except by arranging for another party who has signed the code of ethics to act as a gateway. That party would take responsibility for abuse by the anonymous party.

    Here is a more detailed description of this plan.

    --Recommendation: Most effective immediate non-governmental solution. Support -- possibly even support creation of server.
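
The throttling relay described in this section, as an added Python example (not code from this essay or from the linked plan). The class name, the numeric caps, the /24 and /64 grouping of senders into networks, and the example addresses are all assumptions; the essay only says "a few messages per minute, per hour or per day".

```python
import ipaddress
from collections import defaultdict, deque

# Assumed caps (the essay gives no numbers): window in seconds -> messages allowed.
DEFAULT_LIMITS = {60: 3, 3600: 5, 86400: 20}


class ThrottlingRelay:
    """Relay that rate-limits every sender not bound by the E-mail code."""

    def __init__(self, limits=DEFAULT_LIMITS, agreement_bound=(),
                 v4_prefix=24, v6_prefix=64):
        self.limits = dict(limits)
        self.bound = [ipaddress.ip_network(n) for n in agreement_bound]
        self.prefix = {4: v4_prefix, 6: v6_prefix}
        self.sent = defaultdict(deque)  # source network -> delivery timestamps

    def submit(self, ip, now, recipients=1):
        """Return (accepted, retry_after_seconds); retry_after None means never."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.bound):
            return True, 0       # signed the code: bulk allowed, abuse is a contract matter
        if recipients > min(self.limits.values()):
            return False, None   # one message this wide is bulk by itself
        # Count per network, so hopping between hosts on one network gains nothing.
        net = ipaddress.ip_network(f"{addr}/{self.prefix[addr.version]}", strict=False)
        log = self.sent[net]
        while log and log[0] <= now - max(self.limits):
            log.popleft()        # older than the longest window
        retry = 0
        for window, cap in self.limits.items():
            recent = [t for t in log if t > now - window]
            excess = len(recent) + recipients - cap
            if excess > 0:
                # Wait until the `excess` oldest deliveries leave this window.
                retry = max(retry, recent[excess - 1] + window - now)
        if retry:
            return False, retry
        log.extend([now] * recipients)  # every recipient counts as one message
        return True, 0


if __name__ == "__main__":
    relay = ThrottlingRelay(agreement_bound=["192.0.2.0/24"])  # constructed addresses
    for t in (0, 1, 2, 3):
        print(t, relay.submit("198.51.100.10", now=t))
    print(relay.submit("198.51.100.99", now=4))   # same /24, shares the budget
    print(relay.submit("192.0.2.25", now=4, recipients=500))  # agreement-bound list
```

A rejected message would map to a temporary SMTP failure so that an ordinary sender's mailer simply retries later, while a bulk run stalls.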


    Governmental

    All governmental approaches suffer from the problem of being unable to deal with Spam from outside the country that passes the law. In theory a large number of nations might outlaw Spam and this would limit it a fair bit. Indeed, a law in the USA would have some effect.

    Traditionally Spammers have tended to not be that responsive to laws. Many such messages already propose illegal things, such as pyramid schemes or other fraud.

    If there are to be laws, it is vital that they be as minimal as possible, to protect free speech and pass the Central Hudson First Amendment test. Several laws have been proposed that are stronger than necessary.

    In general, government regulation of E-mail should be considered as a last resort, to be used if the tragedy of the commons that is Spam threatens to destroy the medium.

    --Recommendation: Laws to be used only if other methods are unable to make significant gains.

    U.S. State Regulations

    Some states are drafting and passing laws to regulate junk E-mail and other E-mail, ostensibly within the state. However, the laws are bound to (and supporters hope they will) have effects outside the state. While similar to the issue of multiple national jurisdictions, what's different here is that the U.S. Federal government may be given jurisdiction, removing it from individual U.S. States.

    --Recommendation: Oppose regulation by individual states of geography-independent aspects of the internet, including E-mail.

    Required tags

    Tagging as described above could be made mandatory by law on bulk mail from strangers. To send such bulk mail without correct tags could be a tort. Users would be responsible for filtering their own mail based on tags, and prosecuting violators.

    Tagging must not relate to content, lest it be compelled speech. Government enforced tags must be limited to entirely factual matters about the nature of the mailing itself, not the message.

    Some proposed tagging laws have been put forward. One suggests that the Subject line contain the word "advertisement." This is bad because it talks about the content of the message, and it's technically poor. Any tagging or protocol based scheme should be defined by the IETF. Governments might simply provide penalties for lying with such tags.

    Tagging schemes could be more complex with additional, voluntary tags.

    It should be noted that any law which bans a type of E-mail could immediately be made less restrictive by instead requiring that such E-mail be tagged. Thus the government would never prohibit any type of E-mail, only the sending of it without suitable and/or correct tagging.

    --Recommendation: Oppose content based tagging. Support time-and-method tagging as best choice if non-legal methods fail.

    Mandatory compliance with opt-out

    The law could compel senders of bulk E-mail to comply with an opting-out system. They could require that "remove" lists be faithfully maintained, or that a national opt-out list be supported.

    Better would be an ESMTP protocol to allow the expression of opt-out wishes, and a law compelling senders of certain types of mail to obey. In effect an electronic "no bulk solicitors" sign, with teeth, on the mail server.

    For technical reasons, because mail is often sent to a relaying server that will not know the wishes of the final recipient, a tagging system must also be in place so that the decision can be made further down the chain.

    One law proposed in California allows sites to opt-out with a web page policy. This does not easily allow individual user choice, or a formal way of obtaining opt-out/opt-in status.

    --Recommendation: Support as 2nd best legal solution if non-legal methods fail. Encourage individual opt-out over site opt-out. Oppose protocol definition by the government.

    Required identification

    Several recently proposed laws are asking for mandatory identification of the senders of commercial E-mail. Such laws would create greater accountability for abuse, but violate the right to communicate anonymously when parties desire it.

    Less restrictive are rules stating that if identification is false, it be marked as false. (Such rules only make certain things more efficient, since it is possible, though cumbersome, today to test if an address is valid, if by no other means than mailing it to see if it bounces.)

    --Recommendation: Oppose government-required identification.

    Banning unsolicited commercial E-mail

    Several laws seek simply to make unsolicited commercial E-mail a tort or otherwise unlawful. They ban single pieces of E-mail based on content. This is a poor idea. An analysis of the most well known of these bills, HR 1748 in the US Congress, is available.

    --Recommendation: Strongly oppose

    Banning unsolicited bulk E-mail

    Banning single E-mails based on content is probably unconstitutional in the USA. Since it is bulk mail that is the source of the Spam problem (without computer automation of mailing to multiple parties, the volume of junk mail is naturally limited to a tolerable level) regulation should focus on that. It is possible that restrictions on bulk mailing, as so-called "time and manner" restrictions, might not violate the 1st amendment in the USA.

    Definition of bulk is actually better left to law than to computers. While it is easy to tweak 1,000 messages in some way so that they look different to a computer, humans and the law can read through such tweakings to the intent behind a message.

    --Recommendation: Primarily an example of how laws that don't focus on bulk are not the least restrictive laws available. Other approaches must be tried first before any E-mail bans.

    Regulation of single commercial E-mails, mandatory ID & 'remove'

    The U.S. Senate recently passed a bill regulating such E-mails. It has some good basics that a law should have if there should be a law, such as working on an opt-out basis rather than changing things for everybody by default, but this law has many problems, including bad definitions, government definitions of protocols best left to the IETF, a misunderstanding of the non-unique nature of E-mail addresses and several others.

    --Recommendation: Oppose or require serious revision.