Slashdot Mirror
IBM Researcher Offers an E-Stamp Spam Solution
UnanimousCoward writes "This Internet Week article describes a research project by Scott Fahlman that looks to limit spam using e-stamps. Here is more detailed description of the system under his CMU homepage along with a link to the original paper." As crappy as it sounds, charging some tiny fee per email would cut spam dramatically. 207 of the buggers so far today. Hundreds of megs a month. I'd love to see something done.
cut spam dramatically? how do you explain all the junk mail I get IRL? they pay for postage on that, you know....
I'd rather deal with filtering the spam I get, than have to pay for sending email.
As crappy as it sounds, charging some tiny fee per email would cut spam dramatically
Yeah. Sure.
How much crap do you get a day in your postal mailbox? How much of that was sent with a $0.37 First-Class stamp? How much of that was sent with heavily discounted postage because of its "bulk mail" status? (I won't even go into how ordinary citizens end up subsidizing this crap, even junkmail from large companies that could afford a full-cost stamp).
How much you wanna bet that some kind of postage on email won't make much difference, as the cost will either be so low that most won't care, or there'll be ways for companies to get out of it (or to get a much cheaper rate)?
Sure, it might cut back some. Maybe. But remember how the big junkmail senders got cheaper rates in the first place: Lobbyists. So I wouldn't expect it to last.
habeas is a way to help prevent spam sent to you. By subscribing to Habeas, you have X-Habeas headers put into your email. You can filter based on these to help prevent more spam and know the email is legit.
Check it out. I don't use it personally, one of the mail lists I'm on uses it.
-- DuckWing
And this is why. Assuming you have the computer, phone line and small monthly fee(depending on service) Email a an effective and free form of coomunications. In effect, you are already paying for it, when you pay for your monthly service. Adding a fee for E-mail would in effect be an "E-Mail tax", but instead of going to public works or anything like that, it goes to line the pockets of the sellers of the E-stamps.
Case in point, bad idea.
You say you want a revolution....
Lots of people have talked about this sort of system (pay $.01 per email you send, receive the same per email you get), but it's good to see someone writing it finally.
A question remains: my Social Implications teacher also teaches Telecommunications Law. She maintains that this sort of thing will open a floodgate of per-use fees on our internet access that we won't want.
I guess that by having a third party do it (instead of the ISP), we can get around that problem for now. Does anyone have any idea if she's right, and if so if it could affect this as well?
-- Bill "Houdini" Weiss
Quote from the pdf:
"When a message arrives at my machine or mail-server, it is examined. If the sender is on my accept list, the message is passed through to my in-box."
spammers do this with forged email addressess all the time... and pass trough whitelists all the time as well.
How about a protocol for personal PGP stamps.
I can issue stamps with as many tags as I like and configure my email front end to deal with messages based on the stamps
"Friends"
"I am a customer of company X"
"I work for A and buy from B"
"I work for A and sell to C"
"Registered at site M to enter contest"
"Tech web site registration"
"News web site registration"
"Entertainment web site registration"
In the event you went on holiday you could even set up forwarding based on the message stamps.
I have previously worked at an ISP, and now in a software development organization, and it has always been common practice to send automated emails from webpages or servers.
How would a pay-per-email fee affect people like this? What about the "Forgot Your Password?" links on sites that email your registered email?
I think something like this would hit the Internet a lot harder than people think, since most people just seem to be concerned with Joe User at home sending 50 joke mails a day.
no comment
Every time you send an email, you pay the recipient $0.01.
:)
End result?
The average email user breaks even if they send as much as they recieve. Someone who sends much more than they recieve is only out $1. Legitimate buisnesses will only pay about $0.05 per sale on average. Still peanuts. However, a spammer that sends out 10,000,000 emails ends up having to fork out $100,000. Still alot cheaper than snailmail spam, but you KNOW they'll be checking thier lists alot more carefully and targeting a bit more precisly than the sun. When that 1 in 10,000==success plan starts running $100/success. It cuts into the profit margin. They'll want to reduce that to a 1 in 1000 for the higher return spams (which are probably 1 in 100,000 or more anyways).
If you really wanted to make money by doing nothing each day, with that setup it'd be possible just by recieving the spam
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
National... international, who would govern this blacklist of spammers?
Mail clients should just give the option to deny people without a proper certificate. If certificates are hard to get than blocking a domain of certificates would help block the amature spammers.
--------
Free your mind.
I think a better though analogous solution was already proposed and discussed on slashdot. Basically, to accept or relay any e-mail (not on a whitelist) the sender would have to perform a small numerical calculation of the recipients choice. E.g. find the roots of a sixth order polynomial with 7 coefficients provided by the recipient.
This takes a few millisecond to calculate the answer and its is trivial to check. One could dial up the problem strength as needed.
For normal users this is a trivial cost since my CPU is definitely idle many many milliseconds every time I send an e-mail. But for bulk senders its a problem.
It could be done either by the relaying e-mail servers or as long at the final recipeint. The latter is probably superior as long as forged sender info does dont create accidental DOS attacks.
In any event, it adds a trivial burden to the amount of internet traffic, and given a reduction in spam traffic over time would save on total traffic. And It cost nothing since it uses unexploited resources. And it would I believe kill any centrally served spam dead.
In fact one could actually get useful work out of this.
Imagine this scheme. To get your stamp of approval you have to get a ticket issued from some grid computing server that supplies the mini-tasks. For example, I might sign up with some service that issues mail stamps in return for doing 1 second of calculation on some easily stated but hard to solve problem (prime searching, etc...)
Some drink at the fountain of knowledge. Others just gargle.
all incoming & outgoing mail and if the mail you receive is not encripted then send it to /dev/null. If someone has to contact you then they can get your key from a website.
So even if spammers got your key they would have to go through the process encrypting the email which is more time consuming and would probably result in less spam sent each day.
But then they could buy more expensive machines and we would end up at square one!
Ah forget what I said!
My penguin ate my sig
I started using ASK( Active Spam Killer ).
It works great. It works by requireing a response the first time someone emails you. They repond to an automated email and are whitelisted. Since spam has it's replay lines forged the spammer never replys to the automated email and you don't get any spam.
Since I have started using this 2 months ago I have gotten 2 spam emails. That is down from about 40 a day.
The other bonus is that unlike filters if someone needs to get an email to you they will and it wont accidentally be junked.
... about an "email tax", consider this: Microsoft's Penny Black Project aims to do the same thing, but implementation only requires some sort of cost, not necessarily monetary.
One method is especially interesting, the CPU-based scheme in which "the sender must solve a recipient-defined puzzle in which computation of the solution is moderately and provably hard." If that were the case you wouldn't even notice if you're sending one email, but a spammer certainly would if he tries to send out 1,000,000 at a time.
.
To end Spam, you must "de-monetize" it.
To do this you must increase the bandwidth loading of the spammer's sponsor (the 'business' paying to have the spam sent) beyond tollerable levels. The only way to do this is with a distributed "insincere curosity attack".
To do this you must write a mail app plug-in that allows you to drop spam into an analyser bucket on your desktop. This analyser would parse the spam for URLs and toll free numbers in the body of the spam. This analyser then routes these "targets" out on to a peer to peer, gnutella style network. As soon as each peer in the network gets about, say, 20 or so copies of that same target submitted from other peers, then a small HTTP client would start making random requests to the target URL or toll free number. This would keep up until the target disapears.
Oh, and to play the Flute, you just blow across the little hole on the one end while moving your fingers back and forth on the outside of the tube.
"A microprocessor... is a terrible thing to waste." --
GeneralEmergency
i think whoever posted last week that they should start suing the advertiser, not the spammer would cut down spam significantly. in the end, you know who it's coming from. it's from whoever hired the spammer to advertise their crap.
:(
the only problem with this (if it ever happened) is that if i got a hard on for getting slashdot in trouble and started mailing spam advertising slashdot then...if all goes well, Slashdot gets sued for sending spam
The easiest effective solution would be to "indirectly" transfer the cost to the sender as follows:
You make sure mail is stored on the sending server, and that only a message header with a link to the message body is stored on the receiving server.
This way, spammers will either a) need their own server (which can unambiguously identified and blocked), or b) the spammer's ISP will have to store the millions of message bodies and handle all the generated traffic. This will give a good incentive to the spammer's ISP for getting rid of the spammer.
A nice side effect of this is that you get rid of fake originating server identification in headers, as a fake header would lead to no message body.
For this to work, it is important that the message subject be considered a part of the message body, not its header. Otherwise, spammers will try to put their message in the subject!
It doesn't necessarily even require the SMTP infrastructure change.
This change does not equire any change to the SMTP protocol. Emails can still be sent as they are now. But we add a new "MIME Type" with something such as:
MIME-Content-Link: (address/ID information)
All the message is is a standard message header with no body, but the above information, and a dummy subject "Subject: none". If a mail client sees the above it would have the option of retrieving it based on the address/port/ID information given.
You sign up on a website that sends you an activation code for your account there. The site you signed up on is a small business that can't afford to pay to get this email through to you. So either you have to remember to add their email address to your free whitelist, or you don't receive the email (and many users wouldn't have any clue why). The small business thus gets so much less business that they go under.
The same goes for subscribing to an eZine or mail lists (can you imagine how many bounces bugtraq would have to deal with?), receiving any other email from a site where you sign up, etc. And every time a friend changed their email address or you met someone new, you'd have to update your whitelist.
This kind of system would be useless for an email address where you accepted bug reports for products, etc. (any address that you would HAVE to keep open for free).
I guess if there are people who would want to use such a system, then I'm all for someone creating it. But I won't be using it, and I can't see myself paying to get my emails through.
Convert RSS to HTML - integrate webfeeds into your website
It has several advantages that pay solutions don't.
It doesn't require a micropayment solution
It doesn't require a central registry
An additional benefit is that for small senders the cost remains negligibly small -- perhaps 2 seconds per e-mail address sent to. For spammers 2 seconds per e-mail address is a huge burden. If you're trying to mail to 10 million addresses, you need 231 hours of processor time to compute the hashcash "stamp" required for all the address. It's not an impossible feat, but if a spammer needs to set up server farms just to compute stamps their profit margins shrink signifigantly.
Group working on an implementation of hashcash
ISTM that this only compounds the problem, not cures it. The goal is to maximise the signal to noise ratio on the Net, so multiplying the noise by 5 seems an ineffective way of getting there. Surely you would do better by creating a form letter demanding to be removed from the spam list, reporting the abusers to postmasters, and so forth.
The future is here. It's just not evenly distributed yet. -- William Gibson
I'm not one for paying for anything I don't have to (Witness my email addy. Let M$ pay for anyone who wants to flame me.) but I don't see anything wrong with a kind of toll. "This user doesn't want unsolicited email, and you're not on the list, so if you want access you gotta pony up some change."
This would certainly wipe out the low end of the spam world; webcams, anatomical enlargements, etc. If some decent sized corporation wants to send me mail, that's fine.
The problem comes in through identity checking. How do you know the person who is sending you mail is on the list? I'm sure everyone here knows how to send email from a port 25 hack; even if you don't, it's completely obvious that spammers know how to forge whatever name they want.
So, in order for this to work, digital signatures would have to become much more common. Which I don't see happening any time soon. (vis a vis, if you only accepted digitally signed email, there would be no spam.)
Blah blah. I'll just stick with my filtering.
Just my 0.113620 Egyptian pounds's worth.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
In this scenario spamming would be a tax deductible expense.
I don't think anyone wants to see that.
It won't get rid of scam artists who use SPAM, but it will force legitimate businesses that send out SPAM to conform. If the field is present in the header then mail servers could scan the header prior to receiving the entire message. End users could instruct the mail server to selectively filter the SPAM based on the value present in the "UnSolicited" field.
So, when I have a baby, how do the IRL spammers (junk mail companies) *find out* I've had one? My concern is that even with e-stamps, there will still be lots of spammers that abuse the email, and find ways to get 'bulk e-stamps' at a reduced rate.
My Journal.
... which means there are potential problems with this pay system. I may owe only a limited amount of money to a few people, and all the cumulative senders to me may only owe me a few bucks if I decided to collect. That means that there are probably millions of dollars to be collected overall. I some enterprising startup pays 10-25% to individuals for the right to collect on the Debts there is a lot of money to be had and a lot of incentive for someone to pursue it.
Use your head, can't you, use your head,
You're on earth, there's no cure for that - S. Beckett
I'm not sure that's indicative of a desire for better spam filtering, or a bunch of major consumer ISPs trying desperately to differentiate themselves from the other two in a way that doesn't cut their profit margins to the *bone*.
OK, a large amount of spammers rely on *guessing* e-mail addresses. Why not charge per e-mail miss. I know, what about the guy who just mistypes a valid e-mail address. Have the ISP give out 10-20 free e-mail misses per month. This would more than cover any mistypes by us "normal" users while crippling the spammers who rely on guessing e-mail addresses.
My $0.02
ILuvSP
Easy. Add a field to the form, into which you paste your own "stamp" for the site to use on the email that is sent to you.
Same method could be used for those "mail this web page to a friend" links you find on CNet and the like. The concept is analogous to the "Self Addressed Stamped Envelope".
For a server that sends automated emails (e.g. weekly activity reports), you could provide a self-signed "reusable until revoked" certificate (aka "stamp") for all future emails.
The easiest way to do this would be for the web page to present you with a certificate naming their server and sending domain or full email address. you would "sign" this certificate with your personal email key, then paste the signed certificate back to the form and submit.
If the site "goes bad" and starts spamming you, you have the option to revoke the certificate.
I do not deploy Linux. Ever.