How to Kill Spam Without the State

WaxParadigm writes "The Colorado Freedom Report, an online libertarian publication in Colorado, has an article today about How to Kill Spam Without the State. Will our heavy-handed attempts to stop spam through legislation have the outcome we desire?" The article advocates putting the burden on the end user, saying "We must also take personal responsibility to kill spam. We can't pretend the politicians will do it for us. Their incentive is to develop a cute re-election flyer, not solve the problem. If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician? There are steps each of us can take to kill spam, and to help foster a culture that encourages spam killing." While this forgets the onus of spam on the ISP and telco companies, it should well be part of a multi-tiered plan against spam.

Spam is not going away

[Dancin_Santa]

No matter how technically savvy you are, if your email address is picked up by a spammer you will receive spam. Whether it hits your inbox or not, somewhere along the line someone has had to relay that message to your mail server and the bandwidth is already wasted.

Get a good filter, use whitelists, whatever. Just don't think that you will be able to eradicate spam without governmental help.

The broken-ness of email

[Alioth]

We need more than this to stop spam. There's too many idiots about who'll buy spammer's products.

I don't think SMTP itself is fundamentally broken - we just need some improvements to the administration.

In the early days of road transport, drivers were unlicensed - anyone with the money could buy a car and drive it. As traffic built up, eventually this was no longer tenable. As email traffic builds up - lack of licensing for MTA operators is becoming untenable. My server has rejected over 1.2 *gigabytes* of malware in the last week (mostly Swen worms). SpamAssassin kills 80 spam messages a day in my mailbox alone - and still about 15 a day get through. The option of "doing nothing" about email is no longer viable. Schemes like "sender pays" are untenable too (and unfair - why should I pay yet another fee to use bandwidth I'm already paying for once?)

What is really needed is a licensing scheme for people who operate MTAs, just like there is for amateur radio. In brief, here's an outline of what could be implemented. I know this will probably draw the ire of Slashdotters who think they should be able to just run an MTA on their cable modem connection with no qualifications - but this is *exactly* where the problem stems from: to be sure of not dropping too much 'ham' we have to accept SMTP connections from more or less anyone. And this means we get flooded with over a gigabyte of Swen worm traffic in a week.

This list of requirements is by no means comprehensive - it's just a starting point for discussion.

* If you want to run an MTA, you must be licensed to do so.
* A licensed MTA operator may only relay mail from their own network or from other licensed MTA operators. In the case of a home user, this means they can only relay mail from their LAN. In the case of an ISP, from their own netblocks etc.
* A licensed MTA operator may only receive mail from other licensed MTAs. This means you must reject email from the unlicensed (virus/spam spewing) MTA on adsl-192.14.5.6.pacbell.net.
* A licensed MTA operator may only send mail to other licensed MTAs.

MTA licensing can be based on digital certificates. The MTA oper's signature will appear in the header of the email.

To obtain a license, the MTA operator would have to take an exam. The awarding and administering of licenses will be done by TLD. (A good idea would be that the licensing authority must not be the same company or subsidiary of the company that runs the TLD, so VeriSign is not allowed to be the licensing authority for .com/.net, and Nominet is not allowed to be the licensing authority for .uk, and Domicilium is not allowed to be the licensing authority for .im) There can be more than one licensing authority per TLD.

The upshot of this is that if a licensed MTA operator passes spam or malware, they can have their license suspended or revoked, or fines levied. MTA operators at the ISP level will be *very* careful to ensure they don't harbour spammers because they'll lose their MTA license. They will be *very* careful they configure their system to not allow executable attachments, or at least scan them for malware. Small MTA operators will be *very* careful not to accidentally configure their mail server to be an open relay.

To obtain an MTA license, an exam should be passed not for a specific MTA such as Exim or Sendmail, but general good practise in operating an email server, and general knowledge about internetworking - just like amateur radio licenses don't have exams on a specific model of ICOM radio. Additionally, the MTA operator must provide positive ID when applying for the license - this way, we make sure the MTA oper is accountable for what their MTA emits.

Of course, an actual implemented system like this will be more complex than what's outlined in this posting. Of course, most Slashdotters will hate the idea expressed above - I wouldn't really like to have to take exams to keep running the mail server I already

What they're missing

[Phroggy]

Spam exists because it works; enough people buy products that are advertised through spam that the increased sales more than make up for the cost of spamming.

Companies choose Microsoft solutions because Microsoft provides the most flexible, stable and secure systems, with lower TCO than the competition.

I believe both of these statements are false, but are believed to be true by people making the decisions. Why? Because spammers and (to a much lesser extent) Microsoft salespeople are dirty rotten lying scumbags out to make a buck by cheating whoever they can. On top of that, spammers also sell their service by claiming what they're selling is not spam - it's direct marketing to a targeted opt-in list of interested consumers over the Internet. We all know in reality it's completely untargetted and their definition of "opt-in" includes allowing your e-mail address to appear unobfuscated on any web page, using it to register a domain name or post to a newsgroup, or simply choosing an e-mail address that could be guessed at random. We know that, just like we know Windows almost never has a lower TCO than anything. But the people paying the money don't, because they simply don't know better.

This article says nothing

[hankaholic]

This article was a waste of my time to read.

For those who haven't read it (and I hope you haven't -- don't waste your own time), basically it says this:

End-users should take responsibility for spam, and the best way to prevent spam is to stop putting email addresses in mailto: links on web pages and in unmunged form in posts to Usenet.

However, it really doesn't explain how the author thinks that people can do something to take responsibility for receiving unsolicited (!) email.

The article fails to mention dictionary attacks and worms, both of which have the potential to find millions of addresses which aren't listed on any web page or in any newsgroup.

I'd be truly surprised if there weren't a worm in the works which would not only act as a mail relay, but which would take care to forward mail to every address listed in a person's address book. Rather than worry about maintaining lists of email addresses, spammers could feed their message to the network of worms (possibly through IRC, or maybe even an instant messaging protocol), and the network would feed messages to every address listed on an infected user's hard drive, and probably to several variants of the addresses as well.

What the article fails to address is this: how can the person who never publishes their email address anywhere take responsibility for spam in the face of dictionary attacks, and when they have no control over friends putting the person's address in their address books?

The article says that when fighting spam, you shouldn't look to the politicians, because they have not the technical knowledge to make legislation stick.

In response to that, I suggest that you not look to the article for spam-fighting advice, because the author seems not to have the technical knowledge to actually develop a solution, or even offer suggestions beyond never publishing unmunged headers.

To those of you who read the article, I feel your pain. You will never get those wasted moments back. But did anyone else cringe when he suggested using graphics to display email addresses in Usenet postings?

My thought is that people advocating posting graphics to Usenet with every post probably don't have a spam solution either. In fact, they're suggesting placing a higher load on NNTP servers, in effect doing the same thing to news servers as spammers do to mail servers: clog them with extra, unneeded garbage, reducing their overall capacity with respect to legitimate communication.

Oh, and have a nice day, everyone!