Slashdot Mirror


How to Kill Spam Without the State

WaxParadigm writes "The Colorado Freedom Report, an online libertarian publication in Colorado, has an article today about How to Kill Spam Without the State. Will our heavy-handed attempts to stop spam through legislation have the outcome we desire?" The article advocates putting the burden on the end user, saying "We must also take personal responsibility to kill spam. We can't pretend the politicians will do it for us. Their incentive is to develop a cute re-election flyer, not solve the problem. If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician? There are steps each of us can take to kill spam, and to help foster a culture that encourages spam killing." While this forgets the onus of spam on the ISP and telco companies, it should well be part of a multi-tiered plan against spam.

2 of 517 comments

  1. Spam is not going away by Dancin_Santa · Score: 5, Interesting

    No matter how technically savvy you are, if your email address is picked up by a spammer you will receive spam. Whether it hits your inbox or not, somewhere along the line someone has had to relay that message to your mail server and the bandwidth is already wasted.

    Get a good filter, use whitelists, whatever. Just don't think that you will be able to eradicate spam without governmental help.

  2. The broken-ness of email by Alioth · Score: 5, Interesting

    We need more than this to stop spam. There's too many idiots about who'll buy spammers' products.

    I don't think SMTP itself is fundamentally broken - we just need some improvements to the administration.

    In the early days of road transport, drivers were unlicensed - anyone with the money could buy a car and drive it. As traffic built up, eventually this was no longer tenable. As email traffic builds up - lack of licensing for MTA operators is becoming untenable. My server has rejected over 1.2 *gigabytes* of malware in the last week (mostly Swen worms). SpamAssassin kills 80 spam messages a day in my mailbox alone - and still about 15 a day get through. The option of "doing nothing" about email is no longer viable. Schemes like "sender pays" are untenable too (and unfair - why should I pay yet another fee to use bandwidth I'm already paying for once?)

    What is really needed is a licensing scheme for people who operate MTAs, just like there is for amateur radio. In brief, here's an outline of what could be implemented. I know this will probably draw the ire of Slashdotters who think they should be able to just run an MTA on their cable modem connection with no qualifications - but this is *exactly* where the problem stems from: to be sure of not dropping too much 'ham' we have to accept SMTP connections from more or less anyone. And this means we get flooded with over a gigabyte of Swen worm traffic in a week.

    This list of requirements is by no means comprehensive - it's just a starting point for discussion.

    * If you want to run an MTA, you must be licensed to do so.
    * A licensed MTA operator may only relay mail from their own network or from other licensed MTA operators. In the case of a home user, this means they can only relay mail from their LAN. In the case of an ISP, from their own netblocks etc.
    * A licensed MTA operator may only receive mail from other licensed MTAs. This means you must reject email from the unlicensed (virus/spam spewing) MTA on adsl-192.14.5.6.pacbell.net.
    * A licensed MTA operator may only send mail to other licensed MTAs.

    MTA licensing can be based on digital certificates. The MTA oper's signature will appear in the header of the email.

    To obtain a license, the MTA operator would have to take an exam. The awarding and administering of licenses will be done by TLD. (A good idea would be that the licensing authority must not be the same company or subsidiary of the company that runs the TLD, so VeriSign is not allowed to be the licensing authority for .com/.net, and Nominet is not allowed to be the licensing authority for .uk, and Domicilium is not allowed to be the licensing authority for .im) There can be more than one licensing authority per TLD.

    The upshot of this is that if a licensed MTA operator passes spam or malware, they can have their license suspended or revoked, or fines levied. MTA operators at the ISP level will be *very* careful to ensure they don't harbour spammers because they'll lose their MTA license. They will be *very* careful they configure their system to not allow executable attachments, or at least scan them for malware. Small MTA operators will be *very* careful not to accidentally configure their mail server to be an open relay.

    To obtain an MTA license, an exam should be passed not for a specific MTA such as Exim or Sendmail, but general good practice in operating an email server, and general knowledge about internetworking - just like amateur radio licenses don't have exams on a specific model of ICOM radio. Additionally, the MTA operator must provide positive ID when applying for the license - this way, we make sure the MTA oper is accountable for what their MTA emits.

    Of course, an actual implemented system like this will be more complex than what's outlined in this posting. Of course, most Slashdotters will hate the idea expressed above - I wouldn't really like to have to take exams to keep running the mail server I already
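
The acceptance rules listed in the comment above (take mail only from your own network or a licensed MTA, relay onward only to licensed MTAs, with licenses that can be revoked), sketched as an added example that is not part of the original post. The registry, license IDs, netblocks, domains and the `decide` function are hypothetical, and the peer's license ID is assumed to come from a certificate already verified at the TLS layer.

```python
import ipaddress
from typing import Optional

# Constructed sample data (hypothetical): the licensing authority's registry
# of operator licenses, plus this operator's own netblocks and domains.
LICENSE_REGISTRY = {
    "LIC-ISP-0001": "active",
    "LIC-HOME-0042": "active",
    "LIC-BULK-0666": "revoked",  # license pulled after the operator passed spam
}
OWN_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.org"}


def is_licensed(license_id: Optional[str]) -> bool:
    """True only for a license the authority currently lists as active."""
    return license_id is not None and LICENSE_REGISTRY.get(license_id) == "active"


def from_own_network(peer_ip: str) -> bool:
    """True if the connecting address is inside one of our own netblocks."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in OWN_NETBLOCKS)


def decide(peer_ip: str, peer_license: Optional[str],
           rcpt_domain: str, next_hop_license: Optional[str] = None) -> str:
    """Return an SMTP-style reply for one recipient under the proposed rules.

    peer_license is the license ID from the peer's verified certificate
    (assumption), or None if the peer presented none.
    """
    # Rules 2 and 3: take mail only from our own network or a licensed MTA.
    if not (from_own_network(peer_ip) or is_licensed(peer_license)):
        return "550 5.7.1 sending MTA is not licensed"
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return "250 2.1.5 accepted for local delivery"
    # Rule 4: onward relay only to another licensed MTA.
    if not is_licensed(next_hop_license):
        return "550 5.7.1 next hop MTA is not licensed"
    return "250 2.1.5 accepted for relay"


if __name__ == "__main__":
    # 192.14.5.6 is the address implied by the ADSL hostname in the comment.
    print(decide("192.14.5.6", None, "example.org"))
    print(decide("198.51.100.7", "LIC-BULK-0666", "example.org"))
    print(decide("192.0.2.15", None, "example.net", "LIC-ISP-0001"))
```

A revoked license is treated exactly like no license, which is what gives suspension and revocation their effect in this scheme.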