Would you Warranty Your Email?

Kurt writes "A team from the University of Michigan is proposing an economic solution to spam. Instead of relying on technical solutions or government regulations, they use a sender warranty system. In some cases, they argue, it can even be superior to a perfect filter with zero cost, and no errors. Their working paper is available at SSRN. With the caveat that some infrastructure is necessary (isn't it always?), they also claim their approach restores control to the recipient, halts spam, and creates a marketplace for valuable information exchange."

Summary

[iota]

The idea is basically this: You (the recipient) put a value (say $10) on incoming mail from strangers. If someone wants to send you mail, they have to put that in an escrow account. Then if they meet your requirements, you can recieve the mail. -- If you don't like the mail from any reason, you can take the money from escrow. If you don't do anything, escrow will be released after some time. Oh, they mention that this might not be neccessary for people you already know (whitelists).

This is just lame. The amount of "infrastructure" required is totally ridiculous.
They ignore the fact that email is a general communications media / People who do not like eachother do email because it's practical / but under this nutty system, people would only email people they trust not to "steal" their money in escrow. Mailing lists, anyone?

Once again, someone thinks that you can "solve" spam for the recipient at a huge penalty to a legitimate sender.

Arrg! I hope they didn't get paid to write this tripe.

Re:Maybe I'm out of the loop

Yes, Bill just talked about this exact solution a few days ago. However, the University of Michigan team gave a presentation on this work at Microsoft Research last December. Coincidence that Microsoft now believes in it?

false positive/negative definition?

[silicon+not+in+the+v]

They use what seems to me to be a backwards definition of false positive and false negative with respect to spam filtering. From the article:

Better filters learn recipient preferences and eliminate unwanted messages while suffering from fewer false positives (passing junk messages) and false negatives (screening valuable messages).

I think of this in terms of being tested for HIV. If someone has a false positive, that means they have incorrectly been identified as having the virus being checked for. Doesn't a spam filter indicate "positive" for spamminess to be filtered out, rather than "realness" to be passed? Their definition with respect to spam is the opposite of how I've always heard.

Simplified.

[khasim]

I send you email. I have to put money in an account.

You receive my email, but you've set a monetary level to be checked before it is delivered to you. If I didn't put enough money in my account to meet your level, it doesn't get delivered.

Now, you read my email and don't like it. You get to collect the money I have in my account at the level you set.

If you do like my email, I go on a whitelist.

Example #1: I put $1 in my account, you set your level at $5. None of my email will ever be seen by you.

Example #2: I put $5 in my account, you set your level at $1, you get my email. You don't like my email, you collect $1 from me.

Example #3: I put $5 in my account, you set your level at $1, you get my email. You like my email, so I go on your whitelist.

Simple, really. In theory.

In practice, almost impossible to work.

Better links

The /. summary only links to the umich homepage. But, here are some better ones, pulled from the article. [Posted anonymously to prevent accusations of karma-whoring.]

• Center for Information Technology Integration. These guys are cool. Besides thinking up schemes like this, they also work on things like NFSv4.
• EECS Dept.
• School of Information

---
Proud UofM Alumnus

More info, in a less technical format

[Thede]

Hi, I'm one of the authors of the paper mentioned in this post. We have a short summary of reasoning behind the design posted here It is a little less dense than the SSRN paper. Also, I'll get a protocol diagram up shortly, and a short FAQ, linked from the one pager.

Thede Loder
University of Michigan.

Re:Why not use PKI authentication instead?

[Russ+Nelson]

You are describing Domain Keys. Oh, and the Web-o-Trust.
-russ

Re:stuff

[KGBear]

Orson Scott Card did exactly that on "Shadow of the Hegemon". A lot of the book is comprised by e-mail exchanged by the characters. The format he used was "user%key@domain". If you have the key you go through, if you don't have it you get rejected. This might work, but it would just make the spammer's job harder, not impossible.

Shorter and Easier to read Description

[rwash]

http://www.eecs.umich.edu/~tloder/one_pager.html

That site has a shorter and easier to read description of the ideas presented in the paper. The paper is really a technical economics paper, not a mass-market thing. The one-pager is much easier to read, and its the same people.

Re:Why not use PKI authentication instead?

[ka9dgx]

PGP is a type of Public Key Infrastructure... SSL keys aren't the only game in town. The only difference between the whole "Root CA" and PGP is that the "Root CA" list gets distributed with most SSL implementations, with PGP, you make your own lists.

Technically, anyone can make themselves a root CA, just like anyone can set up their own DNS root. It's a simple matter of consensus, the roots are as valid as the users believe the are.

--Mike--

Re:Get The Geeks Out Of It

[mabu]

You are totally right.

I am having to spend $8000 this month to build a new mail server.

Why?

Because 80% of the mail traffic to my system is unsolicited spam and now I need more resources to handle the mail services for my legitimate users because 80% of my resources are dealing with crap.

Because the authorities don't prosecute the spammers, people like me have to pay for the resources they consume even though I didn't invite them to exploit my resources in this manner.

Something needs to be done, and it has to do with enforcement, not figuring out yet another boneheaded way to inject profit motive into the SMTP stream.

Re:how to fix email

[friendscallmelenny]

stratjakt sayeth: "only degenerates and hotmail users recieve spam." You are forgetting people whose email is listed on a company or univ. website. "Degenerates" that use usenet also get spammed, alt.kool-aid should not attract penis cream ads for god's sake

Re:Thanks, but no thanks

[eclectechie]

IMHO this means the end of mailing lists - what would prevent me from signing up (automatically, of course) to thousands of mailing lists and collecting all the bonds placed for messages posted through these lists ?

Are you sure?

The mailing list puts no money in escrow.

• Those who white-list the list receive the list's mail.
• Those who intend to grab the list's money never see list mail, because it is not delivered for lack of escrow.

Mailing lists are safe.

But I do not think this scheme is feasible, for reasons mentioned elsewhere in this thread.

Re:Why not use PKI authentication instead?

[SwiftOne]

Note the headline of that page:
"Trust gets personal with Thawte's Web of Trust (WOT)"

This is not a discussion of the Web of Trust concept as a whole, but of Thawte's use of the terminology in their little setup. As they are trying to make money off the deal, you can expect them to be slightly skewed.

Note also that their system starts by awarding Trust Points for showing up in person. The Web of Trust PKI concept doesn't care WHO you are, so much as that you are the same person every time, and if you are (whatever you claim to be). So the above poster's hope is that spammers would be unable to be marked as useful/acceptable by anyone within your web of trust. Simple, beautiful.

(The unfortunate weakness, however, is that it just takes 1 security hole on any system in the web of trust, or 1 clueless user, to insert tainted approvals, which can then start spreading. There are fixes to this, but the fundamental simplicity is lost when you insert stupid (read: normal) users.)

Re:Would you Warranty Your Slashdot Posts?

[Pedrito]

Actually, mod-bombing works for a while, as I discovered. Then, suddenly, you're no longer given the ability to mod. I got ticked at someone and mod-bombed them for a few weeks. Then it all came to a sudden end about 2 years ago and I haven't been able to mod since. Oh well.

Another one bites the dust

[Tom]

Another solution that won't work, mostly because it doesn't contain the magical phrases "shotgun" and "spammers head".

Seriously, though: Spammers have been breaking into computers for years now. The current international spam mafias run bot-networks of several hundred-thousand machines each.

So sending mail will cost money (stamp, warrenty, tax - no matter the mechanics). Why exactly should the spammers care? It's not like they're sending from their machines or spending their money.

The serious, working solution to spam is two words: Jail time.

Re:Bad idea

[Alien+Conspiracy]

I can't imagine wanting to receive anonyous mail, though I already use a pseudonymous pay-to-send remailer that works.

Can't see much that is newsworthy in this article. Move along please, nothing to see here...

Re:Would you Warranty Your Slashdot Posts?

[ncc74656]

Yeah, but M2 doesn't work.

Well, that's rather broad - what, in particular, doesn't work in the meta-mod system?

Overrated (the favorite tool of the modbomber) isn't subject to M2. (Neither is Underrated, for that matter.)