Slashdot Mirror


Would you Warranty Your Email?

Kurt writes "A team from the University of Michigan is proposing an economic solution to spam. Instead of relying on technical solutions or government regulations, they use a sender warranty system. In some cases, they argue, it can even be superior to a perfect filter with zero cost, and no errors. Their working paper is available at SSRN. With the caveat that some infrastructure is necessary (isn't it always?), they also claim their approach restores control to the recipient, halts spam, and creates a marketplace for valuable information exchange."

18 of 395 comments (clear)

  1. Why not use PKI authentication instead? by ka9dgx · · Score: 5, Insightful
    I favor an alternative approach, which the authors concede has some merits, but quickly dismiss, sender authentication.

    If I start rejecting all email which is not from a verifiable sender, I'll quickly cut spam, and impose some costs onto those who wish to sent me email. I'm willing to pay those costs when it becomes my turn to send an email. I would start with the recent authorized sender protocols, in addition to Public Key Infrastructure, to begin to authenticate a sender.

    Once PKI starts to take hold, there would be an incentive for the spammers to start creating throw-away identities, which we could counter with a reputation system for the sender's domain. We could also create a "web of trust", automatically managed by our mail servers, or ourselves, to nip the counteroffensive.

    So, there it is... my alternative... sign and validate all email.

    --Mike--

    1. Re:Why not use PKI authentication instead? by Ieshan · · Score: 4, Insightful

      The worst part about all this is that suddenly everyone who writes an email is required to be identified.

      Email is one of our last few partially anonymous methods of communication. Emailing (and posting) as "Anonymous Coward" is a seriously useful thing and taking it away from people will probably be more disasterous than originally imagined.

    2. Re:Why not use PKI authentication instead? by gcaseye6677 · · Score: 3, Insightful

      Anonymity vs. accountability is always a tradeoff. If it is easy for anyone to send emails without disclosing their identity, this can have its advantages. But if they start spamming, how will you stop them? People should have the option of receiving only email from trusted sources, which can pretty much eliminate spam for them. They can easily filter out any source they do not wish to receive from. Someone who is not comfortable with this idea can always choose to receive from anyone and then use appropriate filtering techniques that work for them. Its kind of like setting your slashdot filters. You can choose to include everyone, or you can filter out ACs, low rated posts, foes, etc. You could even choose to only read posts from people you trust, if that's your preference. Having a moderation type system for email, combined with other filtering systems, is by far the best way to cut down on spam.

    3. Re:Why not use PKI authentication instead? by Phillup · · Score: 5, Insightful

      Whoa there partner...

      You are only required to be identified if the receiver requires it .

      While you have every right to "free speach"... you have no right to force someone to listen to said speach.

      Quite frankly, I don't want any "Anonymous Cowards" in my home.

      I go to Slashdot... and other web sites. But, I bring my mail into my house. At least, in the social sense of things.

      So, right off the bat... to me there is a huge difference between encountering information I might not want to encounter because I went somewhere, and encountering the same information because it was sent to me.

      --

      --Phillip

      Can you say BIRTH TAX
    4. Re:Why not use PKI authentication instead? by jsebrech · · Score: 4, Insightful

      First of all, there is no credible difference between holding a discussion over slashdot or holding a discussion over email. Do it through a hotmail account and you're even using the same program to do it. You can come to slashdot and read something you find offensive without warning in advance that it is, just like can happen with email. So trying to draw an arbitrary distinction between anonymous cowards on slashdot and anonymous cowards in email is just that, arbitrary.

      One might also argue that shielding yourself from that which you find offensive is bad for the mind. If you shy away from extremes, inevitably your comfort zone shrinks, and you become close-minded. It's only by trying to see the viewpoints of those who disgust you that you can come to truly new realizations about how the world works. Treading the trodden moral paths doesn't take you into uncharted lands, though it does guarantee you a pretty average and "normal" life.

      Secondly, the problem is that if a pki system were to take hold to identify senders, eventually it would become required to be identified just for someone to SEE the mail you're sending to them. Although it is possible to devise a system where the net identity of someone is thrustworthy while at the same time not revealing their real life identity, it is ridiculously unlikely that such a system would be promoted by the big isp's. They've already got the riaa and friends breathing down their neck wanting identification of customers, they're not going to back a system that helps people stay anonymous while comitting crime.

      Too bad the founding fathers didn't recognize privacy as a right that could be threatened. Until a few decades ago, it wasn't feasible to tie together the knowledge the world has amassed on someone into one large fount of dirty details. Today it is. Most people can have their lives ruined just by the not-so-secrets that are spread around the globe about them (don't believe me? think about everything you've ever purchased with a credit card, now think about everyone in your life knowing about those purchases... unnerving, isn't it?).

      There are two ways out of this, force privacy by law, or admit there is no privacy and stop holding people's pasts above their heads. Both are unlikely, and any other system leads to major abuses.

  2. Bad idea by ObviousGuy · · Score: 5, Insightful

    One benefit to having email is the ability to post information anonymously in order to avoid possible repercussions. Slashdot has that feature with the "Post Anonymously" checkbox (which should be pointed out, is not 100% anonymous and can be tracked by IP and logged-in account name) and it also exists with anonymously emailers.

    Forcing someone out into the open by the use of such 'warranties' imposes a chilling effect on free speech through email.

    I hate spam, but I hate the idea that important speech could be stifled by the use of badly considered spam 'solutions'.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:Bad idea by ceritus · · Score: 5, Insightful

      Yep, and this is the crux of the whole spam problem: We want to be able to send as many emails with any content in it to anyone we want without any cost yet, we don't want someone to send us tons of email that we consider crap. You just can't have both these things; it's impossible to seperate the two. We can't be hypocritical and say to someone "I should have the right to this free speech medium while this guy over here can't have the same because he's doing something we don't like". I think we're going to have to give up some of our "rights" in e-mail to get rid of this junk mail. I don't like it but I have the feeling that it's going to have to happen.

  3. Nice thought; won't work by shystershep · · Score: 4, Insightful
    Stripped of jargon and graphs, their idea is to create a system based on whitelists. If you're not on a whitelist of the person you send a message to, they can deduct money from an escrow account that you have set up for that purpose. The premise is that people won't open mail from people not on their whitelist unless there is money in that escrow account to pay for their time, thus imposing sufficient costs on spammers to make the current model unprofitable.

    The primary problem I see with this is getting enough people to start using this system. The majority of people probably aren't going to bother with it unless they have to, which means that most emails will be accepted whether or not it costs the sender money, good or spam, because most of a given recipient's contacts will not have the escrow set up. Unless creating the escrow account is mandated, which makes it no different than most of the 'tax' systems, I don't see this model working any better than what we have today.

    What looks good in an academic paper doesn't always translate into the real world. Would their idea work? Yes, with sufficient participation. Will there ever be sufficient participation? No. Look at pgp keys/signatures. There are means of validating the sender's identity now that would stop spam, but they are not used because it requires people to opt-in and most people don't care enough (no matter how much they complain about spam).
    --
    The bigotry of the nonbeliever is for me nearly as funny as the bigotry of the believer. - Albert Einstein
  4. Re:Would you Warranty Your Slashdot Posts? by Evil+Adrian · · Score: 3, Insightful

    The problem is, there are a TON of moderators that will go and mod-bomb people because they don't like them, regardless of how well-reasoned their post is. Posts are supposed to be moderated, not individuals, but that's not how a lot of people do it.

    --
    evil adrian
  5. this is so not the way to go by hswerdfe · · Score: 3, Insightful

    why does evry problem in life have to be solved by creating a free and open market?

    I for one think that there are some things that can not be solved simply by attaching a price tag to it.

    do you want to polute? how much money do you have to buy pollution credits?
    do you want to send email? how much money do you have to buy a warenty?
    do you want to get laws passed how much money do you have to "lobby" with.

    sigh...:(

    --
    --meh--
  6. First, secure every machine. by Russ+Nelson · · Score: 5, Insightful

    So these guys want our computers to spend our money? First they have to secure every machine. Of course, once you do that, you don't have DDOSes, nor proxy spam. The first step of their solution *is* the solution; the remaining steps would be a waste of time.
    -russ

    --
    Don't piss off The Angry Economist
  7. Thanks, but no thanks by cwernli · · Score: 5, Insightful

    After having introduced the concept of "whitelists" for known senders the article continues:

    In the case of strangers, the warranty mechanism is more suitable. Analogous to a standard bond mechanism, delivering email to an inbox requires an unknown sender to place a small pledge into escrow with a third party. In the case of screening, recipients determine the size of this bond, which they can dynamically adjust to their opportunity costs. The email is delivered only after the recipient receives suitable confirmation that the bond has been posted. When the recipient opens the email, she may act solely at her discretion to seize the pledge. Taking no action releases the escrow after a period of time.

    IMHO this means the end of mailing lists - what would prevent me from signing up (automatically, of course) to thousands of mailing lists and collecting all the bonds placed for messages posted through these lists ?

    "Of course mailing list operators would first get your approval that you let through all their messages".

    This is where it starts getting complicated. And complexity is exactly what I don't want with email - it is simple, and shall remain simple.

    Therefore I am perfectly willing to put up with the current spam levels - hey, I can deal with those five to ten messages a day which pass through my Bayesian filter. On certain days I get more than that in my smail box.

  8. Uh no. by KalvinB · · Score: 4, Insightful

    Ohhh look another "best idea on the internet" that's the same old "charge them" idea that many others have had that's still stupid.

    Basically this idea annoys everyone and solves nothing. There would be a lot of rich people who simply spend all day signing up on lists and then collecting the "fine" when they get e-mails.

    The way to stop spam that doesn't require messing with STMP is to use web-forms. The web-form on my mail server is written in PHP and is basically a custom e-mail client. It connects to the mail server and sends to exactly one address that's hard coded in the script. Giving it random letters and numbers would prevent spammers from guessing it and users wouldn't care because they don't have to remember it. My particular PHP script only sends text only e-mails as well.

    If you use a non-generic web-form with a unique filename and unique variables, it makes it quite impossible for spammers to make bots to whore their spam automatically.

    What would be really clever if you want to prevent bots entirely you just have an array of images. And an array of questions, one for each picture. And the user has to answer the question like "what color is the apple?"

    No amount of image scanning by a bot is going to figure that out.

    Then instead of telling people an e-mail address you just give them your domain. It's still SMTP so you can contact people out side the script if you want.

    The other method I use on the server side is filtering domains that spammers use to host their product pages or images. I've gotten hundreds of e-mail attempts according to RinetD's logs and only a couple spams with domains I hadn't added to the filter yet have gotten through. Since the PHP script goes through the mail server and doesn't actually send the e-mails itself, all the spam prevention is also applied to the web-form. And since no legitimate e-mails use those domains, I've had 0% collateral damage.

    I get virtually no spam and have yet to break SMTP or charge anyone anything just to send me an e-mail. It's really not that hard.

    Ben

  9. Hotmail by cgenman · · Score: 4, Insightful

    Email is one of our last few partially anonymous methods of communication. Emailing (and posting) as "Anonymous Coward" is a seriously useful thing and taking it away from people will probably be more disasterous than originally imagined.

    There was some drama recently around an anonymous e-mail communication this past few weeks at my roommate's place of employ. What did the sender use? Hotmail.

    Hotmail, yahoomail, and other free mail services use ciphers to identify people as human beings, and track IP's to resist automated signup scripts, but the medium is still essentially anonymous. Except for the IP address of the sender, which can be masked via a little wardriving or a trip to the library, the system is as anonymous as the sender wishes.

  10. it's a shame... by *weasel · · Score: 4, Insightful

    ... that i have no mod points.

    I agree completely and emphatically. Email is not a free-speech/privacy issue, and i think people are forgetting that.

    There is no provision in the constitution that guarantees an audience for free speech, yet this is precisely what anonymous email does. It puts a burden on me, the recipient, to sort through the garbage of others.

    If you want more anonymous speech, get a blog, post to a web board, post to usenet.

    Your freedoms stop when they infringe on the freedoms of others. Your freedom to be heard is wholly consitutionally blocked with my right to post a no soliciting sign.

    I see no reason why I can't effectively put a similar sign on my email box. (let alone my meatspace mailbox)

    the only reason bulk mail persists, is because it's effectively privately subsidizing the outdated and inefficient USPS. Spam, on the contrary, is wholly an economic drain on the delivery system. there is no benefit to anyone to retain spam, except those corporations who wish to have no responsibility to maintain an honest opt-out policy.

    sure, spam finds willing recipients, so someone must want this garbage - but so do door to door salesmen. And I'm perfectly within my rights to forbid them from coming onto my property. a right which does not in any way infringe on their right to be heard, or their ability to simply bug my neighbor.

    --
    // "Can't clowns and pirates just -try- to get along?"
  11. Re:Summary by shic · · Score: 3, Insightful

    I disagree with your position. The fundamentally different thing about this warranty idea is that it presents a payment system which would permit cost free maintenance of legitimate mailing lists. When a user wishes to subscribe to a mailing list they send an email with warranty to the list maintainer, who claims (or puts this sum in permanent limbo) the warranty funds, which should exceed the warranty demands of the subscriber. The subscriberwould then remain subscribed at no additional cost until such time as they either request to unsubscribe (under which circumstances the funds are released back to them) or they claim the warranty on an email sent on the list... which would be detected by the list maintainer and effect a termination of the subscription. I personally suspect a very low warranty value would prove remarkably effective... $1 associated with each of millions of spam messages would get expensive, whereas tying up $20 for a typical user with only a handful of messages in limbo at any one time is unlikely to be a significant burden.

    I agree that the infrastructure would be considerable - but I for one, remembering how useful email was a decade ago, would be willing to pay whatever it takes to establish a system in which any individual can contact me easily but where a few dozen arrogant cretins don't bother me every few hours with their typically criminal mass mailed proposals. I like the idea of warranties far more than I like the idea of micro-payments which (in my opinion) are likely to prove a far more significant burden for honest email users.

  12. Re:More info, in a less technical format by iota · · Score: 4, Insightful

    From the parent: Warning Signs of a Flawed Proposal

    And I would say at least these apply:
    (Quoted from the site above)

    # You have discovered the Final Ultimate Solution to the Spam Problem (FUSSP).
    # You are the first to think of the FUSSP.
    # You started looking for the FUSSP after observing that it is impossible to filter more than 99% of spam with fewer than 0.1% false positives by currently available mechanisms.
    # You don't plan to make a fortune from the FUSSP, but you do expect fame as its generous and public spirited netizen inventor.
    # You are deeply hurt and angry because you are not respected as "spam fighter."
    # People don't see the value of the FUSSP because they have axes to grind, are jealous, or are too stupid to understand it.
    # You learned how to stop spam during the more than six whole weeks you've been fighting it.
    # The FUUSP assumes that your attention is so important that strangers, other than advertisers, from will pay money to send you mail.
    # You cannot name several potentially fatal flaws in the FUSSP.
    # All you need to do to get the FUSSP implemented and deployed is to publish an RFC or get a law passed.
    # You don't recognize any significant difference between deploying and implementing the FUSSP.
    # You plan to publish an RFC mandating the FUSSP but have never heard of RFC 2223 or RFC 2026.
    # Inventing the FUSSP did not require that you know the difference between RFC 821 and RFC 822 or that they have been replaced by RFC 2821 and RFC 2822.
    # You don't know the relevance of "consensus" or "IESG approval" to publishing RFCs.
    # Spammers won't ignore, subvert, or exploit the FUSSP if you publish it as an RFC.
    # The FUSSP depends on spammers or mail recipients changing their behavior without any immediate gain.
    # The FUSSP won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem.
    # Your job is done after having explained the FUSSP to the IETF or The Industry..
    # Programmers will drop everything to implement the FUSSP.
    # You know that SMTP has no authentication and have never heard of SMTP-AUTH, SMTP-TLS, S/MIME, or PGP.
    # You know that the failure of SMTP servers to authenticate the SMTP clients of strangers is a major bug in SMTP instead of an expression of a primary design goal.
    # The FUSSP requires a small number of central servers to handle certificates, act as "pull servers" for bulk mail, account for mail charges, or whatever, but that is not a problem.

    ** Well, in this case worse -- It requires a whole banking system!

    # The FUSSP requires that anyone wanting to send mail obtain a certificate that will be checked by all SMTP servers.
    # You have found that most Internet users would be happy to pay $5/month to avoid spam and do not know the prices of anti-virus software or data.
    # You have never heard of RFC 2554 or RFC 2487 and the FUSSP includes fixing the lack of authentication in SMTP.
    # The FUSSP involves replacing SMTP.
    # Your definition of spam differs significantly from "unsolicited bulk email."
    # You frequently use math, statistics, and information theory, and almost as frequently notice people hiding grins or stifling laughs.

  13. Re:Don't speak ill of moderators... by 4of12 · · Score: 4, Insightful

    where (gasp) you might not like what the person is saying!

    I find this is where MetaModeration enters the picture for me.

    Moderating, I get so few points (how are you ever going to do a good moderating job with just 25 points, I mean) that I'll use them up quickly, mostly doing +1 on well-written, well-reasoned posts that I agree with, and maybe 10-15% of the time pushing trolls and flamebaits down into the basement.

    But Meta Moderating I've re-inforced +1 ratings that other Moderators have given to well-written comments that oppose my own views.

    Is there anything more boring than listening to like-minded people? Are we so insecure that we need constant ego inflation that "we're right. we're good. we're valued."?

    --
    "Provided by the management for your protection."