Slashdot Mirror


Would you Warranty Your Email?

Kurt writes "A team from the University of Michigan is proposing an economic solution to spam. Instead of relying on technical solutions or government regulations, they use a sender warranty system. In some cases, they argue, it can even be superior to a perfect filter with zero cost, and no errors. Their working paper is available at SSRN. With the caveat that some infrastructure is necessary (isn't it always?), they also claim their approach restores control to the recipient, halts spam, and creates a marketplace for valuable information exchange."

27 of 395 comments

  1. Would you Warranty Your Slashdot Posts? by inertia187 · · Score: 5, Interesting

    I wonder how well this would work if everyone on Slashdot could warranty their posts. It could be implemented by adding a checkbox next to Post Anonymously, call it Post With Warranty. Your comment then gets bumped up to "+5, via Warranty." If people think it's not worthy of being +5, and they have mod points, they can moderate it down. If they mod it down, they take subscription points from the poster. If the metamoderator disagrees, the moderation is reversed as expected *and* the subscription points are returned to the poster.

    I think this could work. But it sounds like a pain to implement.

    (fp)

    --
    A programmer is a machine for converting coffee into code.
    1. Re:Would you Warranty Your Slashdot Posts? by FileNotFound · · Score: 3, Interesting

      You would need to record the moderator and make him visible in such a case.

      This way any mod bombing would be obvious. Since you are taking a direct financial loss due to poor moderation, you need to know 'who' is causing it.

      Kinda like you can't sue people anonymously.

      --
      In Soviet Russia, the television watches YOU!
    2. Re:Would you Warranty Your Slashdot Posts? by Josuah · · Score: 4, Interesting

      The problem is, there are a TON of moderators that will go and mod-bomb people because they don't like them, regardless of how well-reasoned their post is. Posts are supposed to be moderated, not individuals, but that's not how a lot of people do it.

      Then does starting at +5 and going down really make a difference from starting at +1 and going down, in that respect?

      Two problems I can think of: reading at +5-only becomes just as bad as reading at -1 until enough moderators run through the _entire_ thread culling out the stupid. The penalty for "voiding your warranty" (as proposed by the parent-parent) isn't worse than getting modded down regularly.

      Possible solutions? Warranty puts you up to +X where X is a preference setting. Maybe the default threshold you read at. People who have liked what you said in the past will see you at +X+1 (friend/foe system). The first mod-down removes the warranty completely and pushes the post to +Y where Y is what the poster would have posted at without warranty.

    3. Re:Would you Warranty Your Slashdot Posts? by milkman_matt · · Score: 3, Interesting

      I think something you could add to this plan to fight abuse is -- If someone mods it down, they guarantee that that's what they want to do by agreeing that if the moderation is reversed, it takes THEIR subscription points to repay the person whose points were originally taken?

      -matt

  2. Isn't this BondedSender? by Anonymous Coward · · Score: 1, Interesting

    Isn't this what they do, at least at an ISP level?

  3. Could somebody please sum this up??? by serutan · · Score: 3, Interesting

    These guys must be going for their Advanced Circumlocution degree. After the usual introductory review of existing solutions that don't work, they dive directly into graphs proving how their system will increase everyone's well-being. I gave up halfway through. Could somebody briefly sum up the mechanics of their solution -- what exactly are they proposing that the sender and receiver (and the third party) do? Maybe it was so obvious that I just missed it.

  4. Viruses and mailing lists by Anonymous Coward · · Score: 2, Interesting

    So you get infected with MyDoom.D and it warrants your email... then all the people in spams collect the small fee for each message and you're broke.

    Mailing lists would be a bit difficult too, not to mention usenet gateways. If I mail a gateway and it posts to usenet, does that count as one email? What about the other way around: I post to usenet, does the gateway owner have to cover the cost of the message going to all subscribers... I shouldn't, I didn't even send an email.

  5. A Simple Solution to the spam epidemic? by norite · · Score: 5, Interesting
    100% of the spam I get comes from America - Maybe over there they should simply legislate against the sending of unsolicited commercial emails, like they have here in Europe.

    Then people who get this nonsense in their inboxes can get together and take the companies who use spammers (and the spammers themselves) to market their junk to court. Once the companies who use this service start getting served with class action court orders to stop or else, they should soon get the message.

    Of course, there's nothing to stop the spammers moving/subcontracting to e.g. India or some other place where sending unsolicited emails isn't illegal, but it's a start. Ultimately we can hopefully have a worldwide ban against the sending of unsolicited commercial emails.

    --
    -- Fuck Beta
  6. Get The Geeks Out Of It by Effugas · · Score: 4, Interesting

    I'm a geek. I'm a security engineer. I'm here to say -- the solution is not in the packets, but the dollars.

    Spammers have gotten to the point where they're breaking into people's machines to get them to illicitly send spam. Look at that carefully -- you can't even trust your friends not to spam you anymore. If you don't think Spyware is going to adapt to a spam transport, you're not paying attention. Ultimately, we need criminal prosecution for fraud that follows the money (because money transfers are really well traced). The money link needs to be broken.

    Nothing else has even a hope of working.

    --Dan

  7. Shorter List by Anonymous Coward · · Score: 3, Interesting

    Is there anyone who ISN'T proposing an economic solution to spam or email? Every day it seems like someone is proposing it and making it sound as though they are the first ones who are making the suggestion. Everyone making a proposal would go a long, long way to show why all of the competing methodologies will fail or be compromised and why theirs will succeed (or have a greater chance of succeeding).

    Let us not forget what William Henry Gates III said [1], "I don't care what the information superhighway looks like as long as I've got a tollbooth on it." Everyone is making suggestions to charge for email not because the ideas are technically superior but because they want to be the tollbooth collecting a microcent for every piece of email running across the 'net. Unless|until there are certain issues taken care of online, micropostage will not solve the spam problem although it may still drop money in someone's open pocket (and they will likely not care about spam once that happens).

    [1]ca. 1995-96 just after he returned from his annual sojourn and realized Microsoft almost missed the Internet boat.

  8. "Children should be seen and not heard." by iota · · Score: 5, Interesting

    I don't think that free speech requires anonymity ... Basically, you add accountability.

    Which would lead to --
    "Children should be seen and not heard." (Because they cannot be held accountable for what they say.)
    "The nail that sticks up, gets hammered down." (Because you can't voice dissent without drawing attention to yourself and your family.)

    Effective free speech requires anonymity -- There's usually needed a period of underground "pot-stirring" in order to add momentum to a movement.
    For example: Let's say your boss regularly beats the shit out of you when you walk in the door in the morning. But it's your first job, so you don't know if it's normal or not. But your family depends on your income. You could post anonymously on some forum asking "Hey everyone! Do your bosses kick your asses in the morning like mine?" / or sign your name and likely get a bigger ass whopping along with being fired.

  9. Re:Why not use PKI authentication instead? by Homology · · Score: 2, Interesting
    Once PKI starts to take hold, there would be an incentive for the spammers to start creating throw-away identities, which we could counter with a reputation system for the sender's domain. We could also create a "web of trust", automatically managed by our mail servers, or ourselves, to nip the counteroffensive.

    Your argument is flawed. PKI and "web of trust" are in essence incompatible. PKI is hierarchic in its design: depending on a root CA to sign certificates. "Web of trust" (like in PGP) does not have any concept of a "root" or centralized control that PKI implies.

  10. Re:Why not use PKI authentication instead? by Anonymous Coward · · Score: 2, Interesting

    Their system relies on a sender verification system. How else would the link between email message and escrow account be made?

    Once a reliable sender verification system exists, then is the proposed system of any extra value (except to the people running the escrow network)?

    I saw this presentation at MIT, and it reeked of a VC presentation. I bet the term "the VISA of the email network" comes up a few times in their actual biz presentation.

  11. expose the mod-bombers! by Anonymous Coward · · Score: 3, Interesting

    The problem is, there are a TON of moderators that will go and mod-bomb people because they don't like them, regardless of how well-reasoned their post is

    Who are these mod-bombers? I mean, what does it take to earn the wrath of people on Slashdot? Who takes Slashdot that personally?

    Myself, if I've got mod points, I mod up when I find value to the post, I mod down if I feel it's overrated, and very rarely I'll mod down for other reasons.

    How do these mod-bombers get mod points? Doesn't the meta moderation system let you put the screws to these mod-bombers? Can't we moderate their own posts down, so that the system deems them unworthy of mod points?

  12. And on an almost related note........ by k_stamour · · Score: 2, Interesting

    Anyone else getting this:

    Hotmail.com has added some interesting new filtering to their 'spam blocking' tools. Essentially, they're blocking mail based on the content of the message (what you send), but they won't tell you why it was blocked. There's a magical formula there somewhere. It is not blocked by IP address, as some messages go through and some do not.

    This is occurring from *all* senders, in *all datacenters*......... It's a hotmail specific problem. Here's a microsoft.com employee's response to the issue:

    quote: I've been talking with others here at MSN Hotmail and going over possible options for a domain having this problem with our filtering system and trying to find out what we can do about it.

    We recognize that our filtering technology is blocking your email and unfortunately, we are not able to reveal the details. Although we have no obligation to ensure that your email is delivered, we are working on a solution for people in your situation. At this time, however, we have no solution to offer you.

    We have hopes of such a solution sometime by next couple of months but that is by no means a guarantee.

    I'm sorry I can be of no further help in this matter.

    --
    Julius Caesar - Act I, Scene i: "What mean'st thou by that? Mend me, thou saucy fellow!"
  13. Re:this is so not the way to go by Anonymous Coward · · Score: 1, Interesting

    What are some other solutions then? There are alternatives, but they are not as good. In basic terms, there has to be some cost to keep someone from doing something they want to do. In the US, the only entity that can take extreme measures is the government (like taking a basic freedom away, i.e. right to freedom goes away in jail, right not to be prosecuted for your actions unless it infringes on someone else's rights as in the case of threatening someone, etc.) Asking for the government to step in is something most people have pushed against, so what other costs can we put against spammers?
    BTW, I'm not disagreeing per se, but I'm really interested in some other ideas. Spam sucks...

  14. Re:Why not use PKI authentication instead? by Total_Wimp · · Score: 2, Interesting

    Or better yet, why not a real warranty, like the kind you get with your toaster.

    The government could simply make a word ("warrentemail" for example) and a law that includes the exact legal definition of the word as it relates to email.

    The legal definition would state that all people that put this word in the subject line of their email warrant that either a) the email is for personal, non-business purposes only or b) if it is for business purposes then the sender has a preexisting relationship with the recipient, much like the do-not-call list specifies.

    The law would also specify a $10,000 tax for domestic use or a $10,000 tariff for international use with 20% of all tax or tariff going to any improper recipient. It would apply to anyone who used the word but didn't meet the correct legal criteria. It would apply to each improper email sent.

    Then everyone just makes a simple filter to filter out everyone that does not include this word in their subject line.

    Result - No new infrastructure cost. Very minor burden on personal use. Very minor burden on legitimate business use. No burden on anyone who doesn't use the word. Major burden on anyone who spoofs the word. Major incentive for both private and public parties to catch and prosecute offenders. Actual criminal offenses for offenders that don't pay up because tax evasion is a federal offense.

    TW

  15. Don't speak ill of moderators... by gosand · · Score: 4, Interesting
    The problem is, there are a TON of moderators that will go and mod-bomb people because they don't like them, regardless of how well-reasoned their post is. Posts are supposed to be moderated, not individuals, but that's not how a lot of people do it.

    And yet, there are moderators who will mod down anything that goes against the "geek norm", regardless of content. On some recent thread about movies, I posted what I thought were reasons why LOTR-ROTK was just a good movie and not fantastic. I was modded as a troll faster than you can download a picture of Natalie Portman. See for yourself. Now granted, I didn't go on in great length about my points, but I still think that if you can let go of the fanboy fanaticism and look at it honestly, what I said holds. I was by no means trolling.

    The problem with moderators is that meta-moderating is just a little-too-late. And even if it did work well, it wouldn't be able to stop biased moderating. Or it would plunge it into the void of predictable moderating. Or are we already there? There is a mod of "Troll", but not of "Karma Whore".

    --

    My beliefs do not require that you agree with them.

    1. Re:Don't speak ill of moderators... by Vellmont · · Score: 4, Interesting

      I've noticed the same thing. If you attack people's cherished beliefs (LOTR is the greatest movie EVAR!, Macintosh is Sup3r k00l) people will hate you.

      Personally I think there should be a special "controversial" tag to a post. It doesn't give points one way or another, but identifies posts where (gasp) you might not like what the person is saying! Those are often the posts I want to see, not the same old opinions rehashed over and over. You could then set up a +3 to posts marked "controversial", or if you're an establishment type and don't want to hear anything that challenges your views, you mark it down -3.

      --
      AccountKiller
    2. Re:Don't speak ill of moderators... by Lord Kano · · Score: 1, Interesting

      The post you linked was borderline trollish. Had I been modding, I wouldn't have modded you down. If I metamoded that post I'd call troll a fair moderation.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    3. Re:Don't speak ill of moderators... by Reziac · · Score: 3, Interesting
      Are we so insecure that we need constant ego inflation that "we're right. we're good. we're valued."?

      Actually, yes -- that, in my observation, is the quintessential geek psychosis, for geek types who don't have a life outside of "traditional" geek pursuits.

      It's whence comes that ivory tower perspective we've all seen from [insert-OS-here] bigots. It's what fuels the idea that there are geeks and lusers -- that is, someone to feel superior to (meaning anyone who doesn't share the geek's understanding of the topic, or who might, gods forbid, disagree with the Approved geek opinions.)

      Not to pick on geeks, since the same mindset appears in other specialty fields as well, but most other fields don't so actively select for this narrow-minded bigotry by not only publicly roasting nonconformists, but also thinking it's perfectly good social behaviour to do so.

      IOW, kids who bully in meatspace can usually be made to feel embarrassed about it afterward. Hereabouts, the response to being called on such behaviour is "But he's a moron, and he deserved it!"

      As to "warrantying my posts" or my email or anything else that falls out of my brain -- as slashdot so amply demonstrates, ANY system that relies on anyone's opinion of what's worthwhile or not is going to apply unfair pressure against whatever is currently perceived as dislikeable, unworthy, or defective. Survey-taking outfits recognise that those who are willing to take surveys already have certain biases, and they allow for this bias when parsing survey results. That's a bit harder to do in an uncontrolled environment, where bias is applied by those deciding what's worthy or not.

      BTW, I never mod down -- that would be a waste of mod points.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  16. Trojans, Viruses, etc. by Alric · · Score: 3, Interesting

    I might be missing a critical idea. I feel that I must be. (In my defense, I was up all night playing Crimson Skies and then preparing for an 8:30AM project status meeting.)

    It seems that this warranty, escrow account system would not work well with hacked computers, viruses, et cetera. Here's a simple example; please tell me that I'm wrong. My grandma makes a reasonable attempt to secure her system but leaves some holes. Some hacker, working for a spammer, gets in her system and installs a nice little backdoor program. The spammer starts emailing people from her computer until the money in grandma's escrow account can no longer cover the warranties. The recipients are obviously angered by receiving this spam and collect the money on the warranty. How is she going to get her money back?

    I don't need to belabor this point, but does this plan assume that all email sent from a user's account was purposefully sent by that user? If so, I can't support that. Virus writers and hackers aren't going away. Computers may become more secure; users may become more experienced. But our increasingly interconnected world is simply too complex to eradicate every security hole.

  17. current solution better by Twillerror · · Score: 2, Interesting

    The best current solution is really the only one. Have a list of friendlies (possibly with server information).

    How often do you get an email from a complete stranger that you really want to read? For most personal accounts you have a limited set of email buddies, a lot like an instant messaging service.
    Building this list is the big issue.

    Say you buy something from amazon.com, or another site. The web application needs to be able to add itself to your friendly list. Of course this does not happen automatically, but with something you click. A simple standard would not be that hard to devise so any mail client could receive the message. Upon receiving the message the user is asked if the email is a friendly. At this point the program could check for a valid MX record, and a slew of other tests to see if the record is valid and issue a warning, or give the green light.

    Now if the email is webmaster, or you're the kind of person that does get lots of emails from people on the Web, like a CmdrTaco, you need some more tools. But current spam checkers matched with MX lookup could seriously limit the number of records. You could also do some kind of verification routine where your email program sends an auto-response with one of those pictures. This has gotten worked around with letting porn surfers answer the question for you, but I'm sure it won't be long before people write bots to answer the porn guys wrong.

    MX lookup I think will be the first step. If you can reverse an address, then ask that server if the email is authentic, and even give a CRC/timestamp to see if the email came from it. This would make it harder to run your own email server, but if you're doing this you probably know what the hell MX records are.

  18. Why not? Because its an open market? by DumbSwede · · Score: 1, Interesting
    I don't know about "every problem", but what are the alternatives?

    You just seem to dislike open markets. Am I to infer Central Planning is more effective?

    You imply laws are passed in an open market fashion, and they maybe after a fashion this is so by side effect of effective lobbying, but no one suggests that this is a correct solution.

    You dislike the idea of pollution credits obviously, but fail to show how pollution is increased by use of pollution credits, or fails in its intent to redress certain inequities in the patch work of pollution regulation we have. You just have a gut feeling people shouldn't be given permission to pollute, but this is what regulation is all about, how much and to what end.

    Spam is an example of "the tragedy of the commons".
    Some type of barrier to access is the only way to solve it. By making it an open market everyone has access, but they indulge their use as makes economic sense. The beauty of open markets is that they are self regulating. Call it an emergent behavior from enlightened self interest.

    I am not saying these gentlemen have the correct solution for spam, but to just denigrate it because it has open market as a model is unfair. Open or Free markets work well in many situations, they also fail in many situations. Many times failures attributed to open or free markets are really failures of regulation, that only free certain aspects of a market but leave others restricted. The only thing we should be concerned with is does the solution work and is it fair. Let's not discard it simply because you dislike open markets, and may I also infer capitalism?

  19. Would you Warranty Your Email? by suwain_2 · · Score: 2, Interesting

    Would you Warranty Your Email?

    No, I wouldn't. It's an interesting approach, but I'd never participate in it. It will COMPLETELY break the way things work, and make communications much more complicated. For example, friends/family/colleagues send me a ton of crap. Let's suppose for a minute that I set my cost as $50 per message. I have multiple addresses, so when people forward some ridiculous chain mail on some topic that I vehemently disagree with them on, I get multiple copies. So let's say I get three copies of this chain mail from someone. With the click of a button, I can set a friend out of $150. Obviously, they wouldn't remain a friend for long, and maybe there's something to be said for making people think twice about forwarding me crap.

    But now consider a corporate setting. Let's say I'm really sick of spam at work, and set the price to $500 a message. My boss sends me mail informing me of budget cuts; I'm angered by it, and thus flag it as spam, charging my boss $500.

    And I won't even get into the potential for abuse, where I try to impersonate someone else sending me spam, charging random people insane amounts of money.

    And this just won't work. Spammers have a 'spam and dump' mentality -- they'll sign up for a server, or find a new open relay, dump a ton of spam, and move on. I would fully expect spammers to completely disregard this, running up hundreds of thousands of dollars of debt on a credit card they used to purchase the server. They never pay the bill, and move on. In some strange way, it's kind of like the "If you outlaw guns, only outlaws will have guns" -- spammers will find ways around this, and we'll only inconvenience people trying to send legitimate e-mail. And the basic premise sounds to have a ton of potential issues.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p
  20. Difference between email warranty & RL warrant by TekGoNos · · Score: 2, Interesting

    They miss an important point in the article:

    In RL, a warranty usually is the value of the purchase, that is from 1$ to ... unlimited.

    Now, who has ever returned a floppy disk to the store to claim the warranty ... right, no one.

    Warranties ONLY make sense if they are expensive, at least 50$ or so, but 1 cent warranties just don't work. The money at stake must be important enough for the customer to actually justify the trouble for claiming the warranty.

    In their proposal, the trouble of claiming is minimized for the recipient, so that they may be more keen to claim the warranty. However, even then, this still doesn't make sense. I wouldn't do more than click on ONE button to claim 1 cent. If I had to click on two buttons, it wouldn't be worth it.
    (I might, however, do it anyway, but in this case not for me, but to punish the spammer, hoping that others do it too)

    BUT: the warrant must also be large to justify the trouble of FIGHTING a false claim. As well as the spammer will be harmed by millions of claimed warranties, a hacker could make the world send him 1 cent warranted emails and claim the warranty on all of them.
    This is far more realistic than the 1000$ warrant someone mentioned. If I'm charged 1000$, I go to the police. Will you go to the police if someone steals you 1 cent? But with computers, a hacker could easily steal 1 cent from millions of people, making tens of thousands of money.
    As the warrant is too small to make it worth fighting a false claim, we will see a complete new wave of cyber-crime here.

    And this even without the technical problems of actually tracing an email.

    --
    I have discovered a truly remarkable proof for my post which this sig is too small to contain.
  21. If the technology existed, problem would be solved by cgenman · · Score: 2, Interesting

    This technology requires a sender-verified, secure, trackable, unbreakable e-mail system that ensures the sender is who they say they are, the recipient is who they say they are, and the message is exactly what the sender sent. All mail-sending accounts must be registered and accessible in a centralized database, and must contact that database to send mail.

    The domain hosts then become responsible for the activities of the spammers, because the discovery of the spammer and their account address becomes trivial. Deal with the problem, or be black holed. Or, alternatively, the spammer can be locked out at the db level.

    Nowhere does charging the spammer become necessary. The spammer is simply locked out. E-mail stays free. Nobody gets charged when hacked.

    Personally, I would support a domain-sender-message verification system, whereby a message is MD5'd (or some quicker form of hashing) on its way out and stored in a database for each 12 hour period. Upon receiving the mail, the recipient's mail server queries the reported sender's mail server with the message's listed MD5 key. The mail server goes through the databases for the last 3 12 hour periods (in reverse order) and searches for the listed key. If the key matches, it gives a positive response. If not, the message is destroyed.

    Bingo, verification that the message originated in the particular domain, and that domain is responsible for the activities of its constituents. If that domain owner refuses to take action, their domain and their IP addresses would be blacklisted.
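
Added example, not part of the Slashdot thread or of cgenman's post: a sketch of the digest lookup described in comment 21, with 12-hour buckets searched newest first over the last three periods. All class and function names are hypothetical; SHA-256 stands in for MD5, the server-to-server query is modelled as an in-process call, and the recipient's local recomputation of the digest is an added step the comment does not mention.

```python
"""Sketch of the domain-sender-message verification scheme from comment 21."""
import hashlib

BUCKET_SECONDS = 12 * 60 * 60   # "each 12 hour period"
BUCKETS_SEARCHED = 3            # "the last 3 12 hour periods"


def message_key(raw_message: bytes) -> str:
    """Digest listed with the message. Assumption: SHA-256 instead of MD5,
    because MD5 collisions are practical and the key vouches for content."""
    # Relays add headers in transit, so a real design must fix which bytes are
    # hashed; this sketch hashes the bytes it is given.
    return hashlib.sha256(raw_message).hexdigest()


class SenderDigestStore:
    """Sending domain's side: one set of digests per 12-hour bucket."""

    def __init__(self):
        self._buckets = {}  # bucket index -> set of hex digests

    @staticmethod
    def _bucket(now: float) -> int:
        return int(now // BUCKET_SECONDS)

    def record_outbound(self, raw_message: bytes, now: float) -> str:
        """Called as the message leaves; returns the key to list on it."""
        key = message_key(raw_message)
        self._buckets.setdefault(self._bucket(now), set()).add(key)
        return key

    def was_sent(self, key: str, now: float) -> bool:
        """Answer a recipient's query, newest bucket first."""
        current = self._bucket(now)
        for idx in range(current, current - BUCKETS_SEARCHED, -1):
            if key in self._buckets.get(idx, ()):
                return True
        return False

    def expire(self, now: float) -> None:
        """Drop buckets that can no longer be matched by was_sent()."""
        oldest_kept = self._bucket(now) - BUCKETS_SEARCHED + 1
        for idx in [i for i in self._buckets if i < oldest_kept]:
            del self._buckets[idx]


def receive(raw_message: bytes, listed_key: str,
            sender_store: SenderDigestStore, now: float) -> str:
    """Recipient's side: returns 'accept' or 'destroy'."""
    # Added step: recompute the digest locally. Otherwise a key copied from a
    # genuine message would make the sender's server vouch for any body.
    if message_key(raw_message) != listed_key:
        return "destroy"
    return "accept" if sender_store.was_sent(listed_key, now) else "destroy"


if __name__ == "__main__":
    # Constructed sample messages and timestamps.
    store = SenderDigestStore()
    t0 = 1_000_000.0
    genuine = b"From: alice@example.org\r\n\r\nLunch on Friday?"
    forged = b"From: alice@example.org\r\n\r\nBuy now!!!"
    key = store.record_outbound(genuine, t0)

    print(receive(genuine, key, store, t0 + 3600))                 # genuine
    print(receive(forged, message_key(forged), store, t0 + 3600))  # never sent
    print(receive(forged, key, store, t0 + 3600))                  # reused key
    print(receive(genuine, key, store, t0 + 3 * BUCKET_SECONDS))   # too old
```

The three-bucket window means a message delayed in a queue for more than roughly 24 to 36 hours is destroyed even though it is genuine, which is the delivery-latency cost of bounding the sender's database.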