Slashdot Mirror


Attention Bonds Gain Momentum

Thede writes "Hi all - the ABM, a proposed solution to spam first posted to /. back in February, is gaining some momentum and refinement. It has been presented at the Federal Trade Commission, the ACM, the National Bureau of Economic Research (NBER), and at the ITU in Geneva earlier this month. The original post referenced an academic article that is not so accessible. We now have a short FAQ and a very detailed Q and A that covers a lot of the issues raised over the last five months. Next step (barring gaping holes) is to get a standards effort going - and most of the needed standards already exist."

9 of 213 comments

  1. If they can authenticate the sender .... by Jason1729 · · Score: 4, Interesting

    to get the bond, then why can't they use the same technique to simply stop all unauthenticated email? If the sender is forced to use their real name, spam will stop pretty fast.

    1. Re:If they can authenticate the sender .... by Bios_Hakr · · Score: 2, Interesting

      Could open up a new can of worms. I rather like being Bios Hakr. I'd really have a hard time posting to groups like this if I had to go by my real name.

      There are also about 10,000 other privacy concerns. With your idea, you might as well use your social security number as your global user name...and your mom's maiden name as your password. That way, when you piss off someone, it's easy for them to find you.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
  2. no more free email accounts by hdd · · Score: 2, Interesting

    Does this mean we all need a credit card to sign up for gmail and other similar "free" email accounts?

    --
    This Sig is removed due to factual inaccuracy
  3. It's just another special case of my scheme by argent · · Score: 2, Interesting

    It's another special case of the same general scheme which I call "tokens". Examples of token-based schemes include whitelists, challenge-response with automatic whitelists, digital signatures, micropayments: the common factor is that the recipient chooses a token that all mail they receive needs to contain. The token can start out simple (just requiring a special word in the subject line works wonderfully right now) and can be made more complex and expensive as the spammers adapt to it.

    The mistake these people make is the same one most "perfect token based schemes" make: they assume that they have to start with the most complex and difficult token that they "know" spammers will never adapt to right from the first day. You don't. You can start out with a simple easily forgeable token and worry about switching to one of the cryptographically secure or money-based tokens later... in my case my family has been using simple tokens for a couple of years now and a grand total of two spammers... 419-ers, as it turns out... have bothered to jump through even that simple a hoop.
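
The escalation described in the comment above, as an added example that is not part of the original post: one filter with a swappable token check, first a shared word in the subject, then a per-sender HMAC token. The word `bluefin`, the key, the addresses and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical recipient policy; both values are constructed for this example.
SIMPLE_TOKEN = "bluefin"              # stage 1: shared word told to correspondents
HMAC_KEY = b"constructed-demo-key"    # stage 2: secret only the recipient holds


def issue_token(sender: str) -> str:
    """Stage 2 token the recipient hands to one sender; only the key holder can mint it."""
    mac = hmac.new(HMAC_KEY, sender.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def check_simple(sender: str, subject: str) -> bool:
    """Stage 1: accept mail whose subject contains the shared word."""
    return SIMPLE_TOKEN in subject.lower().split()


def check_hmac(sender: str, subject: str) -> bool:
    """Stage 2: accept only a token bound to the claimed sender address."""
    expected = issue_token(sender).encode()
    return any(hmac.compare_digest(w.encode(), expected) for w in subject.split())


def filter_mail(messages, checker):
    """Return the subjects that pass the recipient's current token check."""
    return [subject for sender, subject in messages if checker(sender, subject)]


# Constructed inbox: a correspondent, a spammer who has not adapted,
# a spammer who copied the shared word, and the correspondent after the switch.
INBOX = [
    ("aunt@example.org", "bluefin photos from the trip"),
    ("bulk@example.net", "cheap meds"),
    ("bulk@example.net", "bluefin cheap meds"),
    ("aunt@example.org", issue_token("aunt@example.org") + " photos from the trip"),
]

if __name__ == "__main__":
    print("stage 1 accepts:", filter_mail(INBOX, check_simple))
    print("stage 2 accepts:", filter_mail(INBOX, check_hmac))
```

Switching `checker` is the only change the recipient makes when the simple word leaks; a stage 2 token copied from one sender fails when presented under a different sender address.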

  4. Could it stop stupid forwards from work? by 6Yankee · · Score: 2, Interesting

    If companies have to put up a bond for every outgoing email, and lose that bond when recipients don't want to read it, it might even cut down on the number of clueless twits who forward the same tired old jokes, etc., from their work account.

    When someone from IT appears at their desk with a log printout and a total cost, and demands repayment on the spot, the idiot user might get the message. First offence, maybe the money gets donated to the corporate charity; second offence, the user in question gets suspended by their underwear from a 40th-floor window and left to rot.

    On the other hand, if IT weren't smart enough to figure out who was doing it (or if the user were smart enough to foil them), what would stop some disgruntled employee sending thousands of stupid jokes just to cost the company money?

  5. The three best reasons to reject this idea, by nusratt · · Score: 2, Interesting

    even if one assumes that all the prior "there's a hole" posts are wrong . . .

    Reason #3: SPF. I didn't even need to read beyond the ABM FAQ's TOC. Just look at the length of the TOC itself. Although there's a TOC item "Will the ABM be complicated to use?", the answer is obvious without reading it. Now contrast this with SPF: how long does it take you to understand SPF, or to explain its BASIC CONCEPTS to someone else?

    Reason #2: ABM doesn't itself kill anonymity, but it makes it easier for government to do so. As one poster has already said:
    "There isn't a central database from which funds are collected that has everyone's name and bank information. The only requirement is that you have funds available to back up your email, and like it says, this can be accomplished by paying in person with cash for an anonymous e-mail account."

    It's a bitter lesson of the past three years -- or it should be, if you haven't already realized it -- that there are few limits to the extent to which government will regulate (read "criminalize") financial transactions in order to control individuals, in the guise of "fighting terrorism".
    If you don't believe this, then go to the service desk in any large grocery chain where they sell money orders, and look on the wall for the sign which describes the maximum anonymous cash transaction which can be performed without triggering a report to the government. (I'll provide additional detail and examples if anyone chooses to dispute this.)

    Implement ABM, and just how long do you think it will take for some publicity-hungry politicians to propose that all ABM payments require identification?

    Reason #1: The ITU supports it. I have no problem with organizations like IETF. But in view of recent trends of trans-national political authorities (like the EU) taking action contrary to human rights, I'm immediately suspicious of a proposal supported by an organ of the UN ("tin-foil-hat" insults notwithstanding).

  6. Counterfeit Escrows? by pentalive · · Score: 2, Interesting

    Would it be possible for me to own my own escrow service and make counterfeit escrows?

  7. Re:unfair for almost everyone. just not viable by JSBiff · · Score: 2, Interesting

    Well, some of the problems you point out are valid. . . this is, in part, another micro-payment system and runs into the same problem that almost every other micro-payment system runs into - namely that the transaction costs could potentially be higher than the payment itself.

    You ask, "how about I am totally careless with my email address, can i then send repeated claims for bond money from all these companies that want to sell me something.[sic]" (note: when you ask a question, you should end the sentence with a '?' not a '.') Well, yes, if you read the FAQ this is exactly the point - to force spammers to be wary of who they send spam to. Right now the spammers just send them to *everyone* and hope they get less than a 1% response rate. This bond system would force spammers to pick the best candidates, and to post a high enough bond to persuade the mark, err, I mean consumer to read the message. If they are careful, they should be able to make more than enough in sales revenue to offset the bonds they have to pay.

    But, I think you misunderstand something fundamental about the proposal. According to the FAQ posted above, this isn't exactly a pay-per-email system. You state, "This system sucks and white listing sucks too, unless you never lost contact with old friends or changed your isp or got in touch with a company." Well, unless your friends are jerks or idiots, they won't claim the bond, so you don't lose any money. That is, under this proposal, you are saying I am willing to warrant that this message is not spam, and I'll warrant it in the amount of X dollars. When your friend receives the email, they see it's from you, think "Oh it's good to hear from him again." and hit the 'not spam' button, and the 'add to address book' button. Voila, you get your 25 cents (or whatever you posted) back. In fact, you don't *have* to post anything at all, but it's likely that if you don't post a bond, your friend will never even see your message. I think part of this system even allows you to query to find out what bond amount your friend set for messages to get past his filter.

    "heck thinking about it somebody makes a product gets a lot of customer complaints then claims their repeated emails from dissatisfied customers is spam and claims the bonds."

    Personally, if this system ever gets implemented, I simply would not do business with a company that requires me to post a bond to send customer support email. Under this system, mail recipients can choose whether they require a bond or not, and how much the bond amount has to be. That being the case, I would expect that the company's customer support would either whitelist me as a customer (if they want to use a bond to discourage spam from being sent to their cust support address), or just not require a bond.

    The thing about this system is that it's all voluntary. You are never *forced* to pay for an email. No one might ever see your email if you don't post a bond, but you are never actually forced to.

  8. Wrong type of solution by gerardrj · · Score: 2, Interesting

    SPAM is a social problem. You can't use market, technical or legislative processes to solve a social problem. Attempts to do so lead to more problems and don't solve the original problem, i.e.: crime, poverty, drugs, all are social problems and none have been eliminated by any of the above means despite decades of trying.

    You need a social solution to the social problem of email spam, though some may call this a technical solution.

    numerous aliases, one account.

    You have one base email account the address/name of which you never reveal to anyone. No, not even people you trust. Too many worms harvest addresses from messages stored on infected systems.

    You then have a web and/or email interface to the mail server with which you can create email addresses on the fly which all dump their mail in the one mail account. These are not "temporary" or "one-time-use" accounts, they are however mutable at will.

    You make up an alias for your close family to use, one for your friends, one for each major company you receive email from, one for mailing lists, etc. Despite having many email addresses, all of your mail is delivered in to one mailbox and only one account needs to be checked for mail.

    If you should ever start receiving spam on a particular alias, you simply change it alerting the one or few entities that use that address. The remainder of your addresses remain unaffected.

    It's also really fun to tell the phone company that your email address is mci@my-domain.com. The look on the librarian's face was priceless when I told her my email address was library@emiaildomain.com.

    Does this require work on the part of the email user? Yes. One time for initial setup of the account(s), and then again if spam is received on an address.

    The up-side... you only receive spam once on an address, then you change the address. Spam is then stopped before the message is sent from the remote server. Anyone with their own mail server, or an ISP who supports this can start using it right now, it doesn't require any new protocols or changing of any existing ones. It doesn't place any additional burden on the network, and in fact alleviates server loads because sending back a "550 user unknown" after the "rcpt to:" takes up a lot less resources than receiving the entire message and then trying to filter it based on content.

    Is it a perfect solution? No.
    What are the flaws:
    1. Setting up, remembering and maintaining the list of aliases. This is a problem with laziness of users, not with the idea itself. In the end it will require no more work than installing and training a learning filter.

    2. Setting up your mail client to operate with multiple outgoing addresses and only one incoming address. Some mail clients (OS X Mail.app for one) require incoming mail server info for an account (even if it will never receive mail) and require that there be a unique server/username combo for each "account". But there are workarounds.

    3. Still susceptible to brute force guessing of the main account or the aliases (which requires changing one or both). Most mail servers today have hardening against brute force attacks though. Even if your main email address (the one you never give out) is guessed, you can have it changed and all of the aliases re-directed to the new address without having to tell anyone about it. All the aliases stay intact.

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
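
A model of the alias scheme from the comment above, as an added example that is not part of the original post: the accept or reject decision is made at `RCPT TO` time, a spammed alias is retired, and the hidden mailbox can move without touching any alias. The class, the domain `example.com` and the mailbox names are hypothetical, and accepting only aliases (never the base mailbox) as recipients is an assumption of this sketch.

```python
class AliasTable:
    """Aliases that all deliver to one hidden base mailbox (hypothetical model)."""

    def __init__(self, domain: str, base_mailbox: str):
        self.domain = domain.lower()
        self.base = base_mailbox      # never published; assumption: not a valid RCPT
        self.active = {}              # alias local part -> who was given it
        self.retired = set()          # spammed aliases, never handed out again

    def add(self, alias: str, label: str) -> None:
        alias = alias.lower()
        if alias in self.retired:
            raise ValueError("retired alias must not be reused")
        self.active[alias] = label

    def rotate(self, old: str, new: str) -> str:
        """Retire a spammed alias, issue a replacement, return who must be told."""
        label = self.active.pop(old.lower())
        self.retired.add(old.lower())
        self.add(new, label)
        return label

    def move_base(self, new_base: str) -> None:
        """Change the hidden mailbox; every alias keeps delivering."""
        self.base = new_base

    def rcpt_to(self, address: str):
        """Return (SMTP code, reply text, delivery mailbox or None) for one recipient."""
        local, _, domain = address.strip("<> ").lower().rpartition("@")
        if domain != self.domain or local not in self.active:
            return 550, "user unknown", None   # rejected before any message body is sent
        return 250, "ok", self.base


def demo():
    """Constructed walk-through: spam arrives on one alias, which is then rotated."""
    table = AliasTable("example.com", "mbox-7f3a")
    table.add("mci", "phone company")
    table.add("library", "public library")
    before = table.rcpt_to("<mci@example.com>")
    notify = table.rotate("mci", "mci-2")
    after = table.rcpt_to("<mci@example.com>")
    table.move_base("mbox-new")
    return before, notify, after, table.rcpt_to("library@example.com")


if __name__ == "__main__":
    for step in demo():
        print(step)
```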