Slashdot Mirror
Selling Your Attention to Spammers
Dotnaught writes "Can the free market stop spam where technology has failed? As described in InformationWeek, Professor Marshall Van Alstyne of Boston University School of Management has co-authored a soon-to-be-published paper that proposes an "attention bond" -- money put up by email senders that recipients collect only if they consider the message a waste of time. Supposedly, this market-based filter performs better than a perfect technology-based solution, with no false positives or negatives. A company called Vanquish already has a working model. Is selling one's attention the answer to spam?"
Your post advocates a
(*) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
(*) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(*) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(*) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
what? what I thought we were in the trust tree in the nest, were we not?
I must be missing something...it seems like the same tactics spammers use to evade law enforcement today could be used to evade the imposition of this "attention bond mechanism".
____
~ |rip/\/\aster /\/\onkey
money put up by email senders that recipients collect only if they consider the message a waste of time
I get that already, it's called "my salary".
Trolling is a art,
I bill triple digits per hour (but still less than a phone sex operator at $4.99/min). Doctors and lawyers charge even more. Unsolicted messages are an uncompensable waste of time and a theft of network resources.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
Why is a spammer going to put up money when relaying through a zombie net or open relay is easy and free?
I don't need no instructions to know how to rock!!!!
money put up by email senders that recipients collect only if they consider the message a waste of time
Sounds like a fancy way of taxing the internet...
One man's Funny is another man's Offtopic.
The other thing that can happend is that it is so hard to cash out this money, that noone will bother, since it'll be likely to take twice the time of hitting delete, or the sum has to be big enough to be worth the hassle ($1?) which agains brings us to the first point, people will cash out on every email.
Assembling etherkillers for fun an profit
I'm sorry, the whole "fee" idea just doesn't work for me... What is to stop someone signing up for a whole load of mailing lists, and then claiming that they were all a waste of time? The only time anyone would not bother taking that cash is if there was someone they knew on the other end, getting pissed off.
It sounds like a good idea, but it's not a solution any more than CAN-SPAM. Spammers will not cooperate if it's just going to hurt them. Until you crack down on spam in the same way that the telemarketer do-not-call list has, you won't see any improvement. And that's not even realistic given the ease with which email can be masked or forged.
It's similar to the argument that gun rights advocates make - stricter gun control laws or programs will hurt legitimate owners, but the real problems will still lie with the criminals who don't abide by those laws anyway.
Crack down on spammers. Make spam outright illegal and make penalties for ISPs that fail to comply.
While it'd be inconsequential to me to put up 10c to send each message (or probably even $1 if my employment related emails didn't count) it doesn't scale well between different countries.
Third world countries will find that sort of money a huge barrier to entry for sending email.
Similarly this will be open to google ad type exploitation. People will set up email addresses and sign up to all sorts of solicited and unsolicited email just to collect the cash. Again for people in poorer countries this might be a practical job.
What's to stop someone from signing up for every mailing list everywhere and setting up an automated application to flag it as spam so the money starts rolling in? Three or four thousand such flags per day, even at a few cents each should start to add up fairly quickly.
I'm a big tall mofo.
My time is free! I'll give them all the time they want and then some! They just need to come over to this dark alley... say, have I shown you my baseball bat? Look at these fine details... now just hold still.
the only field where you can get a nobel for being wrong
I'd like to try this on Slashdot. I can collect money for articles that I think are a complete waste of my time. Then this money can be used to post messages like this, which are a complete waste of other people's time.
I don't get it. This kind of "disincentive" has already been implemented in just about every business plan on earth in a much less logistically challenging way. When you advertise, you have to pay for it. Let's say you advertise too 1,000 people, it costs you two cents each, and only one person is receptive to your message. That person buys your product for $50. Great! Your ad campaign was successful. On the other hand, if nobody bought your product, you'd be out $20.
This is pretty basic stuff. The problem with spam is that spammers are continually finding ways to pay nothing to advertise. If one person in a thousand replies to a message you paid nothing for and sends you $50, you've made almost double the profits vs. if you had to pay 2 cents per recipient. That's always going to be an attractive market for people with useless crap to sell, because the real rate of return on crap might be considerably less than one in a thousand.
This plan gives people the warm fuzzies because it sounds like each individual will be able to profit from unwanted advertising, but in reality it would never work that way. On the other hand, you'd get the same "punitive" effect on spammers if you just found a way to force them to pay to send spam.
Breakfast served all day!
Then why are you on Slashdot?
While it's not a great idea, it's a fairly obvious one. Papers on this go back decades. I was one of the earliest to propose it in the Unix community almost a decade ago, but later denounced my own ideas.
But what amazes me is that like clockwork, somebody will publish an article on this "great new idea" for dealing with spam, several times a year it seems. They have clearly read none of the spam literature, nor done a search. And on top of that, journals and magazines also think it's new and publish the items, even slashdot publishes them.
What gives?
Has it been over a year since you last donated to the Electronic Frontier Foundation
Ah, I see...
Professor Marshall Van Alstyne of Boston University School of Management
That pretty much explains it.
Great...three people managed to post this bright idea before me.
Last time I answer the phone at work!
____
~ |rip/\/\aster /\/\onkey
at http://www.cs.uwaterloo.ca/~klarson/teaching/F04-8 86/papers/loder04.pdf
4) Profit!
The US Federal Trade Commission says that over 80% of spam involves some violation of Federal law. Not just the CAN-SPAM act, but mail fraud, false advertising, money laundering, computer crime, drug counterfeiting, and racketeering. There should be no problem filing charges.
If we had an FBI director who made this a priority, most spam could be eliminated in a year. Just divert some of the FBI Baltimore people who do child pornography, who are already experienced at tracking people on the Internet, off that job and onto tracking down the major spam operators.
In a sense, CAN-SPAM has been effective. Spamming by even vaguely legitimate companies is down. Almost all spamming now involves felony criminal activity of one kind or another.
Wallace & Rines' revamped spambone was to do just that. It didn't pan out.
If I understand correctly, which I might not, this is how it will work: spammer sends me an e-mail, I mark it as spam and receive money, spammer gets a notice so he can remove me from his list.
What's to stop me from biting the cost of a large mailing, collecting all those notices, and reselling them to other spammers as a list of verified active addresses? My customers could use the lists in a country not on board with the idea, since this will require legislation to enact (which is a problem too obvious to need explanation.)
Seems like a major problem, but I'll wait until the paper is released before making my final judgement.
Robert Heinlein in one of his stories required that telephone callers post a bond before the hero would answer the phone. If the hero agreed that the phone call was worth it, he'd reverse the charges.
In his 1996(?) book The Road Ahead. It was exactly the same, the recipient would have the choice to not collect if the message was wanted. For example, if it was from a long-lost friend. So it only took nine years to write a paper on this idea which was published by on e of the most famous figures in the technology industry?
Walt
Right.
People flag list traffic for which they subscribed as spam all the time. What is so special about putting up a financial bond that will cause people not to flag mail they requested in March as spam in May, or accidently marking mail from aunt Mildred as spam. I just don't see it.
This fails every test of an anti-spam proposal I can think of, including the most important: It doesn't stop spam.
--OgAttention bonds don't work, as described here in more detail:
* Creates opportunity for traffic monitoring by people we'd rather not have doing that
* Creates money trail alongside email trail, making legitimate anonymity almost impossible
* Makes trolling a profitable business model
* Participants who are poor, or not allowed to form legally binding contracts (such as children) can't have email anymore
* If only applied to email, moves the spam problem to other media without solving it
* Creates obligation for email receivers to actually pay attention to the messages of paying spammers; can't set the price high enough to make that okay, without chilling too much non-spam communication from senders who can't risk being forced to pay a large bond
* Can be used as a payment system for underground economy (porn, gambling, drugs, general money laundering)
* Mustn't allow any communication beyond the bond amount, or else that'll be used for spam; but the bond amount isn't really enough information to make the read/don't read decision
* Senders often don't have the choice of talking to a different receiver on a given subject instead, so system can be abused by anyone you NEED to send mail to (e.g. legal notices, tech support, recipients of emergency communications, etc.)
* Human beings known to behave irrationally when involving transactions in small amounts of money (same reason micropayments fail)
* Creates complicated international payment system with huge numbers of participants; not possible to keep such a system secure. (Like credit cards but a thousand times worse)
* Large companies like Microsoft will use embrace-and-extend to create/extend monopolies and punish users of competing software
* Probably already subject to conflicting patent claims
* Creates need for middleman businesses that have no other function; opportunity for abuse, like the domain name registration racket.
* Escrow system likely to end up using anti-robot captchas (like domain name registration), making legitimate non-human, and disabled human, email users unable to participate.
* Either malware on your machine can make you owe a lot of money to random people, or else spammers can escape having to pay their attention bonds by invoking whatever mechanism protects malware victims.
Education.
If we educate the users/unwashed masses(what every you want to call them) that BUYING from the SPAMMERS is A BAD IDEA(TM) and only makes the problem worse, the users might not buy cheap tobacco/blue pills/radio controlled cars/fake rolexes from the adverts.
Would the small minority please stop supporting this crud, then maybe I wouldn't stop one week fighting trojans nd the next fight the spam they've started spawning (Sober.o/p and sober.q).
No practical, I know of lots of ISP's with 100,000's of email addresses. Any global register would have to handle thousands of updates per minute. Even more than DNS...your idea is SPF on steriods, and that doesn't work.
Not to mention privacy issues...would I want an ex-boyfriend/girlfriend with a grudge being able to query this info on mass etc etc
Also most spam-ware has it's own SMTP engine and sends direct to the MX address (or secondary is quite popular too).
The only solution to spam? Replace SMTP.
SMTP is an outdated, insecure protocol which is ill-suited to modern email.
We need to replace it with a protocol which is authenticated at both ends. A friend and I came up with the following; which although not perfect and probably subject to a few tweaks is a step in the right direction.
J Random Hacker/Company/Joe Sixpack leases a domain name from J Random Registrar. Let's call it jrh.com
That registrar provides a private key and a public key pair based on the domain name.
The CMTP (or Complex Mail Transport Protocol - I made that up) server on jrh.com wants to send an email to target.com. It signs the outgoing message with the private key (ie puts a hash in the header - and you could base it on time and date or other arbitrary data to make sure there's no forgery) and then connects to target.com. target.com then asks jrh.com's registrar for jrh.com's public key (either that or it's propagated over DNS). If the pair match up, the email is accepted. If not it's dropped at the door. No questions asked.
During the phase in period, SMTP traffic could be configured for a 15 minute delay on each target server, whereas CMTP traffic is dealt with immediately. I compare it to how Telnet was slowly phased out in favour of its more secure replacement, SSH.
So, if a spam zombie Windows box is spewing out SMTP traffic in a CMTP world, most servers would drop it at the door. The spammers can't go to CMTP because:
1) They can't use a private key they made up because it's checked against the public key held at the registrar.
2) If they use the private key of a domain they hold (ie install it as part of the worm infection) when people get even 1 spam from them (yes 1 spam - it would be that unusual) the server just ignores mail sent with that signature.
The solution works because the motivation would be there for companies to prevent spam on their networks. As soon as they switch to CMTP, they get no spam over it. And eventually they will get no SMTP email at all. Just as nobody uses Telnet anymore, SMTP will die out if replaced with something better. You can make all the laws you like but at the end of the day, the SPAM solution is a technical one.
"And then I visited Wikipedia
Overly complex, ineffective, and useless.
Who collects and distributes these (micro)payments?
Who enforces that the mailserver supports this?
In the event of someone getting zombied, who is liable? Especially in the event that the zombied box is fully patched.
How does a 13 year old from a dirt poor country send an email from the shared village PC to a uni professor in London or NYC? Where is his escrow acct?
What about anon email accts? How is my bank/paypal/whatever tied to that? (Not that I want it that way)
How does a free, but popular mailing list afford the escrow acct needed to cover new recipients?
There are a host of other problems that we haven't even begun to consider.
That should be a combo technical/market based solution, but you get the point. It won't work. It's a dumb idea.
Spammers aren't going to pay money. Spammers profit by stealing resources. It's a tremendous leap of faith to assume that any significant percentage of spammers would buy into such a boneheaded idea, but then again, coming from a college professor (who likely has very little real world business experience), it's not surprising.
Bill Gates put this idea in The Road Ahead back in 1996. Basically, in order to send an unsolicited message, you have to attach some e-cash to it. If it's just a message from some long lost friend presumably you won't actually redeem the attached e-cash.
Anyway, like a million other ideas about solving spam, it'd work if you could just convince everyone in the world to adopt it. Convincing everyone in the world to switch over to the new system is left as an exercise for the reader.
Sorry.. but I have Adult ADD and won't be able..
oh look, a kitty!
() Lack of centrally controlling authority for email
-- it doesn't appear to use this - it appears to be recipient's-end charging, which can be deployed in a decentralized manner
() Open relays in foreign countries
-- those don't matter here - if they sender doesn't pay, the recipient doesn't read it, and relays only make it harder to pay.
(*) Mailing lists and other legitimate email uses would be affected
-- you correctly marked "whitelists suck", which is part of why it's hard to implement this one correctly.
(*) Users of email will not put up with it
-- this is the big problem with TMDA, hashcash, and many similar systems
(*) Many email users cannot afford to lose business or alienate potential employers
-- you missed this one too. See previous.
() Requires too much cooperation from spammers
-- not a problem. This one requires cooperation from non-spammers.
() Unpopularity of weird new taxes
-- unless I grossly misread the article, this doesn't apply here - the sender pays the recipient or recipient's ISP, not some third party.
(*) Public reluctance to accept weird new forms of money
-- Yup. Either you need weird new money or old-fashioned real money, and the latter is usually too expensive per transaction.
(??) Armies of worm riddled broadband-connected Windows boxes
-- Maybe. If enough people start using this, and there's a convenient mail-sender interface so senders don't need to pay attention very often, then worms will start to abuse it. Otherwise they won't care, and the five people who still use it will have whitelisted each other.
() Dishonesty on the part of spammers themselves
-- Doesn't hurt the recipient, who sets the price high enough that he's willing to read an occasional Nigerian Herbal Fake Vi***a ad and keep their $5 just to annoy them. This proposal suffers from dishonest recipients, who convince legitimate that they should be willing to pay the money to get the recipient's attention. It's a serious enough problem that it can even lead to "Make Money Fast By Reading Email At Home" spammers inviting you to become a recipient
() Why should we have to trust you and your servers?
-- Because you want me to read your mail. Don't care? Don't send money, and I'll ignore you. If I'm a sufficiently interesting public figure, like Rush Limbaugh or Daily Kos or the Editor of the New York Times or Britney Spears, maybe you'll pay to get my attention. Alternatively, maybe the fact that I'm charging for my attention will make you think I'm some over-inflated ego who's not worth the effort, and my 15 minutes of fame will time out faster.
(*) Sorry dude, but I don't think it would work.
-- My conclusions's a bit more positive than yours
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Hehe.. Just kidding.. ;)
(I hope I didn't just sign a death-wish for my karma...)
Just when you make it idiotproof, some idiot builds a better idiot.
Heinlein came up with it first -- one of the characters had a doorbell which would only ring after a deposit was made -- refundable if it was agreed that her time was not being wasted. I think someone else here referred to Heinlein doing the same thing with a telephone call at some point or another -- I'm not sure if it's the same reference (and one of us is misremembering it) or if he used the same idea twice (which is really quite plausable).
I have absolutely no problem with this. I'd love a second income, and I'd be more than happy to sell my att.. oooh, shiny!
https://www.eff.org/https-everywhere