Jousting at Spam Windmills

You might not have caught the news, because it came in late Friday. Bill Gates was off hobnobbing with the other movers and shakers at the World Economic Forum again, and this year he had some things to say about spam. According to the Associated Press story, Bill says "Two years from now, spam will be solved." He went on to discuss some of the solutions that Microsoft is working on:

  • Requiring the sender of an e-mail to solve a puzzle that only a human can handle.
  • Requiring an expensive computation on the part of the sender (this has been put forth by Microsoft Research as the "Penny Black" proposal).
  • Letting receivers bill senders for unsolicited e-mail.

According to the AP, Gates predicted that "In the long run, the monetary (method) will be dominant."
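The second proposal makes the sender pay in CPU time rather than money. As an added illustration (not code from the column, and not Microsoft Research's Penny Black implementation), here is a minimal hashcash-style stamp: the sender brute-forces a counter until a hash has enough leading zero bits, and the receiver checks it with a single hash. The stamp format, the use of SHA-256, and the difficulty values are my assumptions.

```python
import hashlib

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def mint_stamp(recipient: str, date: str, bits: int) -> str:
    """Sender side: search for a counter whose stamp hash has `bits` leading zeros.

    Expected work is about 2**bits hash evaluations, paid once per message
    and per recipient, because the recipient and date are part of the hash input.
    """
    counter = 0
    while True:
        stamp = f"{recipient}:{date}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1

def verify_stamp(stamp: str, expected_recipient: str, today: str,
                 bits: int, seen: set) -> bool:
    """Receiver side: one hash plus cheap checks.

    Rejects stamps minted for someone else, stale stamps, replays of a stamp
    already accepted, and stamps that did not do enough work.
    """
    parts = stamp.split(":")
    if len(parts) != 3:
        return False
    recipient, date, _counter = parts
    if recipient != expected_recipient or date != today:
        return False
    if stamp in seen:                      # one stamp covers exactly one message
        return False
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < bits:
        return False
    seen.add(stamp)
    return True

if __name__ == "__main__":
    # Constructed sample values, not from the column.
    accepted = set()
    s = mint_stamp("alice@example.com", "20040126", 12)
    print(s, verify_stamp(s, "alice@example.com", "20040126", 12, accepted))
    print("replay:", verify_stamp(s, "alice@example.com", "20040126", 12, accepted))
```

Binding the stamp to the recipient and the date, and refusing replays, is what stops one stamp from covering a mass mailing; the cost falls on whichever machine does the minting, which is exactly why the column's point about hijacked computers matters.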

It's fairly obvious why Microsoft is interested in curbing spam, on several fronts. First, the whole company runs on e-mail; if you've ever been in touch with a Microsoftie when their e-mail wasn't working, you'll know that it's not a pretty sight. Second, between Hotmail and MSN, Microsoft hosts some zillions of e-mail accounts as a business. Finally (and they'd probably prefer you not remember this), Microsoft is responsible for a lot of the spam in your mailbox. That's because more and more spam is sent by proxy through hijacked computers on the Internet - hijacked thanks to some of the numerous security holes that Windows and other Microsoft applications have displayed in recent years.

So, it's nice to see Microsoft attempting to become part of the solution. But I fear that declaring the spam problem "solved" will have no more effect than the United States government's misguided CAN-SPAM Act of 2003. (Have you seen a drop-off in your spam since this law took effect at the start of the year? Funny, neither have I.)

So, let's think about this monetary proposal a bit more (the other two are just variations on a theme, substituting brain power or computing power for bank accounts). As I understand it, the notion is something like this: you set a price for accepting unsolicited e-mail to your account, perhaps a dollar or, if you're feeling generous, five cents. When e-mail comes in from an unrecognized source, you examine it carefully. If it's from your long-lost uncle, writing with good news about your inheritance, you can graciously waive the fee. But if it's a new product promising to enlarge some part of your body and simultaneously lower your mortgage rates, you can gleefully collect. Thus, no one will send mass unsolicited mailings, for fear of being nibbled to death by ducks.

This might work well if everyone on the Internet had the high moral character of a Bill Gates, or even of my high school graduating class members. But folks, we're dealing with spammers here: people who are roughly upstanding enough to walk under a snake without any great trouble. I can see three approaches to beating the system from the spammer's side.

First, they can just go ahead and send out their mailings anyhow, without whatever piece of electronic identification says that they're a part of the anti-spam monetary system. After all, there's no way that the entire Internet will adopt the new system at once; even if Microsoft somehow manages to upgrade Exchange and Outlook to handle this idea, and convinces Yahoo! and AOL to go along, there will be millions of other SMTP servers out there happily passing along unmarked, old-style mail. Sure, you could automatically put such mail into a junk mail folder, or delete it. But one of them might be that note from your long-lost uncle, or a lucrative job offer from an employer who just happens to use a sendmail server. Just ignoring the mail that's not a part of the system seems like a guarantee of missing something important, unless you relentlessly scan this potentially junk folder. And when you do that, you still get to see the spam.

Second, the spammers can redouble their attempts to hijack servers, now concentrating on ones that are a part of the web of trust. If that happens, you'll find spam in your Inbox with the proper monetary markings. Rubbing your hands, you demand the 50 cent bounty that you've put on spam, and it comes in - from the coffers of ABC Corporation, where a hapless new sysadmin accidentally left a server open to mail relaying. Or from a computer at the same corporation that's been hacked by taking advantage of the latest IE security hole. At best, Mr. Big (who runs ABC) is going to demand his money back from you; at worst, he's going to tell his sysadmin in no uncertain terms to never participate in such a hare-brained scheme again.

Third, a variation on a theme: the spammer can set up an account at some ISP that's spam-friendly (and yes, there are plenty of them around the world), and guarantee to pay the spam tax when users come to collect. Then, in addition to owning computers, they'll go out and buy a few stolen credit card numbers. Then you'll find your spam bill being paid by someone's unsuspecting grandma who left a charge slip in the trash, or by Joe College Student who had his new card lifted from his mailbox. Once again, the real spammer doesn't pay a dime.

Meanwhile, all the people who are not using the anti-spam version of Exchange continue to get just as much spam as ever.

I'll happily print a correction if I'm shown that the schemes Bill Gates is proposing don't suffer from these flaws. But in the meantime, this sure doesn't sound like a solution to me.

About the Author

Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.