Jousting at Spam Windmills
By Mike Gunderloy
January 26, 2004
You might not have caught the news, because it came in late Friday. Bill
Gates was off hobnobbing with the other movers and shakers at the World Economic
Forum again, and this year he had some things to say about spam. According to
the Associated Press story, Bill says "Two years from now, spam will be solved."
He went on to discuss some of the solutions that Microsoft is working on:
- Requiring the sender of an e-mail to solve a puzzle that only a human can handle.
- Requiring an expensive computation on the part of the sender (this has been put forth by Microsoft Research as the "Penny Black" proposal).
- Letting receivers bill senders for unsolicited e-mail.
According to the AP, Gates predicted that "In the long run, the monetary
(method) will be dominant."
It's fairly obvious why Microsoft is interested in curbing spam, on several
fronts. First, the whole company runs on e-mail; if you've ever been in touch
with a Microsoftie when their e-mail wasn't working, you'll know that it's not a
pretty sight. Second, between Hotmail and MSN, Microsoft hosts some zillions of
e-mail accounts as a business. Finally (and they'd probably prefer you not
remember this), Microsoft is responsible for a lot of the spam in your
mailbox. That's because more and more spam is sent by proxy through hijacked
computers on the Internet - hijacked thanks to some of the numerous security
holes that Windows and other Microsoft applications have displayed in recent
years.
So, it's nice to see Microsoft attempting to become part of the solution. But
I fear that declaring the spam problem "solved" will have no more effect than
the United States government's misguided CAN-SPAM Act of 2003.
(Have you seen a dropoff in your spam since this law took effect at the start of
the year? Funny, neither have I.)
So, let's think about this monetary proposal a bit more (the other two are
just variations on a theme, substituting brain power or computing power for bank
accounts). As I understand it, the notion is something like this: you set a
price for accepting unsolicited e-mail to your account, perhaps a dollar or, if
you're feeling generous, five cents. When e-mail comes in from an unrecognized
source, you examine it carefully. If it's from your long-lost uncle, writing
with good news about your inheritance, you can graciously waive the fee. But if
it's a new product promising to enlarge some part of your body and
simultaneously lower your mortgage rates, you can gleefully collect. Thus, no
one will send mass unsolicited mailings, for fear of being nibbled to death by
ducks.
This might work well if everyone on the Internet had the high moral character
of a Bill Gates, or even of my high school graduating class members. But folks,
we're dealing with spammers here: people who are roughly upstanding
enough to walk under a snake without any great trouble. I can see three
approaches to beating the system from the spammer's side.
First, they can just go ahead and send out their mailings anyhow, without
whatever piece of electronic identification that says they're a part of the
anti-spam monetary system. After all, there's no way that the entire Internet
will adopt the new system at once; even if Microsoft somehow manages to upgrade
Exchange and Outlook to handle this idea, and convinces Yahoo! and AOL to go
along, there will be millions of other SMTP servers out there happily passing
along unmarked, old-style mail. Sure, you could automatically put such mail into
a junk mail folder, or delete it. But one of them might be that note from your
long-lost uncle, or a lucrative job offer from an employer who just happens to
use a sendmail server. Just ignoring the mail that's not a part of the system
seems like a guarantee of missing something important, unless you relentlessly
scan this potentially-junk folder. And when you do that, you still get to see
the spam.
Second, the spammers can redouble their attempts to hijack servers, now
concentrating on ones that are a part of the web of trust. If that happens,
you'll find spam in your Inbox with the proper monetary markings. Rubbing your
hands, you demand the 50 cent bounty that you've put on spam, and it comes in -
from the coffers of ABC Corporation, where a hapless new sysadmin accidentally
left a server open to mail relaying. Or from a computer at the same corporation
that's been hacked by taking advantage of the latest IE security hole. At best,
Mr. Big (who runs ABC) is going to demand his money back from you; at worst,
he's going to tell his sysadmin in no uncertain terms to never participate in
such a hare-brained scheme again.
Third, a variation on a theme: the spammer can set up an account at some ISP
that's spam-friendly (and yes, there are plenty of them around the world), and
guarantee to pay the spam tax when users come to collect. In addition to
owning computers, they'll go out and buy a few stolen credit card numbers. Then
you'll find your spam bill being paid by someone's unsuspecting grandma who left
a charge slip in the trash, or by Joe College Student who had his new card
lifted from his mailbox. Once again, the real spammer doesn't pay a dime.
Meanwhile, all the people who are not using the anti-spam version of Exchange
continue to get just as much spam as ever.
I'll happily print a correction if I'm shown that the schemes Bill Gates is
proposing don't suffer from these flaws. But in the meantime, this sure doesn't
sound like a solution to me.
About the Author
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.