Reason Magazine

The Spam Wars

How should the Internet deal with junk mail?

Wendy M. Grossman from the November 2003 issue

(Page 2 of 3)

The technical solutions are probably the most familiar because they're the things you can do for yourself. Primarily, these solutions involve filtering the junk out of the stream of e-mail. There are several places along the path from sender to recipient where filtering can be carried out: at the sending ISP, at the receiving ISP, and through the recipient's own e-mail software. Early in the Internet's history, any mail server was available to send e-mail on behalf of any user: You just specified the machine in your e-mail software, and the server relayed the mail for you. When junk e-mail became a problem, these relays were one of the first things to go. Running an open relay, once seen as a social contribution, became socially irresponsible. The cost was that closing those relays down made it more difficult for travelers and guests to send e-mail while out of range of their own systems.

A number of ISPs offer filtering services for their customers using a third-party service like Brightmail or SpamAssassin, and these vary from discarding the junk on your behalf to marking suspected junk in such a way that you can set your e-mail software to filter it into a separate location. The advantage to the first scheme is that you never see the junk; the advantage to the second is that you can see what's being discarded, and if a legitimate message is incorrectly marked you have a way of retrieving it.

San Francisco's conferencing system the WELL employs the second approach; it uses SpamAssassin, which marks the junk for filtering. SpamAssassin assigns a score to each message that in its estimation indicates the likelihood that the message is spam. A Web interface provided by the WELL lets users set the threshold above which the message is marked. At the default settings, the WELL's implementation catches about two-thirds of the junk. It's not enough: WELL accounts tend to attract a lot of spam even if they haven't been used outside the WELL itself.

At the user level, a number of companies make plug-ins for standard e-mail software, some free, some commercial. These sit between your e-mail software and your ISP, and examine your messages as they arrive, marking or deleting anything they can identify as spam. Internally, they all work slightly differently. Some of these filters check the origins of messages against one or more Realtime Blackhole Lists and eliminate anything that comes from known spam-tolerant ISPs. These blacklists do weed out a lot of junk, but again there's a price, since it's always possible for an innocent domain to get listed by mistake or malice. Of course, the same is true of system administrators who put filters in place; they've been known to block whole countries (including the U.K.).

Collaborative filtering systems, such as Cloudmark and Spamcop.net, collect reports from the first people who get a particular spam and apply them to the entire user base so that everyone gets less. SpamAssassin, which is built into several different e-mail client plug-ins, uses a type of statistical analysis known as Bayesian filtering to help it learn from existing spam to identify unfamiliar spam more accurately, theoretically getting better and better over time.

One significant strand of technical development is challenge-and-response systems such as SpamArrest and iPermitMail. With these, you white-list known correspondents and always accept e-mail from them. Unknown correspondents are sent a challenge that a human being can read and answer but a spambot can't (yet, anyway). When the response is received, the original e-mail is let through to its destination. A complex variant of this approach, developed at AT&T and marketed to corporations as Zoemail, uses unique addresses for each correspondent; at the first hint of spam to an address, the correspondent's address is voided and replaced. One problem with challenge-and-response is that many legitimate correspondents find it hostile and don't bother to respond. Another is that it's disruptive to mailing lists, which rely on automated systems.

As the trend toward virus techniques shows, this is a technological arms race. There is already a company, Habeas, whose mission in life is to sell direct marketers a product to help their messages get past spam filters. So far it's been impossible to get ahead of the spammers for long, but a lot more brainpower is being trained on the problem than in the past; MIT even hosted a technical conference on the subject earlier this year.

Law and Economics

From time to time, someone proposes an economic solution to spam. There are a number of variations, but they all boil down to one idea: You should pay, literally, for all the e-mails you send. This is a popular idea because even a tiny charge that wouldn't cost individual users very much would impose a substantial burden on spammers. At a penny per e-mail, for instance, sending 1 million messages would cost $10,000. At the very least, such a fee would get spammers to clean their lists.

There are several problems with this idea. First and foremost, no ISP in the world is set up to charge this way. It would require an entirely new infrastructure for the industry. In addition, charging for e-mail would kill free services such as Yahoo! and Hotmail in a single stroke and, with greater social costs, make today's many valuable mailing lists economically unfeasible.

If we had micropayments -- that is, the technical ability to manage transactions of a penny or even fractions of a penny -- we'd have more flexibility to consider charging schemes with fewer social costs. If, for example, you could require that unknown correspondents attach one cent to an e-mail message, you could void the payment for wanted e-mail, leaving only the spammers to pay it.

But we don't have micropayments and we have little immediate prospect of getting them. Given the costs to the industry of altering its billing infrastructure, the only way a pay-per-message scheme would work is if it were legally mandated -- and even then, such a mandate could not be imposed worldwide.

In one of the biggest turnarounds in Net history, many people who formerly opposed the slightest hint of government regulation online are demanding anti-spam legislation. So far, the European Union has made spam illegal, 34 states in the U.S. have banned it, and a number of competing federal bills are in front of Congress, which has considered such legislation before. Various proposed federal laws would require spam to include labels, opt-out instructions, and physical addresses; to ban false headers; to establish a do-not-mail registry; or to ban all unsolicited advertising. Most of the state laws require labeling and opt-out mechanisms.

Not everyone is happy with the U.S. legislation's provisions, however: Steve Linford, head of Europe's Spamhaus Project, says America's opt-out approach will legalize flooding the world with spam. He notes that the world's 200 biggest spammers are all based in Florida. With an opt-out system, anyone would have the right to put you on any list at any time, as long as they remove you if you request it. Linford believes instead that "opt in" -- prohibiting companies from adding addresses to lists unless their owners have given their specific consent -- is the key to effective anti-spam legislation.

Whatever the merits of Linford's and others' proposals, there's an important point to remember: None of the anti-spam laws passed so far has been effective, and that's not likely to change. Lots of spam includes opt-out instructions that don't work; the key is getting businesses to honor them. A do-not-mail registry would double as a free address registry for spammers based offshore. And requiring a physical address for the sender would, like any mandated identification system, make anonymous speech on the Net illegal. Just about everyone is against spam, but most people are for anonymous speech and its ability to let whistleblowers and other vulnerable people speak their minds. Existing and proposed legislation seriously threatens anonymity, raising legitimate worries about censorship.