GoogleIt Mail IT Print IT PermaLinkTaking It Easy At Lotusphere - And A Rant About Economic Spam Solutions
11:48:23 PM

After yesterday's bout with apparent food poisoning, I took it slow today. I kept the walking back and forth between hotels to a minimum, went to a few sessions, visited a few labs, visited a few booths on the show floor, talked to a few people, went to the Penumbra suite, to the JamFest, and back to the Penumbra suite for a bit more, and finally back to my room. I drank only water and powerade, and I ate next to nothing. I had a soft pretzel, a few vegetable sticks, a few crackers, and one piece of cheese (which I wasn't supposed to, but you got to take some risks!). That's in the 36 hours since lunch yesterday. If only they could bottle whatever it is that suppresses the appetite after a nasty bug like this. It's amazingly effective. I'm not in the least bit hungry.

The most worked up that I got today was in the Innovations Lab, a.k.a. IBM Research lab. I was talking to the fellow who was there to show off SpamGuru, and we got to talking about various other anti-spam technologies that IBM was looking into, and he mentioned "economic methods". That set me off. I'll talk about this briefly during the session on Wednesday, but we're going to be rushed and I won't be able to do it justice, so let me tell you why the first words out of my mouth when the IBMer said "economic methods" were "that's a non-starter", and why I went off on a bit of a rant to back up my position.

In the anti-spam community, "economic models" means "pay-to-send". For the life of me, I can't figure out why anyone thinks that these types of systems can ever be implemented, or that they can do any good, but there are two basic ideas that some researchers are indeed looking at. One idea is that the sender of a message must pay in computer time, by solving some sort of computational puzzle in response to a challenge from the receiving server before the mail will be accepted. This "computational tax", supposedly, slows down the sending machine, making it hard for spammers to achieve the volume that they need. The second form of pay-to-send involves paying postage (i.e., real money), or promising to do so at least until the the recipient waives the payment requirement upon confirming that the mail message wasn't spam. The problem with both of these models is this: spammers are criminals.

That spammers are criminals was true before the CAN-SPAM act, and it remains true today. They were criminals before CAN-SPAM because there is some form of fraud associated with just about everything that has ever been sold via spam. Furthermore, spammere were stealing computer resources. Spammers don't use their own computer time to send their spam, so all that a computational tax will do is force spammer to steal more computer time, and that's not really a big problem for them. It won't be a big problem for them until virtually all of the hundreds of millions of computers around the world are running fundamentally secure application software on a fundamentally secure operating system, and the day when that will be true is nowhere near in sight.

As for postage, what will happen is that the bills will go to the same innocent victims whose computers are being hijacked to send spam today. I am as certain of this as any I am of any prediction I have ever made about anything in my lfe. If a spammer can take over a computer, then we know that that computer is fundamentally insecure, and there is no reason at all that we can presume that the spammer won't also gain access to whatever account is used on that computer to pay postage.

This page has been accessed 227 times. .
Comments :v

1. Chris Linfoot01/24/2006 04:08:54 AM

As usual, you are right. My take on this issue is unchanged.

- Spam will not be solved by market forces.
- It will not be solved by legislation.
- It can be very significantly mitigated by technological approaches, most of which do not need to be complex.
- However, it will only be solved, as you say, when virtually all of the hundreds of millions of computers around the world are running fundamentally secure application software on a fundamentally secure operating system.

Is that day nowhere near in sight? No. It's worse than that. It will never happen.

2. Jon Johnston01/24/2006 10:10:33 PM

You go, Rich! I think the only reason someone has this idea in their head is that they work for a large corporation that wants to be the one (or part of) that gets to control the payment of the "economic solution".

Enter Comments^

Email addresses provided are not made available on this site.

You can use UUB Code in your posts.

[b]bold[/b]  [i]italic[/i]  [u]underline[/u]  [s]strikethrough[/s]

URL's will be automatically converted to Links

:-x :cry: :laugh: :-( :cool: :huh: :-) :angry: :-D ;-) :-p :grin: :rolleyes: :-\ :emb: :lips: :-o
bold italic underline Strikethrough

Remember me    

Monthly Archive
Responses Elsewhere

About The Schwartz


All opinions expressed here are my own, and do not represent positions of my employer.