New: Blog!

The Adventures of JStar88 on The Blue Marble

Recent Articles

Exploring with Google Earth Infomania
Prepared for Poker Online?
Digital Afterlife
The Terror of BitTorrent
Canada Ready for Emergency?
Blogging the Tsunami
My Top Ten Toronto Blogs
Phishing Gets Frightening
The Ultimate Head Game
Decoding the Coffee Genome
Trending Towards Biometrics
more...

Recent Projects

ChartAttack.com Year-End Poll
Including authentication system & sophisticated demographic reporting tools

KickInTheHead.com Messenger
Beta-verion of a MSN Instant Messenger tab service

Digital Youth
Integrated DY store with Moneris server for secure credit card transactions; Also, extensive revisions to site's framework.

Smart & Biggar
Extended Content Management System to include WYSIWYG HTML editor

Safer Schools
Created CMS for website

Intranet Development
Posted excerpt from recent book

Web Properties

KickInTheHead.com
For the Canadian music community.

MusicJoke.com
A music joke Compendium.

Contextual Ad Test

A shorter version of this article originally appeared in NOW Magazine's March 4, 2004 issue. It can be accessed at www.nowtoronto.com/issues/2004-03-04/goods_next.php
Defeating Spam: Why SPF instead of E-Postage?
By: Jeffrey Haas, © 2004. All Rights Reserved.

Bill Gates says Spam will not be a problem two years from now. He made this declaration while sharing his vision of an e-mail postage system at the World Economic Forum in Davos, Switzerland, earlier this year.

His theory is that the rising tsunami of junk e-mail would become a dribble if senders had to pay even a penny for each message they send.

Spammers typically go out hunting with a large shotgun, hoping that a few pieces of shot will hit targets in among the millions being fired. While the actual consumer response rate for these messages is incredibly low, that's not a factor in the economics of spam due to the negligible costs associated with sending torrents of e-mail.

Once a per-message charge is applied, however, non-commercial e-mailers like you and I won't suffer too badly from paying a cent each time we send an e-mail, but spammers would suddenly have a business model that sucks like a gaping chest wound.

Gates' proposal is more complicated than a simple flat levy per-email sent. He talked about several possible solutions, including the introduction of charge-backs when an e-mail recipient can cause the sender to pay if they deem a message to be spam. The finer details haven't been worked out yet, but it doesn't really matter as the Microsoft plan will never see the light of day.

For an e-mail postage system to work, there would need to be a system of clearing houses to process transactions and send electronic micro-payments to the appropriate accounts. This system could be centralized or distributed globally and still potentially function properly, but it would need to be integrated with one central point of authentication for the planet's e-mail senders.

To hold people accountable for e-mail they send, it's necessary to know who they are. An authentication system would ask for their user name and key (a password, pass phrase or biometric input) to make them prove to be who they claim they are. Once authenticated, all e-mail they send would include a digital signature and, perhaps, an electronic stamp.

Guess who has the largest, most ubiquitous and arguably best authentication system on the Internet? Yep, Microsoft.

Microsoft's Passport is used by some of the biggest web properties to authenticate their users. Hotmail, NASDAQ, E-Bay, McAfee and MSN Messenger use it, as do scores of others. Microsoft provides this service to a growing number of partners and would love to become the default Public Key Identity (PKI) infrastructure provider for Earth. Tying this line of business to all e-mail traffic that flows over the Internet would be a fait accompli Chairman Gates could claim as yet another legacy.

Terry Sullivan, a self-professed Independent Academic armed with a PhD in information science from the University of North Texas is a member of the Anti-Spam Research Group and thinks that the Microsoft idea is "terrible."

"E-mail is user-to-user, from e-mail server to e-mail server," he says. That's how e-mail works on a global scale. The idea that we're going to insert an intermediary layer and charge a fee or ask a question or require a DNA sample for users to have permission to send e-mail are schemes ultimately doomed to fail."

Sullivan believes Gates' plan "would cost more to implement than it would save" and that "it would essentially break e-mail" as we know it. Besides which, "Microsoft has made no secret of the fact they want to take the computer you bought and paid for and turn it into a metered utility."

Then what are the alternative solutions?

First, let's look at the technical root of the spam crisis.

Authentication is the primary problem with spam today. If we knew who the spammers genuinely were, then we could block their e-mail addresses - placing them on our collective "do not receive" black list - and never see another offer for Penis Enlargements or Viagra. But we can't because spammers forge the from and return addresses of their e-mails so they appear to come from other people.

The forging problem comes out of a weakness in the SMTP (Simple Mail Transfer Protocol) format which makes it a simple matter to send e-mail appearing to come from someone else (even bgates@microsoft.com). SMTP was created at the dawn of Internet time (1981), when there were a few thousand computers sending e-mail and there was little reason to fake an identity. Now that we have almost 700 millions users sharing the network, maybe the solution to the spam problem should be a SMTP fix?

That proposition leads to an interesting observation. Only one week before Gates was proselytizing at Davos, a gathering of almost 600 developers, lawyers and researchers from academia and industry were meeting at MIT's Spam Conference. Their primary topic of conversation was an anti-spam technology called SPF (Sender Permitted From), an open-standard SMTP extension that stops spam by rejecting e-mails coming from forged addresses.

Under SPF, the owner of a domain name specifies which IP addresses are authorized to send e-mail with their domain specified as a return address. That allows a recipient to look up the from domain name of an e-mail in the SPF Registry and determine its legitimacy. If all illegitimate e-mail is discarded, then spammers would need to broadcast from legitimate addresses. And once those addresses are known, it will be much easier to maintain accurate black lists.

Eric Raymond, outspoken anti-spam activist and president of the Open Source Initiative is a promoter of SPF, but warns that it "is not in itself a solution," but rather part of something larger. "Spam is like a plague. You can't stop it with any one technique. You can't stop it with any one defense. You need a combination of things like authentication, filtering and blacklisting."

That being said, he still thinks it's a much better solution than Gates'. "We don't trust the Microsoft solution," he says, as they will "turn it into [a] market control tactic."

The global roll-out of an open-source spam solution like SPF or some other modification (or replacement) of SMTP is far more likely to be the cure for what ails us than an e-mail postage system which would need a myriad of almost-unattainable approvals from businesses, academics, governments and standards bodies.

Finally, it's important to note that even e-mail postage will not stop spam altogether. Advertisers pay the post office to deliver all manner of flyers, and they'll pay Internet service providers to do the same. You are an impressionable audience and people will pay for your attention.