ATTN: Ryan Hamlin
RE: The Coordinated Spam Reduction Initiative
A Technology and Policy Proposal
Microsoft Corporation
Published: February 13, 2004
First, we want to express our support and thanks to you, your group, and Microsoft Corp. for your efforts to define a method of defeating spam mail and making your deliberations open to industry feedback. This is undoubtedly a well thought out proposal as indicated by the detail of the specifications.
Unfortunately, because of the concerns over disclosure of intellectual property and our current patent application, we will not be able to discuss technical details of the proposal. However, we do believe that we can contribute to the discussion by addressing the main points of the proposal.
As we understand it, the proposal consists of three measures used in a "virtuous circle" for blocking spam e-mail: Mail Filters, Non-spammer Evidence, and a version of Caller ID. We will address these three categories one at a time.
Reference listings appear at the end of this document and are indicated in the body using brackets ([n]).
RESPONSE:
Mail Filters
No discussion about spam mail should begin without a clear understanding of what spam mail is. Many have defined spam as Unsolicited Bulk E-mail (UBE). Others have defined it as Unsolicited Commercial E-Mail (UCE). These definitions beg the questions: What is meant by "bulk" and what is meant by "commercial"? Can one message be spam if it's commercial? Are two messages "bulk"? Is anything that's unsolicited spam? If the trade has a hard time answering these questions, how are filters going to do it?
Mail filters have been the first out-of-the-box response to the spam problem. Unfortunately, these filters with their potential for false positives, no matter how sophisticated, are a mixed blessing and the scourge of legitimate business promotion. For instance, ImagineNation has stopped sending a very informative e-commerce newsletter because, at last attempt in October of 2003, over 30% of messages were being returned as undeliverable. This had been a well purged and edited mail list in use for over three years with typical returns running well below 5%. When we contacted some of our clients about the failed deliveries, they were outraged. Some clients complained to their ISP and adjustments were made to the filters but we soon realized that much of the effort to improve delivery and educate ISPs would fall to us. We threw in the towel!
In an article last fall, Digital Impact and Harris Interactive [1] reported on a consumer survey of Internet users. Results showed that consumers could clearly distinguish between spam and legitimate e-mail marketing. The problem is, can filters do the same?
A Computer Internet Advisory Information Bulletin of the US Department of Energy points up some of the pitfalls of filtering [2].
The point here is that ISPs often set filtering criteria at the server and even when e-mail recipients set the criteria at the inbox, the recipients do not have a good insight as to the consequences. We suspect that if you ask an e-mail recipient if they would rather receive 100 spam messages and one legitimate message or lose all of the messages, they would elect to receive all of the messages, spam notwithstanding. Sadly, many recipients do not know if the filters are discarding important messages. We see many of the filtering techniques as the equivalent of your postman standing at your mailbox, reading your mail and deciding which letters he'll let you have. Therefore, we see filtering as only a stopgap measure in the fight against spam mail.
On the other hand, mail sorters, which you describe as used for classifying mail, are a desirable client utility. These sorters categorize the mail and deposit the messages in appropriate mailboxes. We see this as a positive service to clients since no mail is lost and the client can see what is happening and possibly adjust the sorting criteria.
Part of the justification in the proposal for filters is based on the premise that mail filters will decrease spam mail. The opposite appears to be true. Spam mail is on the rise in spite of filters. In fact, it is our contention that filters encourage the increase of spam mail as spammers send greater quantities of messages in an effort to get some of them through to the intended recipient. Even if we could assume that spam reaching the mailbox is diminishing, the evidence is that spam continues to rise with the consequent impact of more, not less, Internet traffic. See for instance an article on the bounce-back rate at Internet Retailer [3].
Our conclusion is that, in light of potential alternatives, mail filtering as currently implemented, without the direct control of the mail recipient or not simple enough to be completely understood as to consequences, is not a good idea and should not become a part of any specification for solving the spam problem. An interesting survey summary of consumer attitudes and definitions of spam and the efforts to block spam mail is available from an ePrivacy Group and Ponemon Institute Study [4].
Non-spammer Evidence
There is no doubt that it would be very desirable to somehow positively distinguish between a spammer and a legitimate e-mail sender. If this could be done, all of us could rest easy. However, this appears to be the most problematic portion of the proposal as evidenced by the somewhat convoluted implementation.
There is good evidence that the e-mail recipient, as indicated in the ePrivacy Group and Ponemon Institute Study [4], is good at spotting a spammer, at least according to an individual's own definition of what spamming is. Unfortunately, we're not sure we are equally as good!
In our opinion, any policy initiative for separating the good guys from the bad is in effect a political initiative subject to the vagaries of personal opinion and vested interest. The proposal does not make clear how a policy initiative applies to the individual sender of e-mail and, as Microsoft has experienced, certification, such as the issuance of SSL certificates, is not immune from distortions potentially brought about by the pursuit of economic gain. This kind of favoring of the big guy over the little guy is not likely to go down well with the Internet community.
This proposal for spam reduction makes the case against a policy initiative better than we can by suggesting an alternative approach of economic disincentives to avoid creating classes of users. An ePrivacy Group article on the Economics of Spam [5] is informative in this regard.
The economic disincentive in fact is one that has been suggested by your own chairman, Mr. William Gates, in a talk given at a recent World Economic Forum [6]. He goes on to suggest what some have called hashcash as one way to impose cost on senders of e-mail. Hashcash is the use of computing time rather than real money to make a sending server pay a price for sending messages. It is a concept that has been put forth from time to time but has never gained much traction. We ourselves see this as a somewhat gimmicky approach to implementing a fee-based system and take issue with the premises used in the proposal that states:
"....computers of a majority of smaller organizations are typically lightly loaded. These computers have lots of "wasted" CPU cycles: on average, the microprocessors in these computers have almost nothing to do. On the other hand, the same is not true of the computers used by those whose large volumes of spam: their computers are busy almost 100% of the time doing the work of sending out their millions of messages."
While the premise has a certain intuitive appeal, it's not evident to us that this is a valid assumption. One could argue that large organizations have better and faster computers that are no more loaded than those of smaller organizations.
That having been said, and assuming throughout that by "senders" the proposal is referring to e-mail servers and not originators or intended recipients of e-mail messages, we do not believe it is in the general interest of the enterprise to create a situation in which significantly greater computing resources are required of any portion of the e-mail system. Actions like this go against the grain of encouraging efficiency.
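The cost asymmetry under discussion can be seen in a small sketch, added here as an illustration and not taken from the proposal or from any eMstamp material. It mints and checks a stamp laid out in the style of hashcash version 1 (SHA-1 with a required number of leading zero bits); the recipient address, date and salt are constructed values.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def mint(resource: str, bits: int, date: str = "040213",
         salt: str = "c29uc3RydWN0ZWQ"):
    """Sender side: search for a counter that yields `bits` leading zeros.

    Expected work is about 2**bits hashes. date and salt are constructed
    sample values; a real sender would use today's date and a random salt.
    Returns the stamp and the number of hashes tried.
    """
    prefix = f"1:{bits}:{date}:{resource}::{salt}:"
    for counter in count():
        stamp = prefix + format(counter, "x")
        digest = hashlib.sha1(stamp.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1

def verify(stamp: str, resource: str, min_bits: int) -> bool:
    """Receiver side: one hash, whatever the sender had to spend.

    A deployed verifier would also reject stale dates and stamps it has
    already seen; both checks are left out of this sketch.
    """
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1" or fields[3] != resource:
        return False
    if not fields[1].isdigit() or int(fields[1]) < min_bits:
        return False
    digest = hashlib.sha1(stamp.encode()).digest()
    return leading_zero_bits(digest) >= int(fields[1])

if __name__ == "__main__":
    stamp, tries = mint("alice@example.com", 16)
    print(stamp, "minted after", tries, "hashes")
    print("accepted:", verify(stamp, "alice@example.com", 16))
```

Each additional required bit doubles the sender's expected work per message while the receiver's check stays at a single hash.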
We think this proposal as well as others has too quickly discounted the ability to use a cash disincentive to sending spam mail. The proposal correctly asks five legitimate questions regarding a real money, fee-based system. However, we can infer from the questions, the answers to which are referred to as "a daunting challenge", that the proposal has not considered all of the possibilities. There are fee-based solutions. Forrester Research has a study available on "the Real Answer to the Spam Problem" [7] that discusses a fee-based method. And we have a solution that we're recommending.
Unfortunately, because of your caveat regarding intellectual property and for our own protection, we cannot go into details at this time. Suffice it to say that we have filed for patent protection on a method and means called eMstamp [8] which:
» simplifies a fee based e-mail system
» is entirely transparent to originators and intended recipients of messages
» uses very little additional communication resources
» functions within existing SMTP protocols
» provides benefits not heretofore contemplated
A couple of the benefits from our eMstamp system are that it allows users to set a numerical privacy level for their mailboxes and it stops invaders from spreading Trojan horse mail viruses using the victim's mail list and a built-in mailer.
The privacy level setting is especially interesting because by simply setting a numerical value, the e-mail recipient can dictate how many monetary credits are required of the sender to effect delivery to their individual mailboxes. Spammers sending millions of messages will be reluctant to commit to the cost of delivering to high privacy boxes. Since we envision a basic cost of say 1/10 cent per message, private messaging and legitimate enterprises should have no problem funding the outgoing server. In fact, since servers can reuse credits from incoming mail, the only real cost will fall to servers sending more mail than is received. That is: only spammer servers will experience the economic disincentive. Other servers may actually earn income.
Caller ID
There is no doubt that domain spoofing is a major problem, especially onerous when used with hijacked e-mail addresses and the phishing type of e-mail fraud.
Phishing is a term coined to describe the process of making an e-mail message appear to originate from a legitimate business in order to induce the recipient to visit the fraudulent business site and provide private information such as a credit card or social security number [9]. The site in question often mimics the legitimate business site. A linked URL in the message will use the legitimate domain name followed by an at sign (@) with the bogus site domain name appended. This linking technique will take the recipient to the bogus site even though, when viewing the link, unknowledgeable viewers will mistakenly believe they are going to the legitimate site.
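A mail gateway or client can catch the "@" link form described above by parsing each link and comparing the text before the "@" with the host the client will actually contact. The following is an added example, not part of the original letter; the message body and all domain names are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# A string shaped like a DNS name, e.g. "www.example-bank.com".
HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)
HREF = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def inspect_link(url):
    """Report whether a URL's userinfo part imitates a host name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()          # where the client connects
    decoy = unquote(parts.username or "").lower()  # text before the "@"
    return {
        "url": url,
        "host": host,
        "decoy": decoy,
        "has_userinfo": "@" in parts.netloc,
        # Flag only when the userinfo looks like a domain other than the host.
        "suspicious": bool(HOSTLIKE.match(decoy)) and decoy != host,
    }

def flag_links(html):
    """Return the inspection records for every suspicious href in a message."""
    return [r for r in map(inspect_link, HREF.findall(html)) if r["suspicious"]]

# Constructed sample message body with one decoy link and two ordinary links.
SAMPLE_MESSAGE = """
<p>Your account needs attention.
<a href="http://www.example-bank.com@login.example.net/verify">Sign in</a></p>
<p><a href="https://www.example-bank.com/help">Help pages</a></p>
<p><a href="ftp://user@files.example.org/pub/">Downloads</a></p>
"""

if __name__ == "__main__":
    for hit in flag_links(SAMPLE_MESSAGE):
        print(f"{hit['url']}: shows {hit['decoy']} but connects to {hit['host']}")
```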
Given this kind of criminal activity and other deceptions related to domain spoofing, we fully concur that any e-mail spam solution must include some way to verify e-mail origins. The proposal suggests a type of caller ID for this verification. Caller ID, as the proposal has so carefully detailed, would indeed provide a solution. Unfortunately, caller ID goes beyond the scope of sender verification and seeks to implement sender identification. Caller ID in fact could form the basis for litigation against abusers of the e-mail system and necessarily must invoke complex mechanisms to cope with the variety of mail services such as list servers, relays, etc. In some instances caller ID may have to resort to alternate protocols to achieve verification. It is our opinion that such complexity and specificity will not serve the enterprise well nor is it necessary.
The objective is for a coordinated spam reduction initiative. Identifying the sender isn't a necessary element for reducing spam. Simply verifying that senders are members of a legitimate e-mail enterprise by verifying that they are using legitimate mail servers is adequate. Enterprise members may interpret the caller ID part of the proposal as creating a complex e-mail system for positively identifying the originating organization and providing the possibility of litigation against senders. This complexity combined with a potential social initiative will naturally have a detrimental effect on the implementation of the entire proposal and may reflect badly on any organization supporting it.
Caller ID has appeal because it allows people to assign blame. However, we think a more appropriate approach to reducing spam is to eliminate the incentives for engaging in this bad behavior. That way policing becomes unnecessary. Unfortunately, as this proposal stands, caller ID is a necessary part of the initiative, forming a "virtuous circle".
IN SUMMARY:
While we recognize that this proposal is a dedicated attempt to solve a thorny problem, we don't think the objectives can be met without considerable effort, complexity, and unforeseen and unintended consequences. Without doubt, we have a vested interest in an alternative, fee-based solution to the spam problem but this isn't our only agenda. We too would just like to see the spam problem go away. However, it's well known that economic incentives and disincentives, when they can be reasonably implemented, can provide simple solutions to incredibly complex problems. In this context, an excellent overview of the spam situation and an economic solution is available in pdf form from the Pacific Research Institute [10].
We also recognize that without going into specific details of our own initiative, it is difficult to be credible with a responsible audience, especially when the solution we are suggesting is inherently simple. At ImagineNation we have a saying: The best ideas become obvious in the telling!
Since we all have an interest in solving the spam problem, it is our hope that you can establish a mechanism where we can more fully disclose our invention and enter into discussions concerning its implementation.
Thank you very much for your kind attention.
Melville G Davey
Melville G Davey III
ImagineNation Inc.
REFERENCES:
[1] Digital Impact and Harris Interactive article:
http://www.internetretailer.com/dailyNews.asp?id=7665
[2] Computer Internet Advisory Information Bulletin of the US Department of Energy
http://ciac.llnl.gov/ciac/bulletins/i-005c.shtml
[3] Bounce-back rate article based on DoubleClick information
http://www.internetretailer.com/dailyNews.asp?id=7692
[4] ePrivacy Group and Ponemon Institute Study:
http://www.eprivacygroup.net/spamstudy/
[5] ePrivacy Group, The Economics of Spam
http://www.eprivacygroup.com/article/articlestatic/58/1/6
[6] Report on W. Gates talk at World Economic Forum
http://www.internetretailer.com/dailyNews.asp?id=11175
[7] The Real Answer To The Spam Problem
http://www.forrester.com/ER/Research/Brief/Excerpt/0,1317,33324,00.html
[8] eMstamp System Website
http://eMstamp.org
[9] Phishing
http://www.internetretailer.com/dailyNews.asp?id=11317
[10] An Economic Solution, Pacific Research Institute
http://www.pacificresearch.org/pub/sab/techno/2004/spam01-26-04.pdf