Your professional spammer can send out millions of e-mail messages for a trivial amount of cash. All it takes is an unscrupulous spammer, an ISP that doesnt care, and a list of addresses. While almost everyone on the receiving end of these messages consider this a problem, theres no reason for the spammer to be discriminating in sending out their e-mails. The marginal cost of adding another address in the list is as close to zero as anything gets in the commercial world.
For this reason, a number of Internet observers have proposed that there be a cost associated with sending e-mail. The first way I heard this cost structure proposed was in the form of a tax on sending an e-mail. But whoever would charge (or collects) these fees wouldnt matter: the cost would be so minimal few real users would notice the cost.
For example, suppose it cost one percent of a penny to send a message and you send 100 e-mails a day. I doubt you do, but its a nice round number. That rate would cost you a penny a day, working out to all of $3.65 per year. Whoa!
On the other hand, if youre a spammer sending out a million messages a day, it will cost $100. Thats actually a pretty big increase in costs for spammers, but maybe its not enough to stop the current flood of mail. The tax that might make a difference to spammers would need to be on the order of a tenth of a cent.
Regardless, the specific amount really doesnt matter, because theres no way to implement such a system—or no practical way without ripping out and replacing the worlds e-mail infrastructure, which only happens in technology columns and science fiction novels. Even if we assume that authentication were mandatory for SMTP perhaps through new protocols like Authenticated Mail Transfer Protocol,) there are a large number of difficult, even impossible problems with any Sender Pays scheme.
Here are the top three roadblocks:
Number 1: The Internet, in case you havent noticed, is an international network. People in Belarus and Myanmar can send e-mail to folks anywhere else, such as here in the States. So implementing Sender Pays would require an international treaty. (Perhaps we can add Sender Pays to the Geneva Convention and make spamming a war crime?)
Number 2: Micropayments remain a problem. Conducting a payment on the Internet has an associated cost, so charging three cents for a transaction becomes a losing proposition.
In addition, payment systems would have to be set up so that innocent parties wouldnt be stuck covering the cost of other persons e-mails. Probably everyone would have to pay some amount in advance to cover the mail we might send.
Number 3: Finally, by adding a cost to a message, Sender Pays would certainly impact the free e-mail business. Such services would have to decide whether to pass the costs along or pick up the tab. I wonder how many messages are sent through Hotmail and what the cost to Microsoft would be if they were to absorb the micropayments. Of course, the resulting elimination of spam could result in a large cost savings to services like Hotmail. Their costs for bandwidth would go down. But would it be enough to cover the tax? Hard to say.
Heres another interesting problem: allegations have been made that there are Internet worms and other attacks that create an open proxy for spammers on an infected system (I admit, however, that I have seen no convincing proof of this). In other words, inside the worm is an SMTP server (a normal part of such worms these days) and a secret remote interface that allows a spammer to use the infected system to send mail. While this particular form of hijacking is built on old-fashioned SMTP, it would still suggest that Sender Pays will require that we first solve the open proxy problem—yet another difficult issue.
Sender Pays is a great theory for big thinkers who dont sweat the details. Realistically, its better as an example of how intractable the spam problem is, since all the good theoretical solutions are impractical to implement. The best we can do now is to mitigate the problem and dutifully check our spam filters.
Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer