The threat of spam is no secret. Most people—even e-mail marketers—agree that it could make the e-mail medium effectively useless. The main problem with spam is economic: Sending a message is nearly free, but receiving it costs money in the form of network bandwidth, disk space, processing cycles and administrator time. Spam-filtering software and the administrative expertise to install it are also costs borne by recipients.
Spam filtering, however, often leads spammers to send even more e-mail, just to maintain the same number of messages seen by actual humans. After all, they are selling products, and spammers spam because spamming pays. We should look for a solution in shifting costs from recipients to spammers.
There are many anti-spam bills pending at both federal and state levels. Legislation may help, but it will never be enough. Enforcement is difficult because you can't sue someone you can't find and the Internet obeys no national boundaries. In addition, although outright fraud may be easy to identify, there is a large gray area of Internet scams that's harder to define.
Then there is technology. Filtering spam based on content, whether using heuristics, Bayesian classifiers or some other algorithm, does not shift costs. In particular, all such algorithms require the body of the message, so bandwidth and processing costs remain high.
Designated senders, which designate the Internet hosts that are allowed to claim to be a sender, have serious problems, notably with aliasing, but can sharply reduce some forms of fraud. However, they don't classify spam.
Real-time black-hole lists, or online tables of known spammers, are too dull a tool and are easily attacked.
Challenge/response shows some promise in terms of economics, but users find it confusing and often misunderstand the challenge messages. Challenge/response does have the effect of shifting costs back to the sender; to get around it, spammers can run their own incoming mail server and answer the challenges, some of which are hard for computers to solve.
To reduce the burden on legitimate senders, white-listing is required for trusted senders. Unfortunately, white lists can easily be spoofed, so hard authentication, such as cryptographic signatures, will be required.
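The spoofing problem with white lists, as an added example that is not from the original column: a white list keyed only on the From header accepts a forged message, while one that binds each entry to a key and checks a tag does not. The header name, the secret and the sample messages are constructed, and HMAC with a shared secret stands in for the public-key signatures the text has in mind.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed white list: sender address -> secret agreed out of band (assumption).
WHITELIST = {"alice@example.org": b"constructed-demo-secret"}
SIG_HEADER = "X-Demo-Signature"  # hypothetical header name, not a standard


def sender_of(msg):
    """Return the bare, lower-cased address from the From header."""
    return parseaddr(msg.get("From", ""))[1].lower()


def tag_for(sender, body, key):
    """HMAC-SHA256 over sender and body (replay protection is out of scope)."""
    return hmac.new(key, f"{sender}\n{body}".encode(), hashlib.sha256).hexdigest()


def make_message(sender, body, key=None):
    """Build a constructed sample message; add the tag only if a key is given."""
    headers = [f"From: {sender}", "Subject: hello"]
    if key is not None:
        headers.append(f"{SIG_HEADER}: {tag_for(sender, body, key)}")
    return "\n".join(headers) + "\n\n" + body


def naive_whitelisted(raw):
    """Spoofable check: trusts the From header, which any sender can set."""
    return sender_of(message_from_string(raw)) in WHITELIST


def authenticated_whitelisted(raw):
    """Accept only if the sender is listed AND the tag verifies under its key."""
    msg = message_from_string(raw)
    sender = sender_of(msg)
    key = WHITELIST.get(sender)
    if key is None:
        return False
    expected = tag_for(sender, msg.get_payload(), key).encode()
    presented = str(msg.get(SIG_HEADER, "")).encode("utf-8", "replace")
    return hmac.compare_digest(expected, presented)
```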
The long-term solution to spam is something like a white-list-based system that makes the sender pay more to send mail to an address that hasn't white-listed the sender. We need a solution that is fair to everyone, receivers and legitimate senders included. It's worth the effort because the future of e-mail depends on it.
Eric Allman is chief technology officer of Sendmail Inc. and the creator of the Sendmail system. Free Spectrum is a forum for the IT community and welcomes contributions. Send comments to firstname.lastname@example.org.