Many people have made the suggestion, without a whole lot of thought behind it, that we could solve the spam problem with a “sender pays” scheme. Just as with snail mail, the sender of an e-mail should pay a “postage” fee. It needn't be large; even a fraction of a penny would change the economics of spam to make it impractical.
These observers don't often move to the next obvious step of the proposal: Given that the e-mail infrastructure of the Internet doesn't provide for such payments, or even an authentication system to determine who actually sent a message, how would they implement postage? I've written about this myself in the past. Such petty details are not the concern of big thinkers, I guess.
Microsoft Research has come up with a different angle on the idea of postage. Their “Penny Black” project describes a system wherein the recipient of a mail message requires that the sender perform some computational task and report on the results. The task needn't be meaningful, but it needs to be nontrivial. The basic idea of the proposal is that sending 1,000,000 messages will cost the sender a lot in terms of computing time. The project is named after the Penny Black postage stamp, which revolutionized snail mail after it was introduced to the British postal system in the 1830s.
Before I explain more about how it works and how cool it is, I'll point out that there are two main problems with the idea. First, it does little (or, depending on your point of view, nothing) to stop the use of hijacked open-proxy systems for sending spam. (These are systems infected, typically with a worm like SoBig that allows a spammer to take remote control and send spam.) Second, it's not a replacement for an authentication system like Sender Policy Framework or caller ID or Yahoo's Domain Keys, and in an environment where one or more of those schemes are implemented, Penny Black loses most of its appeal.
Tripping up spammers
But, ignoring those (ahem) minor issues, Penny Black is really a slick idea. The compute payment would only apply to senders you don't know, so it should not bother you or your regular correspondents. When you, the recipient, receive a message from me, the sender, and I'm not on your whitelist, you send me a computational puzzle to solve. There's enough randomization involved that I really do have to solve the puzzle on a case-by-case basis. Only when I send you the correct result will you accept the message from me. If the computation is complex enough, it will take far longer to send large numbers of unsolicited messages than it does now, throwing a monkey wrench into the economics of spam.
The nature of the problem that the sender has to solve is central to the idea of Penny Black. The problem isn't a classic problem-solving computation; it is a problem designed to take a particular amount of time, no matter the speed of the CPU. So when they say there is a cost in computing time, they mean it. Microsoft is specifically proposing “about 10 seconds” of compute power. That would mean a 10-second delay for the sender on his or her system. (I'm assuming that with task prioritization this needn't be a system-modal 10 seconds in which nothing else is happening but that it will consume 10 seconds of the CPU over some period of time.)
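The challenge-and-response exchange described above, sketched as an added example that is not Microsoft's code or the Penny Black design itself. It swaps in a CPU-bound SHA-256 partial-preimage puzzle, so unlike the puzzle described here its cost does vary with CPU speed; the names, the HMAC-bound challenge format and the 16-bit difficulty are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DIFFICULTY_BITS = 16  # assumed work factor, far below the ~10 s the page cites

def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def work(challenge, answer):
    """Score an answer: zero bits at the front of SHA-256(challenge || answer)."""
    return leading_zero_bits(hashlib.sha256(challenge + answer).digest())

def solve(challenge, bits=DIFFICULTY_BITS):
    """Sender side: brute-force search, about 2**bits hashes on average."""
    counter = 0
    while work(challenge, counter.to_bytes(8, "big")) < bits:
        counter += 1
    return counter.to_bytes(8, "big")

class Recipient:
    """Recipient side: challenge unknown senders, verify with one hash."""

    def __init__(self, whitelist):
        self.whitelist = set(whitelist)
        self.key = os.urandom(32)  # secret that authenticates our challenges
        self.spent = set()         # redeemed challenges, to block replay

    def _tag(self, salt, sender, msg_id):
        data = salt + sender.encode() + b"\0" + msg_id.encode()
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def challenge(self, sender, msg_id):
        # Random salt per message: no solution can be precomputed or shared.
        salt = os.urandom(16)
        return salt + self._tag(salt, sender, msg_id)

    def accept(self, sender, msg_id, challenge=None, answer=None):
        if sender in self.whitelist:
            return True            # known correspondents pay nothing
        if not challenge or not answer or challenge in self.spent:
            return False
        salt, tag = challenge[:16], challenge[16:]
        if not hmac.compare_digest(tag, self._tag(salt, sender, msg_id)):
            return False           # forged, or issued for another message
        if work(challenge, answer) < DIFFICULTY_BITS:
            return False           # the sender did not do the work
        self.spent.add(challenge)
        return True
```

Because the tag binds each challenge to one sender and one message, the recipient keeps no per-challenge state until a solution is redeemed, and a solved puzzle cannot be reused for a second message.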
There are 60*60*24=86,400 seconds in a day. Divided by 10 seconds, that means that one CPU could send no more than 8,640 messages per day. Of course, the real number is less than that because the CPU will have more to do than just Penny Black problems. Microsoft says that spammers would have to invest heavily in CPU resources, and the company is betting they can't. By the way, this 10-second figure is only a proposal and would certainly have to be agreed upon by the community at large.
Let's think about it another way: Right now the cost to send 1 million e-mails is between trivial and nothing. 1,000,000 divided by 8,640 equals just less than 116, so the cost under a Penny Black system is more than 115 CPU days. That's nontrivial.
Thoughts from Microsoft Research
I asked Microsoft about the problem I mentioned above with respect to hijacked open-proxy systems, and I got this response from Ted Wobber and Cynthia Dwork, both senior researchers at Microsoft Research, Silicon Valley:
Both are good points, but are they good enough? I'm pretty sure that most users infected long-term with worms like SoBig are oblivious to such problems and will take their compute-power beating with a virtual “Thank you sir, may I have another.” But Wobber and Dwork are right when they say that if the postage is high enough, these systems won't be able to send anywhere near as much spam.
But what's the point of all this when authentication systems are far easier to implement? Unlike Penny Black, they don't require any changes to the user mail software. Let's assume that authentication systems do authenticate properly. They still leave the possibility of spammers sending spam from authenticated systems without all the spoofing they currently use. Authentication advocates (that's me, folks) generally presume that some such spam would get through, but that reputation systems would quickly pick up on authenticated spammer domains and get the word out on them. Penny Black could then be a useful alternative to stop such spam from being practical.
I'm a big fan of authentication, in large part because it requires no changes at all in the client software, as Penny Black does. So even though Penny Black makes authentication work better, I can't get too excited about it. It would be hard to get all the server changes invoked to make authentication work. Getting Penny Black to work requires a brain transplant on the whole e-mail infrastructure. Whatever its merit, it's right up there in likelihood with pigs flying, Castro declaring free elections and a Cubs-Red Sox World Series.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.