2008-02-16
The only way you can stop spam with money
The corollary of the funding capture issue is that the only way for an anti-spam scheme involving money to work is for the people receiving email to pay for it; only then are the economic interests kept aligned. Naturally this is not very popular with people getting spammed, which helps to explain the enduring popularity of proposed schemes where someone else pays.
Unfortunately, this creates a perverse incentive that's familiar from the anti-virus world: if spam goes away, so do the anti-spam organizations. Their continued existence is in practice based on the very thing they are theoretically supposed to make ineffectual, and it helps them when this thing is seen as a big menace.
(Thus I am not sure I trust various anti-spam vendors' numbers for spam volume. Regrettably, their scary figures do roughly agree with my own back-of-the-envelope numbers.)
The good news is that I'm pretty convinced that the perverse incentive isn't very big so far, which is also bad news because it means that the overall spam problem really is that bad. And I don't believe it's going to get better any time soon, especially since the future of spam is likely to be hard to stop.
(Arguably the virus writers used to be encouraged by the publicity that anti-virus companies gave them, but spammers have been driven by money right from the start.)
2008-02-09
The other reason certified email won't solve the spam problem
The other problem with certified email as a way to solve the spam problem is a basic idea:
People don't pay for what they don't need.
So ask yourself: who actually needs to pay for a certification that their email isn't spam?
Significant sources of good email certainly don't need to pay; people already want email from them and will raise heck if stuff starts getting blocked. No one can afford to block GMail, for example.
There's some motivation for smaller sources of good email to pay up, but this only works if big ISPs and email providers do anything with the certification, which is unlikely. And even if it works, the smaller sources are going to feel that they're being held to ransom, since they have to pay for something that the big sources don't.
There's a big motivation for senders of unsolicited email to pay up, since people they're sending it to don't know to complain to their ISPs if it doesn't arrive. However, this is the sort of email that gets the most complaints and winds up being the least wanted overall.
(Some of it will be genuine spam from genuine spammers; some will just be newsletters or helpful notices or the like that people forgot about, no longer want, or didn't realize that they were signing up to.)
Or in short: the people who most need their email certified as good are the people whose email has the highest chance of being unwanted. This does not exactly create a strong motivation for people to accept the certification.
2008-02-02
Why certified/authenticated email cannot solve spam
There are a number of schemes for dealing with spam that boil down to 'people will get SSL certificates, you only accept email with a valid certificate, and if people still spam the certificate authority will revoke their certificate'. There is a simple, core problem with these schemes:
Certificate revocation never works.
Certificate authorities are paid by the people who they issue certificates to, not by the people accepting those certificates. The people who provide the money do not want their certificates revoked, and so it is not in the economic interests of the CAs to revoke certificates. So they don't. Oh, they always have reasons, and sometimes they are pushed to revoke a certificate or two to keep their business rolling in, but that's it.
(The other problem is that revoking certificates does not make the CA any money; it is a cost center, not a profit center. And any organization spends as little on cost centers as they can get away with, which means that cost centers inevitably work badly.)
The same is true of schemes for email authentication. In practice, pretty much the only time that a certificate is going to get revoked is if it was issued to the wrong organization. If it was merely 'misused' inside the organization, that's an internal matter for the organization, not something that the CA will get involved in.
(This entirely ignores all of the practical problems with certificate revocation, which are highly non-trivial.)