November 11, 2003

Another can of spam

Over at CircleID today is an article that reflects what I was saying recently on how branding is the solution to spam. In essence, someone else needs to assure you that the sender is not a spammer; the sender needs to have placed some sort of collateral at risk if they do spam; the collateral needs to be sufficiently large to make spam uneconomic; and the number of “someone elses” doing the assurance needs to be modest (otherwise we haven’t solved the problem if every message requires me to authorize the sender).

My proposal was that your ISP is the natural assurer that the sender is kosher. You (or a delegate) maintain a list of whitelisted ISPs. CircleID’s proposal is that the mail server is the source of assurance. Every mail server comes with a unique key; every mail server is paid for; the supplier of the mailserver maintains the whitelist of kosher mailservers.

This alternative system delivers the trust assurance into the hands of Microsoft and IBM. You trust the source of an email to be correct and non-spamming because the Microsoft brand makes you believe in their whitelist. Your ISP isn’t adding value over and above operating the system on behalf of Microsoft. Free open source software is neutered, because the very act of not having to pay eliminates any associated economic incentive not to abuse the product — there’s no excommunication event for spammers using Sendmail.

CircleID goes one step further and suggests that only recipients with a mail server from the same vendor will be able to use the filter, delivering a near-instant monopoly to Microsoft because of the network effect.

The problem with making the mailserver supplier the center of trust is that it is a one-size-fits-all solution. What may be spam to you might be perfectly legitimate to me. It is also not an exclusionary business in the same way that operating systems are. Hosting multiple OS’s and learning how to use them is a significant barrier to end users, hence the Windows monopoly. Adding multiple trusted sender assertions to an email is not an issue — the receiving mail server and client deal with it on behalf of the user. So maybe some hybrid approach will emerge.

My suspicion is that telcos have never even thought of decomposing where value comes from in communications, and which parts of the value chain they want to be in. They aren’t even aware that third parties are about to nibble at their lunch. They don’t know what their brands are supposed to be asserting to the user. Am I promising you clear unsullied personal connectivity at the IP layer or the application layer?

There is no reason your ISP has to be your access provider. My email server and hosted web space can be bought from anyone. (This subtle distinction is often lost — ISP is often used synonymously with access provider.) Access is slowly becoming cheap, fast and easily substituted. But the trust you place in a third party to filter your communications to only things of interest is not easily substituted. It’s like wanting to marry a second wife on a trial basis before you divorce the first one. The world just doesn’t work that way.

Whether it is ISPs or software platform vendors that capture the trusted intermediary role, the telcos lose either way.

Posted by Martin Geddes at 11:53 AM
Comments

I like your site. What if, instead of asserting whether an email is spam, or whether the sender is a spammer or not, the mail server simply asserts the identity of the sender, or at least that the From: address is valid, or was valid at the time the mail was sent (which it can determine from AUTH SMTP and other ways at the time). Then, the recipients decide what action to take based on that sender, using whatever schemes/services they like. Spammers rely on anonymity and hiding their actual source/servers. Having a middle-man (like the ISP) decide who is a spammer and who isn't has problems, as you describe (the one size fits all issue, among others). However, what the ISP can assert is the validity of the sender address/host/account/username. This does not prohibit anonymous emails, but if you elect to be anonymous, you accept that some recipients may not accept your mail.

Posted by: at November 13, 2003 11:29 AM

Following on from above, which I think is only half way there... sure you can get the ISP to authenticate you, but what is to stop a spammer from having, or making new identities, each identity being perfectly validatable? The identity must have a cost associated with it, regardless of whether access control (authorisation) is central or end-user. And if identities have a cost, then we are back to having a brand - brands are just identities that have a value, to the point where vast sums of money are invested in maintaining the value of an identity.

Posted by: at November 18, 2003 06:28 AM

The Register has a nice little summary (http://www.theregister.co.uk/content/55/34063.html) of an article (http://www.telusinternational.com/Download/spam.pdf) on the Economics of spam by Andrew Leung. The argument being that the cost of sending is so low that you only need 1 in a million click throughs to make it all work. Of course if the cost of spamming could be raised...

Posted by: at November 19, 2003 04:51 AM