Payments as an answer to spam

Joseph Ashwood ashwood at msn.com
Tue May 13 15:28:27 EDT 2003


----- Original Message ----- 
From: "Ian Grigg" <iang at systemics.com>
Subject: Payments as an answer to spam


> "McMeikan, Andrew" wrote:
>
> > Put a valid 1mdc payment cheque in the subject line and I guarantee to
> > read your email!
>
> That's about the bottom line for prevention of
> spam.  Add a payment to each email.  That doesn't
> really prevent spam, it just makes it more
> value-oriented.

Won't work. Here's what happens there.

Let's pretend for a moment that all the mail systems throughout all the
world require this. The spammers will now send out duplicate checks in their
batches; why? simple because most of the messages will reach the inbox
before the check is cashed (a smart spammer will use duplicate checks and
then cash the check once the bulk is in inboxes, just on the chance of
getting their money back), so for $0.01 they can send let's say 1 million,
999,999 of those won't be able to cash the check, but it won't matter, most
users will read before cashing, goal accomplished. As an added bonus look
what this does to the intermediate systems (since my home DSL line isn't
filled to capacity by my daily dose of spam), the intermediate systems now
have to verify checks (compute intensive for a server), this leads to
increased duty loads, and high value targets (any attacker that wanted to
make money would just hack such an intermediate system and steal all the
checks that go through). The overall result though is that the email system
slows to a crawl as the checks have to be verified at every step, increasing
the email in transit, and sucking up disk space like there's no tomorrow;
while simultaneously costing the spammers a few dollars a day, and creating
prime targets for instant wealth. This proposal does the opposite of its
intent, it increases the difference between the spammer and regular user
burden.

The best solution I've seen is still the sign everything model. Digitally
sign the outgoing messages, endpoint servers start checking signatures
against an active database (unfortunately right now this would mean
Verisign), email clients start verifying signatures before display, and you
start discarding automatically all unsigned emails. This ends up costing the
spammers marginally less (a few dollars a day), but done properly would
actually enforce the one time computation (include the end target ID in the
signature). But as was pointed out, this won't work unless everyone does it
at the same time, or functionally just AOL and MSN start doing it at the
same time, everyone else will follow suit soon enough. Then the spammers can
be identified, traced and properly pursued for the costs they incur. In my
view the ultimate goal should not be to get rid of unsolicited email, it
should instead be to create an environment where unsolicited email has to
pull its own weight from an infrastructure standpoint, this should put the
junk mail in your inbox at roughly the same level as the junkmail in your
postal box, a livable level.
                    Joe
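The two mechanisms Joe contrasts above, worked through as an added example that is not part of the thread: a payment cheque that is valid on its own can be copied into a million messages because relays and readers accept it before anyone cashes it, whereas a signature that covers the target address forces one fresh computation per recipient and lets a replayed copy be refused. The code uses an HMAC under a sender-held key as a stand-in for a digital signature (an assumption for a stdlib-only demo; the checks have the same shape with a public-key signature), and the key, serial numbers and recipient addresses are constructed.

```python
"""Cheque replay vs. recipient-bound signature (added example, not from the list)."""
import hashlib
import hmac

# Constructed sender key; stands in for the sender's signing key.
SENDER_KEY = b"constructed-sender-key-for-demo"


def _tag(key: bytes, body: str) -> str:
    """Keyed tag over body; stand-in for a signature."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


# --- Payment cheque in the subject line: valid in isolation, bound to nobody ---

def make_cheque(key: bytes, serial: int, cents: int) -> str:
    return f"{serial}:{cents}:{_tag(key, f'{serial}:{cents}')}"


def cheque_valid(key: bytes, cheque: str) -> bool:
    try:
        serial, cents, tag = cheque.split(":")
    except ValueError:
        return False
    return hmac.compare_digest(tag, _tag(key, f"{serial}:{cents}"))


class Bank:
    """Cashes each serial once; a duplicate is refused."""

    def __init__(self) -> None:
        self.cashed: set[str] = set()

    def cash(self, key: bytes, cheque: str) -> bool:
        if not cheque_valid(key, cheque):
            return False
        serial = cheque.split(":")[0]
        if serial in self.cashed:
            return False
        self.cashed.add(serial)
        return True


def deliver_then_cash(key: bytes, cheque: str, recipients: list[str]) -> tuple[int, int]:
    """Relay verifies the cheque and delivers at once; cashing happens later."""
    bank = Bank()
    delivered = sum(1 for _ in recipients if cheque_valid(key, cheque))
    cashed = sum(1 for _ in recipients if bank.cash(key, cheque))
    return delivered, cashed


# --- Signed mail with the end target ID inside the signature ---

def make_stamp(key: bytes, serial: int, recipient: str) -> str:
    """Signature covers the target address: one fresh computation per recipient."""
    return f"{serial}:{recipient}:{_tag(key, f'{serial}:{recipient}')}"


class Inbox:
    def __init__(self, address: str) -> None:
        self.address = address
        self.seen: set[str] = set()

    def accept(self, key: bytes, stamp: str) -> bool:
        try:
            serial, recipient, tag = stamp.split(":")
        except ValueError:
            return False
        if recipient != self.address:
            return False  # made for somebody else: copy replayed across recipients
        if not hmac.compare_digest(tag, _tag(key, f"{serial}:{recipient}")):
            return False
        if serial in self.seen:
            return False  # same stamp sent twice to this inbox
        self.seen.add(serial)
        return True


def deliver_bound(key: bytes, recipients: list[str], stamps: list[str]) -> int:
    """stamps[i] is what the sender attached to the message for recipients[i]."""
    inboxes = [Inbox(r) for r in recipients]
    return sum(1 for ib, st in zip(inboxes, stamps) if ib.accept(key, st))


# Constructed recipient list (addresses contain no ':' so the simple framing holds).
RECIPIENTS = [f"user{i}@example.invalid" for i in range(1000)]


def replayed_cheque_outcome() -> tuple[int, int]:
    """One $0.01 cheque copied into 1000 messages: all delivered, one cashed."""
    cheque = make_cheque(SENDER_KEY, serial=1, cents=1)
    return deliver_then_cash(SENDER_KEY, cheque, RECIPIENTS)


def replayed_stamp_outcome() -> int:
    """One recipient-bound stamp copied into 1000 messages: only its target accepts."""
    one_stamp = make_stamp(SENDER_KEY, 1, RECIPIENTS[0])
    return deliver_bound(SENDER_KEY, RECIPIENTS, [one_stamp] * len(RECIPIENTS))


def honest_stamp_outcome() -> tuple[int, int]:
    """Per-recipient stamps: all accepted, at the cost of one signing per message."""
    stamps = [make_stamp(SENDER_KEY, i, r) for i, r in enumerate(RECIPIENTS)]
    return deliver_bound(SENDER_KEY, RECIPIENTS, stamps), len(stamps)


if __name__ == "__main__":
    print("cheque: delivered, cashed =", replayed_cheque_outcome())
    print("bound stamp replayed, accepted =", replayed_stamp_outcome())
    print("bound stamps honest: accepted, signings =", honest_stamp_outcome())
```

The cheque path returns 1000 deliveries against a single cashed serial, which is the race Joe describes: the bank's duplicate check is correct but runs after the inbox has already shown the message. Binding the recipient into the signed data moves the check to where it matters (the inbox verifies the signature was made for it, and keeps a per-serial seen set against a second copy), so a sender pays one signing computation per recipient rather than one per batch.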


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
