With the culmination of the media spam frenzy at the FTC’s Spam Forum a couple weeks ago, you might think you’ve heard everything there is about deceptive, unsolicited junk email.
Let’s take a quick look at the essence of the past few weeks’ events. First, the organizations that are able to solve this problem seem to be getting serious about doing so. Several interesting proposals and announcements have surfaced recently, indicating genuine effort and interest in eradicating this plague once and for all. Keyword: collaboration.
AOL, Microsoft, and Yahoo (popularly dubbed AMY) announced they will collaborate on a spam solution. Though lacking specifics, the announcement garnered a lot of interest. It’s not insignificant, given some 30 percent of U.S. email volume is likely handled by these three players alone.
The Network Advertising Initiative’s (NAI’s) E-mail Service Provider Coalition (ESPC) introduced a blueprint called Project Lumos (I chair the tech group responsible for defining the project). Lumos outlines a way to change how senders email messages so they themselves can be identified and their performance monitored..
ePrivacy Group, a small privacy consultancy and technology development company, introduced a “Trusted Email Open Standard” white paper. It describes best practices, technology, and oversight as the three elements of the proposed standard.
Though the major ISPs have for some time used anti-spam features as a competitive differentiator, it’s significant they are now engaging in a broad dialogue on how to solve spam. Also significant is the ESPC’s almost 40 companies that provide email services and technology for over 200,000 organizations, large and small. ESPC is calling for greater accountability and transparency. The companies want to be held accountable for what they send, because they realize that’s the only way to beat spammers.
Finally, we appear to agree spam can only be solved through the collaboration of senders and receivers. We need to “upgrade” existing email technologies and establish a yet-undefined governing body to accomplish this.
Monitoring Performance and Rating E-Mail
A consistent theme of the above three announcements is a need for persistent and secure sender identity. As I discussed in my last column, unless we know who the email senders are, stopping spammers is very difficult because they just keep morphing their identity, thereby avoiding detection.
Assume we’ll soon be able to securely determine the sender’s identity. This alone won’t stop spam. Sending illegal or deceptive email will be more difficult, but it won’t do much to stop unsolicited or just plain annoying stuff from landing in our inboxes. A spammer could simply buy new identities every time he’s blocked. We could make it really expensive to receive a new certificate of identity, but that prohibits legitimate senders without deep pockets from being certified. We need some other measure that, combined with identity, makes it very difficult to get mail delivered for identity-churners.
The answer? Couple identity with an objective rating of a sender’s performance, measured by an independent entity. Anyone can buy an identity, but she must also earn a rating. Think of it as a credit rating, earned through fiscally good behavior over time. Getting a loan, or even a credit card, without having a credit rating is painful. Once you’ve had one for a while, obtaining a line of credit is a lot easier as your credit risk is known.
This is how email ratings would work. A new mailer won’t have a rating. Receiving mail gateways will therefore very carefully scrutinize his (high-volume) email. Once he’s mailed for a while and used a persistent identity, characteristics of how well his email is received will have been monitored over time: complaint level, number of bounced messages, number of repeat unsubscribe requests, and so on. His rating will be calculated. As a mailer builds up a good rating, that rating (past performance), combined with his identity, determines whether his email is delivered. If his score is not good, his email will end up in the bulk folder.
The past few months’ collaborative spirit has been very encouraging. We mustn’t forget any final solution must be inclusive and workable for a broad spectrum of email senders and receivers. AMY demonstrates commitment and leadership, but still represents only a minority of email users. A large portion are with small ISPs, corporate mail systems, and educational and nonprofit institutions. Such organizations usually have few resources available to implement new email standards or to monitor adherence to those standards.
No doubt, the first step in implementing a solution must focus on identifying senders so they can no longer hide. Though that part of a total solution may help big senders get email delivered to big ISP subscribers, it won’t do much for the majority of users. Big ISPs will invest the resources in building their own internal performance tracking and whitelist solutions using secure identities to keep track of who sends the good email and who sends the bad. It may help smaller players and corporate mail gateways stop some illicit sending practices and make spam-filters a bit more effective, but it won’t solve the problem for them.
In the end, all mail processing must be based on objective quality measures to determine how to handle incoming mail. All mail gateways (not just the big ones) need information to help them determine how well a sender performs in regard to published standards and policies.
Let’s make sure we agree on a solution that cleans up email not for a few, but for all. Performance monitoring and sender rating are the missing links. They will level the playing field and ensure objective mail handling across the entire email infrastructure.
Hans-Peter delivers the keynote address at ClickZ E-Mail Strategies in New York City on May 19 and 20.