Shine a Light on Spammers

The way to solve spam is to shine a big, bright light on all legitimate high-volume senders. Make it mandatory to prove you are who you claim to be if you want your email delivered.

Last month, I described why defining consent standards won’t solve the spam problem. I suggested seeking sender accountability is where we must direct our energies in a search for a solution to this plague. Only by shining a light on all high-volume email senders and holding them accountable for what they send can we rid the digital ether of spam. Why? As cockroaches don’t like light (it makes them vulnerable), spammers won’t survive illumination. They will no longer be able to hide.

The difference between the shine-a-light approach I propose and the detection approach of current anti-spam solutions is the difference between attacking the root of the problem and attacking just its symptoms. Today’s spam-catching technologies amount to an endless guessing game. The technology doesn’t actually know what’s spam or what’s legitimate email requested by a recipient. It guesses. Approaches range from statistical filters that learn from the recipient’s behavior to challenge-and-response solutions that allow mail through only if the sender can demonstrate he is human.

An increasingly sophisticated range of technologies is being deployed to detect and block an increasingly sophisticated community of spammers. The biggest problem with the detection approach is that it’s imperfect. The result is false positives. A recent informal study by a small company called Assurance Systems in Colorado found the top 10 ISPs’ spam detection software incorrectly identified 15 percent of legitimate, solicited email as spam, on average.

The reliability of the medium is threatened if we can no longer depend on email we expect or need to do our work to be delivered. Stopping spam by attacking the “symptoms,” that is, guessing which email messages are spam and filtering them, is not a workable solution.

Spam can be eradicated, but only by attacking the root of the problem. Make it impossible for spammers to hide. As you’d expect, spammers spend most of their creative energy trying to conceal their identities. They create trails to avoid detection and escape the filters.

How does shining a light work? Obviously, it would be a tad naive to think asking spammers to identify themselves will solve the problem. That would be like asking Saddam Hussein to make a public appearance. So, let’s flip it around. Let’s instead ask nonspammers to identify themselves. Let’s ask those who have a legitimate reason to send, and who are willing to have their email monitored, to step into the spotlight. When they do, catching spammers becomes nothing more than an exercise in blocking, or carefully scrutinizing, all high-volume senders who emerge from the illuminated parts of the Net.

OK, this may all sound well and good. You may be thinking that, to your knowledge, there are no floodlights on the Internet. What does “shining a light” mean beyond the metaphor?

It means a new approach to sending email, one in which we actually change the Internet’s architecture. Lawrence Lessig, in his excellent and thought-provoking book “Code and Other Laws of Cyberspace,” argues behavior and norms on the Internet are governed by code. By changing code (or architecture) we change behavior.

That’s exactly what we must do to solve the spam problem. E-mail wasn’t designed for trusted connections between sending and receiving mail servers. The code change that’s needed would establish a way for a receiving mail system to know the sending mail system is, in fact, what it says it is. Incoming mail therefore originates from a known, trusted sender who can be held accountable for what’s sent.

Once good mailers are willing and able to make themselves known, the world will look very different. If I am a sender, tell you who I am, and am unable to continually morph my identity, we’ve got a foundation for accountability. If I send email that continually gets complaints or I have “dirty lists” that generate high bounce rates, my message soon won’t be delivered. As long as I send messages recipients want to receive and clean my lists if they change addresses or unsubscribe, I’ll be just fine and my mail will get through.

Individuals need not identify themselves any more than they do now unless they send high volumes of email. The ability to remain anonymous would continue for individual senders (although the volume of email they can send may be restricted). Only high-volume mailers would need to identify and authenticate themselves. The architecture change will, and must, be implemented in a way that preserves and guarantees the ability to remain anonymous when sending personal email.

We can change the code so hiding who you are and continuously morphing identities become difficult to impossible. When that happens, it solves the spam problem.

Next, I’ll discuss the second part of the accountability puzzle: how to objectively measure senders’ performances once they stand up and identify themselves.

Meet Hans-Peter at ClickZ E-Mail Strategies in New York City on May 19 and 20.
