News and views from a software developer's perspective
Senate Passes Anti-Spam Law
The U.S. Senate passed an anti-spam law by a vote of 97-0. That such a law was passed is no surprise. It's about time.
The law provides for a do-not-spam list, which is to be similar to the do-not-call list for telemarketers. I wonder how long that will last. The list is likely to be huge. There are certainly many more email addresses than there are phone numbers. And email is less restricted by national borders than telephone calls. So, with a do-not-spam list that contains 200 million entries, which are probably secure hashes of the actual email addresses, and with spam originating from any and every country in the world, how can such a do-not-spam list possibly work? How will they update the list? If they make it too easy, spammers may attack it in the spirit of a denial-of-service attack. One possibility would be just to add many fake email addresses to the list with a view to making the list too large to be practical. Another issue will arise as to how a user confirms that he wants his email address on the list.
Certainly, some of the worst spamming practices, such as promoting scams or sending sexually explicit content, need to be made explicitly illegal, if for no other reason than to make it easier to prosecute cases against such practices.
The bill is weak in many areas -- opt-out is permitted, rather than opt-in, for example. I don't have a problem with a weak anti-spam law, because I favor technical means to fight spam. However, I really believe that we are headed to a new era in spam where unsolicited messages are sent from otherwise respectable companies. Expect messages announcing the big weekend sale at J.C. Penney or Sears, for example. These messages will be allowed under an opt-in policy. Expect to have to opt out daily.
In short, this bill is all about clearly defining the boundary between legitimate commercial email and illegitimate commercial email. Once that boundary is clearly defined, expect more "legitimate" commercial email. At least the legitimate commercial email should be easier to filter.
Simple Sender Authentication 2
Following up on my earlier post on Simple Sender Authentication, I propose an even simpler way to create an effective white list. The sender need only include a "password" somewhere in his message. I think the best place for it would be in the "signature" at the bottom of the message. If we had smart client software, it could associate the signature with the email address. When a message is received, smart client software could examine the signature and the sender's email address and could decide if the message looks legitimate or suspicious.
Again, this is not security. Obviously, anyone who knows the sender probably has the sender's signature, and so he would be able to forge a message. But how often does this happen? And if or when it does happen, there are social consequences. Would you forge a message from a friend or acquaintance of yours?
It's interesting to consider the possibility of intelligent email clients. Sure, Bayesian-like spam filters try to be intelligent. But in the end, most spam filters make a yes-or-no decision. "Yes" it's spam, or "no" it's not spam. Here are a couple of other ideas about intelligent email clients:
Intelligent sender identification. A client can remember certain facts about a sender, including the email address, the mail client used, the SMTP server that the message is normally submitted to, the signature at the end of the message. By recognizing these features, a smart mail client could sort mail intelligently.
Intelligent mail sorting. A client doesn't have to make a yes-or-no decision about spam. Better would be for the client to sort the new messages in order of relevance. Messages from your wife or kids come first, then your boss, then any messages that mention your current work project, and so on. Last of all come the spam messages.
This method of sorting is more than just spam control. It's the kind of organization we all dream about, taking back control over our lives. It would help us to focus our attention on what is really important, and to cut through so much noise.
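The signature "password" check and the remembered sender traits described above can be combined in one small client-side routine. This is an added example, not code from the post: the names (features, SenderMemory, make), the use of the "-- " line as signature delimiter, the X-Mailer header as the mail client trait, the recognized/unknown/suspicious ordering, and the constructed sample messages are all assumptions.

```python
import email
import re
from email.utils import parseaddr

def features(raw):
    """Extract the traits the post lists: address, signature, mail client, SMTP server."""
    msg = email.message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    # Assumption: the signature follows the conventional "-- " delimiter line.
    _, sep, sig = body.rpartition("\n-- \n")
    hops = msg.get_all("Received") or []
    # Headers are prepended in transit, so the last Received is the submission hop.
    by = re.search(r"\bby\s+(\S+)", hops[-1]) if hops else None
    return addr, {"signature": " ".join(sig.split()) if sep else "",
                  "mailer": msg.get("X-Mailer", ""), "smtp": by.group(1) if by else ""}

class SenderMemory:
    def __init__(self):
        self.known = {}  # address -> traits from mail the user accepted

    def learn(self, raw):
        addr, traits = features(raw)
        self.known[addr] = traits

    def classify(self, raw):
        addr, traits = features(raw)
        profile = self.known.get(addr)
        if profile is None:
            return "unknown", 0
        # The signature is the "password": a known address without it is suspect.
        if not traits["signature"] or traits["signature"] != profile["signature"]:
            return "suspicious", 0
        return "recognized", 1 + sum(traits[k] == profile[k] for k in ("mailer", "smtp"))

    def sort_inbox(self, raws):
        # Assumed ordering: recognized senders, then strangers, then mismatches.
        rank = {"recognized": 0, "unknown": 1, "suspicious": 2}
        def key(raw):
            label, score = self.classify(raw)
            return rank[label], -score
        return sorted(raws, key=key)

def make(frm, mailer, smtp, body):  # builds a constructed sample message
    return (f"Received: from client.example by {smtp} with ESMTP\n"
            f"From: {frm}\nX-Mailer: {mailer}\nSubject: hi\n\n{body}")
GENUINE = make("Alice <alice@example.org>", "MailApp 1.0", "smtp.example.org",
               "Lunch?\n-- \nAlice\nswordfish\n")
FORGED = make("alice@example.org", "BulkSend", "relay.example.net", "Buy now!\n")
```

Every trait compared here is set by the sender or a relay and can be copied by anyone who has seen a genuine message, which is why the post calls this recognition rather than security.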
