Like Fighting Cockroaches
By Dave Crocker
June 16, 2003
Letter to the editor, in Technology Review

The Technology Review article on spam shows the wide range of approaches that are trying to deal with the problem, and the implication that effective control is going to need the combined effect of more than one. The piece suggests that people promoting a particular approach tend to think that it, alone, is necessary and sufficient. This makes discussion about incremental (i.e., partial or combined) effect very difficult. So the article does a good job communicating just how messy the topic is.

My own combination of social science training, commercial network operations, and participation in the evolution of e-mail technology tempers my emotions and expectations about spam. It is a serious problem and needs serious attention, but that attention needs to be realistic rather than simplistic. I suggest that we view spam the way we view cockroaches. We are not going to eliminate roaches, but we can control them down to an acceptable level. However, it takes a range of techniques—what the article nicely calls an "arsenal." Worse, just like these nasty critters, spammers adapt over time, and as with roach control, spam control techniques must adapt over time.

As we consider the ways to stock the arsenal, there are some key points we need to keep topmost in our minds: The article notes that spam has no core, technical differences from legitimate mail. John Mozena correctly observes, "It's not as if the Internet is broken. You can't address social problems solely with technical means." Alas, we do not even have broad agreement about an operational definition of spam. Folks range from saying it is "whatever I don't want" to "unsolicited bulk e-mail" (UBE). If we build controls based on the first definition, we will never have any spontaneous contacts through e-mail. So I prefer the latter term. Most folks agree that UBE is a core problem, even if some insist that the total problem is larger. If we do something useful about UBE, we will have a meaningful impact on spam.

Let's consider some of the items to place in the arsenal. I think that the article's discussion of legal actions misleads the reader. It is popular to cite the dominance of U.S.-based spam and that its financial basis makes it possible to "follow the money." It also suggests that we might be able to throw out the existing e-mail service and replace it with something newer and better. This creates a strong sense of being able to hold spammers accountable and it forgets the observation that spammers adapt.

At the Federal Trade Commission's April Spam Forum that the article mentions, some presenters discussed their attempts to enforce existing laws and had painful stories about the difficulty in tracking down spammers. Better laws will not change this. Note that there is no "international" law and we are never going to get all countries in the world to pass, and vigorously enforce, strong anti-spam laws. Spammers will mount their global attacks from whatever haven is available. Better laws will provide a clear, common, operational definition of spam, and better laws will provide meaningful guidelines for acceptable behavior. This will be useful for controlling "responsible" spammers—those nice people who run legitimate, accountable businesses but are just too aggressive with their e-mail marketing campaigns. The laws will have no effect, however, on other, "rogue" spammers.

I disagree with my correspondent in this dialogue, Barry Shein, on one big point. His claim that spam is inherently fraud—what Jon Praed is quoted in the article as calling a violation of Common Law prohibition of unauthorized use of someone else's property—is just plain wrong. It is entirely acceptable for me, personally, to send one message to any random person and it always has been. Law likes precedent, and Internet mail has always operated with implied permission for such unsolicited contact. So, yes, I want to fight spam vigorously, but let's not distort the legal issues.

With respect to simply replacing existing e-mail with "something better," the question is what needs to be in that something better and why can't it be supported as an increment to current e-mail? E-mail has gone through 25 years of constant change, always building incrementally. For example, there is already a mechanism for restricting access to SMTP relaying. And there are already two techniques for signing messages digitally. So, perhaps we will have to replace SMTP-based e-mail, but we need the technical and operational reasons to be clear and compelling. So far, those reasons are missing in action.

Like everyone else who is engaged in discussing this topic, I could ramble on for quite a few more screenfuls. I'll stop here, to let folks start shooting back.