Groups Rally to Can Spam. Calling the medium 'inherently deceptive,' consumer advocates submit new measures to FTC to attack unsolicited commercial e-mail. [internetnews.com: Top News]
I hate spam as much as the next guy. But I am not in favor of a lot of new FTC regulations. Why can't ISPs, the IETF, and large software makers take steps to solve the problem? Just simple steps?
ISPs: Allow users to create unlimited aliases. Sendmail allows "plus addresses". If my assigned email address is dws@example.com, then sendmail would deliver any mail sent to dws+anything@example.com to my mail account. I could use this to create email addresses that are hard to guess, and I could use those email addresses to filter incoming mail. For example, for important business correspondence, I could use an address like this: dws+8tj11@example.com. That's an address that is hard to guess, and I could filter all mail to that address to a special folder.
ISPs: Provide the SMTP envelope information, so that users can reliably filter their mail. The envelope information includes the sender and recipient used during the transfer of the mail, which is not necessarily the same as the From or To fields in the message itself. The SMTP envelope information is absolutely essential for recipients to reliably filter their mail based on the recipient's address.
Software vendors: Provide simple-to-use filters for mail, including a simple white list of known senders.
Software vendors: Provide a simple way to identify legitimate mail. This could be as simple as adding a new header field that contains a single token. The technique could be an alternative to using "plus addresses" in the case that ISPs don't allow the use of "plus addresses". It's really simple. You compose an email to me at dws@example.com. Before you send the email, you enter the token that I gave you (it's probably on my business card, or somewhere on my web page). The token goes into a header field in the email. When I receive the email, my mail client finds the token and puts the email into a folder that contains legitimate mail.
IETF: (Admittedly, I don't follow this as closely as I should. Perhaps the IETF has already done a lot to provide tools for fighting spam.) Promote Best Common Practices, such as the suggestions above for ISPs and software vendors.
Users: Don't make your email address widely available in machine-readable form. On your web page, use a GIF or PNG image that contains your email address. Use an image, too, when you post messages to Usenet newsgroups.
Users: Don't pick an email address that is easy to guess.
All it takes, really, is the initiative of two or three large ISPs, or one large software vendor (Microsoft), to change the whole email landscape with respect to spam. If AOL and MSN started supporting "plus addresses", users would learn about them and use them. Other ISPs would follow suit. Even better yet, if Microsoft added support for tokens to Outlook Express and Outlook, and made them very easy to use, and actively promoted their use, then other mail clients would soon support tokens.
(We would also need a new convention for dealing with tokens. How should they be written? Here's just one suggestion: dws(yy55)@example.com. The token is in parentheses. Possibly, such an address could be stored just like this in an address book. The mail client software would know what to do with it.)
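A sketch of how a mail filter could combine plus addresses, the SMTP envelope recipient, and sender tokens, added here as an example and not code from the original post. It assumes the delivery agent hands the envelope recipient to the filter; the header name `X-Sender-Token`, the folder names, and the sample message are constructed for illustration.

```python
import hmac
import re
from email import message_from_string

# Constructed values: tags and tokens the recipient has handed out, mapped to folders.
PLUS_TAGS = {"8tj11": "Business"}
TOKENS = {"yy55": "Legitimate"}
TOKEN_HEADER = "X-Sender-Token"  # hypothetical header name, not a standard field
MAILBOX = ("dws", "example.com")

ADDR_RE = re.compile(r"^(?P<user>[^+@()]+)(?:\+(?P<tag>[^@()]+))?@(?P<domain>[^@]+)$")
TOKEN_ADDR_RE = re.compile(r"^(?P<user>[^@()+]+)\((?P<token>[^()@]+)\)@(?P<domain>[^@]+)$")

def split_token_address(entry):
    """Split an address-book entry like dws(yy55)@example.com into (address, token)."""
    m = TOKEN_ADDR_RE.match(entry.strip())
    if not m:
        return entry.strip(), None
    return f"{m['user']}@{m['domain']}", m["token"]

def _lookup(table, value):
    """Return the folder for a known tag or token, comparing in constant time."""
    for key, folder in table.items():
        if hmac.compare_digest(key.encode(), value.encode()):
            return folder
    return None

def classify(envelope_rcpt, raw_message):
    """Choose a folder from the envelope recipient and the token header."""
    # The To: header is ignored on purpose: only the envelope recipient is trusted.
    m = ADDR_RE.match(envelope_rcpt.strip().lower())
    if not m or (m["user"], m["domain"]) != MAILBOX:
        return "Reject"  # not delivered to this mailbox at the envelope level
    if m["tag"]:
        return _lookup(PLUS_TAGS, m["tag"]) or "Suspect"  # unknown or guessed tag
    token = message_from_string(raw_message).get(TOKEN_HEADER, "").strip()
    if token:
        return _lookup(TOKENS, token) or "Suspect"
    return "Unverified"

# Constructed sample message carrying a token header.
SAMPLE = ("From: alice@example.org\n"
          "To: dws@example.com\n"
          "X-Sender-Token: yy55\n"
          "Subject: hello\n\nbody\n")

if __name__ == "__main__":
    print(classify("dws@example.com", SAMPLE))
```
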
These suggestions would provide tools to help fight spam. But would tools to help fight spam eliminate spam? My guess is that they would, to a large extent. Spammers send spam because it is cost-effective to them. If the response rate goes down to less than one response per million, or some other ridiculously small number, then spam will no longer be cost-effective.
Posted by Doug Sauder at September 5, 2002 08:26 AM