
On July 6, 2025 at 10:18 nanog@lists.nanog.org (John R. Levine via NANOG) wrote:
On Sat, 5 Jul 2025, bzs@theworld.com wrote:
It's a fine paper but it has one problem which is it sets up a strawman: It proposes a particular architecture for e-postage (ok, granted, more than one, but similar) and proceeds to knock it down.
1. Professional spammers send O(1B) msgs per day per each.
In the aggregate, sure, but there are plenty of spammers who send a lot less than that.
No doubt it's a "long tail" but this source estimates about 160B email spam msgs per day (2023): https://www.emailtooltester.com/en/blog/spam-statistics/ The reason we all get the same spam messages to the point that one can satirize one and get laughs from a crowd seems to indicate something closer to the O(1B)/each, that is, not that many sources. "Long tail" reasoning would say that of that 160B/day probably less than 100 spam operations account for 100B or more which gets one pretty close to O(1B)/day. Admittedly totally back of the envelope but I doubt they're spread evenly among sources.
The B2B spam I get from throwaway accounts at large mail providers is probably only 1000 or less at a time since that's all you can send that way. I do not think there is one master criminal with a million throwaway Gmail accounts.
You've moved from spam to ham, no?
3. We only need to increase the costs to the sort of people who send O(1B) messages per day to introduce some sanity into the system.
Beyond the fact that the underlying assumption is wrong, that's extremely unlikely to work unless you envision a world where you have to show ID and get a license to send mail. It is certainly true that a large flow of mail from an unfamiliar place is suspicious, so spammers have lots of ways of making their stuff look like lots of little flows. It even has a name, snowshoe spamming.
I think you just set up another strawman and knocked it down. Do you have to show ID to drop a stamped envelope in a postal box? No, only to operate a postage meter and even in that case they aren't a high security operation. You just can get in a lot of trouble for defrauding them, even for using one w/o paying your bill. So most businesses operate their postal meters honestly because the downside of not doing so isn't worthwhile. But anyone can buy a book of stamps, even a few thousand, and use them w/o any ID.
At this point I get a whole lot of mail from Salesforce and Sendgrid. I would love to block them but unfortunately they also send a lot of mail my users want, so I have to do hacks that try to recognize the customer and let through the less bad ones. It is painfully clear that they have made business decisions not to spend enough money on abuse management to clean this up. The mail gets through, why should they?
Again this is what is generally called "ham" unless you want to apply it to anything you're not personally interested in. I tend towards that definition since they're not paying for it. But not the main event here and I believe I already made that point: That the tide of "ham" is rising because why not, it's just about free in a world where any other form of advertising or marcom costs big bucks.

One of the approaches post-9/11 to undoing the worst terrorist networks was to disrupt their economics. Some of it was almost comical, they were taking in millions per month on grocery coupon fraud by bullying grocery store owners to submit fraudulent coupon reimbursements. Did it wipe out terrorism? No, not really, but it probably hurt and was more creative than adding new cryptography requirements to coupons.

So all I'm saying is we have to start thinking more about disrupting spammers' economics and less about designing sharper razor wire fences.

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*