On March 27, 2014 at 12:14 owen@delong.com (Owen DeLong) wrote:
On Mar 27, 2014, at 11:15 AM, Barry Shein <bzs@world.std.com> wrote:
On March 26, 2014 at 22:25 owen@delong.com (Owen DeLong) wrote:
Actually, a variant on that that might be acceptable... Make e-postage a deposit-based thing. If the recipient has previously white-listed you or marks your particular message as "desired", then you get your postage back. If not, then your postage is put into the recipient's e-postage account to offset the cost of their emails.
Thoughts?
It's a fine idea but too complicated.
Look, the (paper) post office doesn't say "oh, you WANTED that mail, ok, then we'll return the cost of postage to the sender!"
Why? Because if they did that people would game the system, THEY'D SPAM!
How would they benefit from that?
From what, being able to send free paper mail? I think that would be considered a benefit by most junk mail advertisers. But see next...
SPAM - Pay, say $0.10/message. Then claim you wanted the SPAM, get your $0.10/message back for each SPAM you sent to yourself. Or, claim you didn't want the SPAM and get $0.05/message for each message you received while the original provider keeps the other $0.05.
And it would take way too much bookkeeping and fraud identification etc.
Please explain in detail where the fraud potential comes in.
By my interpretation, you'd have to somehow get more back than you deposited (not really possible) in order to profit from sending SPAM this way.
Well, it's advertising, so they do. Advertising is a valuable commodity. Free advertising is particularly valuable, ROI with I close to zero. Look, we can get lost in metaphors, but the point is that by the time the post office gets your mail to your doorstep virtually all the cost is sunk. So offering to not charge you because you wanted that mail makes no sense, right?
Let's take a deep breath and re-examine the assumptions:
Full scale spammers send on the order of one billion msgs per day.
Which means if I gave your account 1M free msgs/day and could reasonably assure that you can't set up 1,000 such accts then you could not operate as a spammer.
Not sure how you enforce these user account requirements or how you avoid duplicative accounts.
If you want to attach e-postage you have to go get some and that can be a contract which says you don't do that, if you have multiple accounts you split it among your accounts or buy more. And if you do what you describe you understand that it is criminal fraud. Click Agree [ ] before proceeding, or similar.
Who can't operate with 1M msgs/day?
Well, maybe Amazon or similar.
But as I said earlier MAYBE THEY SHOULD PAY ALSO!
I, for one, don't want my Amazon prices increased by a pseudo-tax on the fact that they do a large volume of email communications with their customers. They have enough problems trying to get IPv6 deployed without adding this to their list of problems.
That assumes that spam is free for them, and you. Including "free" as in "stealing your time". Also, companies like Amazon probably wouldn't mind being able to out-capitalize spammers and others in competing for your eyeballs. They could probably put a price on that. They're well aware that when they send you an email that says that some new book related to one you bought is available that the ad is surrounded by dozens if not hundreds of spam messages and likely you'll delete them all without reading. So that's already a cost to them in terms of wasted advertising effort and lost sales. I'd say we need to ask Amazon et al whether they'd see it as an economic plus if by paying a small amount of e-postage they could wipe out or seriously reduce all the chaff? Would that be a net positive or net negative to their bottom line? Although I can certainly understand skepticism about whether this approach would deliver effectively I don't think the business case, the dollar value of reducing spam significantly, is disputable. You'd always rather be the only billboard on the highway rather than just one in a hundred. Even if it costs you more (obviously up to a point.)
We really need to get over the moral component of spam content (and senders' intentions) and see it for what it is: A free ride anyone would take if available.
I disagree. I see it as a form of theft of service that only immoral thieves would take if available.
How can it be a theft of service if we're not charging anything? Well, if they use others' resources it's a theft of those resources, such as botnets, is that what you mean? But by morality I mean that we tend to define spam in terms of generally agreed to be undesirable email content such as questionable herbal cures or other apparent fraud or near-fraud -- I dunno, maybe someone hiring a spammer really believes their herbal hair re-growth tonic works. I assert that the line is getting fuzzier all the time. Even if the product is completely legitimate and maybe there's some business relationship someone can draw it doesn't mean I like being pummeled with hundreds of ads per day (some of that is projection, remember.) But, just as importantly, the people who want to send me an ad would like to see me pummeled with less junk so maybe I pay attention to their ad or communication. Heck, I already almost never read email from what appears to be my bank because it's just too much time and effort to verify that it's legitimate. It'd be just as much effort under this, perhaps, but at least maybe I won't feel like I'm desperately trying to sort through 300 msgs that came in while I was asleep.
Ok, a million free per acct might be too high but whatever, we can all go into committee and do studies and determine what the right number should be.
I'd tend towards some sort of sliding scale myself, 100K/day free, 1M/day for $1, 10M/day for $100, 100M/day for $10K, etc. Something like that.
Why would it work?
Because that's how human society works.
People who are willing to pay their $10K/mo will demand something be done about freeloaders, enforcement has to be part of the cost overhead.
But who charges these fees and how do they enforce those charges against miscreants that are sending from stolen hosts, bots, fraudulent IP addresses, etc.?
I think it would have some parallels to selling SSL certificates, as a business model. Sending from stolen hosts etc doesn't help them unless they have also broken into your e-postage stash. Which might happen of course but at that point we've reduced it to something like using your user SSL cert. For example if you had to enter a passphrase (other methods are possible) to enable mail sending with e-postage from your email client, to decrypt your e-postage cert, then they'd have to get into that also, not just use your cycles. That's possible but it's another hill for them to climb. Since you probably would value your e-postage at the very least there should be a little widget on your screen (or similar) with something like you have used 323 out of an allocation of 300,000 this month and if that suddenly says 32,323 out of 300,000 and you can't imagine why maybe you'll do something, call someone, some recommended response could be laid out like if that's way out of line then click here. That's not that different from how modern Windows systems pop-up a dialogue which says "XYZ wants to use administrator privilege to install software". That is, encourage the user to be aware of how much email they are sending and give them some reasonable course of action if something doesn't look right. Think of bandwidth caps on mobile phones. If you hit your cap and you don't have a clue why you become interested. If it's due to a virus or similar, even a misbehaving app you downloaded (it happens), you are interested because you're now being charged for bandwidth or whatever happens when you exceed your cap. One reason few are currently interested in their system being botted is because they don't hit a cap, nothing really happens. And there's certainly little support infrastructure to help them fix the problem. If there was some money on the table, like with mobile phone caps, then perhaps there would be some infrastructure for that. 
Right now there's just excuses from ISPs et al that if someone gets botted oh well, block them or something, or in many cases do nothing because you don't want to annoy a paying customer and it just would increase your support costs when they call demanding to speak to someone. If there were a profitable e-postage infrastructure whose livelihood depended on all this working then maybe that wouldn't be the case.
And it'd create an economy for hunting down miscreants.
So you've got a set of thieves who are stealing services to send vast volumes of email and you want to solve that problem by charging them more for those services that they are stealing (and, by the way, also charging some legitimate users as well).
My guess is that the spammers are going to keep stealing and the people now being taxed for something that used to be free are going to object.
I think you're skipping the point about how they'd have to successfully attach e-postage to every piece of email they sent from your system. So it's not the resources, it's the authorization which we're trying to control. Right now every piece of email they send from your botted system is the same as any email you'd send. If there were some sort of e-postage system with some basic security and tracking that becomes much more difficult for the spammer. Or they can use your system to send out a million msgs with no e-postage which, one hopes, will be rejected by receiving systems without delivery, much like fraudulent DKIM or SPF credentials. Which, one hopes, won't be profitable for them any more.
P.S. And in my vision accepting only email with valid e-postage would be voluntary though I suppose that might be "voluntary" at the provider level. For example someone like gmail at some point (of successful implementation of this scheme) might decide to just block invalid e-postage because hey your gmail acct is free! Let someone else sell you rules you prefer like controlling acceptance of invalid e-postage yourself.
Well, here we get a hint at how you envision this working. There are lots of details that need to be solved in the implementation of such a scheme and I think the devil is prevalent among them.
I agree, but I hope my efforts indicate it's not entirely half-baked or off the cuff. I don't think it's inherently much more difficult than the SSL certificate ecology though it has some differences. And it introduces some actual economy in fighting fraud because fraud becomes more like counterfeiting money or real life postage stamps, someone loses money, someone is getting a free ride, and there's money at that point to investigate and prosecute just like we do with counterfeiting. One problem with the current anti-spam economy is that it doesn't particularly encourage fighting spam. If someone makes a living selling anti-spam software or appliances the sudden and complete disappearance of spam is not really good news, unless it's entirely due to their product. But I mean putting spammers out of business big-time. In my model it is good news, it means the model is working so keep buying that e-postage because it's the only thing keeping the barbarians outside the gates.
Owen
-- 
        -Barry Shein

The World              | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
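
The receiving-side behaviour discussed in the message above (reject mail with missing or invalid e-postage, count stamps against an allocation, and warn the account owner when usage jumps), sketched as an added example that is not part of the original thread or any participant's design. Assumptions: an HMAC under a constructed demo key stands in for whatever signature an e-postage issuer would actually use, issuer and receiver are collapsed into one process, and the names `make_stamp`, `Receiver` and `usage_alert` and the 10x spike threshold are hypothetical.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # assumption: secret held by the e-postage issuer
ALLOCATION = 300_000                  # monthly allocation figure used in the message
SPIKE_FACTOR = 10                     # assumption: alert at 10x the usual monthly count


def make_stamp(account: str, msg_id: str, serial: int) -> str:
    """Issuer side: bind a stamp to one account, one message and one serial."""
    data = f"{account}|{msg_id}|{serial}".encode()
    return hmac.new(ISSUER_KEY, data, hashlib.sha256).hexdigest()


class Receiver:
    """Receiving side: accept only valid, unspent stamps within the allocation."""

    def __init__(self):
        self.spent = set()  # (account, serial) pairs already used
        self.used = {}      # account -> stamps used this month

    def check(self, account, msg_id, serial, stamp):
        if stamp is None:
            return "reject: no e-postage"
        expected = make_stamp(account, msg_id, serial)
        # Constant-time comparison so the check does not leak stamp prefixes.
        if not hmac.compare_digest(expected, stamp):
            return "reject: invalid stamp"
        if (account, serial) in self.spent:
            return "reject: stamp already spent"
        if self.used.get(account, 0) >= ALLOCATION:
            return "reject: allocation exhausted"
        self.spent.add((account, serial))
        self.used[account] = self.used.get(account, 0) + 1
        return "accept"


def usage_alert(used: int, baseline: int) -> bool:
    """Widget logic: flag usage far above the account's usual monthly count."""
    return used > max(baseline, 1) * SPIKE_FACTOR
```

Because the stamp covers the message id and serial, a copied stamp fails on any other message and a replayed one is caught by the spent set; mail sent from a compromised host without access to the stamp material is rejected as unstamped.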