The War on Spam
The flow of spam (“Unsolicited Commercial Email” or “UCE”) into Internet citizens’ email accounts is seemingly endless and boundless. Email users and corporations are forced to use server-side and client-side filters, challenge systems, and other means to protect their server assets from the deluge. There have also been various attempts at legislation, which attack the problem from different angles.
But this is a war. And one of the most effective ways to win a war is through logistics. Cut off the enemy’s ability to wage war. In the case of spammers (and phishers, for that matter) the means to this end are actually available.
Probably the largest reason that UCE is so prevalent is that it is virtually free. It costs the sender next to nothing to send out tens of thousands of emails. Worst case they need to hire a few people to hijack some identities and/or pirate some unsuspecting sendmail servers. But compared to the actual work of real marketing organizations, the costs are negligible. If each unwanted piece of spam mail cost the sender some amount of money, then this would change the dynamic.
The origin of the spam also provides the key to attacking it. In order for spam to be a useful marketing tool, it must send the reader to a web site. This site will be hosted on a commercial ISP, and if the site wishes to take volume orders it will need some kind of commercial banking. The key word here is “commercial” - go after the corporation ultimately responsible for sending the spam instead of the minions who do the sending.
The Proposal
The US already has a “do not call” list for telemarketing. What is needed is something similar for email, but with more teeth, and tied into the Internal Revenue Service. The system would begin with a “do not email” list which people could sign up for. This would give the signee a code with which to register complaints. Note that ISPs would also be able to sign up for such a list to report traffic which crossed their servers.
Complaints about spam would be handled through an automated system which would accept forwarded email messages, along with the signee’s code. The originating complaint email address and headers would have to match the signee’s email or the complaint would be rejected.
What the IRS would do is gather these complaints, and when a certain message hit some threshold of frequency they would drill down to the body of the message and isolate the corporation which sent it, as well as their ISP. US corporations would be fined 1 penny per email complained about. Offshore corporations, immune to such taxes, would be attacked through their ISPs. The carrying ISP would be advised to discontinue hosting the offending corporation or all traffic from their service would be blacklisted from the US backbone. Or the IRS could deal with the bank where the offshore corporation holds its accounts.
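A sketch of the complaint intake described above, added here as an illustration and not part of the original post. The X-Signee-Code header, the registry contents, the body normalisation and the threshold of 2 are all assumptions; only the sender-match rule and the one-penny fine come from the text.

```python
import email
import hashlib
import re
from collections import defaultdict
from email.utils import parseaddr

# Constructed registry (hypothetical values): signee code -> registered address.
REGISTRY = {"A1B2": "alice@example.org", "C3D4": "bob@example.net"}
THRESHOLD = 2    # assumed; the post gives no number
FINE_CENTS = 1   # one penny per complaint, as the post proposes

def fingerprint(body):
    """Hash the body with case, digits and whitespace normalised,
    so trivially varied copies of one mailing collide."""
    text = re.sub(r"\d+", "#", body.lower())
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()

def accept_complaint(raw, complaints):
    """Record the complaint if its code and From address match the registry.
    The From header alone is forgeable, so this check is only as strong
    as the sender authentication in front of it."""
    msg = email.message_from_string(raw)
    code = (msg.get("X-Signee-Code") or "").strip()   # hypothetical header
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not code or REGISTRY.get(code) != sender:
        return False
    # A set per fingerprint: one signee cannot inflate the count by resending.
    complaints[fingerprint(msg.get_payload())].add(code)
    return True

def fines(complaints):
    """Fingerprint -> fine in cents, for messages at or above THRESHOLD."""
    return {fp: len(who) * FINE_CENTS
            for fp, who in complaints.items() if len(who) >= THRESHOLD}

def make(code, sender, body):
    return f"From: {sender}\nX-Signee-Code: {code}\nSubject: Fwd\n\n{body}\n"

SPAM = "Buy pills now! Order 1234 at shop.example"
SAMPLE = [  # constructed complaints
    make("A1B2", "Alice <alice@example.org>", SPAM),
    make("C3D4", "bob@example.net", "buy  pills NOW! order 9876 at shop.example"),
    make("A1B2", "alice@example.org", SPAM),             # duplicate signee
    make("A1B2", "mallory@example.com", SPAM),           # sender mismatch
    make("ZZZZ", "bob@example.net", SPAM),               # unknown code
    make("C3D4", "bob@example.net", "Cheap watches here"),
]

def run_sample():
    complaints = defaultdict(set)
    accepted = [accept_complaint(m, complaints) for m in SAMPLE]
    return accepted, fines(complaints)
```

Counting distinct signees per fingerprint, rather than raw complaints, keeps a single registered address from pushing a message over the threshold by itself.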
Sure, this would foster the growth of “underground” banks and ISPs who make their dollar from hosting spam farms and the corporations who rely on them. And they would charge a hefty fee for the service. Which is fine. It makes doing business via spam mail more expensive, more difficult. It attacks the line of supply. Eventually the cost of doing business through such means will get to the point where if it is a legitimate corporation they will decide they may as well play by the rules.
Growing Pains
The hardest part of implementing this plan is the beginning. It requires a critical mass of people to sign up for the “do not spam” list, and to send in complaints. It also requires ISPs to get on board. And there will need to be a grace period when legitimate companies are given a chance to re-authenticate their mailing lists to avoid unwarranted fines.
There will also be difficulties in that the spammers will spend time searching for new techniques with which to defeat the system. So be it. The IRS will have plenty of incentive to make sure that the system is enforced. If only a million email users participate, and complain about only 20 spam emails a day, that’s a potential revenue stream of $200,000 per day that the IRS could gather. And if they get the major ISPs to register as well, then multiply that by the hops the UCE takes on its way to the recipient.
Some legitimate companies will no doubt get caught in the nets by mistake, either because of out-of-date mailing lists or hackers doing things which spoof the system into levying erroneous fines. But since more email is spam than is not, the odds are that more “bad guys” will get caught than good.
Conclusion
Whether this plan would work or not is not really the point. The real point is that the war is currently not being fought on the right battlefield. Filter- and challenge-based systems are defenses to protect the end user. Blacklists are defenses to protect end users and ISPs. What is needed is a way to attack the companies responsible for the spam. The ones who want us to buy their products. And the best way to attack them is financially. Make it cost to do business this way and it will end.