Actually, it's not just "sender pays", it's "a whitelist for my friends, all others pay cash", but "sender pays" will do for a start.

:-)

Cheers,
RAH
-------

<http://www.nytimes.com/2005/02/13/business/yourmoney/13digi.html?th=&pagewanted=print&position=>

The New York Times

February 13, 2005

DIGITAL DOMAIN
How to Stop Junk E-Mail: Charge for the Stamp
By RANDALL STROSS

COMPARE our e-mail system today with the British General Post Office in 1839, and ours wins. Compare it with the British postal system in 1840, however, and ours loses.

In that year, the British introduced the Penny Black, the first postage stamp. It simplified postage - yes, to a penny - and shifted the cost from the recipient to the sender, who had to prepay. We look back with wonder that it could have ever been otherwise. Recipient pays? Why should the person who had not initiated the transaction be forced to pay for a message with unseen contents? What a perverse system.

Today, however, we meekly assume that the recipient of e-mail must bear the costs. It is nominally free, of course, but it arrives in polluted form. Cleaning out the stuff once it reaches our in-box, or our Internet service provider's, is irritating beyond words, costly even without per-message postage. This muck - Hotmail alone catches about 3.2 billion unsolicited messages a day - is a bane of modern life.

Even the best filters address the problem too late, after this sludge has been discharged without cost to the polluter. In my case, desperation has driven me to send all my messages sequentially through three separate filter systems. Then I must remember to check the three junk folders to see what failed to get through that should have. Recipient pays.

Do not despair. We can now glimpse what had once seemed unattainable: stopping the flow at its very source.

The most promising news is that companies like Yahoo, EarthLink, America Online, Comcast and Verizon have overcome the fear that they would prompt antitrust sanctions if they joined forces to reclaim the control they have lost to spammers. They belong to an organization called the Messaging Anti-Abuse Working Group, formed only last year. It shares antispam techniques and lobbies other e-mail providers to adopt policies that protect the commons. Civic responsibility entails not merely screening incoming mail to protect one's own customers but also screening outgoing mail that could become someone else's problem.

Carl Hutzler, AOL's director of antispam operations, has been an especially energetic campaigner, urging all network operators to "cut off the spammer's oxygen supply," as he told an industry gathering last fall. And those operators who do not "get smart soon and control the sources of spam on their networks," he said, will find that they "will not have connectivity" to his provider and others who are filtering outgoing e-mail.

He did not spell out the implications for customers, but he doesn't need to: we can select a service provider from the group with a spam-free zone, or one that has failed to do the necessary self-policing required for joining the gated community and is banished to the wilds of anything-goes.

One measure backed by advocates like Mr. Hutzler is already having a positive impact: "Port 25 blocking," which prevents an individual PC from running its own mail server and blasting out e-mail on its own. With the block in place, all outgoing e-mail must go through the service provider's mail server, where high-volume batches of identical mail can be detected easily and cut off.

Internet service providers are also starting to stamp outgoing messages with a digital signature of the customer's domain name, using strong cryptography so the signature cannot be altered or counterfeited.
This is accomplished with software called DomainKeys, originally developed by Yahoo. It is now offered in open-source form and was recently adopted by EarthLink and some other major services. A digital signature is what we will want to see on all incoming e-mail.

If your Internet service provider is not on the working group's roster, you can insist that it take the oath of good citizenship.

This month, MCI found itself criticized because a Web site that sells Send-Safe software gets Internet services from a company that's an MCI division customer. Send-Safe is spamware that offers bulk e-mail capability, claiming "real anonymity"; it hijacks other machines that have been infected with a complementary virus. Anyone can try it out for $50 and spray 400,000 messages.

MCI, for its part, argues that it has an exemplary record in shutting down spammers, but that the sale of bulk e-mail software is not, ipso facto, illegal.

Unfortunately, there has been no good news on the legal front. When the first batch of antispam bills was introduced in Congress in 1999, one could have reasonably expected that legislators were ready to stamp out unsolicited e-mail, just as they had banned unsolicited faxes with the Telephone Consumer Protection Act of 1991. While spam-filled e-mail boxes do not entail monetary costs in the form of fax paper and toner, they cost us dearly in time. Surely Congress would not be so literal-minded when comparing e-mail with faxes as to miss the parallel and equally offensive notion of "recipient pays"?

The years passed, the antispam bills multiplied, hearings were held and more bills were introduced, with each session's bills weaker than the previous ones. In the end, in 2003, we got the Controlling the Assault of Non-Solicited Pornography and Marketing Act, or Can-Spam. Its backers took a brave stand against deceptive subject lines and false headers and then went home.
The law did not prohibit unsolicited commercial e-mail and has turned out to be worse than useless. "Before Can-Spam, the legal status of spam was ambiguous," said Professor David E. Sorkin, an associate professor at the Center for Information Technology and Privacy Law at the John Marshall Law School in Chicago. "Now, it's clear: it's regarded as legal." Only fraudulent representations in unsolicited bulk e-mail are verboten, but "unsolicited" has now been blessed, and so, too, has "bulk." Katie, bar the door!

Instead of giving marketers access to our e-mail boxes only if we expressly indicate that their attention would be welcome, which is an "opt in" system, Can-Spam gives the direct marketers the gift of an "opt out" system, where the onus is on us to notify each sender, one by one, that we do not wish to be on its list. Recipient pays, again and again.

If one goes back and reads the transcripts of the hearings held in the summer of 2003, before the bill's passage, one is treated to an edifying "how a bill becomes law" lesson. An especially enlightening moment was when Representative Richard Burr, a North Carolina Republican since elected to the Senate, spoke passionately about unsolicited commercial e-mail: "I think there is one thing that we can all agree on. One, we would all like to get the discount airfare offers, we would like to get the discount hotel offers. We never know when they are going to be advantageous to us."

Looking to the future, let's not count on Congress to do any better in spurning the blandishments of the Direct Marketing Association. And let's not count on authentication technologies like DomainKeys as a panacea. Even when most mail is properly authenticated, we will still have to figure out whether to trust names that are unfamiliar to us.

What we need is a way to make all bulk e-mailers pay for the privilege of using our e-mail boxes.
That would make legitimate businesses focus on the best prospects, just as bulk mailers of ordinary junk must do. And it would force spammers to shell out for an expense unfamiliar to them: buying "stamps." That would bring a swift, permanent end to their activities.

What we need, in other words, is what was proposed in 1992 at the International Cryptology Conference. In a paper titled "Pricing Via Processing, or Combating Junk Mail," two computer scientists, Cynthia Dwork and Moni Naor, came up with a way to force a sender to pay every time a message was sent - payment not in money, but in time, by applying the computer's resources to a computational puzzle, devised on the fly for that particular message.

Ms. Dwork now works at Microsoft Research in Silicon Valley and has continued to work on the project. It has yet to be adopted in a commercial e-mail service, but it shows promise in its current form. The puzzle uses an intricate design involving the way a computer gains access to memory and resists a quick solution by speedy processors, requiring about 10 seconds. It is not so long that you'd notice it for the occasional outgoing message, but if you have eight million Viagra messages queued up, good luck in getting each one "stamped."

Use of the system would always be voluntary, and wholly unnecessary when sending to friends and family. On the receiving end, your e-mail program could be set to filter incoming messages arriving from unfamiliar senders on the basis of proof of completion of the assigned problem. No stamp, no entry.

Ms. Dwork and her colleagues have named this the Penny Black Project.

Sender pays.

Randall Stross is a historian and author based in Silicon Valley. E-mail: ddomain@nytimes.com.

Copyrigh

-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
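
Added example (not part of the forwarded article, and not the Penny Black Project's code): a sketch of the "no stamp, no entry" filter together with the whitelist exception from the top of this message. It substitutes a CPU-bound SHA-256 partial-preimage puzzle for the memory-bound puzzle the article describes; the function names, the example.* addresses and the 16-bit difficulty are assumptions chosen for illustration.

```python
import hashlib
from itertools import count

DIFFICULTY_BITS = 16  # assumption: kept small so the demo mints in well under a second


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _puzzle(sender: str, recipient: str, body: bytes) -> bytes:
    """Derive the puzzle from this particular message, so a stamp cannot be
    moved to another recipient or another body."""
    h = hashlib.sha256()
    for part in (sender.encode(), recipient.encode(), body):
        h.update(len(part).to_bytes(4, "big") + part)  # length prefix keeps fields unambiguous
    return h.digest()


def mint_stamp(sender, recipient, body, bits=DIFFICULTY_BITS) -> int:
    """Sender side: search for a nonce; expected cost is 2**bits hashes."""
    puzzle = _puzzle(sender, recipient, body)
    for nonce in count():
        digest = hashlib.sha256(puzzle + nonce.to_bytes(8, "big")).digest()
        if _leading_zero_bits(digest) >= bits:
            return nonce


def verify_stamp(sender, recipient, body, nonce, bits=DIFFICULTY_BITS) -> bool:
    """Receiver side: a single hash, however long minting took."""
    if not isinstance(nonce, int) or not 0 <= nonce < 2**64:
        return False  # malformed stamp: reject instead of raising
    puzzle = _puzzle(sender, recipient, body)
    digest = hashlib.sha256(puzzle + nonce.to_bytes(8, "big")).digest()
    return _leading_zero_bits(digest) >= bits


def accept(sender, recipient, body, nonce, whitelist) -> bool:
    """Whitelisted senders pass without a stamp; everyone else must pay.
    Assumes the sender address was already authenticated (for instance by a
    domain signature), otherwise the whitelist is trivially spoofed."""
    if sender in whitelist:
        return True
    return nonce is not None and verify_stamp(sender, recipient, body, nonce)
```

A receiver would also record stamps it has already accepted, since this sketch does not stop the same stamped message from being replayed to the same recipient.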