How to Stop Junk E-Mail: Charge for the Stamp

R.A. Hettinga rah at
Sun Feb 13 12:01:55 PST 2005

Actually, it's not just "sender pays", it's "a whitlist for my friends, all
other others pay cash", but "sender pays" will do for a start. :-)



The New York Times

February 13, 2005

How to Stop Junk E-Mail: Charge for the Stamp

OMPARE our e-mail system today with the British General Post Office in
1839, and ours wins. Compare it with the British postal system in 1840,
however, and ours loses.

 In that year, the British introduced the Penny Black, the first postage
stamp. It simplified postage - yes, to a penny - and shifted the cost from
the recipient to the sender, who had to prepay. We look back with wonder
that it could have ever been otherwise. Recipient pays? Why should the
person who had not initiated the transaction be forced to pay for a message
with unseen contents? What a perverse system.

Today, however, we meekly assume that the recipient of e-mail must bear the
costs. It is nominally free, of course, but it arrives in polluted form.
Cleaning out the stuff once it reaches our in-box, or our Internet service
provider's, is irritating beyond words, costly even without per-message
postage. This muck - Hotmail alone catches about 3.2 billion unsolicited
messages a day - is a bane of modern life.

Even the best filters address the problem too late, after this sludge has
been discharged without cost to the polluter. In my case, desperation has
driven me to send all my messages sequentially through three separate
filter systems. Then I must remember to check the three junk folders to see
what failed to get through that should have. Recipient pays.

Do not despair. We can now glimpse what had once seemed unattainable:
stopping the flow at its very source. The most promising news is that
companies like  Yahoo,  EarthLink, America Online,  Comcast and  Verizon
have overcome the fear that they would prompt antitrust sanctions if they
joined forces to reclaim the control they have lost to spammers.

 They belong to an organization called the Messaging Anti-Abuse Working
Group, formed only last year. It shares antispam techniques and lobbies
other e-mail providers to adopt policies that protect the commons. Civic
responsibility entails not merely screening incoming mail to protect one's
own customers but also screening outgoing mail that could become someone
else's problem.

Carl Hutzler, AOL's director of antispam operations, has been an especially
energetic campaigner, urging all network operators to "cut off the
spammer's oxygen supply," as he told an industry gathering last fall. And
those operators who do not "get smart soon and control the sources of spam
on their networks," he said, will find that they "will not have
connectivity" to his provider and others who are filtering outgoing e-mail.

 He did not spell out the implications for customers, but he doesn't need
to: we can select a service provider from the group with a spam-free zone,
or one that has failed to do the necessary self-policing required for
joining the gated community and is banished to the wilds of anything-goes.

One measure backed by advocates like Mr. Hutzler is already having a
positive impact: "Port 25 blocking," which prevents an individual PC from
running its own mail server and blasting out e-mail on its own. With the
block in place, all outgoing e-mail must go through the service provider's
mail server, where high-volume batches of identical mail can be detected
easily and cut off.

 Internet service providers are also starting to stamp outgoing messages
with a digital signature of the customer's domain name, using strong
cryptography so the signature cannot be altered or counterfeited. This is
accomplished with software called DomainKeys, originally developed by
Yahoo. It is now offered in open-source form and was recently adopted by
EarthLink and some other major services. A digital signature is what we
will want to see on all incoming e-mail.

 If your Internet service provider is not on the working group's roster,
you can insist that it take the oath of good citizenship. This month,  MCI
found itself criticized because a Web site that sells Send-Safe software
gets Internet services from a company that's an MCI division customer.
Send-Safe is spamware that offers bulk e-mail capability, claiming "real
anonymity"; it hijacks other machines that have been infected with a
complementary virus. Anyone can try it out for $50 and spray 400,000
messages. MCI, for its part, argues that it has an exemplary record in
shutting down spammers, but that the sale of bulk e-mail software is not,
ipso facto, illegal.

Unfortunately, there has been no good news on the legal front. When the
first batch of antispam bills was introduced in Congress in 1999, one could
have reasonably expected that legislators were ready to stamp out
unsolicited e-mail, just as they had banned unsolicited faxes with the
Telephone Consumer Protection Act of 1991. While spam-filled e-mail boxes
do not entail monetary costs in the form of fax paper and toner, they cost
us dearly in time. Surely Congress would not be so literal-minded when
comparing e-mail with faxes as to miss the parallel and equally offensive
notion of "recipient pays"?

The years passed, the antispam bills multiplied, hearings were held and
more bills were introduced, with each session's bills weaker than the
previous ones. In the end, in 2003, we got the Controlling the Assault of
Non-Solicited Pornography and Marketing Act, or Can-Spam. Its backers took
a brave stand against deceptive subject lines and false headers and then
went home.

 The law did not prohibit unsolicited commercial e-mail and has turned out
to be worse than useless. "Before Can-Spam, the legal status of spam was
ambiguous," said Professor David E. Sorkin, an associate professor at the
Center for Information Technology and Privacy Law at the John Marshall Law
School in Chicago. "Now, it's clear: it's regarded as legal."

 Only fraudulent representations in unsolicited bulk e-mail are verboten,
but "unsolicited" has now been blessed, and so, too, has "bulk." Katie, bar
the door!

Instead of giving marketers access to our e-mail boxes only if we expressly
indicate that their attention would be welcome, which is an "opt in"
system, Can-Spam gives the direct marketers the gift of an "opt out"
system, where the onus is on us to notify each sender, one by one, that we
do not wish to be on its list. Recipient pays, again and again.

If one goes back and reads the transcripts of the hearings held in the
summer of 2003, before the bill's passage, one is treated to an edifying
"how a bill becomes law" lesson. An especially enlightening moment was when
Representative Richard Burr, a North Carolina Republican since elected to
the Senate, spoke passionately about unsolicited commercial e-mail: "I
think there is one thing that we can all agree on. One, we would all like
to get the discount airfare offers, we would like to get the discount hotel
offers. We never know when they are going to be advantageous to us."

Looking to the future, let's not count on Congress to do any better in
spurning the blandishments of the Direct Marketing Association. And let's
not count on authentication technologies like DomainKeys as a panacea. Even
when most mail is properly authenticated, we will still have to figure out
whether to trust names that are unfamiliar to us.

What we need is a way to make all bulk e-mailers pay for the privilege of
using our e-mail boxes. That would make legitimate businesses focus on the
best prospects, just as bulk mailers of ordinary junk must do. And it would
force spammers to shell out for an expense unfamiliar to them: buying
"stamps." That would bring a swift, permanent end to their activities.

 What we need, in other words, is what was proposed in 1992 at the
International Cryptology Conference. In a paper titled "Pricing Via
Processing, or Combating Junk Mail," two computer scientists, Cynthia Dwork
and Moni Naor, came up with a way to force a sender to pay every time a
message was sent - payment not in money, but in time, by applying the
computer's resources to a computational puzzle, devised on the fly for that
particular message.

Ms. Dwork now works at Microsoft Research in Silicon Valley and has
continued to work on the project. It has yet to be adopted in a commercial
e-mail service, but it shows promise in its current form. The puzzle uses
an intricate design involving the way a computer gains access to memory and
resists a quick solution by speedy processors, requiring about 10 seconds.
It is not so long that you'd notice it for the occasional outgoing message,
but if you have eight million Viagra messages queued up, good luck in
getting each one "stamped."

 Use of the system would always be voluntary, and wholly unnecessary when
sending to friends and family. On the receiving end, your e-mail program
could be set to filter incoming messages arriving from unfamiliar senders
on the basis of proof of completion of the assigned problem. No stamp, no

Ms. Dwork and her colleagues have named this the Penny Black Project.

 Sender pays.

 Randall Stross is a historian and author based in Silicon Valley.
E-mail:ddomain at

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list