
Re: [ietf-smtp] Anti-spam - paid network

2015-12-03 15:45:27
> The one big difference I see is that, the debacle with the
> initial deployment of DMARC and mailing lists notwithstanding,
> the DNS-and-header-field approaches seem fairly easy to deploy
> (and confer benefits) incrementally.  The "pay" approach, at
> least as I understand it at this point, requires deployment and
> acceptance of a new trust structure to be at all useful.

It's not just a trust structure, it's a payment system.  There seems
to be a tendency to assume that problems in areas that we're not
familiar with are easier to solve than ones in areas that we
understand.  In this case, we all know about the misery of spam
filtering, but most of us haven't spent a lot of time looking at
payment systems.

To pick a few straightforward problems: the number of email messages
sent every day is at least in the billions.  The largest online
payment system is Visa's, which has a burst capacity of 47K
transactions/sec, which would be about 4 billion per day.  That's not
a real number since they can't run flat out all day at the peak rate,
but it tells us that to handle mail payments we'd need to create a new
system as large as Visa's, but for an average transaction of 10c,
while Visa's is about $100.  Visa's per transaction fee is at least
25c, so even if all the money went to pay for the network it's not
close to being enough.  The situation is actually much worse since
most mail is spam.  Most spam won't have a valid payment, so unlike
Visa we'll have vast numbers of failed transactions with no revenue to
cover the costs.

The usual next suggestion is Bitcoin!, but anyone who has looked at
bitcoin knows that the current system tops out at about 10 tps due to
block size limits, and it takes 10 minutes or more to clear a transaction,
which will not make mail users happy.

Even if we assume we can wave our hands and somehow invent a
transaction system, the next problem is who pays for bogus
transactions because this is real money.  For example, if a bad guy
plants malware on your PC and sends 1,000 messages, who pays for them?
If the answer is not "you do", who decides, and how do you tell the
difference between a real victim and a spammer who plants malware on
his own computer?  If it is "you do", how do you explain to Grandma
that if she uses e-mail, random crooks are likely to steal money from
her mail account every time she clicks on an unfamiliar link?

Then there's the mailing list problem -- who's going to pay the $10
per message for the 100 people on the list?  If we assume that the
postage is somehow waived, how's that going to work, and how will we
deal with all of the scams it enables?

There's more, see

My point here is that if we want to make progress, we need to stand on
(to borrow a phrase) the shoulders of our predecessors, not on their
toes.  Everything I've said in this message has been well known for a
decade, so I'm somewhat in despair that we keep recycling the same
bad ideas because people don't do their homework.

