Dean Anderson wrote:
It isn't the case that the spammer
intended to send a message about the superbowl, but somehow "noise"
altered the message to a solicitation on viagra. Rather, they intended to
send a message on viagra, and you recieved their message, noise free.
But seeing the solication for viagra, you became upset, and reported a
complaint about the inappropriate use of the channel. In
information-theory-speak, you report a "communication in violation of the
security model"; a covert or sneaky channel.
I guess we agree that if the message can be read by the intended recipient
then it's not in a covert channel. A covert channel is one that can't even
be detected by the intended recipient. But, you may ask, "who" is the
intended recipient?
In anti-spam email systems, we can usually recognize three "whos":
#1: My MTA
#2: My MUA
#3: Myself
The spammer's strategy is to send the spam message in such a way
that it is undetectable by my MTA-MUA, while it is detectable and
readable by me. In short, it needs to use a covert channel through my
MTA-MUA, but not to me.
An example of such a covert channel is if a spammer hides information
in the subject line by using wrongly spelled forms of "viagra",
information which my MTA-MUA cannot detect. It's not a covert channel
for me but it is for my defenses. But, once that message passes
through to me, it becomes detectable, readable and I call it spam.
Does this mean that spam is defined by the rule
"I (only) Know It When I See It!"
and we have to accept a large failure rate in preventing spam, that
can only be solved by laws and law enforcement?
I want to emphasize that it does not have to be. Suppose a user can make
email senders pay a burden at their MTA or even at their MUA (e.g., a
bounce requesting encryption and solution to a puzzle). In addition, using a
selective scale defined by the user (so that selected mail senders have
less burden) at their MTA and MUA, the user can make the spammer pay a
price *as high as desired* by the user (not limited by R. Brown's comments).
In such case, the covert channel cannot even be established unless
the spammer pays a price -- a price that can be *as high as desired* by
the *user*. This is the essence of the proposal (the devil is in details).
I take the example of the front door of your house. If you leave it open,
so that a thief has no burden getting in, a thief probably will steal
something from you -- even though the law says that theft is illegal.
What we need is to put a lock into our email communications door. A lock
that can be as hard to pick as the user wants, and yet easy to use
as the user wants it to be used.
Spammers are thiefs -- they steal time and resources, they make us
reject legitimate email. They cost a lot of money to all of us.
They have not been and will not be deterred by law alone. There
is also no "world law" and spammers are often hidding behind
legitimate users that change all the time. We can't lock the
spammers' doors everywhere, we have to lock our door at our house.
BTW, to propose something simple, "running code" helps before any
discussion. In a system as complex as email, however, one would
have to be naive to even think about "running code" before "running
comments." I thank you all for the public discussion on this topic,
through which I have learned a great deal, including people's first
barriers to change.