Why Bill Gates doesn't have the Answer to Spam
Recently Bill Gates of Microsoft fame has been hyping bizarre ideas for stopping spam, including the latest today that involves charging senders of e-mail a "postage rate" in the form of requiring them to solve a computational puzzle. While details are scarce, I believe this type of technology is inherently flawed, and the implied mega-corporation control over our freest medium for communication is chilling.
The first problem is that it is technology that Microsoft is seeding with patents, so presumably everyone would have to pay Microsoft to use the new e-mail system (if there is anything more sinister than VeriSign's attempts to hijack HTTP requests, this is it).
In order to not encumber personal users, there would be thresholds set at which you can have a "free pass" until you start sending more than your allotted amount of e-mail (who decides how much is too much is not clear). Spammers will, of course, exploit these limits for individual accounts, either by continuing their current practice of generating hundreds of thousands of e-mail addresses for each domain they legitimately own, or by continuing to use thousands (if not hundreds of thousands) of compromised machines around the world to send spam for them.
Further, there are no details provided (at least, not in the article that I read) about how the time limits or puzzle solving would be enforced. If it relies at all on client-side software, the spammers will simply hack it. It's been proven time and again over the last year (and indeed, even prior to that in my personal experience) that spammers actively team up with hackers to gain access to more boxes to use for sending spam, harvest more e-mail addresses, and just in general to bypass technical defenses.
Even ignoring the inevitability of hacking, with the rate at which computing speeds are advancing, it's unlikely that any puzzles will remain difficult to solve quickly by computers 6-9 months into the future. This means that the algorithm would have to constantly be updated in order to keep ahead of the fastest computers on the market, but what about low-end home users that send a lot of e-mail to friends and family members from obsolete systems, or what about businesses that only upgrade their IT systems every 3 years?
Raising the bar to challenge fast systems will annihilate the ability of older systems (probably anything 18 months off the current technology) to communicate in anything approaching real-time. Spammers have proven a great willingness to hijack computers from others in order to off-load processing and bandwidth, so this isn't necessarily going to slow down spammers much--but poor owners of trojaned boxes will likely suffer greatly when their computer, trying to send millions of messages, slows to a snail's pace solving mathematical problems millions of times.
OK, but let's be optimistic and assume that spammers will be completely restricted to their own machines, and that they won't be able to hack the controls that limit the rate at which they can send. With PC hardware (and even older Sun hardware) being such a commodity these days, and with Linux's ability to cluster, run on multiple CPU boxes, handle large amounts of RAM, and all for free, spammers could easily construct arrays of Linux supercomputers fairly cheaply that could solve the mathematical puzzles at a dizzying rate. This very same approach was used by the EFF years ago (hundreds of 486 processors working as a Linux cluster) to brute-force the DES encryption algorithm very cheaply ($250,000 for the entire project, if I recall correctly). With the amount of money that spammers make, a one-time investment of this size should not faze the bulk mailers responsible for the majority of spam today.
All of this is also ignoring what I alluded to in the first paragraph, which is the disturbing similarity to what VeriSign is attempting to do by taking control of popular Internet protocols and regulating them in a commercial and extremely centralized manner. Essentially, this will allow Microsoft to "own" e-mail in the same way VeriSign is trying to "own" the .COM and .NET gTLDs. It's a radical shift from "the edge" to "the center", where "the edge" essentially means individuals and "the center" means giant corporations imposing control (no matter how benevolent they make themselves out to be). It's a blatant land-grab with a not-so-veiled implication of incredible profit potential.
Why would this imply centralization? Very simple. Someone has to keep updating the kind of puzzles that need to be solved, their difficulty, etc., and distribute them in an enforced way to the edges. If the distribution isn't enforced, then stubborn users can simply remain at older, simpler puzzles to solve and send spam more cheaply than anyone who does install the updates. Unless some central source is controlling SMTP, the "postage" solution can never work. I wonder who Microsoft thinks that central source should be?
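The difficulty and enforcement problems described above can be made concrete with a hashcash-style puzzle. This is an added example, not code from the original article or from Microsoft's proposal (whose details the article says are scarce); the stamp format, the SHA-256 puzzle, the names mint, verify and expected_seconds, and the hash rates in the demo are all assumptions chosen for illustration.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(recipient: str, bits: int) -> str:
    """Sender side: brute-force a counter until the stamp's hash clears `bits`."""
    for counter in count():
        stamp = f"{bits}:{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp

def verify(stamp: str, recipient: str, min_bits: int) -> bool:
    """Receiver side: a single hash, plus the minimum difficulty it enforces."""
    try:
        claimed, rcpt, _counter = stamp.split(":", 2)
        claimed_bits = int(claimed)
    except ValueError:
        return False  # malformed stamp
    if rcpt != recipient or claimed_bits < min_bits:
        return False  # wrong recipient, or minted at an older, easier level
    digest = hashlib.sha256(stamp.encode()).digest()
    return leading_zero_bits(digest) >= claimed_bits

def expected_seconds(bits: int, hashes_per_second: float) -> float:
    """Average minting time: roughly 2**bits attempts per message."""
    return 2 ** bits / hashes_per_second

if __name__ == "__main__":
    rcpt = "alice@example.org"   # constructed address
    old = mint(rcpt, 8)          # stamp from a sender who never raised the difficulty
    print(verify(old, rcpt, 8))  # accepted by a receiver still at the old level
    print(verify(old, rcpt, 16)) # rejected only where the new minimum is enforced
    # Constructed hash rates: the same difficulty costs an old PC far more per message.
    for label, rate in (("old PC", 5e4), ("new PC", 2e6), ("cluster", 2e8)):
        print(label, round(expected_seconds(24, rate), 2), "s per message")
```

Verification costs one hash no matter how hard the puzzle is, so the receiver's min_bits setting is the only thing that makes an old, cheap stamp worthless.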
The real solution to spam is authentication. If the recipient is given the option of requiring the sender to authenticate, then the power is in the hands of the end-user (or end-user organization) and they may dictate their own policy, as lax or strict as they wish. The flow of e-mail between consenting parties is not impeded, and individuals do not surrender to mega corporations their right to communicate freely.
Standards like Sender Policy Framework do exactly that. They provide a means for end-user organizations (collectively, The Edge) to opt in to or opt out of any type of authentication mechanism. Everyone has the right to send e-mail, and everyone has the right to refuse e-mail. Other standards, such as Domain Keys (championed by Yahoo!), and E-mail Caller ID (introduced by Microsoft) operate roughly on the same idea, but we should be wary of accepting Internet standards that are built on patented mechanisms. More research into these authentication methods, and an assurance of a patent-free solution, are needed.
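To show how an SPF check leaves the decision with the receiver, here is an added example (not code from the original article or from any SPF implementation) that evaluates a published record against the connecting IP and then applies a receiver-chosen policy. It handles only the ip4, ip6 and all mechanisms and does no DNS lookups; the record, the addresses, the STRICT and LAX tables and the "unsupported" marker are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate an SPF record (ip4/ip6/all subset) against the connecting IP."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"           # this example's marker, not an SPF result
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"             # record is syntactically broken
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched

# Receiver-side policy: each organization chooses its own mapping (constructed).
STRICT = {"pass": "accept", "neutral": "quarantine", "softfail": "reject",
          "fail": "reject", "none": "reject"}
LAX = {"pass": "accept", "neutral": "accept", "softfail": "accept",
       "fail": "quarantine", "none": "accept"}

def receive(record, sender_ip, policy):
    """Map the SPF result to an action; unknown results are quarantined."""
    return policy.get(check_spf(record, sender_ip), "quarantine")

if __name__ == "__main__":
    RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"  # constructed
    for ip in ("192.0.2.10", "2001:db8::1", "198.51.100.7"):
        print(ip, check_spf(RECORD, ip),
              receive(RECORD, ip, STRICT), receive(RECORD, ip, LAX))
    print("no record:", receive(None, "198.51.100.7", STRICT),
          receive(None, "198.51.100.7", LAX))
```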
No one is forced to use these technologies. If The Edge wants to not have any e-mail protection, that is their choice. If they want to send mail without authenticating themselves, that is also their choice (although no one is obligated to receive it). It's about time corporate America got back in step with the spirit of the Internet, because VeriSign and Microsoft appear to have strayed about as far from it as possible.
Brian Keefer