Internet and e-mail policy and practice
including Notes on Internet E-mail




27 Nov 2008

Facebook wins $800M against spammer. So what? Email
In a widely reported court case, Facebook won an $800M default judgement and injunction against a Montreal man named Adam Guerbuez, who has a long and sordid history. But it probably won't make any difference.

  posted at: 10:52

22 Nov 2008

Attention Bonds Email

A proposed anti-spam technique called Attention Bonds has been getting a lot of press lately. It's not a particularly new idea; Philip Raymond of Vanquish, Inc. has a patent on the technique applied for in 2002 and issued earlier this year.

In its latest incarnation, it's proposed by University of Michigan economists, starting with an analysis that comes to the not very surprising conclusion that we'd all be better off if something other than spam filters allowed more of the mail that people want to be delivered. They propose a form of e-postage in which recipients can demand a monetary "bond" from unknown senders, which the recipient can either keep if the message is spammy, or return if the message turns out to be nice.

Attention bonds are an unfortunate idea, particularly in an international forum. The first problem is that they make the all too common assumption that the bad guys will play by the rules. As I note in my e-postage whitepaper, as soon as you make e-mail cost real money, you open up a wide range of financial frauds and scams, ranging from fake payments from fake banks to scams where the bad guys induce people to send them mail and collect all the payments. Although it would be possible to create a set of rules and tribunals to deal with the new problems, there's no reason to assume that the result would be any less expensive and awful than the situation now. There's also the closely related problem that we still don't have any workable authentication scheme for e-mail so there's no way to prevent bad guys from lying about who they are and forging mail purporting to be from your friends.

Second, they don't seem to appreciate how expensive it would be to build the necessary infrastructure, waving it away in one of their presentations by noting that phone systems bill to the second. The system that bills and settles payments among phone companies is big, complex, and expensive, and there are a lot more ISPs and networks than phone companies, even before you start to think about how you'd remit payments to individual mail users.

Internationally, an attention bond system would kill e-mail from LDCs and countries with non-convertible currencies. For you or me, a bond of a couple of dollars is no big deal, but for someone at a cybercafe in Ghana or Nepal, or a student in Iraq using facilities at school (I currently correspond with one), two dollars would be a large chunk of a week's disposable income, if they could buy the bond at all, which they probably couldn't since they don't have a bank account.

Even if you wave your hands and give everyone a bank account, the system is not set up for vast numbers of automated transactions. Paypal is the most widely used online payment system. It's a swell system, and their highly automated system is cheaper than manual credit card charges, but each transaction requires logging in and working through a series of screens, both to be sure the transaction is the one the user wants, and for Paypal to minimize the risk of fraud. Paypal currently handles about 500,000 payments per day (according to their SEC filings). Even if only one message in a hundred did a bond thing, when you consider how much e-mail flows around the world every day, that's still something like a thousand times more transactions than Paypal handles, and considerably more than the entire credit card system handles. Scaling that up wouldn't be either easy or cheap, and would require the investment of many billions of dollars.

More hand-waving argues that there'd be multiple banks to spread the load around, so you need only verify a message's bond with the bank that's issuing its bond. That's OK, but we have to assume that spam will all have fake bonds that will need to be checked and rejected, which is nearly as expensive as a successful verification, but doesn't lead to a transaction that helps pay for the transaction system. Furthermore, if you, the recipient, expect to be paid, you'll need to check with your own bank to see if they trust the other bank to pay up, since it won't take long for the First Deceased Military Officers' Bank of Lagos, Nigeria to start issuing bonds that they will cheerfully verify but never pay. It's not impossible for your bank to provide you with an updated set of other banks whose bonds they'll accept, but lacking a central registry like Visa and Mastercard have, which would be a chokepoint, negotiating all of the agreements between all of the banks all over the world would be at the least painful, sort of a throwback to the way international banking worked in the 1930s with letters of credit to correspondent banks overseas.

A friend of mine noted that any e-postage system needs good authentication to make sure the money flows to and from the right people. But with good authentication, there are more direct ways to deal with spam, such as third party reputation systems. Rather than spend billions of dollars to build a system that people will hate because it'll be a non-stop source of fraud and scams, wouldn't it make more sense to address the spam problem more directly?

Addendum: one of the U.Mich group, Thede Loder, was at the ITU WSIS spam conference pitching attention bonds, and I had a chance to talk to him at some length. I hope he's now less underinformed about the realities of the world of e-mail, but based on subsequent e-mail correspondence, I'm not sanguine.

  posted at: 07:18

19 Nov 2008

More spam from Postini Email
A few months ago we had a most interesting colloquy when I posted with some amusement a piece of spam that Postini had sent me, suggesting that a company that claims to be in the spam filtering business should consider using its own product, and a former Postini employee expressed bafflement and outrage that anyone should expect Postini to bear any responsibility for mail sent through their servers. Well, they're back!

  posted at: 04:52

14 Nov 2008

ICANN finally turfs EstDomains ICANN

After all the uncomplimentary things I've said about ICANN, in fairness I should acknowledge that they do, finally, seem to have terminated famously sleazy registrar EstDomains, brushing off last ditch attempts by its owner to claim that his conviction for fraud was under appeal and that he wasn't an officer any more. His conviction was nine months ago, and there's well documented evidence of years of involvement in crime ranging from phishing to child porn, but better late than never.

I remain interested to see what, if anything, ICANN plans to do about registrar DynamicDolphin, whose owner also has been convicted of a felony.

Followup Note: On 24 November, the 281,000 domains registered by EstDomains become available to transfer to any other registrar who wants them. But who'd want a portfolio of domains that are mostly notable for being used for criminal purposes? What if no other registrar wants them? Are they all just deleted? Go into limbo? If they're in limbo, how could a registrant take them out of limbo? Does ICANN have a plan? Stay tuned and in two weeks we'll find out.

  posted at: 14:10

08 Nov 2008

Registrar hide and seek ICANN
In the past year ICANN has been putting a lot more effort into its compliance activities, which is a good thing, since the previous level was, ah, exiguous. That's the good news. The bad news is that while they're paying more attention to misbehaving registrants, the registrars, gatekeepers to the world of domains, have serious issues that ICANN has yet to address.

  posted at: 19:54



© 2005-2024 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.