Tuesday, 15 May, 2001
Stopping Spam By Verifying Senders
So there's a bill in Congress that restricts unsolicited commercial email (UCE, or spam to the rest of us), and prescribes punishments for spammers. I'm less than excited about the bill for a number reasons. First because I have a mistrust of government regulation in general, and second because this particular bill has almost no teeth. My biggest objection, though, is that spam is something that the Internet community should be able to control without legislative intervention.
SMTP is a totally open protocol that lets anybody send mail to anybody else, with very few restrictions. There is little (if anything) done on the part of SMTP servers to verify that the sender is indeed who he claims to be. It's trivial to change the ReplyTo and ReturnPath fields in an SMTP header, and only slightly more difficult to supply a bogus address in the IP header. It's like telephone before Caller ID became available. And that's the root of the problem. If there was some way to guarantee the sender's identity, then spam would dry up because we'd just block all mail from known spammers.
How to do it? First, get people who operate SMTP servers to agree on a certification agency similar to the Verisign system. Each server obtains a digital certificate that it must present in order to send mail to another server on the network. In order to obtain a certificate, the applicant must agree not to originate spam or allow spam to be forwarded through the server. Most publicly accessible SMTP servers already prevent anonymous forwarding, and most ISPs require dedicated connections or user ID and password logins, so this wouldn't be a huge burden. Note also that this doesn't prevent people from using standard old SMTP if they want--they just won't be able to send mail to "certified" servers.
There's no technical reason why this system can't be put in place starting today. We'd get resistance from anonymity advocates who want the ability to send anonymous messages, but they have to make a choice: spam or anonymity. I'd prefer this to a legislative solution. The Internet community has to show that it is capable of policing itself, and controlling spam would be a perfect opportunity. If we require legislative assistance to control spam, we're showing that we are unable to police ourselves and inviting further and more intrusive legislation over the entire Internet.