The Merry Spam Killers of Slashdot

The Colorado Freedom Report:  A libertarian journal of politics and culture.

The Colorado Freedom Report--www.freecolorado.com

by Ari Armstrong, October 8, 2003

Summary: 1. State-level anti-spam laws won't work. 2. Anti-fraud laws already exist that might be used to crack down on spammers. 3. Legal suits against spammers are already a possibility. 4. Spam itself, or the intentional circumvention of filters, might be considered trespass, though not without raising difficult issues. 5. It may or may not be possible to create a national anti-spam law that is enforceable and that prevents abusive application. 6. Using special reply forms on web pages might simultaneously hide e-mails from spammers and provide human users with an easy way to correspond.

On early Thursday morning, October 2, I released the article, How to Kill Spam without the State. That article was posted to Slashdot ("news for nerds, stuff that matters") early on Friday morning. By that evening, over 450 posts had commented on the article. I felt more than a little overwhelmed, but I decided to read the enormous stack of messages. I had asked for input, after all, so I figured I ought to review it. No, I still don't know precisely what steps might be taken to destroy the spam industry (I'm not sure anybody does), but I have a little better understanding of the problem and of the general ways it might be alleviated.

I'll start with a few notes about Slashdot. I find it extraordinary that, in a day's time, I can hear from scores of (mostly) intelligent people I've never met, on a web page I'd never before heard of. The internet is a super-fed petri dish for growing memes. A lot of people seem disappointed with the rather mundane impacts of the internet, but I believe the technology is altering society in a host of subtle ways that won't be fully appreciated for decades.

And I will thus repeat a point I made previously. Even if spam remains a problem that can be managed only poorly, it is a small price to pay for the benefits of the internet. Yes, spam wastes time and increases the costs of internet service. But if we conducted a thorough cost-benefit analysis of e-mail, I think it's obvious the time and costs saved -- and the extra benefits achieved -- are phenomenal. By analogy, there is exactly one way to be absolutely confident you won't suffer another cold. I'll happily live with the occasional sniffles, given the alternative. Viruses are a part of life. Spammers are a part of the internet. If we can "cure" particular diseases, that's great -- but let's not lose our sense of perspective. Life isn't perfect, and the internet will never be.

General Approaches to Killing Spam

It occurred to me that techniques for defeating spam are the same as those for vanquishing any foe. There are three basic strategies: hide, defend, and attack.

In terms of spam, we can try to hide our e-mails from the spammers. Using non-clickable e-mail contacts on web pages is a way of hiding. Defending against spam consists mostly of employing filters of various sorts. Attacking spam may consist of two parts: attacking the spammers themselves, and attacking those who fund the spam industry, the spam-suckers.

Offhand, it seems reasonable to expect a comprehensive approach to reducing spam should include all three basic tactics. Surely it's the case that different people and organizations are better adapted to different strategies.

It must be understood that each of these basic three approaches -- hiding, defending, and attacking -- comes with costs. If we hide from spammers, we might also hide from people we'd rather hear from. One Slashdot user worried that if he put a non-clickable e-mail in graphic form on a web page, that would constitute a barrier to those who wanted to contact the user for legitimate purposes. That's an understandable concern. Strategies that work great for some people will work poorly for others. Filters are obviously imperfect: they let some spam through and incorrectly block some legitimate users, and they do little to save bandwidth. And in attacking spammers or spam-suckers, we risk attacking innocent users.

Probably some combination of tactics will prove most useful. However, the economically efficient level of spam surely is greater than zero. By analogy, the only way to completely eliminate one's risk of auto injury is to avoid traveling by or near automobiles. I know of nobody willing to do that. Thus, we're looking for the equivalent of seatbelts, airbags, safe designs, education, and sensible use rules to establish an internet with a tolerable level of spam.

We can draw another analogy to human health. Biological attackers evolved along with the human immune system. Our immune systems cannot totally guard against attackers, but most healthy immune systems can effectively manage the onslaught of attacking viruses and bacteria. We're looking to develop a healthy immune system against spam. Most of these guards will develop in an evolutionary, spontaneous way, the collective result of millions of individual actions, rather than the result of a top-down conscious design. Lots of people used to die in plagues, mostly because they lived in trashy, rat-infested cities. Today, health has improved dramatically in many regions because of better sanitation. It would be a mistake, though, to view health -- either physical or technological -- as something that can be "finally" guaranteed. Health is a management process.

Users can't figure out the most effective ways of dealing with spam without learning more about how spammers operate. Here are just a few of the relevant questions.

* Is most spam international, or is most of it sent within national borders?

* How much spam involves actual mail-order -- that is, the spammer ships some sort of product in return for payment?

* How much spam is outright fraud?

* How many people actually spend money to support spammers (and thus the spam industry)? Are most purchasers one-time suckers, or do a small subset of users repeatedly part with their cash for spam-related items?

* What percent of e-mail falls within that gray area, material that some would consider spam and others wouldn't?

However, while a sound approach to dealing with spam will require a full empirical investigation of the nature of spam, there is one general economic point that should be made. It would be illegitimate to look to past trend lines in trying to predict future levels of spam. Some sort of equilibrium point will be reached that will be determined by a number of factors, including the amount of money spent on spam-related items, the costs associated with sending spam, and the effectiveness of the counter-measures taken. Even if no counter-measures were taken, the amount of spam would naturally level off (or grow roughly at the rate of the internet). The more spam there is, the less likely it is that any particular spam will generate a hit. Even though the marginal cost of sending out spam is nothing, spammers still have out-of-pocket costs and opportunity costs.

Government Approaches to Spam

While reading the Slashdot comments, I got the impression that a number of people weren't especially concerned with keeping in mind the context of my original article. Some seemed disappointed that my political web page is not instead a technology web page. Others seemed to ignore the fact that my previous article was mostly a response to the push for a Colorado anti-spam law. True, I made general arguments against more anti-spam legislation, and perhaps I did not properly qualify some of my comments. Still, a number of Slashdotters seemed not to have read my article at all prior to responding to it. In addition, a number of Slashdotters incorrectly attributed a variety of motives to me. I know technology is improving, but I'm fairly confident mind-reading is not yet a service offered to Slashdot posters.

Other Slashdotters argued that my article was wrong for the same reason that libertarian theory in general is wrong. But this line of critique is strange. Some libertarians, after all, support laws regulating telemarketing and spam, on the grounds that such laws protect property rights. There is a reasonable libertarian case for such laws. However, libertarians also tend to wonder whether a specific government program will work as planned. A law must pass two hurdles to find favor with libertarians: it must be legitimate, and it must be effective. But one hardly needs to be a libertarian to argue an unworkable or counterproductive law ought not be passed. Put another way, just because it is a libertarian making a particular argument, doesn't mean that argument is especially or inherently or solely libertarian.

Several Slashdotters treated the following line from my previous article as if it were the sum of my argument: "If you're still tempted by the political approach, ask yourself one simple question: who is more technologically savvy, your average spammer or your average politician?" But obviously this was not the crux of my argument. Rather, I was merely trying to emphasize the point that catching spammers is very difficult from a technical standpoint. This quoted line does not stand alone as an argument, nor did I ever intend it to do so. As some Slashdotters pointed out, politicians can pass laws about robbery or child abuse (or whatever other crime) without being experts in those areas. However, those who enforce the law must indeed be technical experts in those areas. I'm not convinced those who would enforce spam laws can become technically able to stop spam. The other point is that legislation tends to be captured by special-interest groups, such that it does a poor job of solving the problem at hand.

The more important point is that the government need not pass spam-specific legislation in order to crack down on spam. Several Slashdotters recognized this point and claimed most spam is fraudulent. I don't know what percent of spam is fraudulent; one poster claimed "90% or more of the spam is sent by people that are engaging in fraud or the online-equivalent of lock picking and theft of computer resources." So the obvious question is, why isn't the government using existing laws against fraud to crack down on spammers? (And if the anti-fraud laws are ineffective against spam, what makes us think anti-spam laws will be more effective?) Some Slashdotters seemed to assume that, by arguing against spam-specific legislation, I was also opposing laws against fraud, but that's simply not the case. (However, I do tend to favor common-law solutions to fraud.)

Another Slashdotter suggested spammers can use worms to steal people's address lists. However, use of such technology is, again, already illegal. Hacking people's systems is clearly a form of trespass. Merely sending somebody an e-mail, on the other hand, is not obviously trespass, though some have argued that it is.

So my previous argument was that catching spammers through spam-specific legal means would be supremely difficult, both because of the technical problems, and because of the political mis-incentives (enforcers have some incentive to pursue low-level, easy-to-catch spammers, not those creating the real problems).

I think it's obvious state-based laws, such as the proposal to which I responded previously, are utterly worthless. They are merely political feel-good measures that make for good campaign ads but accomplish little else. I am also skeptical that a national law would help. However, partly this question depends on how easy it is for spam to cross national borders. I suppose someone could argue that international treaties are needed to reduce spam, but at a certain point we have to wonder whether the solution is more costly than the problem.

Denver local David Jilk is more optimistic that a national law might help. His arguments are compatible with the libertarian framework: "Regarding the new Colorado law: This law is pointless. It is a state attempting to regulate what is (in almost all cases) interstate or international commerce, which is not only outside the jurisdiction of the states but is almost impossible for the state to enforce. Any attempt to regulate spam (and inbound telemarketing) would necessarily be done by the federal government, and it should do so in the context of property and privacy rights. I believe it makes sense to define property rights in such a way that inbound communication channels (such as mailing address, fax number, and email address) can be specified by the owner as to whether that channel is available for unsolicited communications. A 'do-not-call/email' list is a reasonable way to implement this aspect of property rights, although it should be voted into law and not created as an agency regulation."

Those advocating a strict reading of the Constitution should not be put off: Section I, Article 8 gives Congress the power "To regulate Commerce with foreign nations, and among the several States..." Again, though, a legitimate national anti-spam law would have to be shown to be a) a proper aim of government in protecting property rights, b) likely to succeed, and c) unlikely to harm innocent parties or consume inordinate resources. To date, I don't see that any of those three requirements has been satisfactorily met.

Private Ways to Attack Spam

But the political approach is not the only one possible for attacking spam. Several Slashdotters suggested possible ways to punish spammers directly, such as by attempting to overwhelm the spammer's systems with data. That could be problematic, but it might be effective in some contexts. Alternately, a spammer could be hit with a bunch of false orders. Another possibility is to use public shame against spammers.

As I noted before, though, the root of the problem is that some people spend money on spam. One Slashdotter suggested in jest that an anti-spam squad could send out fake spam to discover the identities of the suckers, who could then be punished. But this could get nasty, and it could also hurt innocent parties. There are less aggressive ways to help educate potential victims of spam. For example, ISPs could make a point to discourage their users from funding spam. Tipping at restaurants is a cultural norm; we also need a cultural norm that discourages funding spam. The less money that is spent on spam, the less spam will be sent out.

Litigating Against Spam

One Slashdotter makes the excellent suggestion of suing spammers. Is this a government approach, or a private approach? In today's context, it means using courts set up by the U.S. government or the various states. At the same time, libertarians tend to argue "common law" is not rooted in any particular government or state. Regardless, law suits offer an important alternative to legislation. Litigation also gets the incentives right. Whereas the enforcers of statutes have the incentive to bust easy cases and grow their own budgets, litigation creates the possibility of real victims being compensated by real offenders.

Whether litigation should be used against spammers per se depends on whether one believes spam inherently violates property rights. However, litigation against fraudulent spammers should find widespread support. Indeed, now that I think about it, I find it curious that some clever lawyer has not already initiated a class-action law suit against spam.

What is "Spam?"

One Slashdotter wrote, "The most common definition of spam is unsolicited bulk email. This is a very easy test. Is it unsolicited? (Did the recipient ask for it, or is there an existing relationship?) Was it sent to multiple people? If the answer to these questions is yes, then it's spam."

That is a highly problematic definition of spam, and it drives home the point about anti-spam laws targeting innocent users. For example, according to the definition offered, if somebody sends an unsolicited e-mail to 50 people in a town urging them to vote about a particular local issue, that's "spam." Obviously that won't do. The whole point of e-mail is to allow communication. If people fear to communicate important perspectives because they might be wrongly punished as spammers, that does undermine free speech. At a bare minimum, the definition of "spam" must include at least one other restriction: it must be for commercial purpose. Two other restrictions might also be sensible: it must involve a large number of e-mails, and it must be indifferent to requests for removal.

For instance, if we're able to call up Joe down the street and ask him to stop sending us e-mail, I don't really think it's necessary to send Joe to jail or fine him as a spammer. Unfortunately, an ambiguously written spam law might encourage overzealous prosecutors to do just that. Remember, prosecutors and law enforcers have little incentive to conserve public resources, and they have little incentive to spend those resources in the most effective ways.

I'll offer the example of a Colorado political group, the now-defunct Tyranny Response Team. Now, this group was purely political in nature, and nobody made any money off it. However, for tax purposes it operated as a for-profit business. In fact, for a while it was listed as a for-profit corporation. Under the definition offered above, if a member of the TRT sent out a political message via e-mail, that might be prosecuted as "spam" on grounds that the TRT is a "commercial" venture. I'm sure similar examples could be found for left-wing groups. Isn't it abundantly obvious that a badly written spam law would be used to target select political groups?

Two similar groups could send out similar e-mails, yet be treated differently merely because of arbitrary legal distinctions. Indeed, the employees of many "non-profit" organizations make a great deal of money indeed. So should non-profits be automatically exempt from "commercial" spam laws, even as other groups are punished for political activism?

Far too many people take the "we know it when we see it" approach to thinking about spam. Some sorts of e-mails are unambiguously spam. However, there is a very large gray area, and surely if we value the First Amendment we must err on the side of protecting speech.

Collected Commentary

For obvious reasons, I cannot reply to every Slashdot comment. However, I wanted to include a few specific insights from Slashdotters, along with a few comments people sent to me directly.

One Slashdotter claims most spam is sent by "suckers who bought into get-money-quick and be-your-own-boss internet marketing schemes." If that's the case, most spammers are probably short-term offenders, and probably much easier to track down than the originators of the scams. It's likely that government enforcers would have a much easier time nabbing the "get-rich-quick" suckers. But would this significantly impact the problem?

Damian Yerrick makes an important point: "Users behind non-graphical user agents, such as users with vision disabilities, cannot turn a picture of an e-mail address into an e-mail address. I, on the other hand, open first contact through a web form [pineight.com] that spambots looking for @-signs can't pick up but which remains accessible to anybody whose non-graphical web browser supports HTML forms." He points to http://www.section508.gov/. I haven't yet solved this problem for my web page, but I may eventually switch completely to these sorts of forms.

Another user writes, "While I admire the libertarians on some issues, particularly their stance on individual freedom and civil rights, I can't agree with their policy on limited governance, unlimited corporate freedom, and unregulated commerce." This comment manifests an important confusion about libertarianism. What libertarians want to limit is not "governance" per se but the power of the state. Libertarians do not want "unlimited corporate freedom;" they want strict enforcement of property rights. Libertarians oppose special legal privileges for corporations and all rights-violating behavior by corporations. Finally, libertarians want fully "regulated" commerce -- that is, commerce in which property rights are strictly enforced and otherwise "regulated" by market exchanges. What libertarians don't want are legislative restrictions on market behavior that violate property rights rather than protect them.

One Slashdot debate tried to figure out whether spam is inherently trespass. This is a difficult issue. There is nothing like a "do-not-mail" list. People can send you unsolicited snail mails without consequence. However, if somebody started sending out snail mails in bulk just to annoy somebody, that might constitute grounds for a law suit. (The fact that there's a per-unit fee discourages such mailing.) One person pointed out knocking on somebody's door is not the equivalent of breaking into somebody's house. True enough. At the same time, if I post a sign saying, "no soliciting," and a solicitor knocks on the door, the knocker is pretty clearly trespassing. The difficulty lies in posting a "no soliciting" sign on one's e-mail account, plus there's no good way to enforce it. Troubling.

Another user suggested that any conscious attempt to defeat a user's anti-spam filters -- such as by slightly altering a word -- should constitute evidence that the spammer is trespassing (in effect, knocking on a door that bears a "no soliciting" sign). This argument is intriguing. However, it still might allow the punishment of innocent users. Let's say somebody writes a legitimate news article about Viagra or the word "penis" or whatever, but then modifies the word to circumvent filters. Should that be a criminal activity?

One Slashdotter offers a remarkably common-sense argument (for having completely misread my previous article): "the state can make it illegal to forge headers or use non-existent return addresses." Offhand, I can't think of any way such a law could be abused.

A couple of suggested web pages were http://www.paulgraham.com/ and http://bofhcam.org/. Following are replies sent via e-mail. Please note that I can't personally vouch for the suggested proposals -- I am merely passing them on as interesting possibilities.


Dear Ari Armstrong:

I am writing in regards to your article, "How to Kill Spam Without the State." I strongly agree that what needs to change is our attitude towards spam blocking. I set up Tagged Message Delivery Agent (TMDA: http://tmda.net) on a few accounts that were getting too much spam. It cut down my spam to about 5% of what it was before, but I have had one friend and one family member, after getting a TMDA auto-response, fail to reply, with the attitude "You can't tell me from a spammer?" No, software can't tell the difference, but if you respond you let it know.

If every person used TMDA the e-mail paradigm would shift slightly, but the spam problem would be solved. The first time one e-mails a person who the person has never e-mailed (after installing TMDA) is required to demonstrate that they are using a valid e-mail address and they can reply to the message.

As is, it would force spammers to use valid e-mail addresses and set up TMDA responders. Then one more shift would occur that would require the person to respond with the word in the picture or something like that and then spam would have to be individually sent, which would become prohibitively expensive.

Benjamin J. Stassart
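The confirm-by-reply idea described in the letter above, as an added example that is not part of the original letter and is not TMDA's own code. The class name, the HMAC token scheme and the sample addresses are assumptions made for illustration; the header checks keep the gate from challenging mailing lists and auto-replies.

```python
import hashlib
import hmac
from email.message import EmailMessage
from email.utils import parseaddr


class ChallengeGate:
    """Hold first-contact mail until the sender proves they can reply."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.confirmed = set()   # senders who answered a challenge
        self.held = {}           # sender address -> list of held messages

    def token_for(self, sender: str) -> str:
        # The HMAC binds the token to one address, so a token seen in one
        # challenge cannot be reused to confirm a different sender.
        mac = hmac.new(self.secret, sender.encode(), hashlib.sha256)
        return mac.hexdigest()[:20]

    @staticmethod
    def is_automated(msg) -> bool:
        # List traffic and auto-generated mail must never be challenged:
        # the challenge would go to a list or bounce between two robots.
        if msg.get("List-Id") or msg.get("List-Unsubscribe"):
            return True
        if str(msg.get("Precedence", "")).strip().lower() in {"bulk", "list", "junk"}:
            return True
        return str(msg.get("Auto-Submitted", "no")).strip().lower() != "no"

    def receive(self, msg):
        """Return (action, token); token is set only when a challenge is due."""
        sender = parseaddr(str(msg.get("From", "")))[1].lower()
        if sender in self.confirmed:
            return ("deliver", None)
        if not sender or self.is_automated(msg):
            return ("quarantine", None)
        first_contact = sender not in self.held
        self.held.setdefault(sender, []).append(msg)
        # Challenge once per sender; later mail is held silently.
        if first_contact:
            return ("challenge", self.token_for(sender))
        return ("hold", None)

    def confirm(self, sender: str, token: str):
        """Release held mail if the reply carries the right token."""
        sender = sender.lower()
        expected = self.token_for(sender)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return []
        self.confirmed.add(sender)
        return self.held.pop(sender, [])


def make(frm, subject, extra=None):
    # Build a constructed sample message.
    m = EmailMessage()
    m["From"] = frm
    m["Subject"] = subject
    for key, value in (extra or {}).items():
        m[key] = value
    m.set_content("constructed sample body")
    return m


def demo():
    gate = ChallengeGate(b"constructed-demo-secret")
    a1 = gate.receive(make("Alice <alice@example.org>", "hello"))
    a2 = gate.receive(make("alice@example.org", "hello again"))
    lst = gate.receive(make("announce@lists.example.net", "digest",
                            {"List-Id": "<announce.lists.example.net>"}))
    bad = gate.confirm("alice@example.org", "0" * 20)
    released = gate.confirm("alice@example.org", a1[1])
    a3 = gate.receive(make("alice@example.org", "third"))
    return a1[0], a2[0], lst[0], len(bad), len(released), a3[0]


if __name__ == "__main__":
    print(demo())
```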


Users can do a lot to kill spam - and a few users have. Most don't, most ISPs don't.

It isn't difficult, it is simple for many of the spammers. The users determine the actual IP addresses the spammers are using to send the spam, contact the ISP responsible for that IP address, and the spammer's account is closed. That's for many ISPs. There are spammer-friendly ISPs (including some big ones with very well-known names) that don't respond to such reports. Those can be dealt with later, in a different way.

But the main point is the ease with which users can gather this data. They do it by letting the spammers tell them the spammer IP, and that is accomplished by faking vulnerability to spammer abuse. You could do it, most of your readers could do it. Most users everywhere could do it - if they have permanent (non-dial-up) connections. They have to be on a segment of the internet a spammer will think might contain a system vulnerable to abuse. When the spammer looks for vulnerable systems (and he will, be sure of that) all that need be done is fake vulnerability.

There are already freeware programs to do this. One, "the Bubblegum Proxypot," allows operators of Linux systems to run fake open proxy systems. These are the most powerful fakes because these are the ones most likely to reveal the spammer's IP. Another is Jackpot, that allows Windows users to fake running an open email relay.

I ask you to in some way research this - probably in your own IP space - and see that what I say is true. Even if you don't run either of these packages you can ask the manager of your email system to show you the log entries for rejected relay attempts. These will mostly be rejections of the test messages sent by spammers to see if your email server is an open relay. There's no such log for proxy port activity - not on most systems, but if there were you'd see that, too. (Actually, I use a software firewall program and can see the attempts in the logs.)

If you have any questions please do ask.

I'll close with a link to some powerful reports made by Ron Guilmette, who until recently ran a network of proxypots. Users all over the world can develop similar, if not so coordinated, data. The information in these reports could be used very powerfully, as it identifies the IP addresses and ultimately the names of the ISPs who continue to harbor spammers.

Good luck.

Brad Madison
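One way to review the "rejected relay attempts" the letter above mentions, as an added example that is not part of the original letter. It assumes Postfix-style smtpd log lines; the sample log is constructed and uses documentation IP ranges.

```python
import re

# Constructed sample lines in Postfix smtpd log style.
SAMPLE_LOG = """\
Oct  3 04:12:01 mx1 postfix/smtpd[2101]: connect from unknown[203.0.113.7]
Oct  3 04:12:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <probe1@mailbox.example>: Relay access denied; from=<test@sender.example> to=<probe1@mailbox.example> proto=SMTP helo=<203.0.113.7>
Oct  3 04:12:03 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <probe2@other.example>: Relay access denied; from=<test@sender.example> to=<probe2@other.example> proto=SMTP helo=<203.0.113.7>
Oct  3 05:40:10 mx1 postfix/smtpd[2140]: NOQUEUE: reject: RCPT from host.isp.example[198.51.100.23]: 554 <check@freemail.example>: Relay access denied; from=<> to=<check@freemail.example> proto=SMTP helo=<host>
Oct  3 06:02:44 mx1 postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[192.0.2.50]: 550 5.1.1 <nobody@ourdomain.example>: Recipient address rejected: User unknown in local recipient table; from=<a@b.example> to=<nobody@ourdomain.example> proto=ESMTP helo=<x>
Oct  3 09:00:00 mx1 postfix/smtpd[2300]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <probe1@mailbox.example>: Relay access denied; from=<test@sender.example> to=<probe1@mailbox.example> proto=SMTP helo=<203.0.113.7>
"""

# Matches only relay rejections; the enhanced status code (5.7.1) is optional
# because older servers log the bare three-digit reply.
RELAY_REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?:\d\.\d+\.\d+ )?<(?P<rcpt>[^>]*)>: Relay access denied"
)


def relay_probes(log_text):
    """Summarise rejected relay attempts per client IP.

    Returns a list of (ip, attempts, recipient_domains, first_seen, last_seen)
    sorted by attempt count, highest first.
    """
    sources = {}
    for line in log_text.splitlines():
        m = RELAY_REJECT.match(line)
        if not m:
            continue  # other rejects and normal traffic are not relay probes
        entry = sources.setdefault(
            m["ip"],
            {"attempts": 0, "domains": set(), "first": m["ts"], "last": m["ts"]},
        )
        entry["attempts"] += 1
        # The probed recipient domain shows the client wanted third-party relay.
        entry["domains"].add(m["rcpt"].rpartition("@")[2].lower())
        entry["last"] = m["ts"]
    ranked = sorted(sources.items(), key=lambda kv: (-kv[1]["attempts"], kv[0]))
    return [
        (ip, e["attempts"], sorted(e["domains"]), e["first"], e["last"])
        for ip, e in ranked
    ]


if __name__ == "__main__":
    for ip, attempts, domains, first, last in relay_probes(SAMPLE_LOG):
        print(f"{ip:15} attempts={attempts} domains={domains} {first} .. {last}")
```

The per-IP summary with first and last timestamps is the evidence an abuse desk needs to match a report against its own connection records.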


The real spammers, the ones causing all the problems, will be virtually impossible to catch.

And so you trip over the real problem causing spam... anonymity.

I have the solution and it lies in an alternative to SMTP (Simple Mail Transport Protocol). There are two serious deficiencies with SMTP which make spamming work. Both deficiencies are mitigated with a simple model change.

Deficiency 1: Anonymity. Spamming will not work nearly as well if the sender is known and accountable. And when you think about it, why should I be interested in reading mail from someone who won't reveal who they are.

Solution 1: Make the sender known to the recipient. Make it possible for the recipient to respond to the sender.

Deficiency 2: Mail is always sent and stored on recipient's server. By sending mail under SMTP, the spammer succeeds as soon as he sends the mail because that protocol sends the message and it is automatically received by the recipient.

Solution 2: Leave the message on the sender's server and just send a notice to the recipient that he has mail. This works like the post office when they have a package they can't put in your mailbox. They put a notice in your mailbox and you go to them for the package. This solution supports Solution 1 in that you must know who sent the message to go get it. Second, it allows you to ignore the message and the cost is to the sender, not you. Third, it keeps from clogging the internet with spam traffic (e.g. far fewer spam messages will actually traverse the web when recipients have the option of ignoring them). And fourth, it keeps spam from filling up your mail box... you only have these short notices in your mailbox.

Let's call this alternative MPUP (Mail Pick-Up Protocol).

Features:
1. Sender is known and recipient can reply to him
2. Message stays on sender's server
3. Only a notice of the message is sent to recipient
4. Recipient goes to sender to pickup message
5. Recipient can ignore messages at minimal cost to him
6. Only wanted messages (by definition... not spam) cross the net

Benefits:
1. Recipient can scold or encourage sender personally
2. Sender can retract or modify messages after he sends notice of them
3. Sender knows when recipient comes for message
4. Sender knows if recipient has not come for message
5. Minimum storage of messages
6. Sender can use disinterested recipient information to cull his mailing list.
7. Much less net traffic and storage of spam.

All we have to do is set up MPUP as an alternative to the existing SMTP. Once we have both protocols, people will move very quickly to MPUP and just eliminate their SMTP mailboxes. MPUP will be naturally resistant to spam and SMTP will just eventually fall into total disuse.

WithGLEE,
Todd Bjorn Marshall


My modest proposal is: A screen saver that pings the site that is selling the product. Who cares about where the email came from? Bog down the commerce site and they will go away. Spammers are DDOS attacking black list vendors and some say Sobig was created for spammers. We need to ATTACK them via technology. The system needs to be able to edit the list of targets, the rate of ping and maybe have someplace that tracks the 20 worst spammers.

Best Wishes
Steve
Tampa, FL


In case you're not already aware, I posted a story last night about your spam article to Slashdot (www.slashdot.org) - a pretty big techie web site on the internet. They often have stories about spam, including ones that praise anti-spam laws, and I figured they could use your insight. Well, it made it into the system at like 4:40 am today. This means you'll have a LOT of people going to your site today.

I figured you wouldn't mind the extra bandwidth necessary if it meant exposing this many more people to good, clear thinking on the government and its proper role in society. Thanks for the article, it's a good one (as they almost always are). If you ever want to consult a techie on a story, feel free to email me.

Craig Latzke


1. Brilliant, that non-clickable e-mail address! That's at least half the problem and I will immediately suggest that all USENET addresses and addresses on public forum be non-clickable and thus non harvestable.

2. About a year or so ago, some politician in Arizona came "to the rescue?" of her constituent, a small ISP, who was being flooded by spam. I made the suggestion then that ISP can easily verify spam, mostly by the sheer volume of it, and not send it on by spooling all incoming e-mail and if it verifies as spam, basically that the from to address is invalid, "spool" it into the bit bucket. That seems to be too simple a solution.

3. Tom Yager with InfoWorld wrote "Identity theft: It's not about you" and maintains that verifiable digital signatures are the only true solution to spam.

Henry Keultjes


Hi Ari,

Perhaps you don't know about Paul Graham's Plan for Spam and his more recent Filters That Fight Back.

In the last few days I have put some scripts to work to take the spammers up on their emailed invitations to visit their websites. For each URL they send me I download their entire site, up to a limit of 5 MB. Just to be sure I download their site a few times.

As Paul Graham points out, a very effective way to reduce spam is to attach a cost to it, if not at the spam sending side, then at the spamwebsite side. If even a relative handful of the hundreds of millions of Internet users adopt this approach, the spamwebsite operators who hope to benefit from the billions of spam emails sent on their behalf will have to pay for a lot more bandwidth and traffic.

I strongly recommend reading at least these papers written by Paul Graham:

A Plan for Spam

Better Bayesian Filtering

Filters That Fight Back

Regards,

Thomas Junker


I read your article on spam and, whilst I don't agree with your premise that legislation is worthless, you make some good points. My position is that legislation won't be perfect, but if we can hit the criminals (and all spammers are criminals, they steal resources from you and me, plus almost all the "products" they sell are illegal or fraudulent) from many directions at once - with prison sentences, economically, and by private individuals and service providers installing decent blocking software - the result will be better than if we do just one of those.

As for challenge-response systems, they won't work - at least as currently implemented - for several reasons:

1. Most users are idiots and misconfigure them. I run several mailing lists, and some people who have signed up for the mailing lists can't seem to figure out that they shouldn't be challenging the list. My policy is to publicly humiliate the bozo on the first offence, and on the second to unsubscribe them and - if they are one of my users - to delete their account and all their files.

2. Challenges look like spam. Worse, spammers use the exact same technique to divine whether a given address is read by a human. Therefore, no sensible person will ever respond to one of those challenges. Hell, if you're using one and this message gets caught in it, I'll make an exception, but only because you seem to be open to being educated about why they're a bad idea :-)

3. Most systems try to defeat automatic responses by putting in a de-facto Turing Test such as reading characters from an image. I have yet to come across a system which doesn't discriminate against disabled users.

4. There is no standard. Yet.

5. It can't be automated. You might think that's a good thing, but it's not. Legitimate users don't want to be bothered with challenges from every person that they contact for the first time. The real purpose of a C/R system is not to ensure there's a human at the other end, but to make it impractical for spammers to respond.

There *is* work underway to try to come up with solutions to all but the first of those - technical solutions will never solve human stupidity, I fear, for as the saying goes "make something idiot-proof and the universe will invent a better idiot".

The idea behind most solutions proposed is for the challenge to follow a standard format and to be built as an extension to the mail protocols, and for the response to be something that can be automated, but which requires enough "investment" to make it impractical for a spammer to make thousands of valid responses.

The most commonly cited example is hash-cash, which makes the sending machine perform a computationally expensive task before it can send mail. The following URLs may be of interest:
http://www.hashcash.org/
http://www.ietf.org/proceedings/03mar/asrg.htm

There has also been some discussion in the last few months of challenge-response systems and their problems on Declan McCullagh's "politech" mailing list: http://www.politechbot.com/

David Cantrell
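The hash-cash idea cited in the letter above, as an added example that is not part of the original letter and is not the hashcash project's own code. It mints and checks a stamp in the version 1 format (`1:bits:date:resource:ext:rand:counter`, SHA-1); the recipient address, the 12-bit demo cost and the 28-day acceptance window are assumptions.

```python
import base64
import hashlib
import secrets
from datetime import date, datetime


def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits at the start of a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def mint(resource: str, bits: int = 12, on: date = None) -> str:
    """Sender side: search for a counter that gives `bits` leading zero bits.

    Expected work doubles with every extra bit, which is the per-message
    cost a bulk sender cannot avoid.
    """
    on = on or date.today()
    rand = base64.b64encode(secrets.token_bytes(12)).decode()
    prefix = f"1:{bits}:{on:%y%m%d}:{resource}::{rand}:"
    counter = 0
    while True:
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, min_bits, spent, today, max_age_days=28):
    """Recipient side: one hash plus bookkeeping. Returns (ok, reason)."""
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return (False, "malformed stamp")
    try:
        claimed = int(fields[1])
        minted = datetime.strptime(fields[2][:6], "%y%m%d").date()
    except ValueError:
        return (False, "malformed stamp")
    if claimed < min_bits:
        return (False, "too cheap")
    if fields[3].lower() != resource.lower():
        return (False, "wrong recipient")      # stamp was paid for someone else
    age = (today - minted).days
    if age > max_age_days or age < -2:
        return (False, "expired")
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < claimed:
        return (False, "work not done")
    if stamp in spent:
        return (False, "already spent")        # one stamp buys one delivery
    spent.add(stamp)
    return (True, "ok")


if __name__ == "__main__":
    seen = set()
    s = mint("ari@example.com", bits=12, on=date(2003, 10, 8))
    print(s, verify(s, "ari@example.com", 12, seen, date(2003, 10, 9)))
    print(verify(s, "ari@example.com", 12, seen, date(2003, 10, 9)))
```

Verification costs a single hash while minting costs about 2^bits of them on average, so the burden falls on the sender; the spent set and date window stop one stamp from being reused across a bulk run.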


One reader replied, "California legislation is a bit more effective than you admit in your article. The California legislation allows action against those who benefit from the spam -- not just the senders. So there is a target to go after that can't hide -- the seller of the product. They have to be contactable or there is no way for them to receive the orders/payments."
