Selling Your Attention to Spammers

Dotnaught writes "Can the free market stop spam where technology has failed? As described in InformationWeek, Professor Marshall Van Alstyne of Boston University School of Management has co-authored a soon-to-be-published paper that proposes an "attention bond" -- money put up by email senders that recipients collect only if they consider the message a waste of time. Supposedly, this market-based filter performs better than a perfect technology-based solution, with no false positives or negatives. A company called Vanquish already has a working model. Is selling one's attention the answer to spam?"

Can they really afford my time?

[Rude Turnip]

I bill triple digits per hour (but still less than a phone sex operator at $4.99/min). Doctors and lawyers charge even more. Unsolicted messages are an uncompensable waste of time and a theft of network resources.

Sounds dumb

[stratjakt]

Why is a spammer going to put up money when relaying through a zombie net or open relay is easy and free?

Should be a money-maker

[bigtallmofo]

What's to stop someone from signing up for every mailing list everywhere and setting up an automated application to flag it as spam so the money starts rolling in? Three or four thousand such flags per day, even at a few cents each should start to add up fairly quickly.

The problem with spam is weak enforcement

[Animats]

Spamhaus points out that 200 known spam operations are responsible for 80% of spam. [spamhaus.org] They have names for most of the key people involved. Most of them are in the US, even though "bulletproof web hosting" services in China and money laundering in some tax haven may make them appear to be offshore.

The US Federal Trade Commission says that over 80% of spam involves some violation of Federal law. Not just the CAN-SPAM act, but mail fraud, false advertising, money laundering, computer crime, drug counterfeiting, and racketeering. There should be no problem filing charges.

If we had an FBI director who made this a priority, most spam could be eliminated in a year. Just divert some of the FBI Baltimore people who do child pornography [fbi.gov], who are already experienced at tracking people on the Internet, off that job and onto tracking down the major spam operators.

In a sense, CAN-SPAM has been effective. Spamming by even vaguely legitimate companies is down. Almost all spamming now involves felony criminal activity of one kind or another.

Fraud Potential

[erlenic]

If I understand correctly, which I might not, this is how it will work: spammer sends me an e-mail, I mark it as spam and receive money, spammer gets a notice so he can remove me from his list.

What's to stop me from biting the cost of a large mailing, collecting all those notices, and reselling them to other spammers as a list of verified active addresses? My customers could use the lists in a country not on board with the idea, since this will require legislation to enact (which is a problem too obvious to need explanation.)

Seems like a major problem, but I'll wait until the paper is released before making my final judgement.

Final Ultimate Solution to the Spam Problem

[Caveman Og]

"...with no false positives or negatives"

Right.

People flag list traffic for which they subscribed as spam all the time. What is so special about putting up a financial bond that will cause people not to flag mail they requested in March as spam in May, or accidently marking mail from aunt Mildred as spam. I just don't see it.

This fails every test of an anti-spam proposal I can think of, including the most important: It doesn't stop spam.

--Og

Re:The problem with spam is weak enforcement

[SirSlud]

[sarcasm]In fact, I advocate taking anybody working on anything deemed less bad than child pornography and put them on it. In fact, we should not be working on anything except for child pornography. Actually, there are some dudes working on petty things like identity theft, corperate misdeeds, murders, grand theft auto, etc .... [/sarcasm]

why does the casual observer allow objectivity and reasonable thought to fall by the wayside when dealing with the very things that require them the most?

I was a sexual abuse victim when I was young, and I dont see whats so bad about the parent post. Child pornography department just fills in the vacant slot or two and the experts train the newbies. Thats how it should be done .. let the domain knowledge permeate the entire law enforcement departments that deal with online crime. You're not dismantling the original group, you're just letting them share some of their expertise with other departments that so clearly need them .. expertise they had no choice in gaining from working in such an important field.

There doesn't seem to be much motivation to put that kind of knowledge on spam enforcement, but I think the parent poster is right: why isn't there? Obviously spam isn't nearly as bad as child pornography, but judging by some of the porn sites they advertise via unsolicited spam, the industries certainly intertwine. Its not like a potential victim becomes a stupid slut who made her own decision to sell her body the second she goes from non-legal to legal age. I've seen enough stuff in my lifetime to know that claiming you're a consentual adult isn't exactly 100% true if somebody is pulling your strings.

Great idea

[Anonymous Coward]

As a spammer, I love "recipient gets paid" spam solutions. I just reverse my army of zombie PCs to send ME mail. I mark them all as spam and collect the bonds that the innocent PC users put up.

The Only Solution

[_Hellfire_]

The only solution to spam? Replace SMTP.

SMTP is an outdated, insecure protocol which is ill-suited to modern email.

We need to replace it with a protocol which is authenticated at both ends. A friend and I came up with the following; which although not perfect and probably subject to a few tweaks is a step in the right direction.

J Random Hacker/Company/Joe Sixpack leases a domain name from J Random Registrar. Let's call it jrh.com

That registrar provides a private key and a public key pair based on the domain name.

The CMTP (or Complex Mail Transport Protocol - I made that up) server on jrh.com wants to send an email to target.com. It signs the outgoing message with the private key (ie puts a hash in the header - and you could base it on time and date or other arbitrary data to make sure there's no forgery) and then connects to target.com. target.com then asks jrh.com's registrar for jrh.com's public key (either that or it's propagated over DNS). If the pair match up, the email is accepted. If not it's dropped at the door. No questions asked.

During the phase in period, SMTP traffic could be configured for a 15 minute delay on each target server, whereas CMTP traffic is dealt with immediately. I compare it to how Telnet was slowly phased out in favour of its more secure replacement, SSH.

So, if a spam zombie Windows box is spewing out SMTP traffic in a CMTP world, most servers would drop it at the door. The spammers can't go to CMTP because:

1) They can't use a private key they made up because it's checked against the public key held at the registrar.

2) If they use the private key of a domain they hold (ie install it as part of the worm infection) when people get even 1 spam from them (yes 1 spam - it would be that unusual) the server just ignores mail sent with that signature.

The solution works because the motivation would be there for companies to prevent spam on their networks. As soon as they switch to CMTP, they get no spam over it. And eventually they will get no SMTP email at all. Just as nobody uses Telnet anymore, SMTP will die out if replaced with something better. You can make all the laws you like but at the end of the day, the SPAM solution is a technical one.

Re:Automated Spam Response

[jmv]

Most importantly, you forgot:

"Mailing lists and other legitimate email uses would be affected"
Under this plan, I could just subscribe to a bunch of mailing lists and get paid (by mailing list admin) for declaring the emails as spam.

It comes from way before Gates.

[cduffy]

Heinlein came up with it first -- one of the characters had a doorbell which would only ring after a deposit was made -- refundable if it was agreed that her time was not being wasted. I think someone else here referred to Heinlein doing the same thing with a telephone call at some point or another -- I'm not sure if it's the same reference (and one of us is misremembering it) or if he used the same idea twice (which is really quite plausable).

Re:Should be a money-maker

[pklong]

Interesting point, but one that could be avoided if the mailserver has an address book with a pricelist. Presumably you would need to transfer some form of electronic payment at this point anyway. You would mark mailing lists, friends etc. as free in your address book. The mailing list would then refuse to send you email if it had a cost.