Using Identity to Fight Spam


An article in today's NY Times (free registration required) discussed the use of identity in fighting spam. It seems that companies that send out lots of legitimate email are increasingly getting caught in SPAM filters and the mail is not getting delivered. I can sympathize with that. This last month, I did not receive a prescription renewal notification from MedCo Health because their reminder was filtered out. I also nearly missed an invitation to speak (part of my livelihood) because the email seemed like SPAM, even though it was legitimate. I control my own SPAM filter, so fixing these was easy, but what about the person who's at the mercy of their ISP?

The basic idea is that it might be easier to identify legitimate emails than the SPAM. This is something like Caller-ID for email. What's required is a way to identify the sender of the email. There are several ways to do this:

  1. Use some kind of email client certificate that has been identity proofed. I wrote about such a scheme in August.
  2. Create a registry for email servers themselves and only identify the email servers.

The choice is between comprehensive and quick. The second choice would increase the burden on people who operate their own mail servers (like me), but it wouldn't be such a big deal, I suppose. Having certificates for every email user would be a bigger cost and more difficult to implement, but would allow finer-grained control.

DNSSEC is a related solution. Knowing the domain with a degree of assurance cuts down on the effectiveness of worms, viruses, and so on. It also makes it easier to hold SPAMmers accountable.

Accountability is a more effective means to deal with SPAM than enforcement. Ultimately, what makes society work is that we're free to do what we want, but when we screw up, someone finds us and holds us accountable. Enforcement requires larger infrastructure than accountability does. As Dan Geer says, "accountability is a log processing problem."

That raises an important issue: trust. From the Times article:

There is also a growing agreement that it is not enough for an e-mail sender to identify itself. The sender must also earn the trust of e-mail recipients, by promising to follow certain standards and having violations tallied and published. That would let people choose to discard mail from senders with high complaint rates. "Just because we can verify your identity doesn't mean you send good email," said Miles Libbey, the manager for antispam products at Yahoo. "You absolutely need identity and you also need reputation."

The problem with reputation is that it can be unfairly sullied. There's a system like this already called SPEWS (recently shut down) that keeps a blacklist of mail servers that have been used for SPAM. I host at Verio and someone on the same virtual server I use apparently did something to get on the SPEWS list. This meant that my mail server was on the list as well (since virtual servers share IP addresses). A number of emails I sent got bounced before the problem was resolved. Any system that does this needs to be based on identity as well as reputation. The problem with SPEWS is that it has no identity. I can't uniquely distinguish my server from the problem server. There's no one to vouch for me in the SPEWS world.
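
The shared-IP problem described above can be seen by tallying the same complaint log two ways, once keyed on source IP and once keyed on a verified sender identity. This is an added example, not code from the original post; the domains, addresses, threshold and the assumption that each sender's identity has already been verified (by a certificate or registry as discussed earlier) are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log: (source_ip, verified_sender, recipient_complained).
# 192.0.2.10 is a shared virtual-server address used by two unrelated senders.
LOG = (
    [("192.0.2.10", "bulk-offers.example", True)] * 4
    + [("192.0.2.10", "blog.example", False)] * 3
    + [("198.51.100.7", "newsletter.example", False)] * 2
    + [("198.51.100.7", "newsletter.example", True)]
)

BY_IP, BY_IDENTITY = 0, 1   # which log field the reputation is keyed on
THRESHOLD = 0.5             # assumed: list a key at a 50% complaint rate
MIN_MESSAGES = 3            # assumed: ignore keys with too little history


def complaint_rates(log, key_field):
    """Tally complaints per key (the log-processing step)."""
    sent, complaints = defaultdict(int), defaultdict(int)
    for record in log:
        key = record[key_field]
        sent[key] += 1
        complaints[key] += int(record[2])
    return {k: complaints[k] / n for k, n in sent.items() if n >= MIN_MESSAGES}


def listed(log, key_field):
    """Keys whose complaint rate puts them on the blocklist."""
    rates = complaint_rates(log, key_field)
    return {k for k, rate in rates.items() if rate >= THRESHOLD}


def rejected_senders(log, key_field):
    """Verified senders whose mail bounces under the chosen keying."""
    bad = listed(log, key_field)
    return {record[1] for record in log if record[key_field] in bad}


if __name__ == "__main__":
    print("keyed on IP:      ", sorted(rejected_senders(LOG, BY_IP)))
    print("keyed on identity:", sorted(rejected_senders(LOG, BY_IDENTITY)))
```

Keyed on IP, the well-behaved sender sharing the address is rejected along with the offender; keyed on identity, only the sender that earned the complaints is.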