Fighting Image Spam: Will Warranties Work?

Lots of good reactions to our piece on Image Spam and how it works. Responses on Slashdot.org, as usual, ran the gamut. A few intelligent discussions emerged, like the ones on the relative effectiveness of gray lists and CAPTCHA (those swervy characters you type in at checkpoints). Still many more crowed about how little spam they received. They wondered who could possibly fall for this stuff or even consider image spam a problem. Usually those posts said the "solution" was "simple" or image spam was "easy enough to defeat." Just use a white list (accepting email only from trusted sources), or disable images and HTML in email, they wrote.

The idea that one person's experience could be a reliable indicator of the problem and its solutions seems callous. If I don't get image spam then, dammit, what's the problem? If white lists work for me, well then everyone else is an idiot for not using white lists. "There is no legitimate reason to be using HTML email. None," wrote one Slashdot squatter. Another poster "shuddered violently" at the thought of images embedded in email signatures, as if such a thing was contemptible to say the least.

Of course, legitimate purposes for HTML email exist. And in response to putting images in email signatures, one person wrote: "It's called branding. Talk to our marketing department." But whether or not you agree that email should be text-only or that attachments ought to be eliminated from email is actually irrelevant. Truth is, no one person or group gets to decide what is and is not legitimate use. When they do, that's called regulation.

Even if these self-appointed arbiters of email usage were, from a security perspective, right to suggest their methods reduced the risk of spam reaching an inbox, it doesn't matter. The image spam problem has little to do with inboxes, with so-called end points. Image spam is big. It takes up a lot of bandwidth on its way to where ever it ends up; it takes time to inspect at filters; it takes up lots of storage space, no matter if it's stored in an inbox, a junkbox or a back-up server.  A few technically proficient Slashdotters might not get image spam but it still affects them, just as crime affects people whose houses don't get broken into.

The truth is, as long as the free distribution mechanisms exist--botnets, vulnerable servers--image spam is a big problem. The if-you-don't-see-it-it's-not-a-problem argument is so narrow and fallacious that we're dismissing it on the spot.

It's just ironic that Slashdot.org, a forum known for celebrating the openness and power of the Internet as a democratizing force has so many Marie Antoinette types suggesting we breadless ones should just eat cake instead. (Yes, yes, we know, she didn't say it. Save your email).

Ironic, too, that one of the more thoughtful comments I received on the subject came from an academic who said his idea was "hammered on Slashdot" when it first appeared there. His name is Marshall van Alstyne, associate professor of economics at Boston University and a visiting professor at MIT. Suggesting that technical and legal responses to spam are doomed to fail (technical ones because computers don't get metaphors and legal ones because there's no jurisdiction over a digital scrap that traverses several countries), van Alstyne, not surprisingly, said we must treat the image spam problem as a market problem. His solution: bonds. van Alstyne calls them "attention bonds" and the conceit behind them is that our time is valuable and wasting it should cost a solicitor money. Therefore,  every unrequested email would come with a contingent claim: I promise my email is quality, not spam. If it is quality, then the transaction is completed, no charge. If it's spam and wastes the recipient's time, the sender pays a fee to the recipient and, presumably, stops emailing them, since it's expensive to do so. A video of his presentation called, An Economic Response to Unsolicited Communication can be found here.

van Alstyne suggests two to five cents per message as a bond, but the market could decide this, too. For example, the recipient could charge more, but if he charges too much, no one--legitimate or otherwise--will email him. He's shut himself off from opportunity. If he charges to little, people will happily pay the bond to get the message through, and the recipient continues to waste his time wending through spam while generating little in return.

It's not a new concept, really. It's a product warranty. If my bike breaks right after I buy it, the company fixes it, no charge. van Alstyne's model borrows on that and many different economic theories. Some of it is Nobel Prize-winning, like George Akerlof's "Market for Lemons" which in the early 1970s outlined "assymetrical information theory"--when the seller knows more about a transaction than the buyer. This leads to a market where inferior products drive out superior ones, because the buyer can't descry the difference and will not pay a premium for a product that they can't tell is better. Bruce Schneier, also citing Akerlof, covered this well, and we wrote about this in the context of the market for high-quality software in The Chilling Effect.

van Alstyne also talks about how subsidies like an attention bond can fix two-sided network effects, the so-called chicken-and-egg problem for legitimate solicitors. Unlike the lemon problems, with two-sided network effects each side lacks information. I don't know if this email is worth my time as a recipient and the solicitor doesn't know if I'm worth their time as a potential customer. But by determining through a small subsidy what is a "legitimate email" and what is "spam" each side gains valuable knowledge of the other, creating a more efficient, albeit less serendipitous, market. (Once was a time when credit cards suffered from this chicken-and-egg problem. Stores didn't want to honor them unless people carried them; people didn't want to carry them unless stores honored them. Part of the solution was a subsidy. To disrupt the stalemate and get people to carry plastic, the card issuers agreed to pay the insurance on the cards by paying for lost or stolen cards and fraudulent charges. A promise that, by the way, is getting harder and harder for them to subsidize today).

As van Alstyne noted, when he first proposed the attention bond model, he was soundly thrashed by Slashdot and others.  Schneier  had a thoughtful critique, noting that in order for it to work, endpoints must be trusted in the first place, not after the fact. That is, the system presumes a person would use their own system (and identity) to send the communication in the first place, when clearly with spam that's not the case. They're being sent by botnet from cat's paws computers. People who didn't intend to forward spam would, technically, be liable for the bond since their machine sent it.  van Alstyne also notes that the clearinghouse that would need to be set up to complete these transactions, and hold emails in escrow until terms are satisfied, would have to be able to scale massively--no small feat.

But he believes all of this criticism helped him flesh out the idea. "We now have rich answres to all of those questions Bruce and the people at Slashdot raised," says van Alstyne. At the time, we didn't have good answers, so the research benefitted from the critique at Slashdot and elsewhere."

I'm not convinced by van Alstyne's model, but it's good to hear new ideas on an old problem. Especially a problem that's been attacked the wrong way from the beginning. As van Alstyne notes in his write up, spam is pollution and "experience tells us that pollution control works best when applied to the lowest cost point of intervention...placing filters at the source. In contrast technological spam controls are backwards. If a handful of spammers can create a $50 billion problem it is because current interventions place filters at the high-cost destination...We know this is wrong and have known it for nearly half-a-century."

    --Scott Berinato

Related:

Copyright © 2007 IDG Communications, Inc.

The 10 most powerful cybersecurity companies