Can e-mail be saved?

E-mail is the victim of its own backward economics. Anyone can send a message to anyone else postage due; the sender pays almost nothing, while the recipient pays in time and money to download and read the message. With that kind of incentive, it's surprising that only 60 to 80 percent of e-mail traffic is unsolicited ads.

Free IT resource Hear how top CIOs turn change into a competitive advantage. Sponsored by HP Free IT resource Attend the SOA Executive Forum: Breaking SOA Bottlenecks SOAExecForum.com/may2007 Sponsored by InfoWorld DOWNLOAD PDF Click here to download InfoWorld's special report Can e-mail be saved?

Any doubts that spam is the biggest problem on the Net were erased in February, when Bill Gates turned it into a keynote topic at RSA Conference 2004. As usual, rather than propose a new idea, Microsoft's chief software architect gave legs to existing schemes. Gates' first proposal, caller ID for e-mail, would use DNS to filter messages from forged addresses. A more high-concept Microsoft research project called Penny Black would require e-mail users to attach e-stamps to messages before sending them to strangers -- the stamps would be cryptographic tokens bought not with cash, but with 10 seconds of CPU time. Clever, but hackers are already cooking up ways to cheat the system.

Whenever Gates shows up, you know the tipping point has arrived. Instead of tinkering with ever more complex anti-spam filters and gateways, it's time to rethink the way e-mail works in the enterprise. With that in mind, we rounded up a half dozen successful software entrepreneurs -- plus one unrepentant spammer -- and asked them how they would change the system to remove mass-marketers' incentives to flood your workplace with ads.

Our six experts gave us six different answers. But all of them agreed that positive identification, rather than rejiggered economics, is the key to clearing the clutter from the e-mail channel in the enterprise. To be clear: Privacy and anonymity are values worth preserving on the Internet. In the workplace, though, the rules are different. As one of our panelists put it, the rules are different. No one should be prevented from posting personal opinions anonymously, but you'd have to be crazy to do business with someone whose identity can't be verified.

From: Eric Allman

Subject: Redesign SMTP

Before getting too blue-sky on e-mail, we decided to take a look under the hood at the current system. As the author of Sendmail, the program that's served as the Net's primary mail transfer agent for more than two decades, Eric Allman has definite ideas on what he'd do differently were he to start on the program today, rather than in 1981 when he coded the first version as a student at the University of California, Berkeley. "The thing that made e-mail so great was that it was completely out of control," he tells InfoWorld. "But everyone was working toward a common goal."

Click for larger view.

If he could start over, Allman would retool the existing protocols with the benefit of hindsight, instead of throwing them out completely. "The first thing I'd say is we had not anticipated the security needs," Allman says. "Authentication should just be built in."

Rather than focus on DNS-based authentication, Allman would choose a cryptographic solution. "I would put something into SMTP that required authentication before proceeding, just as we have with POP. It's a bit harder than that because unlike POP, SMTP connections may not have any prior relationship, so things like shared secrets are out of the question."

Allman's dream solution includes an Internetwide standard domain-authentication mechanism. "This would be part of an optional standard connection initiation protocol," he says, "so we wouldn't have to reinvent authentication for each and every use."

Over the past two decades, Allman's views on privacy haven't changed. He still believes it's a necessity, but he's developed a more sophisticated view of how to implement it. "I used to feel anonymity in the base protocol was important," he says. "But if someone brought up an anonymity server that would do re-mailings for you, that would allow this. The trick, of course, is to avoid abuse -- this could perhaps be done by having explicitly tagged addresses that are willing to receive anonymous mail. Whistle-blower addresses, investigative reporters, and so on might be willing to receive arbitrary anonymous messages," using servers that don't keep any logs that could be subpoenaed.