E-mail is the victim of its own backward economics. Anyone can send a message to anyone else postage due; the sender pays almost nothing, while the recipient pays in time and money to download and read the message. With that kind of incentive, it's surprising that only 60 to 80 percent of e-mail traffic is unsolicited ads.
Any doubts that spam is the biggest problem on the Net were erased in February, when Bill Gates turned it into a keynote topic at RSA Conference 2004. As usual, rather than propose a new idea, Microsoft's chief software architect gave legs to existing schemes. Gates' first proposal, caller ID for e-mail, would use DNS to filter messages from forged addresses. A more high-concept Microsoft research project called Penny Black would require e-mail users to attach e-stamps to messages before sending them to strangers -- the stamps would be cryptographic tokens bought not with cash, but with 10 seconds of CPU time. Clever, but hackers are already cooking up ways to cheat the system.
Whenever Gates shows up, you know the tipping point has arrived. Instead of tinkering with ever more complex anti-spam filters and gateways, it's time to rethink the way e-mail works in the enterprise. With that in mind, we rounded up a half dozen successful software entrepreneurs -- plus one unrepentant spammer -- and asked them how they would change the system to remove mass-marketers' incentives to flood your workplace with ads.
Our six experts gave us six different answers. But all of them agreed that positive identification, rather than rejiggered economics, is the key to clearing the clutter from the e-mail channel in the enterprise. To be clear: Privacy and anonymity are values worth preserving on the Internet. In the workplace, though, the rules are different. As one of our panelists put it, the rules are different. No one should be prevented from posting personal opinions anonymously, but you'd have to be crazy to do business with someone whose identity can't be verified.
From: Eric Allman
Subject: Redesign SMTP
Before getting too blue-sky on e-mail, we decided to take a look under the hood at the current system. As the author of Sendmail, the program that's served as the Net's primary mail transfer agent for more than two decades, Eric Allman has definite ideas on what he'd do differently were he to start on the program today, rather than in 1981 when he coded the first version as a student at the University of California, Berkeley. "The thing that made e-mail so great was that it was completely out of control," he tells InfoWorld. "But everyone was working toward a common goal."
If he could start over, Allman would retool the existing protocols with the benefit of hindsight, instead of throwing them out completely. "The first thing I'd say is we had not anticipated the security needs," Allman says. "Authentication should just be built in."
Rather than focus on DNS-based authentication, Allman would choose a cryptographic solution. "I would put something into SMTP that required authentication before proceeding, just as we have with POP. It's a bit harder than that because unlike POP, SMTP connections may not have any prior relationship, so things like shared secrets are out of the question."
Allman's dream solution includes an Internetwide standard domain-authentication mechanism. "This would be part of an optional standard connection initiation protocol," he says, "so we wouldn't have to reinvent authentication for each and every use."
Over the past two decades, Allman's views on privacy haven't changed. He still believes it's a necessity, but he's developed a more sophisticated view of how to implement it. "I used to feel anonymity in the base protocol was important," he says. "But if someone brought up an anonymity server that would do re-mailings for you, that would allow this. The trick, of course, is to avoid abuse -- this could perhaps be done by having explicitly tagged addresses that are willing to receive anonymous mail. Whistle-blower addresses, investigative reporters, and so on might be willing to receive arbitrary anonymous messages," using servers that don't keep any logs that could be subpoenaed.
Allman thinks that problems with e-mail today extend beyond unsolicited ads. "There are lots of definitions of garbage," he says. "Spam is just the worst one. I know several people who've just given up on e-mail. They've gone back to having 'their person' do it. It's not just spam, it's also the continuous, 'Gee, can you help me on this?' No matter how big a shovel you have, you can't get rid of it."
From: Bill Warner
Subject: Identify Yourself
"Saying I like challenge-response systems is like saying I like duct tape," says Bill Warner, whose frustration with endless rounds of phone tag led to his development of the Wildfire voice system in the 1990s. Warner runs his own challenge-response server to kill incoming spam but would rather see the system redesigned more along the lines of the U.S. Postal Service -- not meaning the government would run it, but that there would be some people-centric checks on identity and abuse.
"It comes back to authentication," Warner says. "If you want to put a server on the system and use DNS, you've got to find your way into DNS somehow. We've managed to build a network of millions of servers around the world with a fairly open and clear process of registering for it. Why can't we do that with e-mail?"
Warner isn't talking about validating sender IP addresses, but instead having some idea of who's behind them. "Part of the problem is e-mail creates a large scale of anonymity. The postal service doesn't have that problem. You can send e-mail through the postal service, and it doesn't get more than a postmark. But you don't get to drop a million messages in the system. If you're a big mailer, you're going to be known. If you deliver a million pieces of mail to the post office, they're going to know who's doing it," and they're legally obligated to deliver them all.
In short, Warner thinks that instead of focusing on caller ID schemes that identify servers, we should reach past the computer to identify the person sending the message. "In a society founded on openness and transparency, one of the fundamental tenets is that people can be identified. A person is allowed to go out in public wearing a mask. But no one will give them a job, and no one's going to buy anything from them in a store. You're not going to let them through the front door of your business." Same with e-mail. "You still have ways to be anonymous. But someone who wants to get in the door and do business with you will have to take the mask off."
From: Eric HAHN
Subject: XML for E-mail
You may remember Eric Hahn as Netscape's CTO or as a member of Red Hat's board of directors. Today, Hahn is chairman of his own startup, Proofpoint, which sells spam filtering solutions (infoworld.com/1220). Hahn thinks Proofpoint's products are just the first instantiation of a much larger transition, in which e-mail becomes XML-encapsulated metadata.
"Corporate mail processing isn't about just spam and viruses," Hahn says. "Most companies have a long list of things they want to see true about their mail. A corporation is going to need to do n things to each e-mail message, where n is greater than two. How are you going to do the next eight things?"
Hahn says those eight things might include: