You needn’t eat spam (or worms)

The real reasons why spam still exists today—and what to do about it



Many who would cure us of spam look in the wrong place—technology—for the answer. These well-intentioned analysts rightly see this menace as resulting from a state machine that can be tweaked, but they should look to the I/O relationships of human behavior rather than communications protocols for the solution.

A pestilence in its own right, spam is also the dead canary in the mineshaft sternly warning us that the new communication and control system the world will inevitably come to rely upon for mission-critical tasks is dangerously vulnerable to catastrophe from any seriously talented programmer with a motive for chaos.

Trend in proportion of viruses to total e-mail worldwide 2003-2005. Used by permission of Messagelabs Ltd

As with drunk driving, change will come only when people get mad and decide to act in unison against this eminently preventable menace.

Individual victims, and many Internet Service Providers, now employ incoming filters to stem the flood, but this sauve qui peut measure leaves intact the burden on the network. A step up are utilities like Spamcop, which actually report spam to a responsible party, but this palliative fails to prevent spam at the system level.

Why spam happens

How can this pestilence continue to worsen, when other serious social problems are stable or declining? (Think drug abuse, drunk driving.)

Simply because the internet now ignores basic principles of human behavior known to every parent, and universally applied elsewhere in civilized life:

  • Everyone is responsible for his actions
  • Actions are traceable to their authors
  • Actions bring their authors good or ill, according to their impact on others

In short, spam exists because action is divorced from consequences. Fix that!

How spam happens

Spammers now employ a variety of advanced upload methods such as open mail relays, insecure web proxies, malformed CGI scripts and zombied clueless-luser machines.

However, there is virtually no legal way to upload spam in the United States and many other countries, due to contractual bans imposed by backbone providers on their ISPs, who in turn impose them on their users. Uploading spam always entails one or more offenses like tort, Terms of Service fraud, violation of contract, or trespass.

Major spam-emitting regions worldwide, courtesy of Postini

Spam continues because many ISPs fail to enforce these clear and simple rules against their spamming customers, and the backbones do not enforce the rules against the ISPs. Why can’t they enforce the contracts?

They can, and many do: it is a management decision, driven by money. The providers who do enforce operate ethically; those who don’t operate on the Environmental Polluter business model: it’s easier to dump the waste in the river than to secure one’s factory against pollution.

For the big-time spam-enabling backbones, and their downstream ISPs, abuse desks, with their “thank you for your report” auto-replies, are pacifiers intended to keep the money coming in while placating enraged victims with illusions of action. In fact, the only effective action—cutting off polluting ISPs—is seldom imposed.

Why don’t the spam-enablers rigorously follow up complaints? They claim their abuse desks are “overloaded”. One shameless ISP even sends this auto-reply to complaints:

Thank you for your message. Your email has been received and will be processed in due course. Due to the overwhelming amount of email received at this address, you may not receive a human response.

A more candid confession of failure to secure one’s network is hard to imagine.

If one probes a bit deeper, more sad truths emerge. Spammers open multiple accounts and web pages under false names, spew out their spam, sometimes in fact are shut down, then move to the next ready account or webpage on the same host, and recycle. Abuse desk staffers cheerfully call this whack-a-mole; engineers call it an endless loop.

Lack of identity checking permits this endless loop. When questioned, ISP managers reply that they could not possibly earn a profit if they had to secure their networks against abusers.

What is wrong with this picture? It is precisely the Environmental Polluter model: design a business to gather revenue for the stockholders while imposing on outsiders the economic losses to society arising from its polluting operations.

Offending ISPs allege “no one would sign up for an account” if each had to be verified, which of course is true as long as there are race-to-the-bottom providers extending connectivity to any malicious or negligent stranger. If no one could offer service that allows strangers to injure others, then the current competitive race to the bottom would not exist. (Effective and innocuous measures exist to confirm identity, used by many firms in many economic sectors. A technical solution exists even to preserve anonymity by permitting but rate-limiting such accounts.)

The spammer business model

Spammers have their own business model, aptly summarized as the Thousand Cuts, which meshes with the Environmental Polluter model to victimize the rest of us. Spammers well know the illegality of their businesses but know also that the pain is spread in small amounts among many victims, not one of whom can make an economic case for litigation. Even someone determined to act finds it difficult due to cumbersome legal procedures, the cost of discovering obfuscated identities, and the torpor of the agencies responsible for ensuring accurate databases.

What to do

Spam increases because no ill consequences befall the malefactors and their enablers. As every caring parent knows, this method is guaranteed to raise antisocial offspring.

What to do? Obviously, smash these two business models. Big, immediate improvements require no legislation and little litigation, just doing the obvious on the internet comparable to what every loving parent does in rearing his children.

The following steps can end spam as a “big issue” for internet users.

First and foremost, ISPs must use blocklists to refuse all incoming mail from insecure or misconfigured mail servers, rather than just filtering incoming spam. This is the only method that works, and it works immediately.

Crisis in the making? Total spam on the internet 2004-2005. Source: Distributed Checksum Clearinghouse

Copyright information

This article is made available under the "Attribution-NonCommercial-NoDerivs" Creative Commons License 3.0 available from http://creativecommons.org/licenses/by-nc-nd/3.0/.

Biography

Jeffrey Race: Jeffrey Race, President of Cambridge Electronics Laboratories, became interested in spam when he discovered that he could use neither a mailto tag nor a business email contact address on his firm’s website, due to the foreseeable depredations of spambots.

Comments from old system

Submitted by admin on Thu, 2006-03-30 05:08.

From: Claes T
Url:
Date: 2005-08-02
Subject: World's top spam-emitting domains, really? (AOL/Hotmail??)

Surely I agree with the proposals and mostly with the article at large. But the Ironport System list of World's top spam-emitting domains surprised me somewhat. Hotmail and AOL among the worst, so high up? Really??

Hopefully stopping/blocking spam(-sending ISPs) will stop the bulletproof hosting of spammers' websites as well. They will have no use for them anyway! ;-)

From: Joergen Hovland
Url: jorgen@hovland.cx
Date: 2005-08-02
Subject: spam

>There is virtually no legal way to upload spam in the United States and many other countries, due to contractual bans imposed by backbone providers on their ISPs, who in turn impose them on their users

There is virtually no illegal way to upload spam in any country. Don't even attempt to define what spam is, cause you will fail miserably. National laws only define what email which is legal and what is not. Spam is anything, and it is nothing. Some use it for marketing, others might use TV commercials. On the other hand, why should marketing through e-mail be banned by law when TV commercials are not?

From: Claes T
Url:
Date: 2005-08-02
Subject: "Illegal" to upload spam

>> ...due to contractual bans imposed by backbone providers on their ISPs, who in turn impose them on their users

>There is virtually no illegal way to upload spam in any country. Don't even attempt to define what spam is, cause you will fail miserably.

Leaving the illegal part and concentrating on the contractual bans mentioned in the article...

ToS from ISP:

§1 User may not upload any spam.

§2 Spam is what we say it is. This will include UBE.

§3 To dispute our classification, a proof of opt-in for each addressee must be presented and accepted as valid by us.

Of course not exactly so, but you get my point.

>National laws only define what email which is legal and what is not. Spam is anything, and it is nothing. Some use it for marketing, others might use TV commercials.

Agree. And the relevance of this?

>On the other hand, why should marketing through e-mail be banned by law when TV commercials are not?

IMO, marketing via email should *not* be banned by law: _CE isn't a problem, even U_E isn't a problem, nor is _BE. UBE is. Marketing using equipment/resources without permission from owner/the one paying should be banned (spam or not).

http://members.aol.com/frederi108/explain/connect_the_dots.txt

(not my url, but I like it)

From: Joergen Hovland
Url: jorgen@hovland.cx
Date: 2005-08-26
Subject: Re: "Illegal" to upload spam

>>National laws only define what email which is legal and what is not. Spam is anything, and it is nothing. Some use it for marketing, others might use TV commercials.

>Agree. And the relevance of this?

The relevance is that it is impossible to define spam in general, therefore it is impossible to ban spam as mentioned in my previous posting.

>Marketing using equipment/resources without permission from owner/the one paying should be banned (spam or not).

And is already illegal in most countries.

The problem has always been the prosecution part which is usually nearly impossible.

Cheers,

as long as there's a market,

Submitted by Anonymous visitor on Mon, 2007-04-02 19:54.

there will be spam....

The biggest omission in this article is the education part for the receiving end.

In the real world, most recipients of (paper or other) spam do The Right Thing[TM]: put it into recycling immediately. In cyberspace the target obviously still behaves as expected ;-)


