Spam has become a global scourge: the sheer volume of it is driving down the signal-to-noise ratio of email. Being careful with email addresses (using throwaway Yahoo or Hotmail accounts, for instance, when posting online) goes some way toward reducing the volume of spam you receive, but it does not remove it altogether.

Bob Metcalfe, the inventor of Ethernet, postulated what is now known as Metcalfe's law: the value of a network is proportional to the square of the number of users. The flaw in this law is that it does not take into account a law of diminishing returns: once all of your acquaintances are on the network, each additional user adds only very little value, whereas each additional bad apple destroys a roughly constant amount of value through the time they waste. So even if bad apples are a small minority, they will eventually drive the value of the network down, in a sort of tragedy of the commons. The value of an email network to you is therefore more like V = a·A − b·S, where A is the number of your acquaintances, S the number of spammers who reach you, and a and b constants. At some tipping point (S > (a/b)·A), the rising number of spammers makes this value negative.

What can be done?

Brightmail

Brightmail is a company that sells spam filtering services to ISPs and large corporations. They set up otherwise unused email addresses (spam traps) and spread them around where they will be picked up by spammers' address-harvesting robots: search engines, newsgroups. Any email that arrives at such an address is bound to be spam, since nobody legitimate ever uses it. Brightmail monitors these mailboxes and, whenever they find a new piece of spam, they create a filter specifically for it and push it to their customers. If this is done quickly enough, they can nip a mass mailing in the bud before it has had time to hit too many mailboxes. The system is also very reliable and unlikely to cause false positives (a legitimate email being flagged as spam), because each filter matches one specific mailing rather than a general pattern. Unfortunately, this is very labor intensive and thus costly, and will be limited to those with deep pockets.

A company called Cloudmark, founded by a former Napster employee, offers what is essentially a peer-to-peer distributed version of Brightmail: instead of a paid staff watching trap mailboxes, ordinary users report the spam they receive and the reports are shared. It remains to be seen how resistant that system can be to denial of service attacks, and to the related problem of hostile or careless peers reporting legitimate mail as spam.
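The two schemes above share one mechanism: fingerprint a known-spam message and block everything else with the same fingerprint. The following Go program is an added illustration, not code from Brightmail, Cloudmark or the author of this page. It models the Brightmail side as trap addresses (one hit blocks the signature, since a trap never receives legitimate mail) and the Cloudmark side as peer reports that only take effect once a quorum of distinct peers agree. The normalization, the quorum rule, the addresses and the message bodies are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Message is a minimal model of an inbound email: the envelope recipient and
// the body text. Headers are ignored; only the body is fingerprinted.
type Message struct {
	Recipient string
	Body      string
}

var whitespace = regexp.MustCompile(`\s+`)

// signature fingerprints a body after light normalization (collapsed
// whitespace, lower case), so re-wrapping or re-capitalizing a mailing does
// not evade the filter. Any other change still yields a new signature: the
// match is deliberately exact, which is why trap-derived filters rarely hit
// legitimate mail, and also why spammers randomize their bodies.
func signature(body string) string {
	norm := strings.ToLower(strings.TrimSpace(whitespace.ReplaceAllString(body, " ")))
	sum := sha256.Sum256([]byte(norm))
	return hex.EncodeToString(sum[:])
}

// Filter combines the two schemes from the text (assumed design, see lead-in):
//   - trap addresses: a trap never receives legitimate mail, so one hit is
//     enough to block the signature for everyone;
//   - peer reports: a signature reported by ordinary users is blocked only
//     once `quorum` distinct peers agree, so one hostile or mistaken peer
//     cannot block a legitimate mailing on its own.
type Filter struct {
	traps   map[string]bool
	blocked map[string]bool
	reports map[string]map[string]bool // signature -> set of peers reporting it
	quorum  int
}

func NewFilter(traps []string, quorum int) *Filter {
	f := &Filter{
		traps:   map[string]bool{},
		blocked: map[string]bool{},
		reports: map[string]map[string]bool{},
		quorum:  quorum,
	}
	for _, t := range traps {
		f.traps[strings.ToLower(t)] = true
	}
	return f
}

// Deliver reports whether m should reach a real mailbox. Mail to a trap is
// swallowed and its signature learned; anything else is delivered unless its
// signature is already blocked.
func (f *Filter) Deliver(m Message) bool {
	sig := signature(m.Body)
	if f.traps[strings.ToLower(m.Recipient)] {
		f.blocked[sig] = true
		return false
	}
	return !f.blocked[sig]
}

// Report records that peer flagged body as spam and returns whether the
// signature is now blocked. Repeated reports from one peer count once.
func (f *Filter) Report(peer, body string) bool {
	sig := signature(body)
	if f.reports[sig] == nil {
		f.reports[sig] = map[string]bool{}
	}
	f.reports[sig][peer] = true
	if len(f.reports[sig]) >= f.quorum {
		f.blocked[sig] = true
	}
	return f.blocked[sig]
}

func main() {
	// Constructed sample traffic for the example; not real spam.
	f := NewFilter([]string{"trap-7f3a@example.net"}, 3)
	fmt.Println(f.Deliver(Message{"trap-7f3a@example.net", "MAKE MONEY FAST!!  Click here"})) // false: trap hit, learned
	fmt.Println(f.Deliver(Message{"alice@example.net", "make money fast!! click here"}))       // false: same mailing, blocked
	fmt.Println(f.Deliver(Message{"alice@example.net", "Lunch on Thursday?"}))                 // true
	fmt.Println(f.Deliver(Message{"alice@example.net", "MAKE MONEY FAST!! Click here x9q"}))  // true: randomized body evades
	for _, peer := range []string{"p1", "p1", "p2", "p3"} {
		fmt.Println(peer, f.Report(peer, "Cheap meds, no prescription")) // false, false, false, true
	}
	fmt.Println(f.Deliver(Message{"bob@example.net", "cheap meds, no prescription"})) // false: blocked by peer quorum
}
```

The last trap case shows the weakness of exact signatures: appending a few random characters defeats them, which is why production systems moved to fuzzy hashing; the quorum shows the minimum defence a peer-reported system needs against a single peer reporting legitimate mail.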

Legislation

Legislation against spam should be introduced, but it is only a long-term solution, as spammers will simply relocate to countries without anti-spam laws. Even common crimes like theft are not that well enforced across borders, because of the cumbersome procedures involved in Interpol or international judicial cooperation.

Pricing

The reason spammers can blast away hundreds of thousands or even millions of emails is that the marginal cost to them is practically nil. Some people have advocated putting a per-email charge in place to make spamming economically no longer viable. I have been responsible for building large-scale billing systems at Wanadoo, France's largest ISP, and I can tell you that building a billing system on the scale of the whole Internet is simply not feasible from a project management point of view.

Even if it were, it would not be desirable, because in many ways it would be throwing the baby out with the bath water. Internet email is successful because it is so cheap, unlike the price-gouging of earlier messaging systems like EDI or X.400. Andrew Odlyzko has written a series of very persuasive papers that show how usage pricing stunts the development of networks and thus prevents society from realizing their full benefits: http://www.dtc.umn.edu/~odlyzko/doc/networks.html

Certification

The main problem with spammers is that they are anonymous, and Internet email, with its limited support for cryptographically strong authentication, makes it easy for them to hide. S/MIME and OpenPGP signatures are not very commonly deployed because they are cumbersome, and that outweighs their advantages (national security agencies also dislike anything that makes crypto more commonplace, but that is another story).

Spammers, however, make digital signatures more attractive by increasing the cost of not using them. I believe that when the tipping point I mentioned above is reached, people will only accept email that is signed by someone they already know (someone who is already in their address book) or by someone whose signature is certified by a trusted third party not to be a spammer (probably the same companies that sell the SSL certificates that make electronic commerce possible, Verisign being the best known of them).
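The acceptance rule just described (valid signature, and signer either in the address book or certified by a trusted third party) is small enough to write down. The Go program below is an added example and not code from the author or from any S/MIME or OpenPGP implementation: it uses Ed25519 keys as a stand-in for the certificates the text has in mind, and a hypothetical Certificate that is nothing more than a CA's signature over the subject's public key. Real certificates carry names, validity periods and revocation data; only the decision logic is modelled. All keys and messages are generated in the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certificate is a hypothetical stand-in for what the text expects a
// certification authority to issue: the CA's signature over the subject's
// public key, vouching that the subject is not a spammer.
type Certificate struct {
	Subject ed25519.PublicKey
	CASig   []byte
}

// SignedMail is the sender's key, the body, the signature over the body and
// an optional certificate for the sender's key.
type SignedMail struct {
	Sender ed25519.PublicKey
	Body   []byte
	Sig    []byte
	Cert   *Certificate
}

// Policy encodes the rule from the text: accept mail only if it is validly
// signed by a key already in the address book, or by a key certified by a
// trusted third party.
type Policy struct {
	AddressBook []ed25519.PublicKey
	TrustedCAs  []ed25519.PublicKey
}

// Accept returns the decision and a short reason.
func (p Policy) Accept(m SignedMail) (bool, string) {
	// An unsigned or forged body is rejected before anything else is looked
	// at, so a spammer cannot borrow a known key by merely naming it.
	// (ed25519.Verify panics on a malformed key, hence the length check.)
	if len(m.Sender) != ed25519.PublicKeySize || !ed25519.Verify(m.Sender, m.Body, m.Sig) {
		return false, "missing or invalid signature"
	}
	for _, k := range p.AddressBook {
		if k.Equal(m.Sender) {
			return true, "sender in address book"
		}
	}
	// The certificate must be for this very key, and the CA signature over
	// the key must verify under one of the CAs the recipient trusts.
	if m.Cert != nil && m.Cert.Subject.Equal(m.Sender) {
		for _, ca := range p.TrustedCAs {
			if ed25519.Verify(ca, m.Cert.Subject, m.Cert.CASig) {
				return true, "sender certified by trusted CA"
			}
		}
	}
	return false, "unknown, uncertified sender"
}

func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// issue is the CA side: sign the subject's key.
func issue(caPriv ed25519.PrivateKey, subject ed25519.PublicKey) *Certificate {
	return &Certificate{Subject: subject, CASig: ed25519.Sign(caPriv, subject)}
}

// compose is the sender side: sign the body, attach the certificate if any.
func compose(priv ed25519.PrivateKey, body string, cert *Certificate) SignedMail {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedMail{Sender: pub, Body: []byte(body), Sig: ed25519.Sign(priv, []byte(body)), Cert: cert}
}

func main() {
	alicePub, alicePriv := newKey() // known correspondent
	caPub, caPriv := newKey()       // the trusted certifier
	bobPub, bobPriv := newKey()     // stranger with a certificate from the CA
	malPub, malPriv := newKey()     // stranger with no acceptable certificate
	_, rogueCAPriv := newKey()      // a certifier nobody trusts

	p := Policy{AddressBook: []ed25519.PublicKey{alicePub}, TrustedCAs: []ed25519.PublicKey{caPub}}

	forged := compose(malPriv, "buy now", nil)
	forged.Sender = alicePub // claims Alice's key but cannot sign with it

	for _, m := range []SignedMail{
		compose(alicePriv, "lunch?", nil),
		compose(bobPriv, "hello", issue(caPriv, bobPub)),
		compose(malPriv, "buy now", nil),
		compose(malPriv, "buy now", issue(rogueCAPriv, malPub)),
		compose(malPriv, "buy now", issue(caPriv, bobPub)), // someone else's certificate
		forged,
	} {
		ok, why := p.Accept(m)
		fmt.Println(ok, why)
	}
}
```

Order matters in Accept: the body signature is checked before the address book is consulted, otherwise a spammer could attach a known sender's public key to an unsigned message and be waved through. The two rejected certificate cases are the ones a real mail client must also get right: a certificate from an untrusted issuer, and a genuine certificate that belongs to a different key than the one that signed the mail.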