Nicholas Zakas' Personal Blog A deviation from my usual tech writing

16 Jul 09

How to stop spam forever

I was having a discussion at lunch not too long ago about the spam problem. We all hate spam, and there's a ridiculous amount of Internet traffic carrying it, ultimately leaving less bandwidth for all the cool stuff we want to do online. The current approaches to fighting spam generally fall into one of a handful of categories:

  • Detect spam when it comes in and filter it away.
  • Use some sort of verification system to identify the true origin of the spam (such as Yahoo!'s DomainKeys).
  • Punish the spammer...if they're ever found.

At this point in the life of the Internet, it seems like all three methods do nothing but remove a few temporary annoyances from our lives. There are far too many spammers to catch, try, and punish. That would take way too much money and time, both of which have more practical uses. We try to mitigate spam, yet it still represents the majority of emails being sent (Microsoft reported it's 97% of the mail it handles). It seems like these three approaches have done nothing to stem the tide of spam that is flooding the Internet's massive tubs. Therefore, I present an alternative approach.

The problem

The right way to solve a problem, of course, is to first determine the source. As I mentioned in my last post about debugging mistakes, identifying the source of a problem is one of the most important parts of the problem-solving process. People have incorrectly been assuming that the source of the spam problem is the spammers, which is why things like DomainKeys and punishments for identified spammers exist. If this were the true source of the problem then we'd likely have much less spam now than we did ten years ago. But that's not the case.

When a solution that you believe treats the source of a problem is ineffective, that typically means that you haven't actually found the source and so are treating the wrong symptom. In the case of spam, the source of the problem isn't spammers at all - it's the regular users who click links in spam emails. Think about it: if no one ever clicked through a spam email link, there would be no incentive to send spam. It's the same as with those ridiculous fliers you get shoved in your door or mailbox: they exist because the cost to produce them is minimal and therefore a small response is enough to offset those costs. Email has practically zero cost to send, which is why there's so much more of it than paper junk mail that has printing and mailing costs.

The real source of the problem is the people who respond to spam. These are the people who make it worthwhile to send spam. I remember reading one time (can't find the article right now) that if even 1% of spam receivers respond, then it's worthwhile for the spammer to send the email. But, you may think, no one clicks through on spam emails, we all know better! I wish that were true. A recent study showed that over half of those polled have clicked on a link in a spam email. That's a lot higher than the 1% I had previously read was necessary to generate enough revenue to make spam profitable to the spammer. Clearly, the source of the problem is these users.

The solution

Even though people do click through spam links in emails, I'm not convinced that they do so with intent to purchase. Perhaps it's more curiosity than anything else. I tend to believe that people who make dumb mistakes are just uninformed about the consequences of their actions, and therefore a campaign to teach these users the ills of their ways is the only real solution. Here's what I propose.

Instead of finding the users who actually open and use spam, we start a web site that has information about why clicking through links in emails from people you don't know is bad, and more specifically, hurts everyone on the Internet. I'm sure we can find some stock photos of crying children who are sad that their Internet connection is slow. The homepage should be stark with a big question, "Why did you click on that link?" Underneath it should be a more precise description. The wording can be nice or mean, I really don't care. The point is to get across that this is a frowned-upon action that should not be repeated.

Well that's great, you might say, how do we then get these people to the web site? Simple: we send spam. It's actually ridiculously inexpensive to buy a mailing list and start sending email messages with a link to this site. Disguise it as a discount for Viagra or something similar (since those work so well) and get them to click through. We already know that over half of them are likely to do so.

Of course, for a short period of time, we'd actually be contributing to the amount of spam flowing through the Internet, but I'm willing to take that temporary hit to educate as many people as possible. The point we need to get across is that everyone hates spam and the only way to stop it is to stop clicking those links. Make it pointless for spammers to even try. Now who's with me?

Comments (3)
  1. Thanks for this one Nick,
    I am actually wondering who IS finally clicking those links. I suppose most modern web mail clients filter those mails out to the spam box, so by doing the math in my head, the average (low-level) end-user that would actually be tempted to click those links, would never be able to find them in the first place!

  2. For fighting spam, I thought about implementing a flag directly in the TCP header, setting it to the lowest value of the node crossed by the packet. With a hierarchical pyramid of responsibilities, the providers would try harder to pinpoint spammers, otherwise their access nodes to the Internet would give those same providers low values. Users in the end could set their accepted spam flag level and most unwanted e-mails would be automatically rejected. Just a way of efficiently regulating what blacklists already do.

    Mind though, there’s some scary “big brother” issue in the background :-P

    Disclaimer: Any viewpoints and opinions expressed in this comment do not necessarily reflect those of its author ;-)

  3. I disagree. The root problem is not that users click on links for penis enlargement drugs. The problem is that spammers can earn money via affiliate marketing relationships with the people who are actually selling and shipping the penis enlargement drugs. Spammers aren’t the problem. The people paying the spammers are. At the root of it all, e-commerce is what makes spam a viable vocation.

    If you sever that source of income, then the spammers would have no incentive to send spam. This reduces the payoff for a spam run from 1% efficacy (a stat which I suspect is higher than reality) to 0%.

    To do this, punish the retailers who fulfil the orders. Set up bots at major traffic junctions to follow spam links, and follow the trail of hyperlinks until they arrive at their ultimate destination where it’s time to order the pills. Then once detected, kick them off the internet. Delist the domain, and eradicate the DNS, and banish them to the Great Blacklist Of The Interweb.

    It refocuses the onus of responsibility on e-tailers who run affiliate marketing programs. Increase their risk of banishment, and they’ll be more selective about choosing with whom they enter into profitable affiliate marketing relationships.

    One danger is that someone could shut down ebay.com by running a malicious spam mailout with eBay as its destination. But that’s a problem for which there are likely many solutions, I’m certain.

    I like your idea because it’s simple and doable, on a grass-roots level. But I am hesitant to condone sending more spam (which is mostly caught by “junk” filters anyways) to bait clickers into an educational scam.

