It is said an ounce of prevention is worth a pound of cure. Of course, you must anticipate what you’re trying to prevent before applying an ounce of anything. And that’s exactly what the original architects of e-mail couldn’t do.
Conceived in the ’70s as a way for members of academia and the military to communicate over great distances, no one could have anticipated how ubiquitous e-mail would become. Or how obnoxious its abuse could be. The early e-mail environment is akin to a small town where everyone knew and trusted each other enough to leave their homes unlocked. Unfortunately, the qualities that made this informal system so effective – trust and openness – are the very ones that make it vulnerable to the abuse we’re grappling with today.
It was recognition of these inherent weaknesses that propelled the industry toward bringing accountability to e-mail. The first step was to definitively determine the identity of senders through e-mail authentication and then to hold senders accountable for their practices.
The notion was simple. Identify and hold the bad players accountable for their behavior and you can break their business model and shut down spam.
Yet, here we sit in 2007 with another authentication summit behind us, and spam is worse than ever.
According to those who track such things, nine out of 10 of the e-mail messages sent now are spam. And although most is stopped at the gateway, spam still bleeds through to our inboxes, and 20 percent to 30 percent of legitimate e-mail is mistakenly intercepted.
Some in Congress are clamoring for changes to CAN-SPAM. The Federal Trade Commission is calling for industry accountability. And some are pronouncing the death of e-mail itself.
What’s gone wrong? Was our faith misplaced in e-mail authentication and reputation systems as the way to achieve accountability? My belief is that we’ve gotten the answer partly right and partly wrong.
We’ve been right in the concept of accountability but wrong in our execution. E-mail authentication is not mandatory, despite the collective agreement that verifying senders is a prerequisite to the spam solution.
We’ve moved too slowly to recognize that identity must extend beyond an IP address that can be changed. It must roll up to the sending domain, to a real-world company and, ultimately, to the spammer’s client whose dollars fuel the business model. In other words, we’ve not yet structured our authentication protocols to follow the money.
And what of reputation systems? Again, the concept is right but the execution is wrong. The anti-spam technologists may have embraced the term “reputation system,” but that doesn’t mean that their methodologies are any less inscrutable to legitimate senders. Reputation systems have become another euphemism for spam filtering. The lack of visibility and accountability remains their hallmark.
There are a few exceptions: reputation systems that facilitate e-mail delivery for senders with positive reputations. But adoption is small among senders and uneven among Internet service providers. Moreover, these solutions don’t address the needs of the majority of senders, often lack the predictability that companies need for their customer communications, and, in many ways, depend on the same data as the spam filters for building a reputation.
For too long, we’ve been obsessed with prevention as the cure and addicted to technology as the means. The prevention mind-set is what has driven spam filtering as well as other ISP practices such as erroneous bounce codes and silent deletion. This approach to combating spam is a dead end.
While filtering may be needed to stop spam in its most egregious forms, prevention alone will never enable us to clean up the e-mail ecosystem. One of technology’s limits is its ability to serve as a proxy for what e-mail users want and don’t want in their inboxes.
If we’re ever to realize the potential of e-mail as a channel for business communication and commerce, we must move beyond the spam filters. Holding the potential of e-mail hostage to our inadequate spam solutions puts us out of sync with the needs of all constituents in the e-mail ecosystem. That’s no cure. It’s an invitation for government intervention or worse.