Michał Karzyński

New approach to Anti-Spam

With all the talk about anti-spamming laws soon to be introduced in the US I thought I would share some of my thoughts…

As far as legal concerns go, I believe that the anti-spam laws should be tough. I think the USA would be best off with a law similar to the one in the European Union, where it is illegal to send any unsolicited email. Unfortunatelly America has already developed a strong lobby, which wants to use unsolicited e-mail as a “genuine” promotional channel (i.e. they want to send you spam from their own address). The question would be: do we really need more advertisments? The european law is simple and ends confusion.

The second issue deals with programming.
The anti-spam software of the day works using either a ‘black-list’ or ‘white-list’ mechanism.
A black list contains all adresses/topics/key-words associated with spam. If it encounters any of these words it deletes the e-mail, of moves it to a special spam folder of the e-mail client.
A white list works the opposite way: it looks for known e-mail addresses, from which mail is accepted, rejecting everything else.

Both these mechanisms have faults:
— black lists cannot work agains the real scum spammers, who desguise themselves as a friend of yours, who wants to remind you of a meeting or something.
– white lists only accept some e-mails, making it impossible to recieve e-mail form someone you did not previously have contact with.

1. Use a white list mechanism (either server-side, or client-side), which will accept only e-mails from the list. If an address is not on the list, then create a pair of random numbers and store them.
2. Generate a webpage (could be a subsription service for client-side software) which has an address: www.antispamserver.com/?XXXXXXXX
Where XXXXXXXX is the first of the random numbers. The page shall contain a GD generated graphic showing YYYYYYYY (the second number) and a textfield where the number can be entered.
3. Send e-mail back to the adress which wasn’t on the white list saying: “You are tryning to send an e-mail to NAME, who you have never e-mailed before. Please go to: www.antispamserver.com/?XXXXXXXX and confirm that you are a real person…” (something among these lines)
4. The person visits the page, enters the code and the original e-mail is finally passed on…

There are no major loopholes in the system. The only requirement being that if you send someone e-mail, their address is automatically added to your white list. (Easy client-side, server-side solved by using the same server for POP and SMTP).

This system would not make it impossible to send spam, but would make it a whole lot more energy consuming. Let’s say that the key consisted of 10 digits. The spammer would need to type in 10 characters for every one of the millions of addresses he posts to. I think that would be rather discouraging :)