September 23, 2018

Do We Want a Do-Not-Email List?

The CAN-SPAM Act, signed into law yesterday by President Bush, will take effect on January 1. The Act asks the Federal Trade Commission to study whether a national do-not-spam list, akin to the much-loved do-not-call list, should be implemented. It’s an interesting question.

The crux of the problem is the danger that the do-not-spam list would become, in the hands of unscrupulous spammers, a who-to-spam list. We know that spammers pay money for lists of known-to-be-active email addresses. Surely, they would be more than happy to get such a list – and an unusually large and accurate one – from the government for free.

There are countermeasures, though. If we put some newly minted, fictitious addresses on the list, any mail sent to those addresses later must have involved misuse of the list. If we give out separate copies of the list to different spammers, we might put different fictitious addresses into each copy, so we can tell later whose copy was misused. Of course, spammers may collude and compare their copies to find the bogus addresses, so we want some of the bogus addresses to appear in multiple copies so that we have an idea of who to blame even if lists are combined. Figuring out how best to use duplicate bogus addresses for this purpose is a nice little exercise in theoretical computer science.

Some have suggested another approach, in which bulk emailers are given access to an “oracle” that will answer queries about whether a particular address is on the do-not-spam list. This could be done by providing an on-line service that answers queries, or by giving giving out cryptographic information (i.e., the cryptographic hashes of the addresses on the list) that allows address-by-address querying. In either case, the worry is that spammers will use the oracle to “purify” their address lists, by discarding addresses that aren’t on the do-not-spam list.

Another approach, perhaps ironically, is to provide a mailing service that will forward email to any recipient, except those on the do-not-spam list. Bulk emailers who used such a forwarding service would be able to send mail, via the service, to anybody who isn’t on the list, but they would have no easy way to test for membership of an arbitrary address on the list.

What’s the right answer? I don’t know. But I’m glad that we’re not rushing ahead with a list before we figure out how to do it or whether it’s a good idea in the first place.

Comments

  1. Florian Weimer says:

    In fact, you could put that oracle onto the recipient’s mail server if you assume that the sender is cooperating. A simple SMTP extension is sufficient to signal if a recipient wishes to receive commercial communication before actual transmission of a message.

    However, I’m not sure if it’s realistic to assume that senders of commercial email will cooperate.

  2. I don’t see how a do-not-spam list helps anything. The problem with spam is not that it isn’t illegal, it’s that laws against it are impossible to enforce. A do-not-spam list, even if we solve all the problems with leakage, will only stop spam by people who:

    a) are evil enough that they want to spam,
    b) but will refrain from spamming semi-intelligent people (i.e. everyone who can put their name on a list)

    The spammers in this group, if there are any, must make up a tiny tiny portion of all spam sent. I can’t imagine how it would be worthwhile for the government to set up a list for these people, and then spend more money encouraging everyone to sign up for it.

    True, spammers use remove links and such, but this is only an attempt to pretend to look respectable — if remove links had any serious affect on sales, they’d stop including them or not remove people who followed them (they probably do this now).