Stopping the Sending of large scale Spam & Viruses


  
  

 

To all email users and servers, particularly:

ASTA
    America Online
    British Telecom
    Comcast
    Earthlink
    Microsoft
    Yahoo!

ITU
    Robert Horton
    Georges Sebek

OECD
    Spam Taskforce

Open Source Initiative
    Ken Coar

FT
    IT Editor

Meta Group
    Matt Cain

IDC

 

    

Your kind assistance is requested in publicising and setting up the present initiative for cleansing the email system of Spam and the associated viruses and phishing.  Parts 1 and 2 of the initiative are mainly concerned with the technicalities of the method.  Part 3 concerns mostly the publicity and setting up.

 

Thank you very much for your help.

 

Brian Stratford,

brian@brianstratford.com

 

 

 

 

Summary 

 

In Part 1 a known method for separating spam from one's personal email is chosen and considered as a possible method for stopping the sending of all spam.  The method considered sends an automatic reply to certain of a recipient's incoming emails.  It sends such a reply whenever the mail item does not have a known sender, "known" in the sense of being either on the recipient's whitelist or on his or her blacklist.  In the automatic reply the sender is asked to confirm the sender's address.  Mail is assumed to be spam, and is filtered out, when the sender's address is not confirmed.  The method appears to be close to 100% effective.

Part 2 broadens the proposals of Part 1, partly by offering a second option.  In the second option the automatic reply to the unknown senders is nominally only an acknowledgement that the original email has arrived.  This nominal acknowledgement may be considered by some users of the method to be very much more user-friendly to the sender of the original email than is the confirmation request of Part 1.  Currently, most spam is probably sent using a non-existent sender's address.  Consequently most current spam may be filtered out by the second option when the automatic reply is bounced back to the automatic responder.  The other change in Part 2 is to make all aspects of the proposals from Part 1 more user-friendly.

The confirmation of the sending address is a more positive option, and, if acceptable to customers, is a stronger safeguard, than is the acknowledgement of arrival.  In practice the proposed overall arrangement is argued to be the strongest arrangement: it is based on offering both options; it has a more considered user-friendly approach than in Part 1; and it also has three other lines of defence as discussed in Part 1.  Provided, therefore, that the launch attracts a substantial number of customers reasonably early, its success and its popularity would spread until spamming ceased to be worthwhile and stopped.  The proposed arrangement is argued to be sufficiently strong to stop substantially all spam - including the likely developments of spam, the viruses in it, and the associated phishing.

In Part 3 the present initiative is directed at encouraging all servers to give their help in converting the proposals just discussed into reality.  All servers are asked if they could please:

(a)  offer to their customers as a free service the overall arrangement of Parts 1 and 2, above,

(b)  explain to their customers the likely very effective performance in filtering out the spam in their own incoming email,

and

(c) explain to their customers the reasoning of the present initiative of clearing the whole email system of spam, viruses and phishing.

It is felt that, under these circumstances, if a substantial number of servers co-operated in the initiative, then a substantial number of customers would accept the offer.  Their success and satisfaction would cause more customers to accept the offer, and, then, soon, most customers would accept the offer.  Furthermore it is felt that under these circumstances most of the customers who accept the offer would soon opt for the stronger safeguard of the confirmation of the sending address.  In that situation spam would cease to be worth the effort that it costs the spammers.  Consequently the proposed arrangement is argued to be sufficiently strong to stop the sending of substantially all spam - including the viruses in it, the associated phishing, and their likely developments.

The initial known method for filtering one's personal email has in some people's view the problem that, in adopting the method, a customer is inconveniencing his first-time correspondents merely in order to sort his own incoming email.  However, that problem is overcome in the present initiative.  Parts 2 and 3 recommend the orchestrated adoption of a user-friendly version of the method.  That, as explained immediately above, is in order to obtain an early and substantial number of satisfied and pleased users of the method, leading rather rapidly to many more customers, and, then, soon, to most email users becoming customers; at that stage, spammers would find that spam was not worthwhile, and spam would stop.  Consequently, the total situation is that, rather than the users of the method merely sorting their own mail, they would, by their co-operation, have cleaned the whole email system of spam, together with the viruses in it, and the associated phishing.  And the burden on first-time correspondents writing to the users is found to be slight.

 

 

 

 

Part 1

 

A known method for one person's mail

 

Introduction

 

During a recent private discussion of possible ways for stopping the sending of large scale spam and viruses, a technical member of staff at an internet firm sent to the present writer a statement substantially as follows.

"For my personal email I use a method that is arranged such that I read email only from either people whom I have emailed or people who have responded to an automated challenge. This prevents me having to read almost all spam.

"The method does not require any change to the underlying email technology.  There are some problems with automated emailing, but such problems are minor.  Also, an ordinary customer needs an automatic process for adding to the customer's own "whitelist" people to whom the customer has sent emails.

"Further details are given on http://www.tmda.net/."

The above staff member would prefer not to be mentioned by name. The present writer thanks him very much for his contribution.

The apparent success of the above method of challenge seems to be in complete contrast to the present universally strong feelings that spam, viruses, and phishing are all very severe current problems.  .......  Or is that true?  Is spam really a problem?  Certainly spam has already cost the present writer a lot of time.  Other people, also, usually seem to find it troublesome.  Maybe, however, the people who run the web are about to give us a perfect solution?  Well, let us look at some evidence.

Even, for example, the London Financial Times has had three recent articles:

On Thursday July 8th 2004, page 9, the FT reports on an attempt at a new, international, anti-spam policy that had been launched by Regulators on the previous day.  Regulators from about 60 countries meeting at the ITU - the International Telecommunication Union - in Geneva were hoping to craft a global anti-spam strategy, based on a co-operative effort between governments and industry.  Robert Horton, chair of the ITU meeting, said that the meeting would focus on the need for countries to enact anti-spam laws and step up cross-border enforcement:

"We've tried national solutions and they don't work.  Spam has already reached epidemic proportions and if it gets any worse people will simply stop using the internet."

 

The FT article gives as background a summary of the current situation and, in the summary, it suggests that:

 

spam costs the world an estimated $25bn a year in lost productivity and extra security measures

.....and....

fraud, based on spam, is increasing rapidly.

 

In an earlier FT article, entitled "Gone phishing", on pages 1 and 2 of the IT Review of June 23rd 2004, the FT gives a large volume of information on the developments in phishing - phishing being fraud based on spam.  It evidently considers phishing to be potentially an even greater danger than other spam so far has been.  For example, the article reports that, according to Matt Cain, a senior vice president at research firm Meta Group,

 

the explosion of phishing scams, as well as generic spam and viruses, is contributing to a crisis that could threaten the viability of e-mail as an indispensable and trusted form of communications in the future.

and

The e-mail infrastructure is in the greatest peril it has ever been in.

And on August 13th 2004, page 10, the FT gives the following heading and text:

Heading: 'OECD taskforce to combat spam', with Text: 'The Organisation for Economic Co-operation and Development, the think-tank for the world's rich countries, has set up a spam taskforce .....'

So, the three FT articles between them show that major global organisations consider that spam, together with its associated viruses and phishing, is a vast current problem.

And yet, apparently, it is already solved by the above method of challenge.

Some discussion seems to be required, and is attempted below.

 

 

DISCUSSION


First discussion of the method demanding a response to an automated challenge



The software for the above method is named TMDA.  The 1.0-final release of TMDA was made in December of 2003.
 
The above challenge method succeeds because it attacks a weakness of spam:  the senders of bulk spam do not wish to admit to having sent it.
 
Consequently, in the challenge method, each recipient has an up-to-date whitelist, maintained automatically, and containing all the email originators who already are both known and acceptable to the recipient.  Then, for each item of email arriving addressed to the recipient, if the apparent originator of the item is not already on the recipient's whitelist (or on his blacklist), software automatically sends a challenge to the apparent originator asking the apparent originator to confirm that he or she is in fact the originator.  Only a few of the originators are expected to reply positively.  They are added to the recipient's whitelist and the corresponding mail is passed to the recipient accordingly.  The remainder of the challenged emails are scrapped.
 
Consequently the arrangement automatically eliminates all bulk spam where the senders are not willing to acknowledge that they sent the spam.  That technique appears to be very much more effective as a filter mechanism for spam than is the more conventional filter that is dependent on content.
 
However, despite the promising performance of the challenge TMDA as discussed above, there are some complications.

 

 

Some complications of the TMDA method of challenge and response

On the website:-

http://www.tmda.net/ 

Jason R. Mastaler explains that: 

1.    TMDA is an open source software application.  Had Jason tried to write the software to support say Microsoft Windows, then to him, the server software would have been like a black box.  That would have made things extremely difficult for him when trying to debug complex problems.

2.  The intended method for utilising the software is for it to be placed at a position suitable for intercepting the incoming email, at the entrance to the customer's mailbox, at the customer's server.  That then ensures that the appropriate challenges are returned to senders immediately and that there are no delays.  Had, instead, the software been installed at the customer's computer, then there could be considerable delays, particularly when both the recipient and the sender have only private domestic dial-up connections. 

3.  In order to use the TMDA open source software a customer needs his or her server to be a UNIX-based server, rather than, in particular, a server that is based on Microsoft Windows.

 

The problem
 
Jason says that other sources of the software exist.  However, from a small sample of enquiries made by the present writer, it seems to the present writer that very few people working professionally on internet software know of the existence of the challenge and response system, even in any software.  Moreover it seems that very few commercially large servers are able to offer the working system to their customers.  Furthermore, there is a major alliance of major internet companies called ASTA, which is discussed immediately below.  ASTA does not seem intent on using either the above challenge and response system, or an equivalent.  Instead, ASTA is working on what seems to the writer to be an apparently much more complex solution to spam than the method of challenge and response.

 

ASTA

ASTA is the Anti-Spam Technical Alliance, a collaborative effort between six leading Mailbox Providers and the Internet community.  The six members are America Online, British Telecom, Comcast, Earthlink, Microsoft, and Yahoo!.  ASTA claims to represent a large percentage of the mailboxes on the Internet. 

ASTA issued Version 1.0 of their Technology and Policy Proposal on 11th June 2004.  It may be obtained, for example, from the link:

http://postmaster.aol.com/asta/proposal.html 

In ASTA's Version 1.0 as above ASTA is very concerned to establish email senders' authentic addresses.  The establishment of authentic addresses is part of their total anti-spam proposals.  However, ASTA does not mention the already established method for confirming the authenticity of addresses as provided by TMDA above.

 

Apparent similarity, but yet contrasting

Despite the apparent similarity of approaches between ASTA and TMDA, there is a difference, of course.  The difference is not only between the techniques of the two methods, but also between their intermediate objectives.  Whereas ASTA is very concerned to establish email senders' authentic addresses, the challenge and response method of TMDA is not interested in establishing email senders' authentic addresses; the challenge and response method merely wishes to exclude all the mail that has travelled non-authentically.  To the writer, the challenge and response method of TMDA seems to be a valid, bold, and very short, short cut.

 

And so:

Given the open availability of the already written and developed TMDA challenge and response software, then the most basic need for the ASTA members, in order to allow them to carry out the same function as the TMDA challenge and response, would merely be to copy the TMDA software into the environment of their own servers.  Then also, given the very large capacity for writing software within the members of ASTA, and given the very strong and urgent global need to solve the problems of spam, viruses and phishing, then, presumably, with all those favourable conditions, the ASTA members would be able to carry out the necessary transcription and adjustment of the software, and be able to sort out any legalities, in order to be able to offer the service to all their own customers within an extremely short period of time.

 

Proposals

The obvious present basic proposal seems very simple, that servers should install software such that they can offer all their customers a challenge and response system, operating at the server as described above.  The organisations managing the servers would need to install software appropriate to each server.  The time needed for the servers to install suitable software seems likely to be small, especially in comparison with estimates for the time required for ASTA's proposed techniques.  Then, given publicity, as soon as a substantial number of mailboxes became available on the challenge and response system, a substantial number of customers would probably sign up to use them.  And once success had been obtained for a substantial number of very satisfied customers, many, and then most, other customers would soon join the system.  Spammers would find that spam would cease to be worthwhile.  And so, spam would stop.

This one simple and obvious proposal would seem to clear the email system of substantially all large scale spam, phishing, and viruses.
 
Adjustments may be needed later in order to defeat changes by the senders of spam, but there seems confidence on the tmda site that such problems would be readily soluble - see the answer to Question 1.1 on the page:

http://tmda.net/faq.cgi?req=all .

 

X's comments
 
X is the staff member whose statement in the Introduction started the present discussion on challenge and response.
 
As a result of the present discussion X comments that if everyone used the challenge and response method and if that threatened to destroy all large-scale spam, then spammers would attempt to fight back.  In particular his judgement is that in the fight-back many PCs in their present builds would be vulnerable to the spammers and could be taken over for use in the spammers' transmission routes. However, X considers that current state-of-the-art advances in software for PCs will improve their security sufficiently for that possibility to become blocked.

 

Belts and braces

It seems to the writer that, despite the tmda site's confidence, which doubtless is well justified, there could still be an advantage in creating a framework with a multiple "belt & braces" approach, in order to give defence in depth.

For example, in addition to the basic challenge and response method being available for any individual customer as discussed above, some or all of the following requirements could be applied, in order to achieve a well-run overall system operating on good practice.  However, most of these possibilities would not be used initially.  Instead, they would be kept in reserve for use should the techniques discussed above come under pressure from developments by the spammers.

 

1.   Servers could request each of their own customers to allow their own server to apply virus detection software to the customer's outgoing mail.

2.   Servers could be asked to implement rate limits and other good practice as recommended by ASTA.

3.   Servers could appoint an authorising group of servers; the authorising group would create, monitor and maintain a publicised "OK List" of servers who were properly operating agreed best practices.

4.   If circumstances so justified, the authorising group could recommend that servers should accept email for transmission from other servers only where those other servers were on the OK List. 

 

The argument could be put forward that applying recommendations or requirements such as the above went against the principles of free democratic access to the internet and of free speech.  However, such an argument is surely invalid provided the requirements applied are all reasonable for ensuring the proper running of the system and that the use of the system is open to everyone who is willing to accept such requirements.  The aspect of being reasonable for ensuring the proper running of the system would be demonstrated by keeping most of the items in reserve and not using them initially, as indicated above.  The aspect of being open to everyone who is willing to accept such requirements is analogous to the requirement that anyone using say public transport, or going to a theatre, cinema, or concert, is usually required to have a ticket.  So, in general terms, the overall principle seems reasonable.  It would be necessary to check that any specific requirement adopted is reasonable for the specific circumstances of the time.

 

Conclusions for Part 1

1.   For the immediate situation where spammers use their present techniques, if the above obvious proposals, even in their simplest form, were adopted by a substantial number of servers and customers, those servers and customers would be very satisfied, so that many, and then most, other customers would soon join the system.  As a result, spammers would find that spam would cease to be worthwhile - and the sending of all large scale spam, the viruses in it, and phishing, would stop.  The description of the simplest form of the proposals as "obvious" applies once the tmda website has been accepted.  The simplest form of the proposals is very simple, particularly in comparison with the proposals seemingly being discussed by other organisations.

2.   The threat to the spammers of all large-scale spam, viruses, and phishing being stopped would stimulate the spammers into attempting a fight-back.  Three further distinct defences are already foreseen in order to meet this possibility: Jason's approach on the challenge software, X's judgement that state-of-the-art software for PCs will adequately improve PC security, and the defence in depth provided by a belt and braces approach as suggested above.  These further distinct defences could still be relatively simple.

3.   The simplest form of the proposals could involve the current server organisations "copying" the TMDA software.

 

 

Part 2

Development.  In particular,

making the method more user-friendly
 

 

Another viewpoint 

The Challenge and Response method has generated opposing viewpoints.

An experienced "blogger" has kindly given the present writer his views.  The writer will refer to him as "Y".  Y does not agree with using the Challenge and Response method.  He argues that the burden which it can impose on the senders of genuine email is not reasonable.  In particular, Y argues, many of the people who are sending email - say to himself - are trying to give him helpful information.  Consequently it would be highly unreasonable for Y to impose a burden on his correspondents merely so that he, Y, can sort out his spam.  Moreover, Y says that most people take the same view as he does himself.

 

Reply to Y from X

The writer apologises for the algebra in this discussion.

X, the Internet Staff member who supplied the information at the beginning of Part 1, said that he had no obvious problems getting people to pass successfully through the Challenge and Response system. Moreover, challenges to senders of genuine email, rather than to senders of spam, were a very rare event.

 

Constructive use of opinions from both the internet staff member and from the blogger

The arguments and experience of X indicate that the basic method of Challenge and Response provides potentially a very valuable way of dealing with spam, as discussed in Part 1 above.  Nevertheless, Y's comments indicate that maybe some development could be required before it became adopted widely.

The writer has some sympathy with the blogger's viewpoint.  In the opinion of the present writer the Challenge and Response technique at present is not altogether user-friendly.  The mere name of "Challenge and Response", although adopted by the writer for the text of Part 1, above, is user-unfriendly, seemingly calculated to frighten away anyone other than the battle-hardened professional.  Moreover, it seems to the writer that even the email offered on the tmda web page as a model for a challenge message could be considered to be rather user-unfriendly when received unexpectedly by a first time user.  The first time user may feel the need to read the whole message, including the whole address of the link given for possible reply.  And the message and link as modelled are all rather long and involved.  Also, it may occur to the first time user to wonder whether he or she is being asked to sign up to the message or statement in the attachment, which, perhaps, could be subtly different from the user's own original email.

So certainly the confirmation request should have a format that is entirely user-friendly when received unexpectedly by a first time user.  It must be quick and easy to read and to use, it must be only a simple and a relaxed request for confirmation of the sending address of his or her particular email, which should be merely identified by say just the original addressee and subject, and it must be obvious that it is not a legal commitment in any way.  For example, the text for the confirmation request could perhaps read: 

"Bill Blog would like you please to confirm that you have recently sent from your address an email to him on the subject of Sarah's cat.  If you could please merely click on your system's "Reply" and then on "Send", the resulting blank message arriving at Bill's automatic system would act as confirmation of the sender's address and would cause your original email to be delivered to Bill's mail box." 

However, if the confirmation method as discussed above were being adopted by a substantial number of servers, and once success had been obtained by a substantial number of very satisfied customers, all for eliminating spam as proposed in Part 1 above, and with substantial publicity, then the user-friendly aspect of the situation becomes much simpler.  With that substantial adoption of the confirmation method, and with the substantial publicity, a first-time sender of the original email would know that a confirmation request may arrive, and he or she would become familiar with the usual type of format.  Moreover, a first-time sender of the original email would know that the confirmation request was an arrangement recommended by that substantial number of servers and satisfied customers, and adopted by them in order to stop spam, viruses and phishing, not only for one's own incoming email, but also in order to clear the whole email system.  A first-time original sender would know that it was not merely a peculiarity on the part of the person whom he or she was trying to contact.  The original sender would also know that the request for confirmation was not itself just another item of spam, nor a legal document, nor a trick to sign away something.  Consequently, provided the confirmation request were worded with some reasonable care in order to make it user-friendly, the burden on a first-time sender of the original email would be small - and for other senders of an original email it would be zero.

 

Y's favoured method

Even with care in making the confirmation request user-friendly, some people may still not wish to submit their correspondents to the burden of confirmation.  Now Y, the blogger, favours for current usage a rather similar system, but one that eliminates the burden of confirmation.  Y's favoured system works on the basis that most current spam is sent using a non-existent sender's address.  His favoured system works with white lists and black lists just as for the confirmation method as discussed in Part 1.  However, the automatic response in Y's favoured method, instead of asking for confirmation of the sending address, nominally merely acknowledges receipt of the original email.  If Y's automatic response bounces - because of its being sent to a non-real originating address - then the original email is scrapped as being spam.  On the other hand, with a real originating address the automatic response does not bounce, so that, after a suitable pause, the original email is delivered to the recipient's mailbox.

Y's favoured method therefore at present provides a second technique of automatic response for sorting the wheat from the chaff.  And it avoids putting a burden of reply on one's correspondents. Even so, the automatic reply even in Y's favoured method is best written rather carefully, so that it can all be read and absorbed very easily, and quite pleasantly, without wasting people's time.

 

And, so, a combined method 

Consequently, for the total arrangement proposed for stopping spam, Y's favoured method is made available to servers' customers as an option, which the customers may choose if they so wish in preference to the confirmation of address method of Part 1 above.  Servers' customers could also decide to do nothing.  Both types of automatic reply would be available in the same common total internet framework as put forward in Part 1 above.  In addition, the whole approach from Part 1 is made more user-friendly.

Y mentions that Russ Nelson has published an algorithm on the web page:

http://russnelson.com/cec.html.
 
 

 

Technique development by the spammers

It is now necessary to discuss how the above user-friendly system with the 2 options would perform when the spammers develop their techniques.  In order to do so, a general assessment of the system is first required. 

The automatic response that gives merely an acknowledgement of receipt is a less positive technique than is the request for a specific confirmation of sending.  Consequently, in further private correspondence, X, from Part 1, points out that if the only method used were the automatic acknowledgement of receipt, then spammers would merely be encouraged to change from their present practice of using unreal addresses to one of spoofing real addresses.  In addition, X suggests, any system error in the internet transmission, such as occurs very occasionally, could cause more confusion with the method acknowledging receipt than with the method requesting confirmation.  So, as a result of these possibilities, the present general assessment needs a specific assessment of how many customers would choose which method. 
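As an added illustration (not part of the original letter, and not TMDA's own code), the following Python model implements the confirmation option of Part 1 and Y's acknowledgement option over the same whitelist and blacklist, and runs a small constructed batch of mail through both, including the forged real address that X describes.  The class and function names, the sample addresses and subjects, and the three-tick hold period are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    CONFIRM = "confirm"          # Part 1: held mail is released only by a reply
    ACKNOWLEDGE = "acknowledge"  # Y's option: released unless the reply bounces


@dataclass
class Mailbox:
    owner: str
    mode: Mode
    hold: int = 3  # ticks to wait for a reply or a bounce (assumed value)
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    inbox: list = field(default_factory=list)
    scrapped: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)  # sender -> [(arrival tick, subject)]
    outbox: list = field(default_factory=list)   # automatic replies: (to, text)

    def sent_mail(self, recipient):
        """The owner wrote to someone, so that address is whitelisted automatically."""
        self.whitelist.add(recipient.lower())

    def receive(self, sender, subject, now):
        sender = sender.lower()
        if sender in self.blacklist:
            self.scrapped.append(subject)
            return "scrapped"
        if sender in self.whitelist:
            self.inbox.append(subject)
            return "delivered"
        if sender not in self.pending:
            # Design choice of this example: one automatic reply per unknown sender.
            self.outbox.append((sender, self._reply_text(subject)))
        self.pending.setdefault(sender, []).append((now, subject))
        return "held"

    def _reply_text(self, subject):
        if self.mode is Mode.CONFIRM:
            return (f"{self.owner} would like you to confirm that you sent "
                    f"'{subject}'. Click Reply, then Send.")
        return f"Your message '{subject}' to {self.owner} has arrived."

    def reply_received(self, sender):
        """A reply confirms the sending address: whitelist it and release its mail."""
        sender = sender.lower()
        self.whitelist.add(sender)
        self.inbox += [subj for _, subj in self.pending.pop(sender, [])]

    def bounce_received(self, sender):
        """The automatic reply bounced, so the sending address does not exist."""
        self.scrapped += [subj for _, subj in self.pending.pop(sender.lower(), [])]

    def tick(self, now):
        """Apply the mode's default action to mail that has been held for `hold` ticks."""
        # With no reply and no bounce, CONFIRM scraps the mail and ACKNOWLEDGE delivers it.
        target = self.inbox if self.mode is Mode.ACKNOWLEDGE else self.scrapped
        for sender in list(self.pending):
            held = self.pending[sender]
            target += [s for t, s in held if now - t >= self.hold]
            keep = [(t, s) for t, s in held if now - t < self.hold]
            if keep:
                self.pending[sender] = keep
            else:
                del self.pending[sender]


def run_scenario(mode):
    """Constructed traffic: one known sender, one genuine newcomer, two spam items."""
    box = Mailbox(owner="Bill Blog", mode=mode)
    box.sent_mail("alice@example.org")                  # Bill has written to Alice before
    box.receive("alice@example.org", "Lunch on Friday", now=0)
    box.receive("bob@example.net", "Sarah's cat", now=0)             # genuine first-timer
    box.receive("promo@no-such-host.invalid", "Cheap pills", now=0)  # non-existent sender
    box.receive("carol@example.com", "Verify your account", now=0)   # forged real address
    box.bounce_received("promo@no-such-host.invalid")
    if mode is Mode.CONFIRM:
        box.reply_received("bob@example.net")           # Bob clicks Reply, then Send
    box.tick(now=3)                                     # Carol never sent it, never replies
    return sorted(box.inbox), sorted(box.scrapped), len(box.outbox)


if __name__ == "__main__":
    for m in Mode:
        print(m.value, run_scenario(m))
```

In both modes three automatic replies are sent, one of them to the uninvolved owner of the forged address; only the confirmation mode keeps the forged item out of the inbox.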

Now, as discussed above, both the user-friendly attitude of the system and its early adoption by a substantial number of servers and customers, who rapidly become very satisfied, would, together with suitable publicity, significantly increase the attractiveness of the proposals.  It is now also worth noticing that whether a person would prefer their own incoming mail to be subject to a request for confirmation of sending, or merely to a nominal acknowledgement of receipt, could be largely a matter of the characteristics of that person's circle of email correspondents:

If one's circle of email correspondents is rather stable, other than perhaps for mailing lists (which X states are treated separately), then almost all one's genuine correspondents would already be on one's whitelist - or on one's blacklist.  Consequently one's automatic response system would send very few automatic responses to genuine correspondents.  Now if, in addition, there had been a good adoption of the total system, and good publicity, then the few genuine correspondents who do receive automatic responses would be first-time correspondents who would be rather expecting the automatic response.  They would be much more familiar with the format and with the system than are most people at the present time.  And they would know that such automatic responses for first time correspondents were an ordinary feature of the overall anti-spam system - rather than being imposed unreasonably by the person to whom the originating email had been sent.  Consequently, with user-friendly formats adopted for the automatic responses, the total burden imposed on one's correspondents would be small.  Overall, therefore, a server's customer having a rather stable circle of correspondents would feel strongly favourable to joining the system. And they would probably ask for the full request for confirmation of the sending address on their own incoming email.

If, on the other hand, a server's customer frequently had new correspondents sending in helpful information, as may hold say for journalists, but with otherwise the circumstances just described, then he or she may still choose to join the system, but with the automatic response on their own incoming email merely using the acknowledgement of receipt.

The total broadened and universalised system as discussed above would therefore prove attractive to servers' customers, whatever their circle of correspondents.  With the co-operation of a substantial number of servers, and with substantial publicity, all as discussed above, a large proportion of servers' customers would opt for joining the system.  Moreover, of the customers who join, probably quite a high proportion would choose the stronger system, i.e. having the request for confirmation of address.

 
The above broadened situation therefore seems likely to carry even more strength than is provided by Part 1.  Now Part 1 has three back-up lines of defence, as listed in the second of the Conclusions of Part 1.  So, as a start, spammers who use current techniques of non-real sending addresses would find that much or most of their mail was destroyed without being delivered.  Also, spammers who use spoofed real addresses would find that a considerable proportion of their mail was destroyed without being delivered.  And customers using the proposed system would be very satisfied, especially those choosing the confirmation of address.  After a period of such operation, customers would be becoming progressively more familiar with the automatic responses and, correspondingly, the acceptability of the proposed system would increase, as well as the evidence of its success.  The ensuing popularity would then increase the membership among servers' customers.  Spammers would simultaneously be developing their techniques, but, with the 3 lines of defence from Part 1, and with the progressively increasing membership of the proposed overall anti-spam system, the destruction of the spammers' output before delivery should increase, until gradually the spamming ceased to be profitable.  Even, therefore, when the spammers fight back, the proposed total system should be capable of stopping large-scale spam, the viruses in it, and the associated phishing.
 
 

 

Ken Coar's viewpoint

Ken Coar has also kindly sent his comments.  Ken (see, for example, http://ken.coar.org/) says that he, like Y, the blogger, objects on multiple grounds to challenge and response authentication systems for email.  Ken's main objection, like Y's, is to inconveniencing his first-time correspondents merely in order to sort his own email.

Ken's comments were for an earlier version of the present proposals.  The writer has studied Ken's comments and has made various changes accordingly.  The present version of the proposals seems to the writer to be much improved as a result.  Parts 1 and 2 have been edited and Part 3 has been added.  Part 3, below, emphasizes that the present initiative is for cleaning the total, global, email system - of all its spam, viruses and phishing. As such it should benefit all users of email - whether or not they join in the initiative.  So customers who do join in the initiative would be contributing to the general value of the email system, not merely sorting their own mail.  A large proportion of users would need to join the initiative in order to make it strong enough to stop even the sending of spam.  And correspondingly a substantial number of servers are asked to co-operate in order to get the initiative moving.  Hence again, Part 3.

 

     

Part 3

Conversion of the proposals to reality

 

From the above discussion it becomes apparent that there probably is not a widespread appreciation among computer users of the existence of the challenge and response method for filtering spam from one's personal incoming email.  Moreover, most of the computer users that know of the method probably do not appreciate its very high effectiveness.  And neither, probably, do they appreciate that the "challenge" could be redesigned into a much more user-friendly form.  And for those few who do appreciate all these facts, probably only a small proportion would find that their existing server would offer the service.

Consequently it seems likely that at present very few computer users are already using the challenge and response method.

With only a few users of the method it would not be surprising if some non-users took the view that users were putting other people to an inconvenience.  Non-users could consider that users expected senders of mail to answer a challenge merely to save the users from having to sort their own email.  And so the method could get a bad reputation and the number of users of the method could be even smaller than might be expected otherwise.

At present the method appears to be stuck, perhaps not surprisingly so.

Now in contrast, the discussion of Parts 1 and 2 above has taken us to the position where, if the challenge and response method were made much more user-friendly, if it were offered without charge, with effective favourable publicity, by the people and organisations who run the world-wide email system, and described as being a good practical way of stopping spam from even being sent, as well as stopping the associated viruses and phishing, and that the method would be for everyone's advantage once it were even fairly widely adopted, then, with such a launch, the system could be accepted as being just as reasonable as accepting a ticket to get on a bus.  The feeling of a burden on senders of email would be gone.  And most people would join the initiative.  Spam would become unprofitable and would cease.

Moreover, we know that ASTA, which claims to represent a large percentage of the mailboxes on the Internet, wishes to use their possible near "critical mass" in order to set up an effective barrier to spam, but that the methods which they are pursuing so far, in their June "Version 1.0" Policy Proposal, seem more difficult than the present method of sender's address confirmation.

Consequently in this Part 3 the present initiative is directed at encouraging particularly ASTA, in their scheduled discussions, and all other servers, to convert the proposals just discussed into practical reality.  All servers are asked, please could they -

 

(a) offer to their customers as a free service the overall arrangement of Parts 1 and 2, above;

(b) explain to their customers the likely very effective performance in filtering out the spam and the associated viruses and phishing in their own email;

and

(c) explain to their customers that the overall initiative, and the invitation to them to join in, is all in order to achieve a well run email system, effectively free of spam, viruses, and phishing, for the benefit of all users of email.

 

Other organisations that are very concerned about spam, particularly those already mentioned in the text above, are asked if they could please join in the favourable publicity for the present initiative.

The initiative would not get 100% co-operation, but neither would it need 100% co-operation in order to be effective in stopping spam.  It is felt that, under the above circumstances, even substantial initial co-operation from servers would lead to substantial initial acceptance from customers.  That should give a substantial feeling of very satisfied customers.  And that in turn should lead to most customers accepting the offer.  Furthermore it is felt that under those circumstances most of the customers who accept the offer would opt for the stronger safeguard of the confirmation of the sending address.  Spam would then cease to be worth the effort that it costs the spammers.  Consequently the proposed arrangement is argued to be sufficiently strong to stop the sending of substantially all spam - including the viruses in it, the associated phishing, and their likely developments.


 
 
 
Final conclusions
 
The proposed total system should be capable of stopping the sending of large-scale spam and the viruses in it, and it should be capable of stopping the associated phishing.
 
The proposals are a somewhat broadened version of those discussed in Part 1.  A second option has been added, available to servers' customers.  With the 2 options, servers' customers would be able to choose to have sent on their behalf either a nominal acknowledgement of the arrival of an email, or the request for confirmation of the sender's address - or neither.  And the total system would be more user-friendly than as presented in Part 1.  Then, servers are asked to run the system - free - and with substantial favourable publicity - in order to obtain an early substantial number of very satisfied customers.  That would lead to most servers' customers accepting the proposals.  Spam would cease to be worthwhile for the spammers and the email system would have become clean.
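
The two options summarised above differ in what happens when an automatic response meets silence rather than a bounce.  The following Python sketch is an added example, not code from the original proposal; the class, the event names, the rule that a confirmed sender joins the whitelist, and the sample addresses are all assumptions made for illustration.

```python
from enum import Enum

class Mode(Enum):
    CONFIRM = "request confirmation of the sender's address"
    ACK = "nominal acknowledgement of arrival"
    NONE = "customer has not joined"

class Mailbox:
    """One customer's triage state. All names here are hypothetical."""
    def __init__(self, mode, whitelist=(), blacklist=()):
        self.mode = mode
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.held = {}                       # sender -> messages awaiting an outcome

    def receive(self, sender, message):
        if sender in self.blacklist:
            return "destroy"
        if sender in self.whitelist or self.mode is Mode.NONE:
            return "deliver"
        self.held.setdefault(sender, []).append(message)
        return "hold"                        # an automatic response is sent here

    def resolve(self, sender, event):
        """event: 'bounced', 'confirmed', or 'silent' (no bounce, no confirmation)."""
        if not self.held.pop(sender, None):
            return "nothing held"
        if event == "bounced":               # sending address does not exist
            return "destroy"
        if event == "confirmed":
            self.whitelist.add(sender)       # assumption: confirmation whitelists
            return "deliver"
        # Silence: ACK only filters on a bounce; CONFIRM requires a reply.
        return "deliver" if self.mode is Mode.ACK else "destroy"

# Constructed sample senders and the event each one is assumed to produce.
def outcomes(mode):
    events = {
        "nobody@nonexistent.example": "bounced",
        "spoofed-victim@real.example": "silent",   # real owner ignores the reply
        "new-contact@genuine.example": "confirmed" if mode is Mode.CONFIRM else "silent",
    }
    box, result = Mailbox(mode, whitelist={"friend@known.example"}), {}
    for sender, event in events.items():
        action = box.receive(sender, "hello")
        result[sender] = box.resolve(sender, event) if action == "hold" else action
    result["friend@known.example"] = box.receive("friend@known.example", "hi")
    return result

if __name__ == "__main__":
    for mode in Mode:
        print(mode.name, outcomes(mode))
```

Under these assumptions a non-existent sending address is stopped by either option, while a spoofed real address is stopped only by the confirmation option, which is the sense in which the text calls that option the stronger one.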

 

  Brian Stratford
brian@brianstratford.com
 
Part 1, July and August 2004;

Summary and Part 2, with other editing, September 2004;
Part 3, with other editing, November and December 2004; 
Further editing, January 2005.
 
