I have gotten as many as 600 spams a week in my inbox, which while not as many as some people, is certainly an aggravating volume. Nearly all of this falls into the familiar categories: sex, enhanced sex, enhanced sex anatomy, meet someone to test your enhanced sex anatomy, and refinance now. The volume would be overwhelming, were it not for the excellent spam filter included with Apple's mail program. I would never want 100 pieces of physical junk mail per day, and especially not if it were as offensive as the vast majority of spam, but a general solution to the junk E-mail problem remains elusive.

M

y company maintains a list of (currently) about 45,000 people who have signed up to take surveys from us. In order to get on this list, you have to fill out two pages of demographic information on our web site, and then confirm your registration by replying to an E-mail. In other words, there is almost no way to sign up by accident, unless you are very clumsy. We also never distribute our list.

Nevertheless, recently when we send out a mailing to our panelists, we inevitably get a handful of irate responses along the lines of "STOP SPAMMING ME NOW!!!!!!!!!!!!!!!!!!!!!!!!!" This is above and beyond the usual "I'm not interested any more, please delete me" letters, and the people who take the initiative themselves and unsubscribe through our website.

This greatly distresses my VP of Operations, who goes to great lengths to ensure that we're one of the Good Guys (with my blessing). Pointing out that there's no way any rational person could consider us spammers doesn't change the fact that there are some people out there who (a) apparently forgot that they signed up with us, and (b) are so irate about spam that they seem to feel the need to respond rudely to any unwanted E-mail they receive.

Another recent incident: we had a customer request some information from us about an upcoming project. I tried several times to send the message, but it kept bouncing with a "content rejected" error. At first, I thought it was the two PDF attachments (less than 100K total), but it turned out to be an overly aggressive spam filter, which somehow thought that my response to his request for a quote and other information was too much like a pitch for generic Viagra. Ironically, forwarding the bounced message--which contained my entire original message--finally got through the spam filter.

These two incidents illustrate a side-effect of the recent anti-spam efforts, which is a growing aggressive vigilanteism when it comes to unsolicited E-mail, a vigilanteism which is running the risk of being almost as destructive to the usefulness of E-mail as spam itself. The problem is that an overly-aggressive approach to eliminating spam also runs the risk of eliminating a lot of the usefulness of E-mail in general.

P

art of the problem is that there are several different attitudes towards spam, and definitions of what constitutes spam. At one extreme, of course, there are the spammers themselves, who presumably don't see anything wrong with what they're doing, aside from the fact that everyone suddenly seems to hate them. At the other extreme there are people who think that E-mail should be reserved for mutually voluntary human-to-human communications only--that any automated or unasked-for E-mail should be verboten.

Somewhere in the middle are a variety of other attitudes:

* "I don't mind advertisements as long as they're from companies I do business with."
* "The real problem is not unsolicited advertisements, but the offensive unsolicited advertisements."
* "If we could enforce removal requests and make sure the headers were accurate, then people could get off the lists they don't want to be on."
* "Spam will always be with us, so the key is to manage it rather than waste energy trying to eliminate it."

Unfortunately, this diversity of opinions has also divided the anti-spam community. Some are content with eliminating the clearly offensive and fraudulent spam ("fraudulent" meaning either that the product or service is a fraud, or that the E-mail was delivered in a way designed to hide its tracks). Others aren't content unless all unsolicited commercial E-mail is banned, even if it is sent directly from a live person.

About 95% of the spam I receive falls into the fraudulent/offensive category, so I would be happy if just that could be eliminated. Others may have different views, as well as a different sense of what constitutes fraudulent or offensive. But for me, the relatively small number of "legitimate spam" I receive (i.e. unsolicited advertisements where the sender is clearly identified and offering a legitimate product or service) is barely at the nuisance level.

As an aside, I don't really buy into the argument that "if just 1% of the businesses in America spammed you just once a year, you'd be flooded, so even 'legitimate spam' should be outlawed." For starters, the E-mail list has to come from somewhere, and it is relatively easy to obfuscate E-mail addresses from web crawlers (I have yet to receive a single spam at the address I use for this blog, despite having a mailto: link on every entry). In addition, even with the relatively low cost of bulk E-mail, it still costs more than nothing, and very few small businesses will want to spend the money.

I

don't know what the solution to the spam problem is, but there are number of proposed solutions I'm fairly confident won't work:

1. The "spam tax" which would mandate a small charge--possibly less than a cent--on all outgoing E-mail. There is a bewildering array of variations on this theme, but the basic idea is always that by charging a small amount of money per E-mail, sending vast numbers of unsolicited E-mails becomes prohibitively expensive. These solutions ignore that (a) Spammers already have nonzero expenses for sending bulk E-mail, but nobody seems to have done the analysis to figure out how much this would actually shift the economics of spam; (b) There does not exist the infrastructure for collecting and enforcing a spam tax, nor even an inkling of how to build the infrastructure in a scalable, enforceable, and economical fashion; (c) Many variations on the spam tax are astonishingly complicated, all in a vain attempt to avoid problem (d) Nobody wants to start paying for something which used to be free, and many current services which depend on very low-cost E-mail would no longer be economical (i.e. getting news or weather E-mailed to you).

2. Purely legal solutions which simply make some definition of spam against the law. Many are inspired by the successful anti-junk-fax law, which basically eliminated the problem of just fax about a decade ago. Ignoring the fact that such an approach to spam is too draconian (junk fax posed a unique problem, in that it creates direct expenses for the receiver, in paper, toner, etc.), it is far easier for a spammer to avoid being traced, and essentially no additional cost in spamming from overseas where the laws are different.

3. Purely technical solutions which seek to use a combination of heuristics and intelligence to figure out what is spam and what isn't. These filters have gotten very good, but they're not a solution in my book. I still see false positives in my spam filters (and we've evaluated several), and even one false positive is unacceptable in a business setting. We can't afford to either lose business because a customer couldn't E-mail us, or annoy our panelists because they can't complain. As a result, we wind up going through our "junk" E-mail anyway, just to make sure nothing got mislabeled.

S

o what is the solution?

By now, it should be clear that I don't have a solution. In fact, the problem of ending spam, as it currently stands, may be intractable. Not because there's no way to eliminate unwanted E-mail, but because people can't even agree on what an acceptable solution would accomplish, much less what the best approach would be.

Rather, I would like to propose a process which should produce a solution:

1. Formulate a common, specific definition of what kind of E-mail needs to be eliminated. For example, is unsolicited commercial E-mail acceptable as long as the sender respects remove requests and doesn't force headers? Or is only solicited E-mail acceptable? And if consent from the recipient is required, what constitutes acceptable consent and record-keeping?

This step is crucial, and requires input from all stakeholders, including legitimate advertisers. Without reaching a consensus on what to eliminate, nothing else will work; and if the views of legitimate advertisers aren't taken into account, the odds of success are much reduced. On the other hand, if there's the equivalent of a global AUP for E-mail, acceptable to both anti-spam crusaders and major companies and ISP's, the road is much smoother.

2. Based on the definition of spam created in Step 1, determine if any laws need to be changed to make it illegal. In addition, appropriate legal sanctions should exist to make it financially painful to break the spam laws. Appropriate "safe harbors" should also exist to protect companies which make an effort to follow all the rules, but make legitimate (and inevitable) mistakes.

3. Determine what technical infrastructure needs to exist to support enforcing the laws and policies formulated in steps 1 and 2. Note the distinction I'm drawing between using technology to directly eliminate spam vs. using technology to enforce policies and laws. Since spam is primarily a human problem, not a technical one, the role of technology is to support the human elements rather than be the solution itself.

The required technology will most likely be to create better audit trails and make it difficult to conceal the origin of a particular E-mail, rather than trying to directly identify spam and eliminate it (though that's not bad as a stopgap). There could even be a transitional period, where there are two parallel E-mail systems: one the current system, and a second a secure, traceable system. Spam filtering could take place at the border between the two.