China, Spam, SPF, and Freedom to mail

Hello Friends,

This weekend, I was reading through the copious list of emails I subscribe to when I stumbled upon an article at Ars Technica concerning China’s recently passed law requiring e-mail servers to have a license. When considered in the context of an authoritarian regime, it’s a bit chilling. Spending more time thinking about it though, and doing that thing I do at work (Internet crime fighter!), it started to look like not such a bad idea…
The whole spam problem comes down to a few inherent design problems:

  1. E-mail protocols were designed at a time when the number of machines on the Internet could be counted with fewer than 3 digits.
  2. Only universities and research institutions were online; you didn’t need to confirm the sender’s identity (and when someone forged a message it was for entertainment purposes and considered a great prank).
  3. The volume of mail was low, filtering was unnecessary, and individuals who abused the system were either booted off, or made into pariahs.
  4. DNS cannot be used reliably to determine anything. It can only passably be argued that it does forward lookups properly.

Which all leads to my dilemma: licensing of email servers is a very interesting idea when not used for the wrong reasons. The most useful way of determining the legitimacy of an email today is the reputation of the sending organization/mailer/person. But there is no reliable mechanism to determine this, and no way for your reputation to follow you. Today it is accomplished by using IP addresses, which invariably leads to more mistaken identity, rather than truly securing email traffic. IPs change and organizations are compromised, resulting in their IP addresses appearing to be bad (Stolen Identity anyone?), not to mention IPs are very easily forged.

Technologies like SPF are interesting, but there is still no way to actually hold the owners of the domains using SPF responsible for their abuse of the system. Any spammer worth his salt can publish a valid SPF record without allowing you to know who they are… And so they abuse it, and you decide that domain is not reputable and they buy another domain and publish another valid SPF record to hit you again. It’s cheap, fast, and easy.

So, you might say, why trust a domain with no reputation? Well, as of July 21st, 2006 there are 72,680,308 registered domains that are valid. Do you want to miss out on email from ~70 million domains because you haven’t seen them?
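The gap between an SPF pass and a reputation, as an added example that is not part of the original post: a simplified SPF check (only the `ip4`, `ip6` and `all` mechanisms, no DNS lookups) paired with a reputation table keyed by domain instead of IP. The domains, addresses, reputation entries and the `content-filter` action are constructed assumptions.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Evaluate a simplified SPF record (ip4:/ip6:/all only) for client_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # a, mx, include, redirect etc. need DNS and are skipped in this sketch
    return "neutral"

# Constructed sample data: published SPF records and a domain reputation table.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "fresh-domain.example": "v=spf1 ip4:203.0.113.7 -all",
}
REPUTATION = {"example.org": "good"}         # fresh-domain.example has no history

def verdict(mail_from_domain, client_ip):
    """Return (spf_result, action). SPF only proves the domain authorised the IP."""
    record = SPF_RECORDS.get(mail_from_domain)
    spf = spf_check(record, client_ip) if record else "none"
    if spf == "fail":
        return spf, "reject"                 # forged use of someone else's domain
    if spf != "pass":
        return spf, "content-filter"         # no authenticated identity to score
    rep = REPUTATION.get(mail_from_domain, "unknown")
    # A valid record on a never-seen domain is authenticated but not trusted.
    return spf, {"good": "accept", "bad": "reject"}.get(rep, "content-filter")

if __name__ == "__main__":
    for dom, ip in [("example.org", "192.0.2.25"), ("example.org", "198.51.100.9"),
                    ("fresh-domain.example", "203.0.113.7")]:
        print(dom, ip, verdict(dom, ip))
```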

Licensing domains when the purpose is censorship and control is wrong. There is no doubt that if we implemented something similar, the politicians would warp it into a scheme that none of us would like… But it does stimulate some neurons in my brain that suggest that, as a world community, we might begin to find ways to tame the wild wild web.

