Bill Gates called out the spammers this week in his RSA keynote, asking them to meet him in the alley and duke it out once and for all. But will he ask the rest of us to help Microsoft beat them down? Will it be Bush and the U.N. or Bush and Britain?
Gates swung first with what he dubbed the Coordinated Spam Reduction Initiative, or CSRI (how would we live without acronyms?). This 3-pronged beast springs from the thought that relatively simple system-wide changes could, he said, “change the economic model for sending spam and put the spammers out of business.”
The three prongs are:
- Establish a Caller ID-type system for email;
- Create a certification process to allow legitimate high-volume emailers to show they’re playing fair; and
- Create ways for smaller emailers to avoid being lumped in with spammers.
Microsoft also has been ramping up something called SmartScreen, which requires a gazillion volunteer Hotmail users to train the system to identify markers that match typical spam.
Microsoft’s CSRI guru, Ryan Hamlin, says, “With SmartScreen working in Hotmail, we know that upwards of 90 percent of spam is blocked so it never reaches the subscriber.”
That remaining 10 percent is still a mighty load, but I love a good algorithm, so I’m willing to give it a chance as they roll it out across all Microsoft email products. But back to CSRI…
“With CSRI, MSN seems to have covered all the bases; filtering, sender authentication, whitelists, challenge-response, postage and more,” says Michael Mayor, who is president and COO of NetCreations/PostMasterDirect, and iMedia’s email marketing go-to guy. “This in itself is a strong signal that they are further down the path than most, as many experts agree no single form of technology will be effective in fighting spam. The suite of technologies they propose is well thought out and extremely encouraging.”
That’s an excellent point. By the time Microsoft announces something of this scale, it’s been pondered and whiteboarded for many sleepless nights by many nameless yet eager Microsofties. So they probably are farther down the path than many. But that may not be a good thing, as I’ll explain later.
Show Me the Sizzle
The sexy part of this proposal -- especially for the media because it’s an easy-to-understand model -- is Caller ID for Email, or what I’d rather call: Spoofer ID.
Existing filters look at an email message’s origin to decide whether it’s spam. But any 8-year-old can “spoof” an address, making it appear like it comes from someplace other than its origin.
Since we can’t yet demand a DNA sample for email authentication (my personal dream), Microsoft is proposing a 3-step Caller ID-style process to authenticate senders. They’ll try it first with MSN’s Hotmail -- if there ever was a fertile field to test spam reduction technology, it’s Hotmail.
Microsoft’s Hamlin says, “Essentially, it's a mechanism for legitimate senders of mail to help ensure their Domain Name is not being abused by a spammer.”
Spoofer ID works like this: Senders publish their IP addresses in the domain name system (DNS) in a specific -- but as yet unnamed -- manner. A recipient system identifies the originating domain of a message, then queries the DNS for the IP addresses registered for that domain. If the address the message actually came from doesn’t match, it’s a spoof and the email goes to that place where single socks go to die.
I’m not a tech guy, but that sounds to me like a bloated version of Outlook’s email filtering system -- but with a really big trash can. Then again, maybe that simple solution is the elegant solution here.
If a spammer doesn’t register, he/she/it doesn’t get through. Simple. Elegant.
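The recipient-side check described above, as an added example that is not from Microsoft's proposal or this column. The record layout is hypothetical (the column says the publishing format is not yet named), a constructed dictionary stands in for the DNS lookup, and the domains and addresses are reserved documentation values.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for DNS: domain -> networks the domain says it sends from.
# The real record format is not given on the page; this layout is hypothetical.
PUBLISHED = {
    "example.com": ["192.0.2.0/28", "2001:db8:10::/48"],
    "example.org": ["198.51.100.25/32"],
}

def sender_domain(from_header):
    """Return the lower-cased domain of a From: header, or None if unparseable."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()

def check_sender(from_header, connecting_ip, published=PUBLISHED):
    """Classify a message as 'pass', 'fail', 'none' (no record) or 'invalid'."""
    domain = sender_domain(from_header)
    if domain is None:
        return "invalid"
    try:
        ip = ipaddress.ip_address(connecting_ip)
    except ValueError:
        return "invalid"
    networks = published.get(domain)
    if networks is None:
        return "none"      # domain has published nothing; local policy decides
    for cidr in networks:
        # Membership across IP versions is simply False, so IPv4 and IPv6
        # ranges can share one list.
        if ip in ipaddress.ip_network(cidr):
            return "pass"
    return "fail"          # domain is registered, but not for this address
```

The 'none' outcome is where deployment policy matters: the column reads an unregistered sender as one that does not get through, which only works once legitimate domains have published their addresses.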
What About Legitimate Emailers?
Microsoft wisely addressed the concerns of legitimate emailers in CSRI, too. Their solution for large-scale emailers is based in creating independent email trust authorities (IETAs) to monitor compliance. Don’t know what happens if they don’t comply, though. Perhaps John Cleese gets to poke them with the soft pillows (check out Monty Python’s Inquisition riff if you’re thinking “Huh?”).
For the little guys -- and I’ve been one of those -- compliance would be costly if forced to navigate the tribal certification ritual of an IETA system. So Microsoft is proposing that smaller emailers pay in computer cycles instead of cash.
Near as I can tell from the information Microsoft released, that means I’d have to prove that I spent as much as 10 seconds sending an email before it would be allowed to go through. But what the hell does that mean? I’d be happy to buy a beer for anyone who can give me a rational, easy-to-integrate explanation of how I’d do this.
The Bottom Line? Don’t Go It Alone, Bill.
So it looks like CSRI will join safelists, challenge/response, computational puzzles, micropayments and the delete key in the war on spam.
Does CSRI make sense? Absolutely.
Should we, as an industry, get behind it? Definitely.
Will it work? I dunno.
On the surface, it’s a collection of solid ideas. But let’s face it, most serious spammers eat this stuff for lunch. About five minutes after someone comes up with a magic new spam filter, they work around it and my mailbox fills up with concerned missives about my potency, my hairline and how long it’s been since I saw Paris Hilton naked.
Then there’s Microsoft’s innate tendency to ship buggy… er, I mean feature-filled software when left to its own devices. They’re the masters of inadvertent security holes and never-finished products. If Microsoft made cars, they’d get you where you want to go, but without a door or perhaps a window, or with an undiscovered opening that actually would allow that truck behind you to drive into the backseat.
That said, CSRI just could work IF we all band together. Open up the code, Bill. Share technology and ideas with Amazon, eBay and others who are fighting spam on their own fronts.
This is not a time to be imperious. It’s a time to be serious… and cooperative. You know the spammers are comparing notes and cracks and hacks. We should, too. But you have to invite us in.
To read Microsoft’s proposed CSRI and Caller ID standards and to comment, go to www.microsoft.com/spam.
To rant at me, or to congratulate me on my insightful analysis, email [email protected]. But don’t try to spoof anyone else’s domain.