At the risk of becoming seriously boring, today's log entry is on the topic of spam email again. I'll keep it brief(ish).

The EFF is taking a somewhat anti-anti-spam stance in its latest newsletter. This position is congruent with the stance taken by EFF heavyweight John Gilmore in a previous incident which I discussed in the reactionary rant entitled Are Anti-Spam Policies Censorship?. In short, and I quote, "any measure for stopping spam must ensure that all non-spam messages reach their intended recipients." In John Gilmore's case, this meant that he felt he should be able to operate an open mail relay without any detrimental impact on his own ability to send non-spam mail through it. This, apparently, without any reciprocal obligation on his part to take reasonable measures to prevent his system from facilitating the distribution of spam. I wasn't impressed with the argument.

The EFF article slams legislative attempts to control spam — efforts which it deems "failed, and rightly so" — and also de facto industry bodies (eg MAPS) which attempt to do something about spam via the technological approach. I can agree, to a large extent, with their stance on legislation, but I think their attitude towards MAPS et al is somewhat confused and inconsistent.

With regards to legislation, I'm not overly concerned one way or the other about the laws that could be made, although it seems reasonable to me that persons who deliberately falsify mail headers should (in principle) be prosecutable for false and misleading business practices — if they can be traced at all. The major trap with any legislation, of course, is that it will not cover the entire Internet, and is thus unlikely to be effective in a practical sense. It may be illegal to send unsolicited email to persons residing in certain states of the US, but what do I care, being a citizen of Australia?

One could make a reasonable case for enacting anti-spam law based on anti-junk-fax law, but even that is problematic because Internet providers are not common carriers — a legal status which protects the provider from certain liabilities whilst obliging them to act on behalf of the government in certain circumstances. The regulatory issues associated with the "common carrier" status make it unattractive in the general sense — and then you still have the problem that the law varies from point to point on the Internet.

The EFF describes industry attempts at spam-combatting as "failed", on the other hand, not because they can't and/or don't block spam successfully, but because they also block legitimate mail to some extent. In the most extreme case, an RBL subscriber who is also a backbone carrier may simply instruct their gateway routers to "drop" all packets originating from or destined for a network considered rogue. The effect, from the perspective of the blackholed network, is something like a partial Internet "blackout". If spammers and non-spammers alike are using the impacted network, they all suffer the same fate, and this is the EFF's main beef with the approach.

I can see their point, but I think they're taking an unbalanced view. In this report, they are exhorting ISPs to take a certain technological approach to spam which doesn't use the effectively thermonuclear technique of blackholing entire networks. You'll note that they're not suggesting that spammers take any particular action. Why not? Precisely because spammers are selfish, evasive, and unethical — demonstrating themselves to be bluntly uninterested in anyone else's preferences or desires. There's no point in preaching to that particular audience. And this is precisely what has driven organisations like MAPS to take a hard line against spammers in the first place. The anti-spam mob have already been through all the milder approaches, and they didn't produce satisfactory results.

This is ultimately a question of priorities. The EFF is taking such a radically pro-free-speech attitude here that the dropping of a single non-spam message is enough to justify the abolition of all anti-spam measures. The anti-spam crowd, myself included, responds "unrealistic!" The very presence of spam results in lost messages because of mail servers crashing or inboxes being so full of crap that legitimate mail can't be found. Anti-spam measures are entirely justifiable so long as your net email experience is better with them than without them. If a blocking system stopped nine out of ten spams and only one in a hundred legitimate mails, I'd want it on my system, even if the EFF wouldn't.

Personally, I'm no longer using MAPS, but taking a private blacklist approach to the problem. I take a very severe approach to blocking, whilst doing my best to make sure that any legitimate mail user that falls foul of my list gets a reasonable message instructing them how to get around the block. It's entirely possible that I've missed legitimate emails as a result of my blocking efforts, but from my evaluation of the mail logs, I'm much better off with the blocking than without it. And I still get more spam than legitimate mail.

Lastly, I agree with the EFF's general sentiment of "providing end-users with adequate tools to filter unwanted messages on the receiving end" as the correct approach to combatting spam. Unfortunately, the existing mail protocols aren't terribly amenable to it. Part of my personal hate for spam comes from the fact that I pay for it, being bandwidth-billed as I am. I don't have any choice in the matter — if I could go elsewhere I would have done so at the first opportunity. The kinds of "filtering" approach suggested by the EFF can, in general, only be applied after you've received the entire email. By that stage, all the bandwidth-related damage is done, and the only remaining damage control consists of pre-filing the mail in a particular folder — such as "trash".

Real, effective, end-user-driven countermeasures to spam will only be possible with radical changes to the existing email transport infrastructure — a change that is not likely to happen any time soon. Believe it or not, however, I'm working on it. That's what Nutters are for, more or less.