Dean Anderson wrote:

> It isn't the case that the spammer
> intended to send a message about the superbowl, but somehow "noise"
> altered the message to a solicitation on viagra. Rather, they intended to
> send a message on viagra, and you received their message, noise free.
> But seeing the solicitation for viagra, you became upset, and reported a
> complaint about the inappropriate use of the channel. In
> information-theory-speak, you report a "communication in violation of the
> security model"; a covert or sneaky channel.

I guess we agree that if the message can be read by the intended recipient then it's not in a covert channel. A covert channel is one that can't even be detected by the intended recipient.

But, you may ask, "who" is the intended recipient? In anti-spam email systems, we can usually recognize three "whos":

#1: My MTA
#2: My MUA
#3: Myself

The spammer's strategy is to send the spam message in such a way that it is undetectable by my MTA-MUA, while it is detectable and readable by me. In short, it needs to use a covert channel through my MTA-MUA, but not to me.

An example of such a covert channel is if a spammer hides information in the subject line by using wrongly spelled forms of "viagra", information which my MTA-MUA cannot detect. It's not a covert channel for me but it is for my defenses. But, once that message passes through to me, it becomes detectable, readable and I call it spam.

Does this mean that spam is defined by the rule "I (only) Know It When I See It!" and we have to accept a large failure rate in preventing spam, that can only be solved by laws and law enforcement?

I want to emphasize that it does not have to be. Suppose a user can make email senders pay a burden at their MTA or even at their MUA (e.g., a bounce requesting encryption and solution to a puzzle). In addition, using a selective scale defined by the user (so that selected mail senders have less burden) at their MTA and MUA, the user can make the spammer pay a price *as high as desired* by the user (not limited by R. Brown's comments).

In such a case, the covert channel cannot even be established unless the spammer pays a price -- a price that can be *as high as desired* by the *user*. This is the essence of the proposal (the devil is in the details).

I take the example of the front door of your house. If you leave it open, so that a thief has no burden getting in, a thief probably will steal something from you -- even though the law says that theft is illegal.

What we need is to put a lock into our email communications door. A lock that can be as hard to pick as the user wants, and yet easy to use as the user wants it to be used.

Spammers are thieves -- they steal time and resources, they make us reject legitimate email. They cost a lot of money to all of us. They have not been and will not be deterred by law alone. There is also no "world law" and spammers are often hiding behind legitimate users that change all the time. We can't lock the spammers' doors everywhere, we have to lock our door at our house.

BTW, to propose something simple, "running code" helps before any discussion. In a system as complex as email, however, one would have to be naive to even think about "running code" before "running comments." I thank you all for the public discussion on this topic, through which I have learned a great deal, including people's first barriers to change.
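An added illustration of the sender-pays idea in the message above, not code from the post or its author: the message does not say what the puzzle is, so a hashcash-style SHA-256 partial-preimage puzzle is swapped in here, with a recipient-defined difficulty per sender. The addresses, the policy table, the bit counts and all function names are constructed for the example, and it assumes the sender address has been established by other means.

```python
import hashlib
import os

# Constructed per-recipient policy: required leading zero bits per sender.
POLICY = {"friend@example.org": 0, "list@example.net": 8}
DEFAULT_BITS = 12          # burden for unknown senders; raise to charge more
OUTSTANDING = set()        # challenges issued and not yet redeemed

def required_bits(sender):
    """The user's selective scale: known senders pay less, strangers pay the default."""
    return POLICY.get(sender.lower(), DEFAULT_BITS)

def issue_challenge(sender, recipient):
    """Challenge sent back in the bounce; bound to both addresses and a fresh nonce."""
    challenge = f"{sender.lower()}:{recipient.lower()}:{os.urandom(8).hex()}"
    OUTSTANDING.add(challenge)
    return challenge

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def verify(challenge, counter, bits):
    """Cheap for the recipient: one hash, whatever the difficulty."""
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= bits

def solve(challenge, bits):
    """Sender's side: expected work doubles with every extra bit."""
    counter = 0
    while not verify(challenge, counter, bits):
        counter += 1
    return counter

def accept(sender, recipient, challenge, counter):
    """Recipient's gate: unknown, mismatched, replayed or unpaid challenges fail."""
    if challenge not in OUTSTANDING:
        return False
    if not challenge.startswith(f"{sender.lower()}:{recipient.lower()}:"):
        return False
    if not verify(challenge, counter, required_bits(sender)):
        return False
    OUTSTANDING.discard(challenge)   # one message per solved puzzle
    return True

if __name__ == "__main__":
    ch = issue_challenge("stranger@example.com", "me@example.org")
    n = solve(ch, required_bits("stranger@example.com"))
    print(accept("stranger@example.com", "me@example.org", ch, n))
```

Each accepted message consumes one solved challenge, so the cost is paid per message and per recipient rather than once per campaign.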