If we knew how to deploy such a radical change as sender pays, we would surely also know how to do the much easier task of replacing SMTP with a protocol that is secure by default.
* Every message is signed by the sending client.
* Every message is signed by the originating mail service.
* Every mail receiving service performs access control on inbound messages
* Every mail client performs access control on messages
Messaging abuse isn't entirely absent on Facebook, Skype, Signal, etc. but it is virtually non-existent compared to telephone and email. We are rapidly reaching the point where a large number of customers are going to start unplugging from POTS and only use it for voice mail because the level of abuse is utterly insane.
Subjecting every message to access control is pretty straightforward when you can start with the principle that every message is authenticated by the sender. Defining a set of access control rules that work for me is pretty straightforward.
1) I will accept a contact request of 200 characters or less from anyone
2) I will accept requests from anyone in my contact book that are compatible with the authorizations specified there (e.g. Alice can send me mail or voice, Bob only voice, Carol can send me code, etc).
3) I will accept messages from anyone who has attended an IETF meeting or is a member of an an affinity group I am a member of (school, university, etc. etc.)
4) Reject everything else
Trying to shoehorn this into the legacy SMTP environment is tough because the default is insecure. But there are plenty of closed environments that don't use SMTP which could switch to another messaging protocol.
While I was writing this, I was interrupted by the Nest telling me something I didn't need to know. There is also a 'secure' messaging center on the Nest site and I have the same for each of my banks, brokers, etc. Wouldn't it be nice if all of those could send me messages using a protocol they know is secure and meets their HIPPA, GDPR, MMQF, etc. requirements?
As John points out the telephone system is collapsing. Most of the complexity goes into collecting payments at the per call level that are irrelevant in a world that is moving to flat rate.
On Wed, Dec 18, 2019 at 9:21 AM John R Levine <johnl@xxxxxxxxx> wrote:
On Wed, 18 Dec 2019, George Michaelson wrote:
> IF we had implemented sender-pays, the SPAM problem would be radically
> different. It would still be there, and the existence proof is SMS
> spam.
I wrote a white paper on e-postage in 2004. Nothing has changed since
then other than that some of the numbers would have a few more zeros.
https://www.taugh.com/epostage.pdf
tl;dr:
Nobody knows how to run a payment system for billions of messages a day
Nobody knows how to pay for a payment system for billions of messages a day
Nobody knows how to manage a payment system for billions of messages a day
Typical problem: botnet takes over Grandma's computer and sends a spam
blast. Does she pay the postage? If not, who does? If the answer is
nobody does, how is that an e-postage system? Keep in mind that every
spammer in the world will claim to be a botted grandmother (many already do..)
R's,
John
PS: The current STIR/SHAKEN mess reminds us that settlements in the phone
system no longer work either.
