
Pay-per-email and the "Market Myth"

Posted by CmdrTaco
from the if-you-only-read-one-article-today dept.
Bennett Haselton has written a thoughtful piece on the latest developments in the pay-for-email schemes making the rounds from some of the big players in the world of AOL. This one is really worth your time, so please click on and read what he has to say.

AOL created quite a stir in February when they announced that senders would soon be able to bypass the company's junk mail filters by paying a quarter-penny per message to a company called Goodmail, which would split the revenue with AOL. EFF and MoveOn.org argued, in an open letter posted at DearAOL.com and co-signed by many groups including Peacefire, that once the big players were able to bypass AOL's mail filters for a fee, there would be less pressure on AOL to fix problems with non-paying senders being blocked, and that the quarter-penny would become a de facto "e-mail tax" for newsletter publishers if other ISPs followed suit.

At the N-TEN conference last Thursday in Seattle, I had the chance to talk to Charles Stiles, the AOL postmaster, and Richard Gingras, the CEO of Goodmail, after a panel discussion about Goodmail's system, where they clarified some issues. First, if you pay for a GoodMail stamp, your mail not only bypasses AOL's junk mail filters, it also gets displayed to the user with a blue ribbon indicating "This mail has been certified" -- which is a promise to the user that GoodMail has actually done a "background check" on the organization and found them to be a "good actor". (So it's mainly useful for banks, as a way of saying "This is not a phishing attack", and for charities, as a way of saying "We are a legitimate charity".) Stiles said that AOL will continue offering a free whitelisting program for people to bypass the filters, where anyone can apply to join the whitelist (even though this can be easily abused by spammers as well, but AOL offers it anyway because most spammers don't bother). If you're on the whitelist, you don't get the little blue "Certified Email" ribbon, but you do get past the junk mail filters.

So, what's everyone so worried about, if anyone can bypass the filters for free? Well, one problem is that this is where Hotmail used to be, before they started requiring senders to pay a fee to bypass their filters. At one time, if your newsletter was being wrongly blocked by Hotmail, you could fill out a questionnaire with some verification information, and they would add you to the whitelist, which is what we once did to get the Peacefire newsletter un-blocked. However, once Hotmail started using Bonded Sender, a third-party company that requires you to post a $2,000 bond in order to get on their whitelist, Hotmail revoked the free whitelistings that had been given out in the past. If your newsletter is being blocked by Hotmail's filters, no matter how many people vouch for you as a non-spammer, the only way to make sure you get past the filters is to pay the $2,000 to Bonded Sender. (I refused to pay the fee, and of the last seven messages that I sent to our press list, all of them got labeled by Hotmail as "Junk Mail".)

Charles from AOL seemed sincere in saying that AOL's free whitelisting won't go away. But he can't promise or guarantee anything, and someday it'll be someone else's decision. And other ISPs, most of which do not have free whitelists, will be tempted to use GoodMail as a de facto whitelist, such that senders that don't pay will have a greater chance of being blocked.

But I think there's a bigger problem underlying all of this. It's not about specific problems with GoodMail's or AOL's or Hotmail's system. The problem is that many advocates of these systems say that any flaws will get sorted out automatically by "the market" -- and in this case I think that is simply wrong. And in fact the people on Thursday's panel can't really believe it either, because one thing we all agreed on was that Bonded Sender sucks. But has the marketplace punished Hotmail for using it? Have people left in droves because non-Bonded-Sender e-mail gets blocked? No, because if they never see it getting blocked they don't know what happens. Free markets only solve problems that are actually visible to the user.

And this is why groups like EFF and Peacefire are rallying against pay-per-mail. We don't protest bad ideas. We protest bad ideas that could cause harm because by their nature, the marketplace will not kill them. Think about it: if AOL announced that they were going to start charging $100/month for dial-up, would we care? Would MoveOn send out e-mail warnings to its AOL subscribers? Would the EFF start a coalition against it? No, because users will abandon AOL over something like that, and the marketplace will kill it. But people don't abandon their provider over wrongly blocked e-mail if they don't even know it's happening. And thus pay-per-mail could become a de facto standard because it's invisible to customers.

If Microsoft released a new version of IE with huge ugly buttons that were hard to understand, would civic-minded groups and public advocates complain? No, because that problem will sort itself out through browser competition. It's when Microsoft releases features that have bad implications for user privacy and security, that civic groups and experts complain loudly -- because most people can't assess the privacy and security risks of using their browser, and so the marketplace alone won't solve that. (Microsoft knows this, of course, which is why they have sometimes released features that have bad implications for users' privacy and security, but they never made the buttons big and ugly.)

This is what I think people like Esther Dyson don't understand, when she wrote her editorial in the New York Times: Partly she wrote why she thought GoodMail was a great idea, but mainly she wrote that she didn't see why EFF and other groups were so upset, when if the idea turns out not to work, it will die in the market. "If they [AOL] don't do a good job of ensuring that customers get the mail they want, even from nonpaying senders, they will lose their customers." But that's simply not true. Hotmail subjects anyone to random blocking who doesn't pay the $2,000 Bonded Sender fee, and there's no evidence that it has caused them to lose customers.

Private companies do not have the absolute right to do whatever they want with your mail. If you sign up to receive mail from someone, and they send you an e-mail, then that e-mail is your property; if your ISP knows that the sender is almost certainly not a spammer, then they are violating the sender's and receiver's rights if they block the message. (Not First Amendment rights -- those only apply to government laws -- but rights based on contracts and implied warranties, since I think an e-mail address comes with an implied warranty that your contacts will be able to send you mail for free. So stop composing your -- yes, this means YOU -- stop composing your message saying that First Amendment rights don't apply to private companies.) EFF and other advocacy groups are working on anti-spam solutions that respect these rights, and you may agree or disagree with their proposals. But the point is that they should be commended for realizing that the marketplace will not preserve these rights "automatically".

After the N-TEN panel on Thursday, since I had sent a "communication" to Richard Gingras from Goodmail by asking him a question, I handed him a penny and reminded him that, per his agreement with AOL, he had to give half of it to them. I hope I never have to pay Goodmail anything again to get my message through, and I hope you never have to either.

This discussion has been archived. No new comments can be posted.

  • Market Solutions (Score:3, Interesting)

    by w.p.richardson (218394) on Wednesday March 29, 2006 @11:23AM (#15017773) Homepage
    If you aren't getting emails that you are expecting, you would know about it. This would piss you off and you would find another way of getting the messages.

    If you aren't getting emails that you aren't expecting, oh well, that's spam.

    I disagree with the assertion that the market would not kill off this idea. If you aren't getting emails you expect (as has happened to me in the past) you will seek an alternative solution. If it's really important, there's this device called a telephone whereby you can actually speak with someone else in urgent situations.

  • by Metatron (21064) on Wednesday March 29, 2006 @11:24AM (#15017781)
    From my experience working for an ISP, business is more likely to be affected for organisations that don't pay for Goodmail certificates. End users just see one thing - email you sent me doesn't get to my AOL account, but email that othercorp sends me does. They don't care about the technicalities of what systems AOL is using that are getting in the way, all they see is service works from x but not y. Large email providers like Hotmail and AOL hold everyone else in the palms of their hands, either we play ball, or we lose business.
  • by YU Nicks NE Way (129084) on Wednesday March 29, 2006 @11:25AM (#15017783)
    Wow! The EFF and associates have managed to trump their past inanity.

    The author complains that his organization is unwilling to pay $2000 to send bulk mail past Hotmail's filters, and then complains that it is a violation of the sender's and receiver's rights to block the resulting mail as junk mail, basing this on an implied contract with the receiver. That reaches new heights of disingenuousness.

    First, it ignores the possibility of the recipient creating a new account somewhere else. If AOL gives people free whitelisting, and MSN doesn't -- and there's a solid market for that -- then recipients will add AOL accounts to which the whitelisted people and organizations can send. The market in recipient mailboxes is highly competitive because there's no reason for a recipient to only have one online identity.

    Second, it claims an implicit contract which is not present. There is an explicit contract between account holder and account provider: that non-spam email as viewed by the account provider will be delivered. Those are the TOS for all free email providers, to which the user acceded when he or she signed up for the service.

    Third, there's no implicit contract whatsoever with the sender -- and it is the sender who's complaining here, not the recipient. Peacefire.org is free to collect donations for its two grand -- but it won't. OK, but that's a demand the sender has made, not a choice the email provider has sanctioned. In a word...tough. Form a coalition of organizations which will prestamp the mail, if that's an issue.
  • by RingDev (879105) on Wednesday March 29, 2006 @11:30AM (#15017828) Homepage Journal
    "Hotmail subjects anyone to random blocking who doesn't pay the $2,000 Bonded Sender fee"

    Do they actually block the email, or do they just send it to your junk mail folder? I am on numerous email lists, and I find it hard to believe that any of them would have coughed up the $2k to avoid getting blocked. Those emails all go to my junk mail folder by default (I have my in box set up with a white list), which is right where I want them to go. They sit in there for 7 days for my review and get deleted on their own, no need for me to hold tri-mag build questions or Microsoft newsletters for more than a one-time read. So if the "blocking" is just getting sent to the junk mail folder, I say who cares.

    On the other hand, allowing a company to stick their emails in my in box against my wishes (like some MS and Hotmail newsletters) really annoys me. It bothers me in the same way a two tier internet bothers me. It takes away the level playing field and turns the system itself into a capitalist entity.

    But I do like the idea of a certified white list and verified emails. Anything to cut down on the number of phishing emails and exploitation of the uneducated computer using masses.

    -Rick
  • by davecb (6526) * <davec-b@rogers.com> on Wednesday March 29, 2006 @11:33AM (#15017861) Homepage Journal
    Interesting, but it doesn't go back far enough! Back in the dawn of time, a colleague showed me the mail option in ftp (!), before sending me off to write GCOS Internet Mail in my choice of B or C (;-))

    --dave

  • by maillemaker (924053) on Wednesday March 29, 2006 @12:00PM (#15018050)
    I guess I'm a luddite, but I have never been a fan of "managed email services". I don't want filtering, and I don't want to leave my messages on someone else's server.

    All I want is a data pipe, please. Don't filter my content, just give me a pipe with as much speed as I can pay for.

    I don't use email filters because I don't trust them to not block important content. When one email address starts to attract spam, I just delete it and create a new one. I put an auto-responder on the old account that says, "To my friends: this account has attracted too much spam - please contact me offline for my new email address". Within a month, everyone important has my new email. I do this ritual about once every six months.

    If I didn't have to give out my email address for every damn thing on the web I could go a lot longer.

    Steve
  • by ccozan (754085) on Wednesday March 29, 2006 @12:08PM (#15018147) Homepage
    Mind you, the original email had nothing commercial in it. It became so, thus giving birth to spam, because some of the companies offered it as a product. The only way out of spam would be creating a kind of VPN of SMTP servers, so that one accepts email only from an "authenticated" SMTP. It's wrong to solve this problem in a commercial way, because it creates corruption, while the democratic way would be to solve it technically. Maybe an SMTP authority needs to be created, a subdivision of ICANN maybe.
  • Re:the real problem (Score:4, Interesting)

    by kimvette (919543) on Wednesday March 29, 2006 @12:15PM (#15018223) Homepage Journal
    I think you're referring to spam as the consequence?

    Well, the reason mail is the way it became is that a few universities, defense contractors, and government organizations needed to communicate, and given the reliability of network equipment of the time, open relays were a necessity to ensure that email got through. The reason that something along the lines of SPF didn't come into play from the beginning is multifold; DNS wasn't around (hosts were maintained in host files at each site), every organization on ARPANET was 100% trusted, and there was no incentive to forge emails nor to do what we now call "spamming" - in fact the few early advertisements which went out in targeted emails were heavily criticized.

    When ARPANET became the Internet and DNS came into being due to the volume of hosts going online, open relays were still the standard, not due to network reliability (which had significantly improved) but due to legacy support. To maintain backwards compatibility SMTP stayed pretty much as-is from day one, and with the harsh criticisms that followed early email advertisements from trusted organizations, no one really anticipated a number of things:

      - Internet access becoming a commodity (Quantum Link and Compuserve were just coming into their own then, and dial-up to proprietary online services was the wave of the future beyond private BBSes)
      - Everyone having multiple, multiple email addresses
      - Commercial entities abusing the network

    In hindsight it was quite obvious that things like SPF would be required but given the Internet's early history (and computer networking in general) it's clear why they didn't think of security and sender verification when first implementing an email solution.

    What AOL, Hotmail, and others SHOULD do is not use that GoodMail crap (it's not good sense to do that!) but to make SPF required rather than optional. If you want to send email to AOL recipients, on your authoritative servers, you must list which hosts are actually allowed to send emails from your domain via an SPF record, and all emails from your host not meeting the SPF rules will be regarded as spam and not even make it to the receiver's inbox.

    This puts the onus totally on the senders. Want your mailing lists to make it through to the receiver? Make sure your listserver is listed in your SPF rules.

    This is why SPF was proposed in the first place; to overcome issues arising from legacy support, to work around open relay-originating spam without having to block legitimate email from open relays, and to avoid the need for whitelisting.

    Want to learn more about SPF? Check out http://www.openspf.org/

    Posting this reminds me: I need to update our SPF records. Oops! :-/
  • by Russ Nelson (33911) <slashdot@russnelson.com> on Wednesday March 29, 2006 @12:19PM (#15018259) Homepage
    You mean, they should invent DomainKeys [yahoo.com]?
  • by BlackStar (106064) on Wednesday March 29, 2006 @12:40PM (#15018464) Homepage
    Thawte does have a free email certificate. This allows a community verification network to validate and certify users in a very real way. Since the identities are traceable via digital signature to the real world sender, this could allow for MTAs to allow through the Thawte certified email automatically. That could become an alternative in some scenarios, especially if popularized in conjunction with GPG/PGP style signing. Add these authorities as "root-level" authorities that are always trusted.

    Again the obscurity and technical level puts these at a disadvantage without a more thorough presence in popular consciousness.

  • Re:the real problem (Score:3, Interesting)

    by dgatwood (11270) on Wednesday March 29, 2006 @02:13PM (#15019277) Homepage Journal

    We can trivially solve 99% of the spam problem by the following measures:

    • Requiring a host key (which should be automatically generated as part of creating a domain) to be used to sign any data from your server before it can be received by anyone else's server. This prevents botnets from delivering mail directly with local SMTP clients. It also enforces some notion of culpability.
    • Requiring all end-user mail clients to use encrypted, authenticated SMTP to send mail over an encrypted channel. This will prevent most botnets from delivering mail through their ISP's mail server unless they manage to exploit a flaw in the mail app itself.
    • Requiring a per-user connection throttling as part of the updated mail server standards. No human can generate more than about an average of one email every thirty seconds. Enforce this.
    • Enforce a maximum number of recipients per message as part of the spec. Build a notion of user-owned "friend groups" into the spec. Make the technology for managing those groups site-dependent. This would mean that users who regularly email a hundred friends could still do so, but they would have to set up a group address (ahead of time) to hold them all... possibly in the form user+group_groupname@user_isp.top. This would prevent a bot from hijacking someone's email account and using it to mail a message to lots of people at once.

    If you put those characteristics into a new SMTP spec (or an overhaul of the existing spec), you will basically obliterate the ability of spammers to send out bulk email anonymously, while still protecting the ability of server operators to run mailing lists non-anonymously.

    Admittedly, there's still the issue of DNS registrars needing to assign a signed host key, to provide a standard mechanism for SMTP host key revocation, and to legitimately verify that contact info for domain names is legitimate. This should be a mandatory part of the initial registration process, and contact info verification should also be part of the registration process for creating a new NIC handle. Fortunately, much of this can be fixed with a simple policy change. The rest of the issues there are left as an exercise for the reader.
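
The per-user throttle and recipient cap from the list above, sketched as an added example that is not part of the original comment: a token bucket enforces an average of one message per thirty seconds, and a pre-registered group address of the form `user+group_groupname@domain` counts as a single recipient. The class name, the burst allowance of 5 and the cap of 10 recipients are assumptions; the comment only gives the thirty-second figure.

```python
class SubmissionPolicy:
    """Per-user throttle and recipient cap applied at authenticated submission."""

    def __init__(self, seconds_per_message=30, burst=5, max_recipients=10):
        self.rate = 1.0 / seconds_per_message  # tokens earned per second
        self.burst = burst                     # assumed allowance for short bursts
        self.max_recipients = max_recipients   # assumed cap, not from the comment
        self.buckets = {}                      # user -> (tokens, last_seen)
        self.groups = {}                       # group address -> member list

    def register_group(self, owner, name, members):
        """Create a group address ahead of time: user+group_name@domain."""
        local, _, domain = owner.partition("@")
        address = f"{local}+group_{name}@{domain}"
        self.groups[address] = list(members)
        return address

    def expand(self, recipients):
        """Replace registered group addresses with their members for delivery."""
        out = []
        for rcpt in recipients:
            out.extend(self.groups.get(rcpt, [rcpt]))
        return out

    def submit(self, user, recipients, now):
        """Return 'accepted', 'too many recipients' or 'throttled'."""
        if len(recipients) > self.max_recipients:
            return "too many recipients"  # rejected before any token is spent
        tokens, last = self.buckets.get(user, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[user] = (tokens, now)
            return "throttled"
        self.buckets[user] = (tokens - 1.0, now)
        return "accepted"


if __name__ == "__main__":
    policy = SubmissionPolicy()
    # Constructed burst: one submission every 0.7 s from a single account.
    outcomes = [policy.submit("u@example.org", ["a@example.net"], i * 0.7)
                for i in range(80)]
    print(outcomes.count("accepted"), "accepted,",
          outcomes.count("throttled"), "throttled")
```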

  • No, we aren't (Score:3, Interesting)

    by Roadkills-R-Us (122219) on Wednesday March 29, 2006 @02:54PM (#15019607) Homepage
    I get hit with over 1,000 "spams" a day at my personal address. (Yes, my filters catch most of them, but I'm talking raw numbers sent). While some of that is spam, most of it is scams, viruses, etc. And even the spam is primarily from people who aren't likely to pay even a penny for 100 mails, much less 4.

    OTOH, I send and receive a lot of legitimate email. I pay for this when I pay for my connectivity. I shouldn't have to pay again.

    Now if you let *me* decide how much a spammer has to pay me before s/he can send an email to my box, that's another issue. For $100, *anyone* can send me one email on anything. I'll even promise to read it so long as it doesn't require more than one minute of my time. And I'll give 10% to charity and 10% to my ISP to license the technology. No problem.
  • Re:the real problem (Score:2, Interesting)

    by kwark (512736) on Wednesday March 29, 2006 @05:04PM (#15020732)
    This solves nothing, 99% of spam is being sent by zombies.

    If simple smtp daemons on zombies don't work anymore, zombies simply will be updated to use the user's MUA. The spam remains but only it will be easier to hold an individual user "accountable" for its spreading.
