David A. Wheeler's Blog

Thu, 08 Jul 2004

Countering Spam Using Email Passwords

I’ve been having a great deal of success countering spam using a simple technique that I call “email passwords”. It’s been mentioned on my website for a long time, but I thought it might be helpful to others if I gave a more detailed description of them and how they work.

As a result, I’ve just released a short essay titled “Countering Spam Using Email Passwords” which describes email passwords, including how they work and how to implement them. The idea is pretty simple: if a stranger wants to contact you, tell them to include an ‘email password’ in the subject line. Then provide the email password in a shrouded way on your website so that legitimate senders can get it, but so it’s a pain for a spammer to get. If a spammer gets the email password, you can simply change it. I also use a “reply indicator” text phrase in my replies, so that legitimate replies are also less likely to be labelled as spam. But simple isn’t necessarily bad! Combined with other anti-spam tricks (like whitelists, content filters, and blacklists), I get really useful results.
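To make the stages concrete, here is a small filter written in Python as an added example (it is not code from the essay or from this blog). The password, reply indicator, whitelist addresses and the sample messages are all hypothetical values constructed for the example; the filter auto-accepts mail that passes the whitelist, email-password or reply-indicator test and hands everything else on to ordinary content filters.

```python
import email
from email import policy
from email.utils import parseaddr

# Settings assumed for this example (hypothetical values). The recipient
# chooses them, publishes the password on the website in shrouded form,
# and changes it as soon as spam starts arriving with it.
EMAIL_PASSWORD = "bluegoose"        # strangers must put this in the Subject
REPLY_INDICATOR = "[dwreply-42]"    # phrase the recipient adds to own replies
WHITELIST = {"alice@example.org"}   # known correspondents

def classify(raw, password=EMAIL_PASSWORD, indicator=REPLY_INDICATOR,
             whitelist=WHITELIST):
    """Return the first rule that accepts the message, or 'filter' to hand
    it on to ordinary content filters and blacklists."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if sender in whitelist:
        return "accept:whitelist"
    if password.lower() in subject.lower():
        return "accept:password"
    # A genuine reply quotes the recipient's earlier message, which carried
    # the reply indicator, so look for it in the subject and body.
    if indicator.lower() in (subject + "\n" + text).lower():
        return "accept:reply"
    return "filter"

# Constructed sample messages (not real mail).
STRANGER = "From: Bob <bob@example.net>\nSubject: Your essay (BlueGoose)\n\nHi!\n"
FRIEND = "From: Alice <alice@example.org>\nSubject: lunch?\n\nTomorrow?\n"
REPLY = ("From: Carol <carol@example.com>\nSubject: Re: thanks\n\n"
         "> Glad it helped. [dwreply-42]\nOne more question...\n")
SPAM = "From: x@example.test\nSubject: Cheap pills\n\nBuy now\n"

if __name__ == "__main__":
    for name, raw in [("STRANGER", STRANGER), ("FRIEND", FRIEND),
                      ("REPLY", REPLY), ("SPAM", SPAM)]:
        print(name, classify(raw))
    # Rotating the password retires any copy a spammer harvested.
    print("old password after rotation:", classify(STRANGER, password="redfox"))
```

Note that the whitelist test trusts the From header, which spammers forge, so it is the weakest of the three stages; the password and reply-indicator tests do not depend on the sender address.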

I suspect other people have done this too, but I haven’t seen anything written about email passwords before. Maybe it’s in many places and I just missed it; sorry if I have. Maybe some people will point me to prior work (I could update my essay to reference some). But since I’ve read about many anti-spam approaches without seeing a discussion of this approach, I suspect others haven’t heard of this either. It’s similar to challenge-response systems, but there’s no actual challenge. While it’s not perfect, it definitely helps.

In the long term, I believe that governments must step in and make spamming illegal, with serious legal teeth (including possible prison terms and financial bankruptcy) for the spammer and the people who fund them, as well as making spamming itself illegal (instead of just fraudulent headers and spamming after a “please stop” message). Spamming is a massive denial-of-service attack against people’s email accounts, and it’s basically a theft of service. After all, it doesn’t matter if you own an email account if you can’t use it. But the history of computer crime law shows that this takes time; it took a long time for laws to be written to criminalize computer crime, and it’s really still in process. Current laws are completely ineffective (especially the U.S. law), but that’s not surprising; lawmakers often try to make small steps in the hopes that they will solve the problem. Eventually laws with real teeth will have to be written, or email will be useless. Since legislatures like to use email, and have constituents who will throw them out if their email is taken away, in the long term this will be addressed.

But in the short term, we need to use email in spite of inadequate laws. Approaches like email passwords will hopefully make it possible to keep using our email until the legislatures around the world catch up to the technology.

If you’re curious, you can also see my essay on stopping spam and my paper on guarded email. I’ve also written several articles on other topics you may find interesting, including writing secure programs and quantitative reasons why you should consider open source software / Free Software when acquiring software. And of course, you can always visit my home page.
