The Future of Email
Posted by Scott Laird Mon, 03 Nov 2003 23:29:09 GMT
VentureBlog has an interesting bit on spam, claiming that spam is going to give Microsoft control over the entire email server market. The logic is kind of interesting; basically it boils down to using your Exchange server license as a bond against sending spam. If you spam, they yank your license, so owning a valid Exchange server license is an automatic key to spam whitelisting:
However, corporations are already shelling out big bucks for email - specifically for Microsoft Exchange or IBM/Lotus which between them have 75% of the corporate market.
Microsoft could just provide a stamp on each outgoing message (think public key cryptography) identifying that it came from a specific Exchange server. This would be verified with Microsoft, which would provide a whitelist of valid Exchange servers to every anti-spam company. [VentureBlog]
Three problems with this:
- Bayesian filtering seems to work really well. My home email filter is over 99% effective right now, blocking roughly 200 messages per day with no false positives.
- Spammers are already using viruses to generate open relays. How long will it take before office computers are attacked deliberately to use their whitelisted Exchange server for spamming?
- The liability issues of point 2 will effectively keep Microsoft from blacklisting large customers, even when bushels of spam are pouring out of their servers.
So, in short, I think it’s a neat idea, and I wouldn’t be surprised if Microsoft tries it, but it isn’t going to help. In fact, it’ll probably just make corporate PCs even more attractive to spammers.
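The stamp-and-whitelist scheme from the quoted proposal, worked through as an added example (not code from the original post or from any vendor's product): Ed25519 stands in for the unspecified public-key scheme, the Stamp/Registry/LicenseID names and the "LIC-1" license are assumed, and the revocation set plays the blacklist that points 2 and 3 argue about. It also shows the weak spot: mail from a hijacked licensed server verifies cleanly until somebody actually revokes the license.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Stamp: what a licensed server attaches to outgoing mail (hypothetical field names).
type Stamp struct {
	LicenseID string
	Sig       []byte
}
// Registry stands in for the vendor-published whitelist plus the blacklist's revocations.
type Registry struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}
// canonical fixes the bytes the signature covers, so the envelope cannot be swapped later.
func canonical(from, to, body string) []byte {
	return []byte("from:" + from + "\nto:" + to + "\n\n" + body)
}
// StampMessage is the sending server's side of the exchange.
func StampMessage(id string, priv ed25519.PrivateKey, from, to, body string) Stamp {
	return Stamp{LicenseID: id, Sig: ed25519.Sign(priv, canonical(from, to, body))}
}
// Verify is the receiving filter's side. A hijacked server's spam still comes back
// "whitelisted" until its license is revoked: the stamp proves origin, not intent.
func (r Registry) Verify(s Stamp, from, to, body string) string {
	pub, ok := r.Keys[s.LicenseID]
	if !ok {
		return "unknown"
	}
	if !ed25519.Verify(pub, canonical(from, to, body), s.Sig) {
		return "bad-signature"
	}
	if r.Revoked[s.LicenseID] {
		return "revoked"
	}
	return "whitelisted"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one licensed server's key pair
	reg := Registry{Keys: map[string]ed25519.PublicKey{"LIC-1": pub}, Revoked: map[string]bool{}}
	st := StampMessage("LIC-1", priv, "a@corp.example", "b@x.example", "hi")
	fmt.Println(reg.Verify(st, "a@corp.example", "b@x.example", "hi")) // whitelisted
	reg.Revoked["LIC-1"] = true // blacklist operator pulls the license after abuse
	fmt.Println(reg.Verify(st, "a@corp.example", "b@x.example", "hi")) // revoked
}
```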

Scott –
Good comments on my post at VentureBlog. Some quick responses.
Two issues. First, Bayesian filtering is individual and works less and less well (by definition) as you increase the sample set to include the company. It works very poorly at server levels, since one man’s spam is another man’s treasure and false positives go up too much.
Additionally, the corporate problem is only partly spam getting to users. As big an issue is overloading of servers as a higher and higher proportion of email is spam, and all of it needs to be “quarantined” for a while just in case good messages were held. This pretty much mandates a server side solution, which (for reasons stated above) can’t be Bayesian.
Yep – the problem gets switched into one of preventing your server from being hijacked rather than preventing spam. The first is much easier than the second. Even better, the damage of being put on a blacklist puts the cost of lax security on the company that needs to do the security. Presently, that cost is carried by the network (since the recipients of what you send out are hurt, not you). Economics to the rescue again, as the new system will lead people to secure their systems better.
I didn’t get into this because the post would have been too long – I didn’t say Microsoft had to keep the blacklist. The current public domain blacklists will work just fine (they’ll just have to use the Microsoft “from” server instead of IP address). Microsoft doesn’t need to do this themselves. A company that finds itself on the blacklist needs to decide whether to get a new copy from MSFT or to try to get off the blacklist – much the same as companies need to go through today with their IP address blacklisting. This method just makes the blacklists work in a way they don’t today.
That said, I’m not necessarily saying turning over email to MSFT & IBM is a good thing – only that it is likely to happen.
Thoughtful comments…