[messaging] Spam-resistance of different systems

Tom Ritter tom at ritter.vg
Wed Sep 24 06:18:36 PDT 2014


On 23 September 2014 16:35, Joseph Bonneau <jbonneau at gmail.com> wrote:
> To that list we can apparently add Kik and its 150 million users.

Kik sees spam.  How much, I'm not sure; how well they combat it, I'm
not sure.  But I know there are at least two different campaigns that
have happened on it - one trying to drive installs of various App/Play
store games, another is a porn bot.  Googling reveals the latter; the
former was shown to me by an acquaintance who wanted help
understanding what was going on.  It's apparently enough to make blogs
and news.




Like Joe mentioned, every system you've listed is mobile-only and (at
least for iMessage, probably BBM and Wickr also) wrapped up in a
client that's difficult to reverse engineer.




If we want to consider spam, we should also consider SMS spam, which
was combatted fairly effectively by a couple aspects.  (According to
Wikipedia)

1) Making recipients pay for the messages (in the early days).  When
recipients paid for spam in money as well as attention - lawmakers got
involved and attached hefty fines.
2) Rate: slow sending rate means a mobile can get shut down before it
sends too many.  Figure, 86400 messages a day - you can get maybe a
couple days out of a phone?

The other kinds of spam are telephone spam and postal mail spam.  I'm
not sure where they rate in cost to sender, but both have legal
penalties attached to them, I believe.  Postal and telephone spam I'm
reasonably confident are not done with content scanning.  SMS spam is,
probably.

TextSecure is getting larger, with CyanogenMod installs, and some
central server where you can look up pre-keys.  It's all Open Source.
I wonder if we'll see TS spam.




If the goal is a new, non-email system, it seems like it would be
beneficial without penalty if we could attach ourselves to the
CAN-SPAM act.  The requirements for this are probably meeting the
definitions set in the law:

            (4) Domain name.--The term ``domain name'' means any
        alphanumeric designation which is registered with or assigned by
        any domain name registrar, domain name registry, or other domain
        name registration authority as part of an electronic address on
        the Internet.

            (5) Electronic mail address.--The term ``electronic mail
        address'' means a destination, commonly expressed as a string of
        characters, consisting of a unique user name or mailbox
        (commonly referred to as the ``local part'') and a reference to
        an Internet domain (commonly referred to as the ``domain
        part''), whether or not displayed, to which an electronic mail
        message can be sent or delivered.

http://www.gpo.gov/fdsys/pkg/PLAW-108publ187/html/PLAW-108publ187.htm



Strengthening a provider reputation system seems very likely to lead
to tremendous centralization and exclusion for people who want to run
their own domain. Large providers already shut out small domains
regularly, I heard that AOL had blocked a community provider for some
time, and RiseUp's page has a few horror stories:
https://help.riseup.net/en/spam

However, there can be measures taken at the provider level which are
federated, automatic, and strengthen the provider reputation
automatically.  SPF, DKIM, and DMARC all raise the cost per message
for a spammer.  If we get usage of these accelerated like we've
accelerated StartTLS, one can strengthen spam heuristics based on
them.  Enough by itself to forgo content scanning right away -
probably not. But it's a start, and it exists, is specified, has
running code, and is deployed at scale.


Strengthening the reputation at a user level is what Google does with
phone signups, and they see good success with that.  So my thought
goes to a way to do that in a privacy preserving manner or to come up
with something else that's as simple and more private.

-tom
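The provider-level heuristic Tom alludes to (let SPF, DKIM and DMARC results feed the spam score before any content scanning) can be sketched as a small receiver-side check. The following is an added example, not code from the post or from any of the projects mentioned: it reads the Authentication-Results header stamped by the receiving MTA (RFC 8601), checks DMARC identifier alignment (RFC 7489) of the From domain against the SPF envelope domain and the DKIM d= domain, and turns the outcome into a coarse score. The authserv-id `mx.example.net`, the sample messages, the domains and selector names, and the score weights are all constructed for illustration; the organizational-domain reduction is a deliberate simplification of the Public Suffix List lookup real DMARC implementations use.

```python
"""Score inbound mail by SPF/DKIM/DMARC results (added example).

Assumptions: our border MTA writes Authentication-Results with the
authserv-id below; everything else is constructed sample data.
"""
import email
import email.utils
import re

# Only trust Authentication-Results written by our own MTA.  RFC 8601
# requires a receiver to strip any such header it did not add itself,
# because a sender can simply forge one.  (Name is an assumption.)
TRUSTED_AUTHSERV_ID = "mx.example.net"


def organizational_domain(domain: str) -> str:
    """Simplification: keep the last two labels.  Real DMARC consults the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_authentication_results(value: str) -> dict:
    """Parse one header value into
    {"authserv_id": str, "results": {method: {"result": str, "props": {}}}}.
    Parenthesised comments such as 'spf=pass (sender IP is ...)' are dropped."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return {"authserv_id": "", "results": {}}
    authserv_id = parts[0].split()[0]
    results = {}
    for clause in parts[1:]:
        tokens = re.sub(r"\([^)]*\)", "", clause).split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.strip('"')
        results[method.lower()] = {"result": result.lower(), "props": props}
    return {"authserv_id": authserv_id, "results": results}


def aligned(from_domain: str, other: str, relaxed: bool = True) -> bool:
    """DMARC identifier alignment: relaxed compares organizational domains,
    strict requires an exact match."""
    if not other:
        return False
    if relaxed:
        return organizational_domain(from_domain) == organizational_domain(other)
    return from_domain.lower() == other.lower()


def evaluate(raw_message: str, relaxed: bool = True) -> dict:
    """Return the SPF/DKIM results, their alignment with the From domain,
    and a coarse spam score (0.0 = aligned pass, 1.0 = nothing vouched)."""
    msg = email.message_from_string(raw_message)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    spf_result = dkim_result = "none"
    spf_aligned = dkim_aligned = False
    for header in msg.get_all("Authentication-Results", []):
        parsed = parse_authentication_results(header)
        if parsed["authserv_id"].lower() != TRUSTED_AUTHSERV_ID:
            continue  # not ours: possibly forged by the sender, ignore it
        res = parsed["results"]
        if "spf" in res:
            spf_result = res["spf"]["result"]
            # smtp.mailfrom may be a full address or just a domain
            mailfrom_domain = res["spf"]["props"].get("smtp.mailfrom", "").rpartition("@")[2]
            spf_aligned = spf_result == "pass" and aligned(from_domain, mailfrom_domain, relaxed)
        if "dkim" in res:
            dkim_result = res["dkim"]["result"]
            dkim_aligned = dkim_result == "pass" and aligned(
                from_domain, res["dkim"]["props"].get("header.d", ""), relaxed)
    dmarc_pass = spf_aligned or dkim_aligned
    if dmarc_pass:
        score = 0.0          # the From domain's own infrastructure vouched for it
    elif spf_result == "pass" or dkim_result == "pass":
        score = 0.5          # someone vouched, but not the From domain (forwarder, ESP, or spoof)
    else:
        score = 1.0          # no provider vouched at all: pure content-scanning territory
    return {"from_domain": from_domain, "spf": spf_result, "spf_aligned": spf_aligned,
            "dkim": dkim_result, "dkim_aligned": dkim_aligned,
            "dmarc_pass": dmarc_pass, "score": score}


# Constructed sample messages (not real traffic).
MSG_ALIGNED = """From: Alice <alice@example.com>
To: tom@ritter.vg
Authentication-Results: mx.example.net; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.example.com; dkim=pass header.d=example.com header.s=sel2014; dmarc=pass header.from=example.com
Subject: hi

body
"""

MSG_ESP = """From: Bob <bob@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@bulk-sender.example; dkim=fail header.d=bulk-sender.example
Subject: newsletter

body
"""

# The sender prepended its own forged Authentication-Results; ours came later.
MSG_FORGED = """From: carol@example.com
Authentication-Results: mail.attacker.example; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none
Subject: urgent

body
"""

if __name__ == "__main__":
    for name, m in (("aligned", MSG_ALIGNED), ("esp", MSG_ESP), ("forged", MSG_FORGED)):
        print(name, evaluate(m))
```

The forged-header case is the caveat that matters in practice: a relaxed check that believed any Authentication-Results header would rate the spoof as clean, which is why the authserv-id filter comes before anything else. Strict alignment (`relaxed=False`) knocks out the SPF pass in the first message because the envelope domain is a subdomain; DKIM still carries it.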

