'Knock-Knock' - A Modest Proposal For Client-Side SPAM Suppression

Tim Daneliuk (tundra@tundraware.com)
TundraWare Inc.

August 24, 2002

Copyright © 2002 TundraWare Inc.  Permission to freely reproduce this material is hereby granted under the following conditions: 1) The material must be reproduced in its entirely without modification, editing, condensing, or any change. 2) No fee may be charged for the dissemination of this material.  Commercial use such as publishing this material in a book or anthology is expressly forbidden. 3) Full attribution of the author and source of this material must be included in the reproduction.

Defining The Problem

OK, we all are sick of the garbage we see in our email boxes.  Electronic junk mail clutters our computers, wastes our time, and costs businesses untold millions in the resources consumed passing this nonsense around.  Unsolicited emails are also probably the single biggest vector for passing around computer viruses.  Worst of all, they are the prime vehicle for propagating fraudulent and otherwise illegal schemes..

So, what would a "perfect" SPAM suppression look like?  In my view, it would exhibit these properties:

This sounds ambitious, but it may turn out to be pretty simple to do.   I hasten to point out that I'm "thinking out loud" here.  This idea may be bad, dangerous, or just dumb.  If so, let me know, and I'll slink off quietly into the weeds ...

Why Current Anti-SPAM 'Solutions' Aren't

Some technology has been brought to bear on this problem on the server side (MAPS/RBL) as well as the client side (SPAM detection systems), but they suffer from a number of limitations.  The server side solutions are effective only to the extent that a well-known point of SPAM origination is known.  Keeping the databases up-to-date with every new open relay on the Internet is essentially impossible.  Other solutions such as the 'sendmail' access database are administratively intensive.  They're fine for a small business or SOHO operation, but are impractical if the mail server is responsible for a large user community getting SPAM from lots of  different places.  Moreover, most SPAM has forged headers making it effectively impossible to determine the true point-of-origination of the message.

The client-side solutions also work to some degree by doing textual analysis and scoring a message to see if it is legitimate.  However, this too has a number of problems.  First, all such approaches to-date (at least that I have seen) are heuristic in method - there is not a canonical method of separating junk email from desired email with 100% correctness.  Secondly, these kinds of  systems are typically more complex to set up than the average non-technical user can probably handle.  Thirdly, these systems require a fair amount of CPU horsepower to run the textual analysis heuristic.  That's fine on a Pentium, but what about a mobile device like a PDA or a cell phone?  Here computation time translates directly into reduced battery life, the bane of all traveling devices.

A Modest Proposal - 'Knock-Knock"

I make no claim the the approach outlined below is entirely new or novel.  Elements of this exist already, but I've not yet seen it all packaged into a single mail client (if it has been, please let me know), and it is this integration of features that makes this approach work, IMHO.  I call this the 'Knock-Knock" method.

The central idea here is that instead of trying to identify SPAM, we design a system to recognize legitimate senders and discard all else as SPAM.  In effect, we want to push the "opt in" mechanism to the end-user and take it away from the bulk mailer.  This has to be a client-side technology because who a "legitimate sender" is will vary considerably by individual email recipient.  To do this, I would suggest adding the following behaviors to every mail client.  They're not complicated and ought to serve pretty much every one of the goals stated above:

There are also some advanced twists we might want to add to our client:

In summary, then,  we enable email passing into an Inbox based on multiple selection criteria:

The first two alone ought to knock out pretty much all SPAM, which meets our original objectives.  For really strict SPAM suppression, you could turn off the last three and require presence in an Address Book for validation.  Moreover, it is being done it a way that is entirely compliant with existing RFCs.   The X-Header would be ignored by non-'Knock-Knock' clients who would deliver such mail unconditionally.  The only problem here is that such clients could potentially forward such a message with the KKID intact.  The more this gets passed around electronically, the more exposed you become to having it harvested and used to get into your system.  In that case, you could switch to a new KKID - only people who were not yet in your Address Book and had your old KKID would be affected.  This is still way better, IMHO, than putting up with bags of SPAM.

What This Will NOT Solve

Assuming this all works as it should, there are still some problems this aproach does not solve:

What About 'Free Speech'?

Finally, we should dispose of the (really stupid) argument that suppressing unwanted email is a form of limiting Free Speech - a value dear to all free societies.  This argument has been used by bulk emailers in legal action against some of the existing anti-SPAM mechanisms, and this argument is complete nonsense.  In a free society, you are absolutely entitled to speak your mind as you see fit with few limitations.   "Speech", in this case, has been defined by the courts to pretty much embrace any form of personal expression including written works, music, photographs, movies, and yes, email.  There are a few limitations on such expression - your Free Speech does not include the right to engage in fraud, violence, threats, and so forth, but that's pretty much it.  However, and this is key, an individual's right to free expression does not include the right to be heard!  I have no moral or legal obligation to listen just because you are talking.  Arguing that suppressing SPAM inhibits Free Speech is effectively arguing that the mass emailers have an even more specific right to make you listen to their foolishness. Hogwash!

One other reason I am drawn to this approach is that it would remove the instinct for the Government to stick its Big Nose into the issue. The Congress Critters are making noises about finding a regulatory "solution" to SPAM. This means it will be ineffective, complicated, expensive, and useless. Better we should find our own solution without "help" from Washington.


Like I said, I'm just Thinking Out Loud here.  I'd be very interested in comments, input, and improvements...