The Spam and Attention Bond Mechanism FAQ
Mark Benerofe, Vortex Communications
Thede Loder, Marshall Van Alstyne, Rick
Wash, University of Michigan
Note: This document is one of a group of related documents that together
describe the Attention Bond Mechanism (ABM). The ABM is a means of using
sender-posted bonds to eliminate spam, restore message quality, and improve the
value of communication for email and for other media.
The other documents are:
This document is also available as a PDF
1.2 Q: What is the Attention Bond Mechanism?
1.4 Q: How does the Attention Bond Mechanism work?
1.6 Q: Will there be an easy way to add lots of senders to my whitelist?
1.7 Q: How much does the sender put at risk?
1.8 Q: Does the sender have to pay for every message?
1.9 Q: What is a reasonable size for a bond?
1.10 Q: Will the ABM be complicated to use?
1.11 Q: How does it work (in more detail)?
1.12 Q: Can you show me a diagram?
1.13 Q: How does a sender post a requested bond?
1.14 Q: How can I add senders to my whitelist?
1.15 Q: How will use of the ABM change the value of email as a medium?
1.16 Q: When everyone uses the ABM, what are the effects?
1.17 Q: So I get back control of my mailbox?
1.18 Q: Why does the ABM work?
1.19 Q: Paying someone you know to receive your email seems weird.
What about etiquette?
1.20 Q: Why wouldn’t you just seize the bond all the time?
1.21 Q: What prevents the recipient from taking the money, regardless of the
message value?
1.22 Q: Who gets the payment if a recipient decides the email is spam?
1.23 Q: Can I keep my existing email address?
1.24 Q: Is the ABM a universal spam cure-all?
1.25 Q: What if the sender does not have an escrow account when they are
challenged?
1.26 Q: Will I have to check a second mailbox for email that was
misclassified?
1.27 Q: Will using the ABM require a credit card or a bank account?
2.1 Q: What is a bond? What is a
warranty?
2.2 Q: What is the purpose of a sender posted bond for email?
2.3 Q: Why a bond and not a warranty?
2.4 Q: How is an Attention Bond different from a product warranty?
2.5 Q: What are the advantages of allowing customized (per-person) bond
sizes?
2.6 Q: What is my optimal bond size?
How often should I seize the bond?
3 Comparison to other Approaches
3.1 Q: Why won’t filters solve the problem?
3.2 Q: What about other market-oriented approaches?
3.3 Q: Isn’t the Attention Bond Mechanism really a combination of several
other solutions?
3.4 Q: Why is the Attention Bond Mechanism a good solution?
3.5 Q: What other benefits does deployment of the ABM provide?
3.6 How does the ABM compare to other solutions?
3.6.1 How does the ABM compare to regulation and legislative solutions (such
as CAN-SPAM)?
3.6.2 How does the ABM compare to filters?
3.6.3 How does the ABM compare to sender-pays solutions?
3.6.4 How does the ABM compare to computational challenges?
3.6.5 How does the ABM compare to community filters?
3.6.6 How does the ABM compare to challenge-response with CAPTCHAs?
3.6.7 How does the ABM compare to one-time email addresses?
3.6.8 How does the ABM compare to Whitelisting?
3.6.9 How does the ABM compare to Blacklists?
3.6.10 How does the ABM compare to a flat tax?
3.6.11 How does the ABM compare to a flat postage fee?
3.6.12 How does the ABM compare to using email stamps (e-stamps)?
3.6.13 How does the ABM compare to Brightmail?
3.6.14 How does the ABM compare to Ironport?
3.6.15 How does the ABM compare to Ironport’s Bonded Sender Program?
3.6.16 How does the ABM compare to Goodmail?
3.6.17 How does the ABM compare to Microsoft’s Penny-Black?
3.6.18 How does the ABM compare to Bankable Postage?
3.6.19 How does the ABM compare to Microsoft’s “Caller-id”?
3.6.20 How does the ABM compare to Domain Keys?
3.6.21 How does the ABM compare to SPF?
3.6.22 How does the ABM compare to Yahoo’s Filtering?
3.6.23 How does the ABM compare to Cloudmark?
3.6.24 How does the ABM compare to Vipul’s Razor?
3.6.25 How does the ABM compare to Reputation Systems?
4 Security, Viruses, Honeypots, and Authentication
4.1 Q: What about possibility of fraud or a virus triggering bond payments?
4.3 Q: Does this mechanism require strong identities?
4.4 Q: What is the role of stronger authentication of individual identity?
4.5 Q: Why are Certifying Authorities not needed for individual identities?
5.1 Q: Doesn't this require infrastructure?
5.2 Q: Who runs the payment system?
5.4 Q: Will existing mail clients need to be changed?
5.5 Q: Does this design require changes to SMTP?
5.6 Q: What happens if warranties are demanded in foreign currencies?
6 Compatibility with Existing Uses
6.1 Q: How does this system work with mailing lists that I subscribe
to?
6.2 Q: How is this compatible with e-commerce and customer relationships?
6.3 Q: What if I have forgotten my password to a website and need it to be
emailed to me?
6.5 Q: How will the ABM work for large institutions?
6.6 Q: What does my IT department need to do once we begin using the ABM?
6.7 Q: What about friends and family?
6.8 Q: How does the ABM work with children under 18?
7.1 Q: If I am a marketer, will this system stop me from reaching my
customers?
7.2 Q: What are the effects on Marketers?
7.3 Q: Will I have to pay taxes on any warranties I claim?
8.1 Q: Why would anyone participate?
8.2 Q: How can user adoption be encouraged?
8.3 Q: Why should marketers participate?
8.4 Q: What are the benefits to ISPs?
9.1 Q: Will this cause a loss of freedom of speech?
9.2 Q: If everyone starts using the ABM, what happens to anonymous email?
10.1 Q: Is this really a new idea?
10.2 Q: So what’s your contribution?
A: We define spam as any email that you would rather have not received. It is important to note that with this definition, we assume you know whether or not something is spam only after you have received it.
An alternative definition is “any email for which after reading the email, you feel that if you could charge the person sending it to you for wasting your time, you'd do it.”
The above definition excludes things like email that represent a bill or a death in your family. In the case of a bill, despite the fact that you would rather not have to pay it and hate being reminded of it, you typically still want to pay since the alternatives to not paying are usually worse.
A: The Attention Bond Mechanism is a means to improve the value of communication between two parties and increase the likelihood that such communication is mutually desired. In other words, it is a means of eliminating spam. It can be used for many different communications media, including email, phone, SMS, and instant messaging. This FAQ focuses primarily on its application to email and spam.
A: A bond is a sum of money (or other exchangeable good) which one party in a transaction sets aside with a third party before the primary transaction occurs, as a show of good faith.
A bond is similar to a warranty, but not the same. The difference between a bond and a warranty is that a warranty is a promise to pay, but is not paid or set aside in advance. If the second party to a transaction (the recipient, in the case of spam) is dissatisfied, with a warranty she must request payment from the first party. With a bond, she instead requests payment from the third party, which holds the bond.
The third party plays the role of an escrow. The bond is placed with the third party, who provides the service to both primary parties of holding the bond and releasing it when certain events occur.
Example Bonds:
For better or for worse, perhaps the most widely known example of a bond is a “bail bond”. In the situation where a suspected criminal offender captured, they are sometimes required to post a bond in order to leave custody of authorities. The money set aside as the bond constitutes a promise to return to a trial for formal interaction in person. Should they not return on the promised date, the bond money is forfeit.
It is important that the bond is large enough such that showing up in court is actually in the best interest of the suspect offender. Bonds are also used as investment instruments, in housing purchases, and for providers of contracting services.
A: Email from a sender who is pre-approved or whitelisted (See Q: What is a whitelist?) goes directly to the recipient. A sender who is not pre-approved by the intended recipient is required to post a small sum of money (a bond) in order for his email to be delivered. In effect, the sender warranties the content of his email and pre-pays the warranty in the form of the posted bond.
Assume, for example, that a sender sends an email and receives notification that he is required to post a bond to ensure delivery. Assume also that he then posts the bond (see “Q: How does the sender post a requested bond?”). When the bond is posted, the email is delivered to the recipient.
Once the email is in possession of the recipient, the recipient can choose whether or not to claim the bond. If the recipient claims it, bond money is transferred to her and the sender loses it. If instead the recipient is satisfied with the email, she allows the bond to be returned to the sender unclaimed and no money changes hands.
A: A whitelist is a list of identities of approved senders. Whitelists are used to route email from selected senders around filtering, screening, or additional challenges and allow the email to be placed directly into the recipient’s mailbox. A requirement for an efficient whitelist is that the identity of the sender of the message is cheaply and easily recognizable, yet hard (or computationally expensive) to fake.
See also “How does the ABM compare to Whitelists?” and “How does the ABM compare to Blacklists”
A: A software program can be designed which scans through your mail folders and adds senders with whom you’ve had prior correspondence. It could allow you to modify or remove entries. This type of management will not be required most of the time, but can be done periodically as needed. Third party reputation systems can be integrated when they become more available to further reduce or eliminate the management load for users.
A: The sender must post a bond at least as large as the size required by the recipient. It could be pennies or more than $5.00. See What is a reasonable size for a bond?
A: The sender does not have to pay anything if they are sending email to people with which they correspond regularly, for example to friends, family, co-workers, other professionals, or mailing list subscribers. These senders will typically be whitelisted by recipients (see “What is a Whitelist?”). The sender may have to pay if he sends email to someone with whom he has never had prior communication, or to someone who does not want the communication.
A: For most people, a good size bond is likely to be somewhere between a few cents and less than $1.00.
If a recipient demands too large a bond, marketers will avoid them altogether or only rarely take the risk of sending an email. This might be fine for some users of email, but a recipient’s friends might choose to avoid sending to them as well. With a very high bond, the recipient risks alienating young or less developed relationships, particularly if the senders are risk-averse. A sender may not want to risk losing a large sum of money when the relationship with the recipient is tenuous or where an expectation of future interaction is limited.
On the other hand, if a recipient demands too small a bond, she will end up receiving spam. It is likely that for each person, there is a unique optimal size. Over time, more sophisticated recipients will learn what is most appropriate for their own social and business relationships, and set the bond accordingly. To make it easy initially, recipients can simply take a default size provided by their ISP or escrow agency, or may use the default in whatever software tool they use for mail. Most users may never need to change the default.
A: From the standpoint of the average user, the ABM will be simple to use. The complexity of the underlying system, including the details of its operation, various parties involved, and protocols used can be hidden from the end user, just as the complexity of the underlying Internet or the stock market is hidden from users today. Existing mail clients can be adapted to hide the complexity and provide a very simple set of options. ISPs and corporations will be able to automate the setup of the accounts required by the ABM for their users. Users of email who want greater control of their accounts (or greater visibility) or want customized options will be able to set up their own accounts or have access to services that provide greater levels of control.
A: The inbox of the recipient
is protected by a whitelist. The
recipient has control of which identities are on the whitelist. Any email sent from a sender listed on the
whitelist is immediately delivered to the recipient’s inbox. Email from a
sender not on the whitelist is blocked and the sender is sent a challenge
message.
Up to this point, the design of the ABM is quite similar to existing
challenge-response systems, but hereafter the approach differs.
With the ABM, the challenge message contains a request for the sender to post a bond to an escrow account controlled by the recipient (see “Q: What is a reasonable size for the bond?” for a discussion of bond size). The recipient’s escrow account can be set up in advance or when first required. The recipient can set it up with a third party escrow service, or it could be set up on behalf of the recipient by their ISP, a bank, or by their employer.
The challenge reaches the sender in both human readable and machine-readable formats, which a sender to manually respond to the challenge, but also lets software operated by the sender automatically respond. If the sender chooses to accept the challenge, they authorize posting of the requested bond. Once the bond is posted with the recipient’s escrow service, the recipient’s mail system receives a notification. This notification triggers delivery of the original email into the recipient’s inbox.
When the recipient opens the email, she can see the associated bond and may decide whether or not to claim it. She might think, for example, "no, this is spam, I'm going to collect the bond", or think, "This is a direct marketing offer for a product I am not interested in. I will collect the bond as compensation for having to review it." Or they may say to themselves “this is interesting,” then review, keep and/or respond to the mail and not collect the bond, as they would if the email is from a friend, family member, or business associate.
By default, if the recipient
does not explicitly choose to keep the bond, the bond is automatically returned
to the sender after a few days. If the recipient chooses to keep the
bond, she notifies her escrow service by clicking on a button. The value
of the bond is then deposited into her own general-use account.
To avoid the extra work of having to respond to challenges by hand, a sender
may choose to activate a policy, similar to the following: “If I ever send
someone an email and they respond with a challenge, as long as the amount of
the challenge asks for less than $0.50, it’s ok to automatically post the
bond. For any requested bond larger than $0.50, return the challenge to
my inbox so that I may review it and decide.”
Such a policy could be implemented in software on the sender’s mail
servers, and would reduce the number of times direct intervention is
required. With such a setup, most of the time the posting of bonds would
be transparent and automatic.
A: For a diagram that outlines the various parties, their interactions and the steps involved see the How it Works document.
A: The sender posts a bond by authorizing their escrow agency to move the amount of money requested as a bond into an account controlled by the intended recipient. This can be done with a mouse click when the sender receives the challenge, or they may set things up so that it can be done automatically by establishing a policy with their own mail servers. See “How does it work (in greater detail)”
A: There are several ways to add senders to your whitelist. One way is to use your mail tool when a message from a new sender arrives. You could do this simply by clicking on a button. Another way is to use your email software to manually add a sender’s identity by typing it in. Since this could be a nuisance if you are adding many senders, you could make use of a software feature that automatically adds your list of contacts or scans your archived mail folders and your outbox for identities of those who are already acceptable to you. This would need to be done only once during setup, though there may be reasons to manage the whitelist later.
When sending email, your mail system can automatically add the identity of the
recipients you have specified if they are not already whitelisted. This
way, when they reply to your email they will already be on your whitelist and
the reply will not be blocked.
A third automatic method is analogous to a “letter of introduction” commonly used in the last century. If someone you know “cc’s” a third party they want you to know, then the system can automatically grant that person a temporary waiver until you can evaluate whatever they send.
A: It will help restore the value of email by making it reliable again.
In addition to eliminating spam, it expands the use of email by allowing payments, making it easier for users and companies to maintain relationships. It increases the value of the information marketplace by allowing marketers, first-time senders and recipients to fine-tune their communications, letting each side tell the other what they want and how much they are willing to pay for it.
A: By participating in this system, you help improve the quality of information exchanged through email, and reduce unnecessary waste and email volume that clogs networks and increases costs. Such costs are ultimately are paid for by consumers and businesses. In general, everyone’s productivity will increase, with the exception of the spammers. You’ll be able to immediately prevent the delivery of billions of spam messages that are designed to break through today’s filtering systems from landing your mailbox. You will also help maintain the values and promise of email – and squarely put the “cost” on those who abuse the system. This is in contrast to some other proposed solutions (economic or otherwise), some of which tax everyone indiscriminately and degrade the value of email.
A: Yes, control you will get. No more spam. One exception: if you do receive email from someone you don’t know, it will have money attached. Although the default bond size will probably work fine, you’ll be able to fine-tune it if you like. Set your bond size just right and you can turn what would have been an annoyance into something you are happy you received.
If you never want to receive email from someone unknown to you, you can simply use the whitelist part of the ABM by itself.
A: It works because it lets both the recipient and the sender cheaply negotiate the terms under which both want communication. This is accomplished without third party human mediation or taxes. The low costs are possible because software on both sides can handle the first few rounds of communication – no human involvement unless they want to be involved.
Unlike existing challenge-response solutions, the ABM allows relationships to be established entirely via email without requiring the sender to use other forms of communication such as the phone, the web, or instant messaging.
A: Etiquette will evolve around this mechanism, just as etiquette has evolved around voicemail, email and instant messaging. The design of the ABM assumes honesty, but will ultimately punish those who abuse it. If you improperly collect the bond or set your required bond too high, senders will take you off their list. See What is a reasonable size for a bond?
A: Nothing in the ABM directly prevents you from always seizing posted bonds. However, by always seizing bonds you could hurt yourself more than you hurt others. If you just try to make money off other people, then they will stop communicating with you; marketers will quickly blacklist those recipient identities that always seize the bond, or achieve the same effect by tracking and managing lists of those senders that regularly release it. See the ”honeypot” question.
When you collect bonds more often, you increase the costs to the senders. Consequently, less email will be sent to you, and you probably do not want to lose email from you friends or work associates. But when spammers are the senders, collecting from them is ok. So, rather than keeping the bonds all the time, you will want to keep them from spammers, but not from your friends.
A: The ABM enables the recipient to seize the money solely at her discretion. Nothing, other than perhaps etiquette and good judgment, prevents claiming a bond.
Why is this ok? The ABM puts the burden on the sender to think carefully about to whom they are sending email. If it really is to a friend or acquaintance, the sender should have no fear of sending an email and, if necessary, posting the bond.
A: The recipient is the main benefactor. However, a small portion will be necessary to cover the costs of the escrow agencies and to provide the right incentives for the ISPs or enterprises that operate the recipient’s and sender’s email accounts. This size of this portion should be low (perhaps a few percent) due to competition between service providers.
A: Yes you can. There is no reason to lose your present email address if your ISP or web-mail provider supports a system that implements the ABM. Even if you regularly access your mail with a traditional client such as Eudora or Outlook, you should be able to keep your address. However, if you switch providers, you might not be able to take your address with you. This is no different than the way it works today.
A: No. There are certain types of mailbox uses for which the ABM would be inappropriate. For example, suggestion drop boxes, sales and info email addresses, and any situation where the recipient wants no barriers, what so ever, to be placed in front of the sender.
For example, the New York Times, CNN, and many local newspapers and broadcasters have an email address that people can use to send anonymous tips of breaking stories. Any additional barrier on such addresses address, aside from the unavoidable costs to the sender of taking the initiative, is too much. In cases such as these, recipients can set the threshold to zero cents, and may want to use an appropriate filtering solution. Fortunately, due to the small number of people who would get submitted emails, spammers may not even be justified in sending to these addresses.
A: If the sender does not
already have an escrow account setup, they can set one up before they respond
to the challenge. The challenge email can contain instructions as to
where to go to get started. Alternatively, they can contact the recipient
through other means, and ask to be added to their whitelist.
To aid the adoption, if the recipient chooses they can optionally include in a
challenge message references alternatives other than bond payment that do not
require account creation with an escrow agency. During early days of adoption, few people will have escrow
accounts, so this alternative can make things a little easier for the typical
sender until the infrastructure becomes widespread.
For example, the alternative challenge could be a CAPTCHA (like a Turing Test), where the sender is required to take a simple test that is designed to prove they are human, similar to what is used today by challenge-response systems. See “Q: How does the ABM compare to Challenge-Response?”
This is an option, but not a requirement. The recipient’s mail server can be instructed to deliver email from a non-whitelisted sender (a suspect sender) into a separate mailbox (commonly called a ‘grey mail’ box). The recipient can then view the contents of this mailbox at any time. When notification is received from the recipient’s escrow agency that a sender has posted a bond for a particular message, that message is ‘promoted’ out of the ‘grey mail’ box and placed the recipient’s primary mailbox.
A: In order to post bonds or collect them, users of ABM will need an escrow account. Escrow accounts can be set up in advance for users by their ISPs or by their employers. Alternatively, users can set up an escrow account directly through an escrow agency on their own. Users should be able to support multiple email addresses per escrow account if this is desired.
To post a requested bond will require the sender to have an account that has a high enough balance. The funding of this account could be accomplished through a credit card payment, or through other payment means. In the case where the account is setup by an ISP, the funding for this escrow account balance could come from an additional payment on top of that for the first month of service.
If a recipient claims bonds, over time the sum of claimed bonds will accumulate unless they are spent paying bonds to others. At some point, if the balance gets high enough, the recipient may want to transfer money out of the account to a general-purpose bank account. The ACH checking network would be suitable for these transfers, if the size of the transfer was set large enough to offset the transaction cost.
A: In lay terms, a bond is a risk that a person on one side of a transaction takes to prove to the other party that he will find the completed transaction valuable. Technically, this is described as a “contingent liability with an expiration date”. A warranty is a promise to pay compensation for dissatisfaction after the transaction completes as opposed to setting it aside in advance as with a bond. See the previous section, Q: What is a Bond?
A: The purpose is to make spam too expensive for spammers to send. The bond is required only for first-time communication from a stranger, or for subsequent communication if a recipient has removed the sender from her whitelist.
The sender who believes his message is not spam is willing to put up that money - to risk it - to prove that if the recipient reads the email, they will agree that it is not spam. Spammers, in general, cannot afford to take this risk.
Of course, the bond can also represent a pledged amount of money a legitimate marketer is willing to spend to reach a person in exchange for his or her time. Again, the recipient can decide to accept it or not.
A: For tangible products and services, a higher quality warranty (one that is likely to be more costly to provide if requested) implies that the goods offered will satisfy. Someone offering a poor quality product or service will find warranties more expensive than someone offering higher quality because they will need to spend money fixing their broken promises. The good guys incur much lower warranty costs. In the digital world, such a warranty can be used to imply “even though you don’t know me, my message is worth your time.”
The trouble is, in the online world, it is possible for the party offering a warranty to “split the scene” after the primary transaction completes, and just disappear. This means there is no way to track them down, and no way to enforce the claim on the unpaid warranty. Warranties cannot be used. In short, the Internet is like the Wild West, so it's wise to collect cash, up front, before providing spending additional effort.
It is for this reason we propose a bond, paid up front, rather than a warranty. The bond goes to a third party before the transaction completes. The third party, who requires both a good reputation and significant sunk costs to retain and attract customers, will not disappear after the transaction, even if the sender does. Therefore a claim on the bond can be effective, and the recipient gets paid the amount of the bond.
A: There are two primary differences. The first difference is that with the Attention Bond, the money for the bond is collected up front, yet with a warranty, it is only promised.
Attention Bonds also differ from standard product warranties in that recipients of email get to choose the size of the bond, allowing customization. Usually, in the non-electronic world, the cost of customizing a warranty to each individual buyer of a product is too great and so it is rarely done.
A: The advantage is primarily economic. Different people have different value for their time, have different tastes, and may want to receive more or less communication from outsiders. The best bond size will be somewhat different for each person. A fixed bond has little flexibility and cannot accommodate these differences.
A: You should be guided by three factors. First, if your time is very valuable, you want to set a higher warranty level. If high enough, any strangers are unlikely to bother you. Second, if new information is valuable to you, you should set a lower warranty level. This encourages more people to contact you with new ideas, observations, and information. Finally, you need to decide when to force senders to honor their warranty. If they’re bothering you with useless sales pitches, then go ahead and claim it -- they’ve wasted your time. If someone is your long lost high school buddy, then you’re glad they reached you and you don’t need to bother claiming it. Pick the factors that are most important to you.
A: Technology-based filters are required in many situations and useful, but they don't solve the problem. And they have two terrible side effects. First, they create a technical “arms race” - with spammers on one side and filter makers and Internet service providers on the other. You, the recipient, are stuck in the middle. This kind of battle only increases the volume and variety of junk the spammers send to try to get their message through. Second, while some filters claim to get closer to 99.8% effectiveness - false positives are still a problem. The incidence of false positives (a false positive is good email that is incorrectly classified as spam) is increasing with filters already in use as they are modified to include more screening criteria and rules.
For many, the occurrence of these false positives is intolerable. For example, AOL is constricting its filters so tightly that some moms coordinating after-school activities can no longer rely on email and are returning to the phone. Admissions departments are having email acceptances simply "dropped" as bulk mail, which means students don’t receive them. Emails that include website addresses are often determined by the filters to be “spam” even between people with a long history of communications between their two addresses.
Even spam filter experts at the January 2004 MIT conference on spam (www.spamconference.org) report losing "good mail" from friends and business associates - including valuable contracts - in their bulk mail and spam folders because they were misclassified.
One commonly implemented means to address the problem of false positives it to provide a ‘grey-mail’ box, in which suspect messages are placed for later review. Unfortunately, although use of a grey-mail box reduces the likelihood of missing an important email, there are two problems. Unless you check your ‘grey-mail’ box as often as you do your regular inbox, delays are introduced. And, if you have to periodically go through the grey-mail box to check to see if something important was misclassified, you still end up having to look at all the spam.
Both of these side effects of filtering- the technical arms race and false positives- devalue the entire medium of email. They damage email’s accessibility, convenience, reliability, authenticity, and low cost, and destroy the way it helps people and creates communities. And filtering provides no incentive to the “good” players using email – personal users, legitimate businesses, and marketers – to improve and fine-tune their communications. It provides a lot of incentive to spammers to figure out how to outwit the filters.
A: As compared to email-stamps, a flat tax on email, or per-email postage fees, the Attention Bond Mechanism has the advantage that charg