How to stop the spam arms race

I've written before about how anti-spammers, no matter how effective they attempt to be, are always fundamentally fighting the last war. For those who are interested, my client-side spam filter currently has a success rate of 96.6% - good, but if a hosting company were to offer that sort of uptime guarantee, they'd be a laughing stock. You need at least 99% uptime guarantees if you're going to be taken seriously, and ideally 99.9% or even 99.99% (although that one is pushing it a bit).

Well, here's Cringely's take on spam:

Spam has become so pervasive because it works.  If it didn't work, people wouldn't do it.  If other forms of Internet advertising were equally effective, spam wouldn't be so popular.  So spam proves by its own success that most other forms of Internet advertising are ineffective.

I think he's got a point. People like Egg and Freeserve have dabbled in spam in the past; they got a right royal roasting, and I for one stopped using my Egg card as a result, but you can see why they did it - the temptation of the cheapness and apparent efficiency of spam can be overwhelming, if you're not aware of the potential PR disaster of being a known spammer. I think that's why spam mostly comes from disreputable companies selling viagra, Nigerian 419 scammers, or, for some reason, people selling septic tanks.

But spam exists, and Cringeley goes on to talk about how, for instance, his email alert mails are being bounced by spam-filters. Well, that's a problem of how you configure spam-filters: spam-filters should never bounce emails, unless they're absolutely sure that the email is spam (like, say, it scores a bazillion out of 10 on the spam-ometer). And even then I'm not sure bouncing is a good idea; I expect that the spammers may treat bounce messages as signs that an email address actually works, but is spam-protected. If they know that, they can then store that email address for later, and when they think they've got round the anti-spam software that email account is using, they'll try again.

(Another problem for hosting companies is that if they bounce spam, they've got to pay for the bandwidth used by the bounce message. Suddenly their bandwidth bill for handling spam doubles. That can't be right.)

The proper way to deal with spam is for it to be automatically tagged / moved into a separate folder. You never throw it away. You leave it down to the user to decide what to do, so they can delete everything sight unseen, or they can go through looking for subject headings or senders that they recognise, and pluck emails misidentified as spam out of the pile. We're still in the early days of spam-tagging and -filtering, but I think if we can educate users - and make it easy for them - we can beat the spammers, without poisoning people's life too much.

Incidentally, Cringeley reckons that the solution is to make it easier and more cost-effective for spammers to target just the people who would be interested in their product. Well, this would have to be pretty damn cheap, given how cheap it is to send normal spam at the moment, and I don't see how you could possibly fund such a scheme. It also doesn't tackle Nigerian 419 scams; almost by definition, nobody wants those.