‘Internet Stamps’: ‘Sender Pays’ Is Back From The Dead

Jeremy Zawodny mentions that Tim Bray has proposed something he calls ‘Internet Stamps’ to solve the blog-spam problem; here’s Tim’s description of how it works:

An Internet Stamp is an assertion, signed by a Post Office, that some chunk of text was issued by someone who paid for the stamp. At least one major Post Office will be required by government statute to sell stamps to anyone in the world for either US$0.01 or EUR 0.01, and no stamp-selling organization will be recognized which sells stamps for less than this amount. For this to work, the number of stamp-selling organizations needs to be small and the organizations stable; another reason why Post Offices are plausible candidates.

It works like this: if you want to buy stamps, you sign up for an account with your Post Office; it works like paper stamps, you buy a bunch at a time in advance, in small amounts like $20 or EUR 10. Then the Post Office offers a Web Service where you connect to a port, authenticate yourself and send along some text; the Post Office decrements your account and sends back the stamp. There are a variety of digesting/signing/PKI techniques that could be applied to implement the stamps; a standard is required but should be easy.

Apparently himself and a few other guys chatted about it at the first Foo Camp, back in 2003. Funnily enough, in the anti-spam community, we were having our own chats about it, but it sounds like our paths didn’t cross for some reason…

We call this idea ‘sender pays’. Earlier in 2003, in June, John Levine published what I’d consider the canonical wrap-up of why it will not work, in ‘An Overview of e-Postage’.

That report demolishes the use of ‘sender pays’ for e-mail anti-spam, on three main counts:

  • Creating a transaction system large enough for e-postage would be prohibitively expensive. The nearest parallel is the credit card transaction system, which deals with 1% of the transaction volume per day, and with much larger profit margins to make it worth their while.

  • The true financial, administrative, and social costs of e-postage are completely unknown. What do you do when a ‘bad guy’ steals the e-postage stamps off Aunt Millie’s hard disk, without her knowledge? How much is the Fraud Handling Department going to cost? Is she just going to be out of luck when this happens? Will you need to use whitelisting and a content-based anti-spam filter as well, to filter out the messages sent using valid, but stolen, stamps?

  • Users hate micropayments. In short, see Andrew Odlyzko’s research.

Now, using it on weblog spam is a little more practical than e-mail spam, for one thing because it has a lower daily volume of transactions; but these objections still stand, in my opinion.

John Levine is one of the foremost authorities in anti-spam, and this report has been a mainstay of the anti-spam canon for two years. Anyone discussing a new anti-spam concept really ought to know this report backwards and forwards by this stage, and go into some detail as to how their proposal deals with the issues raised, if it’s to be taken seriously.



  1. Posted October 23, 2005 at 02:53 | Permalink

    Wow, taint.org has comments now! With realtime preview no less. By the way, for some reason the “Justin’s first name” box seems to be skipped over when tabbing using Firefox. Not sure what’s up with that.

    Now for the actual comment: How about we have an international registration system, where you can submit a DNA sample and notarized affidavit promising never to post comment spam or send spam emails (with some suitable definition), with a $500 or local equivalent registration fee. Once registered, and as part of what you get for the $500, you get one of those little number-generating secureID cards, and a hand-scanner. They also scan your hand when you register, so your hand-scan is on file centrally, and they take a copy of your public PGP key too. All blog software then simply implements a standard protocol to do 3 factor authentication before every comment is posted (secureID number, hand scan, and passphrase for your PGP key), and all free-email or free-blog sites call the same authentication API. MTAs similarly call the API, with MUAs modified to collect the 3 bits of data from the user. Authentication is handled through a federated LDAP backend which spreads the load among servers in all the various member nations, making scalability a cinch.

  2. Posted October 23, 2005 at 02:55 | Permalink

    Oh, I forgot to mention — the reason for the notarized affidavit is that by registering, you’re agreeing to a contract whereunder anyone else who’s a member of the registry can sue you if you violate the terms of the agreement. The notary is responsible for making sure that you are who you say you are when you register.

  3. Simon
    Posted October 23, 2005 at 23:35 | Permalink

    But you misunderstand! It’s a new idea from Tim Bray. Of course it will work! Who needs prior research in a situation like that?

  4. Dan
    Posted October 25, 2005 at 19:42 | Permalink

    “Creating a transaction system large enough for e-postage would be prohibitively expensive.”

    In terms of transaction volume, current estimates are that 66% to 80% of all e-mail is spam. And that number is growing. Sender pays cuts out that traffic. IMO, the system that can’t keep up with spam is the one we use now.

    As far as fraud goes, there are significant disincentives for defrauding people based on sender pays, the most obvious of which is that spammers must send out millions of e-mails to make a profit, which, under sender pays, would require picking too many digital pockets to make the risk and the effort worthwhile.

    (For what it’s worth, I prefer the Attention Bond Mechanism to any stamp based approach.)

    “The true financial, administrative, and social costs of e-postage are completely unknown.”

    Here be dragons? Legacy e-mail and sender pays don’t have to be mutually exclusive. They can exist right alongside each other. We do know that there are real financial, administrative, and social costs with the system we have now, including an assault of hardcore porn, Nigerian 419 scammers, deceptive medication and other marketing messages. Sender pays can hardly do worse.

    “Users hate micropayments.”

    I’d say users hate spam. As for micropayments, it all depends on product, price, and implementation. iTunes competes with free, and yet they’re making a profit using what the credit industry used to consider micropayments. Paypal just a couple months ago changed their pricing structure to make it micropayment-friendly. Bitpass already supports transactions down to a single penny. And as I said above, the option to send legacy e-mail for free will still be there. So it’s not either/or, it’s just a higher level of reliability you may choose if you desire it.

    Or so it seems to me, a self-described spamateur. :)

  5. Posted October 29, 2005 at 23:28 | Permalink

    Hi Dan —

    sorry about the delay! Some followups:


    “current estimates are that 66% to 80% of all e-mail is spam. And that number is growing. Sender pays cuts out that traffic.”


    I doubt we’d see the spammers doing us the favour of entirely omitting ‘sender pays’ data from their spam. More likely, they’ll add expired, duplicated, cut-and-pasted, invalid, or fake ‘stamps’ to their messages (as they’ve done in the past with PGP and SPF data). The SP infrastructure will still be required to examine these stamps and make a spam/ham decision, so they still need to be counted in terms of traffic volume.


    I likewise, in the past, thought that the existing legal disincentives to impersonation and trespass would help us in the fight against spam.

    • Impersonation: we whitelisted a few very large email senders by default in SpamAssassin, including Amazon, because we thought spammers would be disinclined to impersonate such large, litigious companies when the laws are strongly tilted in Amazon’s favour. We were wrong — spammers did indeed impersonate them in an attempt to get those whitelisting bonuses, forcing us to change the implementation.

    • Trespass: I never thought I’d see the borderline-legitimate spammers using open proxies, botnets, and other forms of misuse of infected end-user home computers. Wow, was I wrong. One spammer even claimed that the end-users had willingly installed the proxies.

    What makes you inclined to think that fraud would be any different?

    As far as I can see, the spammers and the phishers are not far from each other nowadays — I see spam and phish mails sharing common traits, demonstrating that, at least in some cases, it’s the same people involved at some level. In my opinion, that shows that many of the spammers are already in bed with hardcore fraudsters anyway.


    iTunes in my opinion is not a valid comparison — we’re talking here about a previously free resource (email), whereas iTunes is dealing with a previously quite expensive, still-metered resource (music); it just breaks down the granularity of the metered purchasing from “1 album” to “1 track”.

    Reading Odlyzko’s The Case Against Micropayments paper explains the trouble with metering via micropayments a lot better than I could. In particular, see ‘6 Behavioral Economics’ in that paper, and Pricing and architecture of the Internet, which provides more economic data on how consumers and users prefer flat-rate/free vs. metered usage, and the chilling effects of the latter.
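
The stamp flow in the quoted proposal (prepaid account, digest, signature) and the receiver-side checks needed against the expired, duplicated, cut-and-pasted, invalid or fake stamps mentioned in the last comment, as an added example that is not code from the post, the proposal or any commenter. The stamp layout, the HMAC standing in for the Post Office signature, the demo key and the one-week lifetime are all assumptions.

```python
import hashlib
import hmac

# Assumption: a shared-key HMAC stands in for the Post Office's signature so the
# example needs only the standard library; a real scheme would use a public-key
# signature so that receivers cannot mint stamps themselves.
POST_OFFICE_KEY = b"constructed-demo-key"
STAMP_LIFETIME = 7 * 24 * 3600  # assumed validity window, in seconds

def _sign(body):
    return hmac.new(POST_OFFICE_KEY, body.encode(), hashlib.sha256).hexdigest()

class PostOffice:
    """Sells stamps against a prepaid balance (hypothetical stamp layout)."""
    def __init__(self):
        self.balances = {}  # account name -> prepaid stamps remaining
        self.serial = 0

    def buy_stamp(self, account, text, now):
        if self.balances.get(account, 0) < 1:
            raise ValueError("insufficient prepaid balance")
        self.balances[account] -= 1
        self.serial += 1
        digest = hashlib.sha256(text.encode()).hexdigest()
        body = f"{self.serial}|{int(now)}|{digest}"
        return f"{body}|{_sign(body)}"

class Receiver:
    """Classifies every stamp it is shown; junk stamps still cost a check."""
    def __init__(self):
        self.seen_serials = set()  # replay state local to this receiver

    def check(self, text, stamp, now):
        parts = stamp.split("|")
        if len(parts) != 4:
            return "invalid"
        serial, issued, digest, sig = parts
        body = f"{serial}|{issued}|{digest}"
        # Verify the signature first, so unsigned fields are never trusted.
        if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
            return "fake"
        if now - int(issued) > STAMP_LIFETIME:
            return "expired"
        # The stamp must cover this exact text, not some other message.
        if digest != hashlib.sha256(text.encode()).hexdigest():
            return "cut-and-pasted"
        if serial in self.seen_serials:
            return "duplicated"
        self.seen_serials.add(serial)
        return "valid"
```

The duplicate check only sees this one receiver's history; spotting a stamp reused at a different receiver would need state shared between receivers.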